ipftest - test packet filter rules with arbitrary input.
ipftest [ -6bCdDoRvx ] [ -F input-format ] [ -i
  <filename> ] [ -I interface ] [ -l <filename> ] [
  -N <filename> ] [ -P <filename> ] [ -r
  <filename> ] [ -S <ip_address> ] [ -T
  <optionlist> ]
ipftest is provided for the purpose of being able to test a set of filter
  rules without having to put them in place, in operation and proceed to test
  their effectiveness. The hope is that this minimises disruptions in providing
  a secure IP environment.
ipftest will parse any standard ruleset for use with
    ipf, ipnat and/or ippool and apply input, returning
    output as to the result. However, ipftest will return one of three
    values for packets passed through the filter: pass, block or nomatch. This
    is intended to give the operator a better idea of what is happening with
    packets passing through their filter ruleset.
At least one of -N, -P or -r must be
    specified.
  - -6
- Use IPv6.
- -b
- Cause the output to be a brief summary (one-word) of the result of passing
      the packet through the filter; either "pass", "block"
      or "nomatch". This is used in the regression testing.
- -C
- Force the checksums to be (re)calculated for all packets being input into
      ipftest. This may be necessary if pcap files from tcpdump are being
      fed in where there are partial checksums present due to hardware
      offloading.
- -d
- Turn on filter rule debugging. Currently, this only shows you what caused
      the rule to not match in the IP header checking (addresses/netmasks,
    etc).
- -D
- Dump internal tables before exiting. This excludes log messages.
- -F
- This option is used to select which input format the input file is in. The
      following formats are available: etherfind, hex, pcap, snoop,
      tcpdump,text.
  - etherfind
- The input file is to be text output from etherfind. The text formats which
      are currently supported are those which result from the following
      etherfind option combinations:
		etherfind -n
		etherfind -n -t
  - hex
- The input file is to be hex digits, representing the binary makeup of the
      packet. No length correction is made, if an incorrect length is put in the
      IP header. A packet may be broken up over several lines of hex digits, a
      blank line indicating the end of the packet. It is possible to specify
      both the interface name and direction of the packet (for filtering
      purposes) at the start of the line using this format:
      [direction,interface] To define a packet going in on le0, we would use
      [in,le0] - the []'s are required and part of the input syntax.
pcap The input file specified by -i is a binary
    file produced using libpcap (i.e., tcpdump version 3). Packets are read from
    this file as being input (for rule purposes). An interface maybe specified
    using -I.
  - snoop
- The input file is to be in "snoop" format (see RFC 1761).
      Packets are read from this file and used as input from any interface. This
      is perhaps the most useful input type, currently.
- tcpdump
- The input file is to be text output from tcpdump. The text formats which
      are currently supported are those which result from the following tcpdump
      option combinations:
		tcpdump -n
		tcpdump -nq
		tcpdump -nqt
		tcpdump -nqtt
		tcpdump -nqte
  - text
- The input file is in ipftest text input format. This is the default
      if no -F argument is specified. The format used is as follows:
    
	"in"|"out" "on" if ["tcp"|"udp"|"icmp"]
		srchost[,srcport] dsthost[,destport] [FSRPAU]
    
This allows for a packet going "in" or "out"
    of an interface (if) to be generated, being one of the three main protocols
    (optionally), and if either TCP or UDP, a port parameter is also expected.
    If TCP is selected, it is possible to (optionally) supply TCP flags at the
    end. Some examples are:
	# a UDP packet coming in on le0
	in on le0 udp 10.1.1.1,2210 10.2.1.5,23
	# an IP packet coming in on le0 from localhost - hmm :)
	in on le0 localhost 10.4.12.1
	# a TCP packet going out of le0 with the SYN flag set.
	out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
 
  - -i <filename>
- Specify the filename from which to take input. Default is stdin.
- -I <interface>
- Set the interface name (used in rule matching) to be the name supplied.
      This is useful where it is not otherwise possible to associate a packet
      with an interface. Normal "text packets" can override this
      setting.
- -l <filename>
- Dump log messages generated during testing to the specified file.
- -N <filename>
- Specify the filename from which to read NAT rules in ipnat(5)
      format.
- -o
- Save output packets that would have been written to each interface in a
      file /tmp/interface_name in raw format.
- -P <filename>
- Read IP pool configuration information in ippool(5) format from the
      specified file.
- -r <filename>
- Specify the filename from which to read filter rules in ipf(5)
      format.
- -R
- Don't attempt to convert IP addresses to hostnames.
- -S <ip_address>
- The IP address specifived with this option is used by ipftest to determine
      whether a packet should be treated as "input" or
      "output". If the source address in an IP packet matches then it
      is considered to be inbound. If it does not match then it is considered to
      be outbound. This is primarily for use with tcpdump (pcap) files where
      there is no in/out information saved with each packet.
- -T <optionlist>
- This option simulates the run-time changing of IPFilter kernel variables
      available with the -T option of ipf. The optionlist
      parameter is a comma separated list of tuning commands. A tuning command
      is either "list" (retrieve a list of all variables in the
      kernel, their maximum, minimum and current value), a single variable name
      (retrieve its current value) and a variable name with a following
      assignment to set a new value. See ipf(8) for examples.
- -v
- Verbose mode. This provides more information about which parts of rule
      matching the input packet passes and fails.
- -x
- Print a hex dump of each packet before printing the decoded contents.
ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
Not all of the input formats are sufficiently capable of introducing a wide
  enough variety of packets for them to be all useful in testing.