def test_arp_spoof_allowed_address_pairs_0cidr(self):
    """A /0 allowed-address-pair entry must not break reachability.

    The destination port is set up with an allowed address pair whose
    prefix length is zero ('9.9.9.9/0') plus one unrelated address;
    the destination's own address is not listed explicitly, so the /0
    entry is presumably what admits it. A ping from the source
    namespace to the destination address must succeed.
    """
    allowed_pairs = ['9.9.9.9/0', '1.2.3.4']
    self._setup_arp_spoof_for_port(self.dst_p.name, allowed_pairs)
    src_cidr = '%s/24' % self.src_addr
    dst_cidr = '%s/24' % self.dst_addr
    self.src_p.addr.add(src_cidr)
    self.dst_p.addr.add(dst_cidr)
    ping_check = helpers.Pinger(self.src_ns)
    ping_check.assert_ping(self.dst_addr)
def test_arp_spoof_allowed_address_pairs(self):
    """Explicit allowed address pairs keep the destination reachable.

    The destination port's allowed list holds an extra address
    ('192.168.0.3') next to its own address; ARP-spoofing protection
    must still let a ping from the source namespace through.
    """
    allowed_pairs = ['192.168.0.3', self.dst_addr]
    self._setup_arp_spoof_for_port(self.dst_p.name, allowed_pairs)
    src_cidr = '%s/24' % self.src_addr
    dst_cidr = '%s/24' % self.dst_addr
    self.src_p.addr.add(src_cidr)
    self.dst_p.addr.add(dst_cidr)
    ping_check = helpers.Pinger(self.src_ns)
    ping_check.assert_ping(self.dst_addr)
def test_arp_spoof_doesnt_block_normal_traffic(self):
    """Protection configured with each port's real address passes traffic.

    Both ports get ARP-spoofing protection restricted to exactly the
    address they carry, and a ping between them must succeed — i.e. the
    protection must only drop spoofed traffic, not legitimate traffic.
    """
    port_addresses = (
        (self.src_p, self.src_addr),
        (self.dst_p, self.dst_addr),
    )
    for port, address in port_addresses:
        self._setup_arp_spoof_for_port(port.name, [address])
    for port, address in port_addresses:
        port.addr.add('%s/24' % address)
    ping_check = helpers.Pinger(self.src_ns)
    ping_check.assert_ping(self.dst_addr)
def test_port_sec_within_firewall(self):
    """Port security inside the firewall drops a spoofed source MAC.

    Steps: (1) install security-group rules that admit ICMP ingress
    from anywhere and any egress, so the baseline ping passes;
    (2) change the source veth's MAC to a spoofed value and expect the
    ping to be dropped; (3) set ``port_security_enabled`` to False on
    the port description, re-apply the port filter, and expect the ping
    to pass again.
    """
    ping_check = helpers.Pinger(self.src_ip_wrapper)
    ingress_icmp = {
        'ethertype': 'IPv4',
        'direction': 'ingress',
        'source_ip_prefix': '0.0.0.0/0',
        'protocol': 'icmp',
    }
    egress_any = {
        'ethertype': 'IPv4',
        'direction': 'egress',
    }
    # Baseline: with permissive rules the ping must reach the destination.
    with self.firewall.defer_apply():
        self.firewall.update_security_group_rules(
            self.FAKE_SECURITY_GROUP_ID, [ingress_icmp, egress_any])
        self.firewall.prepare_port_filter(self.src_port_desc)
    ping_check.assert_ping(self.DST_ADDRESS)
    # While port security is on, a spoofed source MAC must be dropped.
    self._set_src_mac(self.MAC_SPOOFED)
    ping_check.assert_no_ping(self.DST_ADDRESS)
    # After disabling port security on the port, the ping is expected
    # to pass again with the same spoofed MAC.
    self.src_port_desc['port_security_enabled'] = False
    self.firewall.update_port_filter(self.src_port_desc)
    ping_check.assert_ping(self.DST_ADDRESS)
def test_arp_spoof_blocks_response(self):
    """An address missing from the allowed list makes the port unreachable.

    The destination port's protection only allows '192.168.0.3', which is
    not the address it actually carries, so it must be prevented from
    answering the ARP request for its own address; the ping from the
    source namespace must therefore fail.
    """
    self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
    src_cidr = '%s/24' % self.src_addr
    dst_cidr = '%s/24' % self.dst_addr
    self.src_p.addr.add(src_cidr)
    self.dst_p.addr.add(dst_cidr)
    ping_check = helpers.Pinger(self.src_ns)
    ping_check.assert_no_ping(self.dst_addr)
def test_icmp(self):
    """Adding and removing an ICMP block rule toggles reachability.

    The ping passes initially, fails once ``base.ICMP_BLOCK_RULE`` is
    added to the server's INPUT chain and applied, and passes again
    once the rule is removed and the firewall re-applied.
    """
    ping_check = helpers.Pinger(self.client_ns)
    filter_table = self.server_fw.ipv4['filter']
    block_rule = base.ICMP_BLOCK_RULE
    # Baseline: nothing blocks ICMP yet.
    ping_check.assert_ping(self.DST_ADDRESS)
    # Block ICMP on the server side and confirm the ping is dropped.
    filter_table.add_rule('INPUT', block_rule)
    self.server_fw.apply()
    ping_check.assert_no_ping(self.DST_ADDRESS)
    # Removing the rule must restore reachability.
    filter_table.remove_rule('INPUT', block_rule)
    self.server_fw.apply()
    ping_check.assert_ping(self.DST_ADDRESS)
def test_arp_spoof_disable_port_security(self):
    """Disabling port security must clear previously installed rules.

    The destination port is first protected with an allowed list that
    excludes its real address (which would block it), then re-configured
    with ``psec=False``. The ping must succeed, proving the stale
    blocking rules were removed rather than left in place.
    """
    blocking_list = ['192.168.0.3']
    # Install blocking rules first ...
    self._setup_arp_spoof_for_port(self.dst_p.name, blocking_list)
    # ... then turn port security off for the same port.
    self._setup_arp_spoof_for_port(self.dst_p.name, blocking_list,
                                   psec=False)
    src_cidr = '%s/24' % self.src_addr
    dst_cidr = '%s/24' % self.dst_addr
    self.src_p.addr.add(src_cidr)
    self.dst_p.addr.add(dst_cidr)
    ping_check = helpers.Pinger(self.src_ns)
    ping_check.assert_ping(self.dst_addr)
def test_arp_spoof_doesnt_block_ipv6(self):
    """ARP-spoofing protection must not interfere with IPv6 traffic.

    Overrides the fixture addresses with IPv6 ones, protects each port
    with its own address, and expects a ping to succeed. The pinger
    gets more attempts than usual because IPv6 addresses appear to take
    longer to become usable.
    """
    self.src_addr = '2000::1'
    self.dst_addr = '2000::2'
    port_addresses = (
        (self.src_p, self.src_addr),
        (self.dst_p, self.dst_addr),
    )
    for port, address in port_addresses:
        self._setup_arp_spoof_for_port(port.name, [address])
    for port, address in port_addresses:
        port.addr.add('%s/64' % address)
    # IPv6 addresses seem to take longer to initialize, hence the retries.
    ping_check = helpers.Pinger(self.src_ns, max_attempts=4)
    ping_check.assert_ping(self.dst_addr)
def setUp(self):
    """Prepare two namespaces, an ipset on the destination and a pinger.

    Creates the veth pair, builds the ipset named by ``IPSET_SET`` in the
    destination namespace, installs the iptables rules that reference it
    on the destination side, and keeps a pinger bound to the source
    namespace for the tests.
    """
    super(IpsetBase, self).setUp()
    src_ns, dst_ns = self.prepare_veth_pairs()
    self.src_ns = src_ns
    self.dst_ns = dst_ns
    self.ipset = self._create_ipset_manager_and_set(dst_ns, IPSET_SET)
    # The rules live in the destination namespace, so the manager is
    # bound to it explicitly.
    self.dst_iptables = iptables_manager.IptablesManager(
        namespace=dst_ns.namespace)
    self._add_iptables_ipset_rules(self.dst_iptables)
    self.pinger = helpers.Pinger(src_ns)
def setUp(self):
    """Prepare namespaces, a randomly named ipset and its iptables rules.

    The ipset name is random (bounded by ``MAX_IPSET_NAME_LENGTH``) so
    concurrent runs do not collide; both the set and the iptables rules
    referencing it are registered for cleanup so nothing is left behind
    on the host after the test.
    """
    super(IpsetBase, self).setUp()
    src_ns, dst_ns = self.prepare_veth_pairs()
    self.src_ns = src_ns
    self.dst_ns = dst_ns
    set_name = base.get_rand_name(MAX_IPSET_NAME_LENGTH, 'set-')
    self.ipset_name = set_name
    self.icmp_accept_rule = (
        '-p icmp -m set --match-set %s src -j ACCEPT' % set_name)
    self.ipset = self._create_ipset_manager_and_set(dst_ns, set_name)
    self.addCleanup(self.ipset._destroy, set_name)
    # The rules live in the destination namespace, so the manager is
    # bound to it explicitly.
    self.dst_iptables = iptables_manager.IptablesManager(
        namespace=dst_ns.namespace)
    self._add_iptables_ipset_rules()
    self.addCleanup(self._remove_iptables_ipset_rules)
    self.pinger = helpers.Pinger(src_ns)
def setUp(self):
    """Create two namespaces attached to the bridge via OVS port fixtures.

    Skips when the host cannot match on ARP headers, since the
    protection under test relies on it. Assigns the default IPv4
    addresses, a pinger with a small retry budget, and one OVS port per
    namespace (``src_p`` / ``dst_p``).
    """
    if not checks.arp_header_match_supported():
        self.skipTest("ARP header matching not supported")
    # NOTE(kevinbenton): scapy would be a nicer way to drive these
    # tests, but it needs the python process to run as root to bind to
    # the ports, so plain pings are used instead.
    super(ARPSpoofTestCase, self).setUp()
    self.src_addr = '192.168.0.1'
    self.dst_addr = '192.168.0.2'
    self.src_ns = self._create_namespace()
    self.dst_ns = self._create_namespace()
    self.pinger = helpers.Pinger(self.src_ns, max_attempts=2)

    def ovs_port_for(ns):
        # One OVS port on the shared bridge, moved into the namespace.
        fixture = net_helpers.OVSPortFixture(self.br, ns.namespace)
        return self.useFixture(fixture).port

    self.src_p = ovs_port_for(self.src_ns)
    self.dst_p = ovs_port_for(self.dst_ns)
def setUp(self):
    """Run the base setup, require sudo, and bind a pinger to this case.

    ``check_sudo_enabled`` gates the test on privilege availability,
    since the veth/namespace operations below it need root.
    """
    super(BaseIPVethTestCase, self).setUp()
    self.check_sudo_enabled()
    # NOTE(review): the pinger is handed the test case itself rather than
    # a namespace wrapper here — presumably this class provides the
    # interface Pinger expects; confirm against helpers.Pinger.
    self.pinger = helpers.Pinger(self)