I wrote:
> Have a look at the iptables testsuite, found in CVS. There you can see
> how to _properly_ do such checks. There really is only one way: create
> a ruleset to be checked within a controlled setup (with tunnel interfaces
> and routing tables chosen for the test), and then synthesize a full packet
> to be checked, actually route it through, and see what happens. That's
> what the testsuite does, and there is no less complex replacement
> possible if you want real checking.

If you don't have a spare machine to do this, and you want to do it regularly when changing rules and testsuite, you should be able to fire up a user mode Linux instance (see http://user-mode-linux.sourceforge.net) as your testbed.

best regards
Patrick
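
The "synthesize a full packet and route it through" step described in the message above, as an added example that is not part of the original message and not code from the iptables testsuite. It assumes a Linux testbed with a persistent TUN device under the hypothetical name `fwtest0`, already up and routed by the test setup; the addresses and ports are constructed sample values, and the verdict is then read from the rule counters or a capture on the egress interface.

```python
import fcntl
import os
import socket
import struct

TUNSETIFF = 0x400454CA               # ioctl request from <linux/if_tun.h>
IFF_TUN, IFF_NO_PI = 0x0001, 0x1000  # layer-3 device, no extra packet-info header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_packet(src, dst, sport, dport, payload=b"probe"):
    """Return a complete IPv4/UDP datagram with valid header checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = inet_checksum(pseudo + udp) or 0xFFFF  # 0 on the wire means "none"
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    # Version/IHL 0x45, TTL 64, constructed IP id 0x1234, no fragmentation.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                     64, socket.IPPROTO_UDP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


def inject(packet: bytes, ifname: str = "fwtest0") -> None:
    """Hand the packet to the kernel as if it arrived on the TUN interface.
    Needs root. Assumes the device was created persistently beforehand
    (e.g. `ip tuntap add dev fwtest0 mode tun`), is up, and has routes."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        ifreq = struct.pack("16sH", ifname.encode(), IFF_TUN | IFF_NO_PI)
        fcntl.ioctl(fd, TUNSETIFF, ifreq)
        os.write(fd, packet)  # kernel now routes and filters it
    finally:
        os.close(fd)


# Constructed sample: documentation-range addresses, destination port 53.
SAMPLE = build_udp_packet("192.0.2.10", "198.51.100.20", 40000, 53)
```
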
