145 lines
6.9 KiB
Python
145 lines
6.9 KiB
Python
# Copyright (c) 2015 Mirantis, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from neutron_lib import constants
|
|
from neutron_lib.utils import net
|
|
|
|
from neutron.plugins.ml2.drivers.linuxbridge.agent import arp_protect
|
|
from neutron.tests.common import machine_fixtures
|
|
from neutron.tests.common import net_helpers
|
|
from neutron.tests.functional import base as functional_base
|
|
|
|
no_arping = net_helpers.assert_no_arping
|
|
arping = net_helpers.assert_arping
|
|
|
|
|
|
class LinuxBridgeARPSpoofTestCase(functional_base.BaseSudoTestCase):
|
|
|
|
def setUp(self):
|
|
super(LinuxBridgeARPSpoofTestCase, self).setUp()
|
|
|
|
lbfixture = self.useFixture(net_helpers.LinuxBridgeFixture())
|
|
self.addCleanup(setattr, arp_protect, 'NAMESPACE', None)
|
|
arp_protect.NAMESPACE = lbfixture.namespace
|
|
bridge = lbfixture.bridge
|
|
self.source, self.destination, self.observer = self.useFixture(
|
|
machine_fixtures.PeerMachines(bridge, amount=3)).machines
|
|
self.addCleanup(self._ensure_rules_cleaned)
|
|
|
|
def _ensure_rules_cleaned(self):
|
|
rules = [r for r in arp_protect.ebtables(['-L']).splitlines()
|
|
if r and 'Bridge' not in r]
|
|
self.assertEqual([], rules, 'Test leaked ebtables rules')
|
|
|
|
def _add_arp_protection(self, machine, addresses, extra_port_dict=None):
|
|
port_dict = {'fixed_ips': [{'ip_address': a} for a in addresses],
|
|
'device_owner': 'nobody',
|
|
'mac_address': machine.port.link.address}
|
|
if extra_port_dict:
|
|
port_dict.update(extra_port_dict)
|
|
name = net_helpers.VethFixture.get_peer_name(machine.port.name)
|
|
arp_protect.setup_arp_spoofing_protection(name, port_dict)
|
|
self.addCleanup(arp_protect.delete_arp_spoofing_protection,
|
|
[name])
|
|
|
|
def test_arp_no_protection(self):
|
|
arping(self.source.namespace, self.destination.ip)
|
|
arping(self.destination.namespace, self.source.ip)
|
|
|
|
def test_arp_correct_protection(self):
|
|
self._add_arp_protection(self.source, [self.source.ip])
|
|
self._add_arp_protection(self.destination, [self.destination.ip])
|
|
arping(self.source.namespace, self.destination.ip)
|
|
arping(self.destination.namespace, self.source.ip)
|
|
|
|
def test_arp_correct_protection_allowed_address_pairs(self):
|
|
smac = self.source.port.link.address
|
|
port = {'mac_address': '00:11:22:33:44:55',
|
|
'allowed_address_pairs': [{'mac_address': smac,
|
|
'ip_address': self.source.ip}]}
|
|
# make sure a large number of allowed address pairs works
|
|
for i in range(100000):
|
|
port['allowed_address_pairs'].append(
|
|
{'mac_address': net.get_random_mac(
|
|
'fa:16:3e:00:00:00'.split(':')),
|
|
'ip_address': '10.10.10.10'})
|
|
self._add_arp_protection(self.source, ['1.2.2.2'], port)
|
|
self._add_arp_protection(self.destination, [self.destination.ip])
|
|
arping(self.source.namespace, self.destination.ip)
|
|
arping(self.destination.namespace, self.source.ip)
|
|
|
|
def test_arp_fails_incorrect_protection(self):
|
|
self._add_arp_protection(self.source, ['1.1.1.1'])
|
|
self._add_arp_protection(self.destination, ['2.2.2.2'])
|
|
no_arping(self.source.namespace, self.destination.ip)
|
|
no_arping(self.destination.namespace, self.source.ip)
|
|
|
|
def test_arp_fails_incorrect_mac_protection(self):
|
|
# a bad mac filter on the source will prevent any traffic from it
|
|
self._add_arp_protection(self.source, [self.source.ip],
|
|
{'mac_address': '00:11:22:33:44:55'})
|
|
no_arping(self.source.namespace, self.destination.ip)
|
|
no_arping(self.destination.namespace, self.source.ip)
|
|
# correcting it should make it work
|
|
self._add_arp_protection(self.source, [self.source.ip])
|
|
arping(self.source.namespace, self.destination.ip)
|
|
|
|
def test_arp_protection_removal(self):
|
|
self._add_arp_protection(self.source, ['1.1.1.1'])
|
|
self._add_arp_protection(self.destination, ['2.2.2.2'])
|
|
no_arping(self.observer.namespace, self.destination.ip)
|
|
no_arping(self.observer.namespace, self.source.ip)
|
|
name = net_helpers.VethFixture.get_peer_name(self.source.port.name)
|
|
arp_protect.delete_arp_spoofing_protection([name])
|
|
# spoofing should have been removed from source, but not dest
|
|
arping(self.observer.namespace, self.source.ip)
|
|
no_arping(self.observer.namespace, self.destination.ip)
|
|
|
|
def test_arp_protection_update(self):
|
|
self._add_arp_protection(self.source, ['1.1.1.1'])
|
|
self._add_arp_protection(self.destination, ['2.2.2.2'])
|
|
no_arping(self.observer.namespace, self.destination.ip)
|
|
no_arping(self.observer.namespace, self.source.ip)
|
|
self._add_arp_protection(self.source, ['192.0.0.0/1'])
|
|
# spoofing should have been updated on source, but not dest
|
|
arping(self.observer.namespace, self.source.ip)
|
|
no_arping(self.observer.namespace, self.destination.ip)
|
|
|
|
def test_arp_protection_port_security_disabled(self):
|
|
self._add_arp_protection(self.source, ['1.1.1.1'])
|
|
no_arping(self.observer.namespace, self.source.ip)
|
|
self._add_arp_protection(self.source, ['1.1.1.1'],
|
|
{'port_security_enabled': False})
|
|
arping(self.observer.namespace, self.source.ip)
|
|
|
|
def test_arp_protection_network_owner(self):
|
|
self._add_arp_protection(self.source, ['1.1.1.1'])
|
|
no_arping(self.observer.namespace, self.source.ip)
|
|
self._add_arp_protection(self.source, ['1.1.1.1'],
|
|
{'device_owner':
|
|
constants.DEVICE_OWNER_ROUTER_GW})
|
|
arping(self.observer.namespace, self.source.ip)
|
|
|
|
def test_arp_protection_dead_reference_removal(self):
|
|
self._add_arp_protection(self.source, ['1.1.1.1'])
|
|
self._add_arp_protection(self.destination, ['2.2.2.2'])
|
|
no_arping(self.observer.namespace, self.destination.ip)
|
|
no_arping(self.observer.namespace, self.source.ip)
|
|
name = net_helpers.VethFixture.get_peer_name(self.source.port.name)
|
|
# This should remove all arp protect rules that aren't source port
|
|
arp_protect.delete_unreferenced_arp_protection([name])
|
|
no_arping(self.observer.namespace, self.source.ip)
|
|
arping(self.observer.namespace, self.destination.ip)
|