ipftest(1M)
NAME
ipftest - test packet filter rules with arbitrary input.
SYNOPSIS
DESCRIPTION
The ipftest utility enables you to test a set of HP-UX IPFilter filter rules
without loading them.
The utility parses any standard IPFilter ruleset and evaluates the
rules against a set of packet descriptors that simulate network traffic.
The utility determines the action IPFilter would take for each packet
and writes the packet descriptor and the resulting action to standard
output. The possible actions are pass, block or nomatch.
When used without the capture-file input options, ipftest takes an input
file with packet descriptors in the format shown by the examples below.
This enables you to describe a packet going "in" or "out" of an
interface, and optionally, the upper-layer protocol. If the protocol is
tcp or udp, you must also specify a port number. If the protocol is tcp,
you can also specify TCP flags.
The following is an example IPv4 input file:
# a UDP packet coming in on lan0
in on lan0 udp 10.1.1.1,2210 10.2.1.5,23
# an IP packet coming in on lan0 from host1
in on lan0 host1 10.4.12.1
# a TCP packet going out of lan0 with the SYN flag set.
out on lan0 tcp 10.4.12.1,2245 10.1.1.1,23 S
The following is an example IPv6 input file:
# a UDP packet coming in on lan0
in on lan0 udp 2001:db8::100,2210 2001:db8::111,23
# an IP packet coming in on lan0 from host2
in on lan0 host2 2001:db8::111
# a TCP packet going out of lan0 with the SYN flag set.
out on lan0 tcp 2110:db8::111,65535 2001:db8::333,23 S
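As an added illustration (not part of this man page or of IPFilter itself), the following Python parses descriptor lines like the ones above and evaluates them against a toy ruleset, reporting pass, block or nomatch the way ipftest does. The descriptor grammar is inferred from the examples, and the rule dictionaries and the RULES set are constructed stand-ins for real ipf rule syntax, not a parser for it.

```python
import ipaddress

def parse_descriptor(line):
    # Grammar inferred from the man page examples (assumption): in|out on IFACE [tcp|udp] SRC[,PORT] DST[,PORT] [TCPFLAGS]
    line = line.split("#", 1)[0].strip()
    if not line:
        return None                                   # blank or comment-only line
    tok = line.split()
    proto, rest = (tok[3], tok[4:]) if len(tok) > 4 and tok[3] in ("tcp", "udp") else ("ip", tok[3:])
    if len(tok) < 2 or tok[0] not in ("in", "out") or tok[1] != "on" or len(rest) < 2:
        raise ValueError(f"bad descriptor: {line!r}")
    def endpoint(a):                                  # tcp/udp need "host,port"; plain IP must not carry one
        host, _, port = a.partition(",")
        if (proto != "ip") != bool(port):
            raise ValueError(f"{proto}: port mismatch in {a!r}")
        return host, int(port or 0)
    (src, sport), (dst, dport) = endpoint(rest[0]), endpoint(rest[1])
    flags = rest[2] if len(rest) > 2 else ""
    if flags and proto != "tcp":
        raise ValueError("TCP flags given for a non-TCP packet")
    return dict(dir=tok[0], iface=tok[2], proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, flags=flags)

def in_net(host, net):
    if net == "any":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(net)
    except ValueError:                                # bare hostname such as "host1": literal match only
        return host == net

def evaluate(rules, p):
    # IPFilter semantics: the last matching rule decides unless it is marked quick.
    result = "nomatch"
    for r in rules:
        if (r["dir"] == p["dir"] and r["iface"] == p["iface"]
                and r["proto"] in ("any", p["proto"])
                and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
                and r.get("dport") in (None, p["dport"])):
            result = r["action"]
            if r.get("quick"):
                break
    return result

# Constructed ruleset (stand-in for ipf syntax): block all inbound on lan0, then pass UDP port 23 from 10.1.1.0/24.
RULES = [dict(action="block", dir="in", iface="lan0", proto="any", src="any", dst="any"),
         dict(action="pass", dir="in", iface="lan0", proto="udp", src="10.1.1.0/24", dst="any", dport=23)]
SAMPLE = "in on lan0 udp 10.1.1.1,2210 10.2.1.5,23\nin on lan0 host1 10.4.12.1\nout on lan0 tcp 10.4.12.1,2245 10.1.1.1,23 S"  # the man page's IPv4 example
def run(text=SAMPLE, rules=RULES):                    # one action per descriptor, like ipftest's brief summary mode
    return [evaluate(rules, p) for p in map(parse_descriptor, text.splitlines()) if p]
```

Because the block rule comes first and the pass rule last, the UDP packet is passed, the bare IP packet is blocked, and the outbound TCP packet matches nothing.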
OPTIONS
This option is required to parse IPv6 rules.
Verbose mode. This provides more information about which parts of rule
matching the input packet passes and fails.
Turn on filter rule debugging. Currently, this only shows what caused
the rule not to match in the IP header checking (addresses/netmasks,
etc.).
Cause the output to be a brief, one-word summary of the result of
passing the packet through the filter: either "pass", "block" or
"nomatch". This is used in regression testing.
Set the interface name (used in rule matching) to the specified name.
This is useful with the capture-file input options, where it is not
possible to specify an interface name in the packet descriptor.
The input file specified with the input-file option is a binary file
produced using libpcap (i.e., tcpdump version 3). You can specify an
interface for the packets using the interface-name option.
The input file specified with the input-file option is in "snoop"
format (see RFC 1761). You can specify an interface for the packets
using the interface-name option.
The input file specified with the input-file option is an output file
from tcpdump. You can specify an interface for the packets using the
interface-name option. The file must be created using one of the
following tcpdump option combinations:
tcpdump -n
tcpdump -nq
tcpdump -nqt
tcpdump -nqtt
tcpdump -nqte
The input file specified with the input-file option contains
hexadecimal digits that represent the binary value of the packet. No
length correction is made if the IP header length field contains an
incorrect length.
The input file specified with the input-file option contains text
descriptions of IP packets.
The input file specified with the input-file option contains text
output from etherfind. The file must be created using one of the
following etherfind option combinations:
etherfind -n
etherfind -n -t
Specify the input filename for the packets. The default is
Specify the filename from which to read filter rules.
SEE ALSO
ipf(4), ipf(1M)
AUTHOR
IPFilter was originally developed by Darren Reed. This HP-UX enhanced
version of IPFilter is based on the open source version 3.5 Alpha 5.