From Fedora Project Wiki

Description

This test case exercises the basic function of arptables: an arptables rule is used to drop ARP packets on the receiving side.


How to test

1. Install the iproute, net-tools and arptables packages

 # yum install iproute net-tools arptables -y

2. Create Client-Server test environment

 # ip netns add C
 # ip netns add S
 # ip link add name eth1 netns C type veth peer name eth1 netns S
 # ip netns exec C ip link set lo up
 # ip netns exec C ip link set eth1 up
 # ip netns exec S ip link set lo up
 # ip netns exec S ip link set eth1 up
 # ip netns exec C ip addr add 192.168.1.2/24 dev eth1
 # ip netns exec S ip addr add 192.168.1.1/24 dev eth1

3. Check the test environment set up above and confirm that both ping and arping succeed

 # ip netns exec C ifconfig
 # ip netns exec S ifconfig
 # ip netns exec C ping 192.168.1.1 -c 1

output should be:

 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.057 ms
 --- 192.168.1.1 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 rtt min/avg/max/mdev = 0.057/0.057/0.057/0.000 ms

 # ip netns exec C arping -I eth1 192.168.1.1 -c 1

output should be:

 ARPING 192.168.1.1 from 192.168.1.2 eth1
 Unicast reply from 192.168.1.1 [C2:C6:D9:61:F5:83]  0.523ms
 Sent 1 probes (1 broadcast(s))
 Received 1 response(s)

4. Add one arptables rule on the Server

 # ip netns exec S arptables -A INPUT -i eth1 -j DROP

5. Confirm that the arping now fails and check the arptables counters

 # ip netns exec C arping -I eth1 192.168.1.1 -c 1

output should be:

 ARPING 192.168.1.1 from 192.168.1.2 eth1
 Sent 1 probes (1 broadcast(s))
 Received 0 response(s)

 # ip netns exec S arptables -L -n -v

output should be:

 Chain INPUT (policy ACCEPT 4 packets, 112 bytes)
 -j DROP -i eth1 -o * , pcnt=1 -- bcnt=28
 Chain OUTPUT (policy ACCEPT 4 packets, 112 bytes)
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
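The whole procedure, steps 2 to 5, as one POSIX shell script that decides pass/fail mechanically instead of by eye. This is an added example and not part of the wiki page or of the arptables project: the namespace names, addresses, interface name and DROP rule are the page's, while the helper functions, the check logic and the sample outputs embedded for a root-free self-check are this script's own assumptions. The counter parser expects the legacy "pcnt=N -- bcnt=M" layout that the page shows for arptables -L -n -v; a different arptables backend may print counters differently, in which case the live run reports a failure rather than a false pass.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: drives the arptables test case
# end to end and decides pass/fail mechanically. Namespace names, addresses,
# the interface name and the DROP rule are the page's; the helper functions
# and the check logic are this script's own. Steps 2-5 need root and the
# iproute, net-tools and arptables packages (step 1); the parsers run on
# captured text only, so they can be checked without root.
set -eu

CLIENT_NS=C
SERVER_NS=S
CLIENT_IP=192.168.1.2
SERVER_IP=192.168.1.1
DEV=eth1

# Step 2: two network namespaces joined by a veth pair.
setup_env() {
    ip netns add "$CLIENT_NS"
    ip netns add "$SERVER_NS"
    ip link add name "$DEV" netns "$CLIENT_NS" type veth peer name "$DEV" netns "$SERVER_NS"
    for ns in "$CLIENT_NS" "$SERVER_NS"; do
        ip netns exec "$ns" ip link set lo up
        ip netns exec "$ns" ip link set "$DEV" up
    done
    ip netns exec "$CLIENT_NS" ip addr add "$CLIENT_IP/24" dev "$DEV"
    ip netns exec "$SERVER_NS" ip addr add "$SERVER_IP/24" dev "$DEV"
}

# Deleting a namespace also removes the veth end that lives in it.
teardown_env() {
    ip netns del "$CLIENT_NS" 2>/dev/null || true
    ip netns del "$SERVER_NS" 2>/dev/null || true
}

# Reply count from arping's summary line ("Received N response(s)"), read
# from stdin so the same parser serves live runs and the self-check below.
arping_replies() {
    sed -n 's/^[ ]*Received \([0-9][0-9]*\) response(s).*/\1/p'
}

# Packet counter of the first rule in chain $1 of `arptables -L -n -v`
# output, in the legacy "pcnt=N -- bcnt=M" layout shown on the page;
# prints 0 when the chain holds no rule.
rule_pcnt() {
    awk -v chain="$1" '
        /^[[:space:]]*Chain / { in_chain = ($2 == chain); next }
        in_chain && /pcnt=/ {
            sub(/.*pcnt=/, ""); sub(/[^0-9].*/, ""); print; found = 1; exit
        }
        END { if (!found) print 0 }
    '
}

# Steps 3-5: connectivity before the rule; no ARP reply and a non-zero
# rule counter after it.
run_case() {
    trap teardown_env EXIT
    setup_env
    ip netns exec "$CLIENT_NS" ping -c 1 "$SERVER_IP" >/dev/null
    before=$(ip netns exec "$CLIENT_NS" arping -I "$DEV" -c 1 "$SERVER_IP" | arping_replies)
    [ "$before" = 1 ] || { echo "FAIL: no ARP reply before the rule was added"; return 1; }

    # Step 4: drop every ARP packet that arrives on the server's eth1.
    ip netns exec "$SERVER_NS" arptables -A INPUT -i "$DEV" -j DROP

    after=$(ip netns exec "$CLIENT_NS" arping -I "$DEV" -c 1 "$SERVER_IP" | arping_replies)
    pcnt=$(ip netns exec "$SERVER_NS" arptables -L -n -v | rule_pcnt INPUT)
    [ "$after" = 0 ] && [ "$pcnt" -ge 1 ] ||
        { echo "FAIL: replies=$after rule pcnt=$pcnt"; return 1; }
    echo "PASS: ARP request dropped by the INPUT rule (pcnt=$pcnt)"
}

# Constructed samples (copied from the outputs the page shows) so the
# parsers can be exercised without root.
SAMPLE_ARPING_OK='ARPING 192.168.1.1 from 192.168.1.2 eth1
Unicast reply from 192.168.1.1 [C2:C6:D9:61:F5:83]  0.523ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)'
SAMPLE_ARPING_BLOCKED='ARPING 192.168.1.1 from 192.168.1.2 eth1
Sent 1 probes (1 broadcast(s))
Received 0 response(s)'
SAMPLE_ARPTABLES='Chain INPUT (policy ACCEPT 4 packets, 112 bytes)
-j DROP -i eth1 -o * , pcnt=1 -- bcnt=28
Chain OUTPUT (policy ACCEPT 4 packets, 112 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)'

# Usage: sh arptables-case.sh run   (as root). Any other invocation only
# defines the functions, e.g. for the parser self-check.
if [ "${1:-}" = run ]; then
    run_case
fi
```

The parsers are deliberately separate from the namespace plumbing: the live run pipes real command output through them, and the embedded samples let the pass/fail logic be verified on any machine before it is trusted on a test host.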

Expected Results

  1. After the above arptables rule is added, the matching packets (ARP packets arriving on eth1 of the Server) are dropped: the arping from the Client receives no reply and the rule's packet counter increases.