예제 #1
 def test_arp_spoof_allowed_address_pairs_0cidr(self):
     # One allowed address pair carries a /0 prefix, which covers every
     # IPv4 address, so the destination must stay reachable although its
     # own address is not listed explicitly.
     # NOTE(review): presumably _setup_arp_spoof_for_port installs the
     # agent's ARP protection for the named port -- confirm in the helper.
     # A /0 pair leaves that protection nothing to restrict, so treat it
     # as a deliberate exception wherever it appears in a real port.
     wildcard_pairs = ['9.9.9.9/0', '1.2.3.4']
     self._setup_arp_spoof_for_port(self.dst_p.name, wildcard_pairs)
     for port, ip_addr in ((self.src_p, self.src_addr),
                           (self.dst_p, self.dst_addr)):
         port.addr.add('%s/24' % ip_addr)
     helpers.Pinger(self.src_ns).assert_ping(self.dst_addr)
예제 #2
 def test_arp_spoof_allowed_address_pairs(self):
     # The destination's real address is one of its allowed address pairs
     # (next to the unrelated 192.168.0.3), so the ping from the source
     # namespace must succeed.
     permitted = ['192.168.0.3', self.dst_addr]
     self._setup_arp_spoof_for_port(self.dst_p.name, permitted)
     for port, ip_addr in ((self.src_p, self.src_addr),
                           (self.dst_p, self.dst_addr)):
         port.addr.add('%s/24' % ip_addr)
     helpers.Pinger(self.src_ns).assert_ping(self.dst_addr)
예제 #3
 def test_arp_spoof_doesnt_block_normal_traffic(self):
     # Both ports are set up with exactly the address they really use, so
     # ordinary traffic between them must not be dropped (guards against
     # the protection producing false positives).
     endpoints = ((self.src_p, self.src_addr),
                  (self.dst_p, self.dst_addr))
     for port, ip_addr in endpoints:
         self._setup_arp_spoof_for_port(port.name, [ip_addr])
     for port, ip_addr in endpoints:
         port.addr.add('%s/24' % ip_addr)
     helpers.Pinger(self.src_ns).assert_ping(self.dst_addr)
예제 #4
    def test_port_sec_within_firewall(self):
        # Walks one port through three states: filtered with its original
        # MAC (ping passes), filtered with a spoofed MAC (ping fails), and
        # port security disabled (ping passes again with the spoofed MAC).
        src_pinger = helpers.Pinger(self.src_ip_wrapper)

        # security group rules that let the ping through: ICMP ingress from
        # any IPv4 source, and IPv4 egress with no further match fields
        icmp_ingress = {
            'ethertype': 'IPv4',
            'direction': 'ingress',
            'source_ip_prefix': '0.0.0.0/0',
            'protocol': 'icmp'
        }
        ipv4_egress = {
            'ethertype': 'IPv4',
            'direction': 'egress'
        }
        allow_ping_rules = [icmp_ingress, ipv4_egress]

        with self.firewall.defer_apply():
            self.firewall.update_security_group_rules(
                self.FAKE_SECURITY_GROUP_ID, allow_ping_rules)
        self.firewall.prepare_port_filter(self.src_port_desc)
        src_pinger.assert_ping(self.DST_ADDRESS)

        # switch the source veth to the spoofed MAC; the security group
        # still allows ICMP, so a failed ping shows the port filter itself
        # rejects traffic from the unexpected MAC
        self._set_src_mac(self.MAC_SPOOFED)
        src_pinger.assert_no_ping(self.DST_ADDRESS)

        # NOTE(review): once port_security_enabled is False the spoofed MAC
        # is accepted, i.e. the port loses its anti-spoofing filtering --
        # the flag is a full opt-out and should be audited on real ports
        port_desc = self.src_port_desc
        port_desc['port_security_enabled'] = False
        self.firewall.update_port_filter(port_desc)
        src_pinger.assert_ping(self.DST_ADDRESS)
예제 #5
 def test_arp_spoof_blocks_response(self):
     # Only 192.168.0.3 is allowed on the destination port, which keeps
     # the destination from answering the ARP request for its own address;
     # the source can then not resolve it and the ping must fail.
     only_other_addr = ['192.168.0.3']
     self._setup_arp_spoof_for_port(self.dst_p.name, only_other_addr)
     for port, ip_addr in ((self.src_p, self.src_addr),
                           (self.dst_p, self.dst_addr)):
         port.addr.add('%s/24' % ip_addr)
     helpers.Pinger(self.src_ns).assert_no_ping(self.dst_addr)
예제 #6
 def test_icmp(self):
     # Ping works, stops once the ICMP block rule is applied to the
     # server's INPUT chain, and works again after the rule is removed.
     # Rule changes only take effect on apply(), hence the call after
     # each add/remove.
     client_pinger = helpers.Pinger(self.client_ns)
     client_pinger.assert_ping(self.DST_ADDRESS)

     server_fw = self.server_fw
     block_rule = base.ICMP_BLOCK_RULE

     server_fw.ipv4['filter'].add_rule('INPUT', block_rule)
     server_fw.apply()
     client_pinger.assert_no_ping(self.DST_ADDRESS)

     server_fw.ipv4['filter'].remove_rule('INPUT', block_rule)
     server_fw.apply()
     client_pinger.assert_ping(self.DST_ADDRESS)
예제 #7
 def test_arp_spoof_disable_port_security(self):
     # Set the port up with a blocking configuration first, then repeat
     # the setup with psec=False: the ping only passes if the rules from
     # the first call were cleared.
     # NOTE(review): psec=False presumably stands for port security being
     # disabled on the port -- confirm in _setup_arp_spoof_for_port.
     blocking_pairs = ['192.168.0.3']
     dst_port_name = self.dst_p.name
     self._setup_arp_spoof_for_port(dst_port_name, blocking_pairs)
     self._setup_arp_spoof_for_port(dst_port_name, ['192.168.0.3'],
                                    psec=False)
     for port, ip_addr in ((self.src_p, self.src_addr),
                           (self.dst_p, self.dst_addr)):
         port.addr.add('%s/24' % ip_addr)
     helpers.Pinger(self.src_ns).assert_ping(self.dst_addr)
예제 #8
 def test_arp_spoof_doesnt_block_ipv6(self):
     # Same layout as the IPv4 tests, but with IPv6 addresses on both
     # ports: setting up ARP spoofing protection must not cut IPv6 traffic.
     # NOTE(review): this only shows that IPv6 is not blocked; it does not
     # show that IPv6 neighbour spoofing is prevented.
     self.src_addr, self.dst_addr = '2000::1', '2000::2'
     endpoints = ((self.src_p, self.src_addr),
                  (self.dst_p, self.dst_addr))
     for port, ip_addr in endpoints:
         self._setup_arp_spoof_for_port(port.name, [ip_addr])
     for port, ip_addr in endpoints:
         port.addr.add('%s/64' % ip_addr)
     # IPv6 addresses seem to take longer to initialize, so allow the
     # pinger more attempts
     patient_pinger = helpers.Pinger(self.src_ns, max_attempts=4)
     patient_pinger.assert_ping(self.dst_addr)
예제 #9
    def setUp(self):
        # Prepares a veth pair across two namespaces, an ipset plus an
        # iptables manager in the destination namespace, and a pinger that
        # runs from the source namespace.
        # NOTE(review): no cleanup for the ipset or the iptables rules is
        # registered in this method; presumably removing the namespaces
        # takes care of both -- confirm.
        super(IpsetBase, self).setUp()

        veth_namespaces = self.prepare_veth_pairs()
        self.src_ns, self.dst_ns = veth_namespaces
        self.ipset = self._create_ipset_manager_and_set(self.dst_ns, IPSET_SET)

        dst_namespace_name = self.dst_ns.namespace
        self.dst_iptables = iptables_manager.IptablesManager(
            namespace=dst_namespace_name)

        self._add_iptables_ipset_rules(self.dst_iptables)
        self.pinger = helpers.Pinger(self.src_ns)
예제 #10
    def setUp(self):
        # Prepares a veth pair across two namespaces, a randomly named
        # ipset in the destination namespace, and an iptables rule that
        # accepts ICMP only from sources contained in that set.
        super(IpsetBase, self).setUp()

        veth_namespaces = self.prepare_veth_pairs()
        self.src_ns, self.dst_ns = veth_namespaces

        set_name = base.get_rand_name(MAX_IPSET_NAME_LENGTH, 'set-')
        self.ipset_name = set_name
        self.icmp_accept_rule = ('-p icmp -m set --match-set %s src -j ACCEPT'
                                 % set_name)

        self.ipset = self._create_ipset_manager_and_set(self.dst_ns,
                                                        set_name)
        # each cleanup is registered right after the resource it undoes,
        # so a failure later in setUp still leaves nothing behind
        self.addCleanup(self.ipset._destroy, set_name)

        dst_namespace_name = self.dst_ns.namespace
        self.dst_iptables = iptables_manager.IptablesManager(
            namespace=dst_namespace_name)

        self._add_iptables_ipset_rules()
        self.addCleanup(self._remove_iptables_ipset_rules)
        self.pinger = helpers.Pinger(self.src_ns)
예제 #11
 def setUp(self):
     # Builds the fixture shared by the ARP spoofing tests: two namespaces,
     # one OVS port on self.br for each, and a pinger bound to the source
     # namespace.  The whole case is skipped when ARP header matching is
     # not supported.
     arp_match_available = checks.arp_header_match_supported()
     if not arp_match_available:
         self.skipTest("ARP header matching not supported")
     # NOTE(kevinbenton): it would be way cooler to use scapy for
     # these but scapy requires the python process to be running as
     # root to bind to the ports.
     super(ARPSpoofTestCase, self).setUp()
     self.src_addr, self.dst_addr = '192.168.0.1', '192.168.0.2'
     self.src_ns = self._create_namespace()
     self.dst_ns = self._create_namespace()
     self.pinger = helpers.Pinger(self.src_ns, max_attempts=2)

     def attach_ovs_port(ns):
         # useFixture ties the port's lifetime to this test
         port_fixture = net_helpers.OVSPortFixture(self.br, ns.namespace)
         return self.useFixture(port_fixture).port

     self.src_p = attach_ovs_port(self.src_ns)
     self.dst_p = attach_ovs_port(self.dst_ns)
예제 #12
 def setUp(self):
     # Runs the parent setUp, then the sudo check, and finally creates the
     # pinger, which is handed the test case itself rather than a namespace.
     # NOTE(review): check_sudo_enabled presumably skips the test when
     # sudo-backed tests are not enabled -- confirm in its definition.
     parent = super(BaseIPVethTestCase, self)
     parent.setUp()
     self.check_sudo_enabled()
     case_pinger = helpers.Pinger(self)
     self.pinger = case_pinger