def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
h1 = net.addDockerHost(
"h1",
dimage="dev_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e8)
},
)
h2 = net.addDockerHost(
"h2",
dimage="dev_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e8)
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, h1, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, h2, bw=10, delay="10ms")
info("*** Starting network\n")
net.start()
info("*** Create TUN interfaces in h1\n")
h1.cmd("ip tuntap add mode tun tun-test")
h1.cmd("ip link set tun-test up")
print("* Interfaces in the main namespace of h1:")
ret = h1.cmd("ip link")
print(ret)
info(
"*** Load a XDP(eBPF) program to drop all frames sent to and from h2\n"
)
fn = b.load_func("drop_all", BPF.XDP)
b.attach_xdp("s1-h2", fn, 0)
net.ping([h1, h2])
info("*** Remove the XDP(eBPF) program\n")
b.remove_xdp("s1-h2", 0)
net.ping([h1, h2])
info("*** Stopping network")
net.stop()
def testTopo():
# xterms=True, spawn xterms for all nodes after net.start()
net = Containernet(controller=Controller, link=TCLink, xterms=True)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
h1 = net.addDockerHost(
"h1",
dimage="dev_test",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e8),
"hostname": "h1"
},
)
h2 = net.addDockerHost(
"h2",
dimage="dev_test",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e8),
"hostname": "h2"
},
)
h3 = net.addHost("h3", ip="10.0.0.3/24")
h4 = net.addHost("h4", ip="10.0.0.4/24")
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, h1, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, h2, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, h3, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, h4, bw=10, delay="100ms")
info("*** Starting network\n")
net.start()
info("*** Enter CLI\n")
info("Use help command to get CLI usages\n")
CLI(net)
info("*** Stopping network")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
h1 = net.addDockerHost("h1",
dimage="sec_test",
ip="10.0.0.1",
docker_args={"cpuset_cpus": "0"})
h2 = net.addDockerHost("h2",
dimage="sec_test",
ip="10.0.0.2",
docker_args={"cpuset_cpus": "0"})
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, h1, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, h2, bw=10, delay="10ms")
info("*** Starting network\n")
net.start()
test_connection(h2)
info("*** Add drop all nftables rule\n")
h1.cmd("nft add table inet filter")
h1.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }"
)
h1.cmd("nft add rule inet filter input ip saddr 10.0.0.2 counter drop")
test_connection(h2)
print(h1.cmd("nft list table inet filter"))
info("*** Stopping network")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(build=False,
link=TCLink,
xterms=False,
autoSetMacs=True,
autoStaticArp=True)
info("*** Adding Controller\n")
controller = net.addController("c0",
controller=RemoteController,
ip="127.0.0.1",
port=6633)
controller.start()
info("*** Add switches\n")
for i in range(4):
sw = net.addSwitch("s%d" % (i + 1), dpid="%016x" % (i + 1))
sw.start([controller])
sw.cmdPrint("ovs-ofctl show s%d" % (i + 1))
sw.cmdPrint("ovs-vsctl show")
info("Add hosts\n")
for i in range(4):
net.addDockerHost("h%d" % (i + 1),
dimage="dev_test",
ip="10.0.0.%d" % (i + 1))
info("*** Add links\n")
http_link_config = {"bw": 1}
video_link_config = {"bw": 10}
net.addLinkNamedIfce("s1", "s2", **http_link_config)
net.addLinkNamedIfce("s2", "s4", **http_link_config)
net.addLinkNamedIfce("s1", "s3", **video_link_config)
net.addLinkNamedIfce("s3", "s4", **video_link_config)
net.addLinkNamedIfce("s1", "h1", bw=100, use_htb=True)
net.addLinkNamedIfce("s1", "h2", bw=100, use_htb=True)
net.addLinkNamedIfce("s4", "h3", bw=100, use_htb=True)
net.addLinkNamedIfce("s4", "h4", bw=100, use_htb=True)
net.build()
info("*** Starting network\n")
net.start()
info("*** Enter CLI\n")
info("Use help command to get CLI usages\n")
CLI(net)
info("*** Stopping network")
net.stop()
def testTopo():
"""testTopo"""
net = Containernet(
controller=Controller,
link=TCLink,
autoSetMacs=True,
autoStaticArp=True,
xterms=True,
)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="yolov2",
ip="10.0.0.11/24",
docker_args={
"cpuset_cpus": "0",
"hostname": "client"
},
)
vnf = net.addDockerHost(
"vnf",
dimage="yolov2",
ip="10.0.0.12/24",
docker_args={
"cpuset_cpus": "0",
"hostname": "vnf"
},
)
# Run server on another vCPU since it is more compute-intensive than client
# and vnf.
server = net.addDockerHost(
"server",
dimage="yolov2",
ip="10.0.0.21/24",
docker_args={
"cpuset_cpus": "1",
"hostname": "server"
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="150ms", use_htb=True)
net.addLinkNamedIfce(s1, vnf, bw=10, delay="150ms", use_htb=True)
net.addLinkNamedIfce(s1, server, bw=10, delay="150ms", use_htb=True)
info("*** Starting network\n")
net.start()
net.pingAll()
add_ovs_flows()
ifces = ["s1-vnf"]
disable_cksum_offload(ifces)
info("*** Enter CLI\n")
CLI(net)
info("*** Stopping network")
net.stop()
def testTopo():
# xterms=True, spawn xterms for all nodes after net.start()
net = Containernet(controller=Controller, link=TCLink, xterms=True)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
compressor = net.addDockerHost(
"compressor",
dimage="o2sc",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000,
"hostname": "compressor"
},
)
decompressor = net.addDockerHost(
"decompressor",
dimage="o2sc",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000,
"hostname": "decompressor",
},
)
source_1 = net.addDockerHost(
"source_1",
dimage="o2sc",
ip="10.0.0.11/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000,
"hostname": "source_1"
},
)
source_2 = net.addDockerHost(
"source_2",
dimage="o2sc",
ip="10.0.0.12/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000,
"hostname": "source_2"
},
)
source_3 = net.addDockerHost(
"source_3",
dimage="o2sc",
ip="10.0.0.13/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000,
"hostname": "source_3"
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, compressor, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, decompressor, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, source_1, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, source_2, bw=10, delay="100ms")
net.addLinkNamedIfce(s1, source_3, bw=10, delay="100ms")
info("*** Starting network\n")
net.start()
net.pingAll()
info("*** Enter CLI\n")
info("Use help command to get CLI usages\n")
CLI(net)
info("*** Stopping network")
net.stop()
def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=100, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=100, delay="10ms")
info("*** Starting network\n")
try:
net.start()
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
info("\n")
# Create whitelist
info("*** Create whitelist\n")
server.cmd("nft add table inet filter")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept")
# The server can talk back to client
info("** server -> client\n")
info("** " + str(test_connection(server, "10.0.0.1")) + "\n")
# But he cannot talk to some other server on the internet, this is a problem
info("** server -> internet\n")
info("** " + str(test_connection(server, "8.8.8.8")) + "\n")
info("\n")
info(
"*** The server can only communicate with the client because of the implemented whitelist filtering.\n"
)
info(
"*** When the server wants to talk to the internet the internet cannot talk back because the incoming "
"traffic is dropped.\n")
info(
"*** Use the connection tracking state to allow established connections to answer the server.\n"
)
info("*** Do this without removing the whitelist.\n")
while not test_connection(server, "8.8.8.8") or not test_connection(
client, "10.0.0.2"):
sleep(5)
info("** server -> internet\n")
info("** " + str(test_connection(server, "8.8.8.8")) + "\n")
info(
"*** Now we want to make sure that the client cannot overload the server with traffic.\n"
)
info("*** Drop all traffic of the client that exceeds 10 Mbit/s.\n")
# client is overdoing it a little and our server cannot handle all of its requests...
server.cmd("iperf -s &")
while try_to_flood_the_server(client):
sleep(5)
info("\n")
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
router = net.addDockerHost(
"router",
dimage="sec_test",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
internal1 = net.addDockerHost(
"internal1",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
internal2 = net.addDockerHost(
"internal2",
dimage="sec_test",
ip="192.168.0.2",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
internet = net.addDockerHost(
"internet",
dimage="sec_test",
ip="100.64.0.2",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
s2 = net.addSwitch("s2")
s3 = net.addSwitch("s3")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s2, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s3, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s1, internal1, bw=100, delay="10ms")
net.addLinkNamedIfce(s2, internal2, bw=100, delay="10ms")
net.addLinkNamedIfce(s3, internet, bw=100, delay="10ms")
info("*** Starting network\n")
net.start()
# Setup the router
router.cmd("ip a a 10.0.0.1/24 dev router-s1")
router.cmd("ip a a 192.168.0.1/24 dev router-s2")
router.cmd("ip a a 100.64.0.1/24 dev router-s3")
# Configure the router as default gateway
internal1.cmd("ip r c default via 10.0.0.1")
internal2.cmd("ip r c default via 192.168.0.1")
internet.cmd("ip r c default via 100.64.0.1")
# Start some services
internal2.cmd("service ssh start")
internal2.cmd("nc -l -p 1337 &")
router.cmd("service ssh start")
check_connectivity_between_hosts(router, internal1, internal2, internet)
"""
info('*** Create firewall whitelist\n')
router.cmd("nft add table inet filter")
router.cmd("nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }")
router.cmd("nft add rule inet filter forward ct state established,related ip daddr 10.0.0.0/24 accept")
router.cmd("nft add rule inet filter forward ip saddr 10.0.0.0/24 accept")
router.cmd("nft add rule inet filter forward ip saddr 192.168.0.0/24 accept")
"""
router.cmd("nft add table inet filter")
router.cmd(
"nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }"
)
router.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }"
)
router.cmd("nft add chain inet filter forward-s1")
router.cmd("nft add chain inet filter forward-s2")
router.cmd("nft add chain inet filter forward-s3")
router.cmd(
"nft add rule inet filter forward iif router-s1 counter jump forward-s1"
)
router.cmd(
"nft add rule inet filter forward iif router-s2 counter jump forward-s2"
)
router.cmd(
"nft add rule inet filter forward iif router-s3 counter jump forward-s3"
)
router.cmd(
"nft add rule inet filter forward-s1 tcp dport {ssh, 1337} drop")
router.cmd(
"nft add rule inet filter forward-s1 ip saddr 10.0.0.0/24 accept")
router.cmd(
"nft add rule inet filter forward-s2 ip saddr 192.168.0.0/24 accept")
router.cmd(
"nft add rule inet filter forward-s3 ct state established,related ip daddr 10.0.0.0/24 accept"
)
check_connectivity_between_hosts(router, internal1, internal2, internet)
info("*** Stopping network")
net.stop()
def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
router = net.addDockerHost(
"router",
dimage="sec_test",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
internal1 = net.addDockerHost(
"internal1",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
internal2 = net.addDockerHost(
"internal2",
dimage="sec_test",
ip="192.168.0.2",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
internet = net.addDockerHost(
"internet",
dimage="sec_test",
ip="100.64.0.2",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
s2 = net.addSwitch("s2")
s3 = net.addSwitch("s3")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s2, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s3, router, bw=100, delay="10ms")
net.addLinkNamedIfce(s1, internal1, bw=100, delay="10ms")
net.addLinkNamedIfce(s2, internal2, bw=100, delay="10ms")
net.addLinkNamedIfce(s3, internet, bw=100, delay="10ms")
try:
info("*** Starting network\n")
net.start()
# Setup the router
router.cmd("ip a a 10.0.0.1/24 dev router-s1")
router.cmd("ip a a 192.168.0.1/24 dev router-s2")
router.cmd("ip a a 100.64.0.1/24 dev router-s3")
# Configure the router as default gateway
internal1.cmd("ip r c default via 10.0.0.1")
internal2.cmd("ip r c default via 192.168.0.1")
internet.cmd("ip r c default via 100.64.0.1")
# Start some services
internal2.cmd("service ssh start")
internal2.cmd("nc -l -p 1337 &")
router.cmd("service ssh start")
# Create whitelist
info("*** Create firewall whitelist\n")
router.cmd("nft add table inet filter")
router.cmd(
"nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }"
)
router.cmd(
"nft add rule inet filter forward ct state established,related ip daddr 192.168.0.0/24 accept"
)
router.cmd(
"nft add rule inet filter forward ip saddr 10.0.0.0/24 accept")
router.cmd(
"nft add rule inet filter forward ip saddr 192.168.0.0/24 accept")
info(
"*** Rewrite the present filter ruleset and create one chain for each of the 3 networks.\n"
)
info(
"*** You can use the network interfaces to distinguish the traffic from the networks.\n"
)
info(
"*** Additionally filter traffic to the ports 22 and 1337 on the router and the internal networks.\n"
)
while not check_connectivity_between_hosts(router, internal1,
internal2, internet):
sleep(5)
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def create_dumbbell():
"""Create a single dumbbell topology with the given number of hosts on one side"""
num_hosts = 2
net = Containernet(
controller=Controller,
link=TCLink,
xterms=False,
)
topo_params = {
"sfc_port": SFC_PORT,
"no_sfc_port": NO_SFC_PORT,
"control_port": CONTROL_PORT,
}
nodes = {}
info("*** Adding controller, listening on port 6653, use OpenFlow 1.3\n")
c1 = net.addController(
"c1", controller=RemoteController, port=6653, protocols="OpenFlow13"
)
topo_params.update({"controllers": [{"name": "c1", "port": 6653}]})
info(f"*** Adding {num_hosts} clients and {num_hosts} servers\n")
# Boilerplate code...
clients = []
servers = []
topo_params["clients"] = {}
topo_params["servers"] = {}
# TODO: Play with cpuset_cpus if measurement results are not good enough
for i in range(1, num_hosts + 1):
client_ip = f"10.0.1.{10+i}/16"
server_ip = f"10.0.2.{10+i}/16"
client = net.addDockerHost(
f"client{i}",
dimage=f"{DIMAGE}",
ip=client_ip,
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e9),
"hostname": f"client{i}",
"working_dir": "/coin_dl",
"volumes": {
CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"},
},
},
)
server = net.addDockerHost(
f"server{i}",
dimage=f"{DIMAGE}",
ip=server_ip,
docker_args={
"cpuset_cpus": "1",
"nano_cpus": int(1e9),
"hostname": f"server{i}",
"working_dir": "/coin_dl",
"volumes": {
CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"},
},
},
)
clients.append(client)
topo_params["clients"][client.name] = {
"ip": client_ip,
}
servers.append(server)
topo_params["servers"][server.name] = {
"ip": server_ip,
}
info("*** Adding two switches and two VNF nodes\n")
s1 = net.addSwitch("s1", protocols="OpenFlow13")
s2 = net.addSwitch("s2", protocols="OpenFlow13")
switches = [s1, s2]
DPDK_VOLUME = {
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/dev": {"bind": "/dev", "mode": "rw"},
CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"},
}
vnfs = []
for i in range(1, len(switches) + 1):
vnf = net.addDockerHost(
f"vnf{i}",
dimage=f"{DIMAGE}",
ip=f"10.0.3.{10+i}/16",
docker_args={
"cpuset_cpus": "3",
"nano_cpus": int(9e8 / 2),
"hostname": f"vnf{i}",
"volumes": DPDK_VOLUME,
"working_dir": "/coin_dl",
},
)
vnfs.append(vnf)
# TODO: Pick up the suitable parameters here.
# TODO: Use better DS and names for parameters here.
BW_MAX_NODE = 1000 # 1Gb/sec
DELAY_MIN_NODE_MS = 1
DELAY_MIN_NODE_MS_STR = f"{DELAY_MIN_NODE_MS}ms"
BW_MIN_NODE = 100
DELAY_MAX_NODE_MS = 10
DELAY_MAX_NODE_MS_STR = f"{DELAY_MAX_NODE_MS}ms"
BW_BOTTLENECK = 100 # Mbits/s
DELAY_BOTTLENECK_MS = 100
DELAY_BOTTLENECK_MS_STR = str(DELAY_BOTTLENECK_MS) + "ms"
BDP = ((BW_BOTTLENECK * 10 ** 6) * (DELAY_BOTTLENECK_MS * 10 ** -3)) / 8.0
info(f"\n*** The BDP of the bottleneck link is {BDP:.2f} B\n")
topo_params.update(
{
"bottleneck": {
"bandwidth_mbps": BW_BOTTLENECK,
"delay_ms": DELAY_BOTTLENECK_MS,
"BDP_B": BDP,
}
}
)
info("*** Creating links\n")
for client, server in zip(clients, servers):
# TODO (Zuo): Check if max_queue_size need to be added here
net.addLinkNamedIfce(client, s1, bw=BW_MAX_NODE, delay=DELAY_MIN_NODE_MS_STR)
# Here... the server should also be a "bottleneck"
net.addLinkNamedIfce(s2, server, bw=BW_MIN_NODE, delay=DELAY_MAX_NODE_MS_STR)
# Add bottleneck link
net.addLinkNamedIfce(s1, s2, bw=BW_BOTTLENECK, delay=DELAY_BOTTLENECK_MS_STR)
for switch, vnf in zip(switches, vnfs):
# TODO (Zuo): Check if max_queue_size need to be added here, to remove additional queuing latency of VNF data interfaces
net.addLinkNamedIfce(switch, vnf, bw=BW_MAX_NODE, delay="0ms")
with open("./dumbbell.json", "w+", encoding="ascii") as f:
json.dump(topo_params, f, sort_keys=True, indent=2)
nodes["clients"] = clients
nodes["servers"] = servers
nodes["switches"] = switches
nodes["vnfs"] = vnfs
nodes["controllers"] = [c1]
return (net, nodes, topo_params)
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
info("*** Starting network\n")
net.start()
info("*** Attacker, Client and Server setup\n")
client.cmd("ping -c 10 10.0.0.2")
attacker.cmd(
"printf -- '#!/bin/bash\narpspoof -i attacker-s1 -t 10.0.0.1 10.0.0.2 >> /dev/null &\narpspoof -i attacker-s1 -t 10.0.0.2 10.0.0.1 >> /dev/null &' > spoof.sh; chmod +x spoof.sh; ./spoof.sh"
)
sleep(10)
attacker.cmd("tcpdump -vvv -i attacker-s1 -B 100000 ip >> messages.log &")
sleep(10)
server.cmd("mkdir -p /var/run/vsftpd/empty")
server.cmd("vsftpd &")
info("*** Create wg key pairs\n")
client.cmd("umask 077; wg genkey > privatekey")
client.cmd("wg pubkey < privatekey > publickey")
client_pubkey = client.cmd("cat ./publickey").replace("\n", " ").replace(
"\r", "")
server.cmd("umask 077; wg genkey > privatekey")
server.cmd("wg pubkey < privatekey > publickey")
server_pubkey = server.cmd("cat ./publickey").replace("\n", " ").replace(
"\r", "")
info("*** Create wg interfaces\n")
client.cmd("ip link add dev wg0 type wireguard")
client.cmd("ip address add dev wg0 192.168.0.1/24")
server.cmd("ip link add dev wg0 type wireguard")
server.cmd("ip address add dev wg0 192.168.0.2/24")
info("*** Setup peer configuration\n")
client.cmd(
"wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.2:1337"
.format(server_pubkey))
client.cmd("ip link set up dev wg0")
server.cmd(
"wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.1:1337"
.format(client_pubkey))
server.cmd("ip link set up dev wg0")
test_connection(client, "192.168.0.2")
login_at_ftp_server(client, "192.168.0.2")
info("*** Extract Passwords\n")
sleep(20)
output = attacker.cmd("cat messages.log")
password_found = False
for line in output.split("\n"):
if "PASS" in line:
password_found = True
info("*** Found password: "******"\n")
if not password_found:
info("*** No password found!\n")
info("*** Stopping network\n")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
center = net.addDockerHost(
"center",
dimage="sec_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
client1 = net.addDockerHost(
"h2",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
client2 = net.addDockerHost(
"h3",
dimage="sec_test",
ip="10.0.0.3",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
client3 = net.addDockerHost(
"h4",
dimage="sec_test",
ip="10.0.0.4",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, center, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, client1, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, client2, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, client3, bw=10, delay="10ms")
try:
info("*** Starting network\n")
net.start()
info("*** Create wg key pairs\n")
center_private_key, center_public_key = generate_key_pair_for_host(
center)
h2_private_key, h2_public_key = generate_key_pair_for_host(client1)
h3_private_key, h3_public_key = generate_key_pair_for_host(client2)
h4_private_key, h4_public_key = generate_key_pair_for_host(client3)
info("*** Create wg interfaces\n")
info(
"*** Create a star topology with center as the center. Instead of using wg tool write a configuration for the\n"
)
info(
"*** interface and place it in /etc/wireguard/wg0.conf, then use the wg-quick command to setup the interface.\n"
)
info(
"*** The wg and wg-quick manpages contain a reference for the syntax of the configuration file.\n"
)
info(
"*** Use the network 192.168.0.0/24 for the inner tunnel and asign 192.168.0.1 to the center.\n"
)
while (not test_connection(client1, "192.168.0.1")
or not test_connection(client2, "192.168.0.1")
or not test_connection(client3, "192.168.0.1")):
sleep(10)
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def run_benchmark(proto):
net = Containernet(controller=Controller,
link=TCLink,
switch=OVSSwitch,
autoStaticArp=False)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
# MARK: The relay should run on a different CPU core as the client and
# server. To avoid cache misses of the VNF running on the relay.
info("*** Adding client and server.\n")
client = net.addDockerHost(
"client",
dimage="lat_bm:latest",
ip="10.0.0.100/24",
docker_args={
"cpuset_cpus": "0",
"volumes": {
"%s" % FFPP_DIR: {
"bind": "/ffpp",
"mode": "ro"
}
},
},
)
net.addLinkNamedIfce(s1, client, delay="100ms")
server = net.addDockerHost(
"server",
dimage="lat_bm:latest",
ip="10.0.0.200/24",
docker_args={"cpuset_cpus": "0"},
)
net.addLinkNamedIfce(s1, server, delay="100ms")
if ADD_RELAY:
cpus_relay = "1"
if TEST_NF == "l2fwd-power":
print(
"*** [INFO] l2fwd-power application require at least one master and one slave core.\n"
"The master handles timers and slave core handles forwarding task."
)
cpus_relay = "0,1"
info("*** Adding relay.\n")
# Need additional mounts to run DPDK application
# MARK: Just used for development, never use this in production container
# setup.
relay = net.addDockerHost(
"relay",
dimage="ffpp:latest",
ip="10.0.0.101/24",
docker_args={
"cpuset_cpus": cpus_relay,
"nano_cpus": int(1.0 * 1e9),
"volumes": {
"/sys/bus/pci/drivers": {
"bind": "/sys/bus/pci/drivers",
"mode": "rw",
},
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/sys/devices/system/node": {
"bind": "/sys/devices/system/node",
"mode": "rw",
},
"/dev": {
"bind": "/dev",
"mode": "rw"
},
"%s" % FFPP_DIR: {
"bind": "/ffpp",
"mode": "rw"
},
},
},
)
net.addLinkNamedIfce(s1, relay, delay="100ms")
info("*** Starting network\n")
net.start()
net.pingAll()
nodes = [n.name for n in net.hosts]
sw_ifaces = [f"s1-{n}" for n in nodes]
info("*** Disable kernel IP checksum offloading.\n")
for iface in sw_ifaces:
check_output(split(f"ethtool --offload {iface} rx off tx off"))
node_portnum_map = {n: getOFPort(s1, f"s1-{n}") for n in nodes}
if ADD_RELAY:
info("*** Add OpenFlow rules for traffic redirection.\n")
peer_map = {"client": "relay", "relay": "server", "server": "client"}
for p in ["udp", "tcp"]:
for peer in peer_map.keys():
check_output(
split(
'ovs-ofctl add-flow s1 "{},in_port={},actions=output={}"'
.format(p, node_portnum_map[peer],
node_portnum_map[peer_map[peer]])))
if DEBUG:
flow_table = s1.dpctl("dump-flows")
print(f"*** Current flow table of s1: \n {flow_table}")
info("*** Run DPDK helloworld\n")
relay.cmd("cd $RTE_SDK/examples/helloworld && make")
ret = relay.cmd(
"cd $RTE_SDK/examples/helloworld/build && ./helloworld")
print(f"Output of helloworld app:\n{ret}")
DISPATCHER[TEST_NF](relay)
server.cmd("pkill sockperf")
setup_server(server, proto)
for mps in LAT_TEST_PARAS["client_mps_list"]:
run_latency_test(server, client, proto, mps)
time.sleep(3)
if ENTER_CLI:
info("*** Enter CLI\n")
info("Use help command to get CLI usages\n")
CLI(net)
info("*** Stopping network")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=100, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=100, delay="10ms")
info("*** Starting network\n")
net.start()
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("\n")
# Create whitelist
info("*** Create whitelist\n")
server.cmd("nft add table inet filter")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept")
# The server can talk back to client
info("** server -> client\n")
test_connection(server, "10.0.0.2")
# But he cannot talk to some other server on the internet, this is a problem
info("** server -> internet\n")
test_connection(server, "8.8.8.8")
info("\n")
info("*** Enable connection tracking\n")
server.cmd(
"nft add rule inet filter input ct state established,related accept")
info("** server -> internet\n")
test_connection(server, "8.8.8.8")
# client is overdoing it a little and our server cannot handle all of its requests...
info("*** client is flodding server with too many requests!\n")
server.cmd("iperf -s &")
print(client.cmd("iperf -c 10.0.0.2"))
server.cmd(
"nft insert rule inet filter input position 2 limit rate over 1 mbytes/second drop"
)
print(client.cmd("iperf -c 10.0.0.2"))
info("\n")
info("*** Stopping network")
net.stop()
def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
try:
info("*** Starting network\n")
net.start()
info("*** Attacker, Client and Server setup\n")
client.cmd("ping -c 10 10.0.0.2")
attacker.cmd(
"printf -- '#!/bin/bash\narpspoof -i attacker-s1 -t 10.0.0.1 10.0.0.2 >> /dev/null &\narpspoof -i attacker-s1 -t 10.0.0.2 10.0.0.1 >> /dev/null &' > spoof.sh; chmod +x spoof.sh; ./spoof.sh"
)
sleep(10)
attacker.cmd(
"tcpdump -vvv -i attacker-s1 -B 100000 ip >> messages.log &")
sleep(10)
server.cmd("mkdir -p /var/run/vsftpd/empty")
server.cmd("vsftpd &")
info(
"*** Setup a tunnel to protect the ftp request from the MitM attacker!\n"
)
info(
"*** First create key pairs for the client and server and then establish a WireGuard tunnel between them\n"
)
info("*** Use the inner tunnel ip 192.168.0.2 for the server!\n")
x = 0
while not check_secure_network_tunnel(attacker, client, x):
sleep(10)
x = x + 1
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "1",
"cpu_quota": 25000
},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3/24",
docker_args={
"cpuset_cpus": "0",
"cpu_quota": 25000
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
info("*** Starting network\n")
net.start()
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
info("\n")
# Create blacklist
info("*** Create blacklist\n")
server.cmd("nft add table inet filter")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.3 drop")
# Check if client can connect and attacker can not.
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
# attacker changes her ip address
info("*** attacker changes ip address to a different one!\n")
attacker.cmd("ip a f dev attacker-s1")
attacker.cmd("ip a a 10.0.0." + str(random.randint(3, 250)) +
"/24 dev attacker-s1")
# attacker can connect again
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
info("\n")
# Change to whitelist
info("*** Create whitelist\n")
server.cmd("nft flush rule inet filter input")
server.cmd(
"nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }"
)
server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept")
# The server can talk back to server
info("** client -> server\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
test_connection(attacker, "10.0.0.2")
info("*** Stopping network")
net.stop()
"pid_mode": "host"
},
)
h3 = net.addDockerHost(
"h3",
dimage="dev_test",
ip="10.0.0.12/24",
docker_args={
"hostname": "h3",
"pid_mode": "host"
},
)
info("*** Adding switch and links\n")
s1 = net.addSwitch("s1")
net.addLinkNamedIfce(s1, h1, bw=1000, delay="5ms")
# Add the interfaces for service traffic.
net.addLinkNamedIfce(s1, h2, bw=1000, delay="5ms")
net.addLinkNamedIfce(s1, h3, bw=1000, delay="5ms")
# Add the interface for host internal traffic.
net.addLink(s1,
h2,
bw=1000,
delay="1ms",
intfName1="s1-h2-int",
intfName2="h2-s1-int")
net.addLink(s1,
h3,
bw=1000,
delay="1ms",
intfName1="s1-h3-int",
def testMuNF(nano_cpus):
net = Containernet(controller=Controller, link=TCLink)
mgr = VNFManager(net)
start_ts = time.time()
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding Docker hosts\n")
pktgen = net.addDockerHost(
"pktgen",
dimage=f"trex:{TREX_VER}",
ip="10.0.0.1/24",
docker_args={
"cpuset_cpus": "0",
"hostname": "pktgen",
"volumes": {
os.path.join(TREX_CONF_DIR, "trex_cfg.yaml"): {
"bind": "/etc/trex_cfg.yaml",
"mode": "rw",
},
TREX_CONF_DIR: {"bind": f"/trex/{TREX_VER}/local", "mode": "rw"},
},
},
)
dut = net.addDockerHost(
"dut",
dimage=f"ffpp:{FFPP_VER}",
ip="10.0.0.2/24",
docker_args={
"cpuset_cpus": "1,2",
"nano_cpus": int(nano_cpus),
"hostname": "dut",
"volumes": {
"/sys/bus/pci/drivers": {"bind": "/sys/bus/pci/drivers", "mode": "rw"},
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/sys/devices/system/node": {
"bind": "/sys/devices/system/node",
"mode": "rw",
},
"/dev": {"bind": "/dev", "mode": "rw"},
FFPP_DIR: {"bind": "/ffpp", "mode": "rw"},
},
},
)
s1 = net.addSwitch("s1")
# Control plane links.
net.addLinkNamedIfce(s1, pktgen)
net.addLinkNamedIfce(s1, dut)
# Data plane links.
net.addLink(
dut, pktgen, bw=1000, delay="1ms", intfName1="vnf-in", intfName2="pktgen-out"
)
net.addLink(
dut, pktgen, bw=1000, delay="1ms", intfName1="vnf-out", intfName2="pktgen-in"
)
pktgen.cmd("ip addr add 192.168.17.1/24 dev pktgen-out")
pktgen.cmd("ip addr add 192.168.18.1/24 dev pktgen-in")
dut.cmd("ip addr add 192.168.17.2/24 dev vnf-in")
dut.cmd("ip addr add 192.168.18.2/24 dev vnf-out")
# TODO: Deploy a chain of CNFs.
cnfs = list()
for n in range(1):
cnf = mgr.addContainer(
f"cnf{n}",
"dut",
f"ffpp:{FFPP_VER}",
"/bin/bash",
docker_args={
"volumes": {
"/sys/bus/pci/drivers": {
"bind": "/sys/bus/pci/drivers",
"mode": "rw",
},
"/sys/kernel/mm/hugepages": {
"bind": "/sys/kernel/mm/hugepages",
"mode": "rw",
},
"/sys/devices/system/node": {
"bind": "/sys/devices/system/node",
"mode": "rw",
},
"/dev": {"bind": "/dev", "mode": "rw"},
FFPP_DIR: {"bind": "/ffpp", "mode": "rw"},
}
},
)
cnfs.append(cnf)
net.start()
# Avoid looping
pktgen.cmd("ip addr flush dev pktgen-s1")
pktgen.cmd("ip link set pktgen-s1 down")
dut.cmd("ip addr flush dev dut-s1")
dut.cmd("ip link set dut-s1 down")
pktgen.cmd("ping -c 5 192.168.17.2")
pktgen.cmd("ping -c 5 192.168.18.2")
duration = time.time() - start_ts
print(f"Setup duration: {duration:.2f} seconds.")
CLI(net)
info("*** Stopping network\n")
net.stop()
mgr.stop()
def testTopo():
"Create an empty network and add nodes to it."
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
h1 = net.addDockerHost(
"h1",
dimage="sec_test",
ip="10.0.0.1",
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e8)
},
)
h2 = net.addDockerHost(
"h2",
dimage="sec_test",
ip="10.0.0.2",
docker_args={
"cpuset_cpus": "0",
"nano_cpus": int(1e8)
},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, h1, bw=10, delay="1ms", use_htb=True)
net.addLinkNamedIfce(s1, h2, bw=10, delay="1ms", use_htb=True)
info("*** Starting network\n")
net.start()
info("*** Create wg key pairs\n")
h1.cmd("umask 077; wg genkey > privatekey")
h1.cmd("wg pubkey < privatekey > publickey")
h1_pubkey = h1.cmd("cat ./publickey").replace("\n", " ").replace("\r", "")
h2.cmd("umask 077; wg genkey > privatekey")
h2.cmd("wg pubkey < privatekey > publickey")
h2_pubkey = h2.cmd("cat ./publickey").replace("\n", " ").replace("\r", "")
info("*** Create wg interfaces\n")
h1.cmd("ip link add dev wg0 type wireguard")
h1.cmd("ip address add dev wg0 192.168.0.1/24")
h2.cmd("ip link add dev wg0 type wireguard")
h2.cmd("ip address add dev wg0 192.168.0.2/24")
info("*** Setup peer configuration\n")
h1.cmd(
"wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.2:1337"
.format(h2_pubkey))
h1.cmd("ip link set up dev wg0")
h2.cmd(
"wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.1:1337"
.format(h1_pubkey))
h2.cmd("ip link set up dev wg0")
info("*** Test the connection\n")
print("* Ping test count: %d" % PING_COUNT)
ret = h1.cmd("ping -c %d 192.168.0.2" % PING_COUNT)
sent, received = tool.parsePing(ret)
measured = ((sent - received) / float(sent)) * 100.0
print("* Measured loss rate: {:.2f}%".format(measured))
info("*** Stopping network")
net.stop()
def testTopo():
net = Containernet(controller=Controller, link=TCLink)
info("*** Adding controller\n")
net.addController("c0")
info("*** Adding hosts\n")
client = net.addDockerHost(
"client",
dimage="sec_test",
ip="10.0.0.1/24",
docker_args={"cpuset_cpus": "1", "cpu_quota": 25000},
)
server = net.addDockerHost(
"server",
dimage="nginx",
ip="10.0.0.2/24",
docker_args={"cpuset_cpus": "1", "cpu_quota": 25000},
)
attacker = net.addDockerHost(
"attacker",
dimage="sec_test",
ip="10.0.0.3/24",
docker_args={"cpuset_cpus": "0", "cpu_quota": 25000},
)
info("*** Adding switch\n")
s1 = net.addSwitch("s1")
info("*** Creating links\n")
net.addLinkNamedIfce(s1, client, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, server, bw=10, delay="10ms")
net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms")
try:
info("*** Starting network\n")
net.start()
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
info(
"*** The client and the attacker can both communicate with the server \n\n"
)
# Create blacklist
info(
"*** Create a blacklist that stops the attacker from accessing the server.\n"
)
info(
"*** First create a nftables table for IPv4 and IPv6 and then add a base chain connected to the input hook.\n"
)
info(
"*** Finally add a rule to the base chain that drops packets coming from the attacker (10.0.0.3).\n"
)
info("*** When the attacker is blocked the exercise continues.\n")
# Check if client can connect and attacker can not.
while not test_connection(client, "10.0.0.2") or test_connection(
attacker, "10.0.0.2"
):
sleep(5)
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
info("\n")
info(
"*** The attacker is blocked and the client can still access the server.\n"
)
info("*** The attacker changed her IP address to a different one!\n")
info(
"*** Implement a whitelist that only allows the client to connect to the server.\n"
)
attacker_ip = "10.0.0." + str(random.randint(3, 250))
attacker.cmd("ip a f dev attacker-s1")
attacker.cmd("ip a a " + attacker_ip + "/24 dev attacker-s1")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
# Check if client can connect and attacker can not.
while not test_connection(client, "10.0.0.2") or test_connection(
attacker, "10.0.0.2"
):
sleep(5)
info("\n")
# The server can talk back to server
info("** client -> server\n")
info("** " + str(test_connection(client, "10.0.0.2")) + "\n")
test_connection(client, "10.0.0.2")
info("** attacker -> server\n")
info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n")
except KeyboardInterrupt:
info("** KeyboardInterrupt detected, exit the program.\n")
finally:
info("*** Stopping network")
net.stop()
