neutron/neutron/tests/functional/agent/linux/test_linuxbridge_arp_protect.py

# Copyright (c) 2015 Mirantis, Inc.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from neutron_lib import constants
from neutron_lib.utils import net

from neutron.plugins.ml2.drivers.linuxbridge.agent import arp_protect
from neutron.tests.common import machine_fixtures
from neutron.tests.common import net_helpers
from neutron.tests.functional import base as functional_base

no_arping = net_helpers.assert_no_arping
arping = net_helpers.assert_arping


class LinuxBridgeARPSpoofTestCase(functional_base.BaseSudoTestCase):

    def setUp(self):
        super(LinuxBridgeARPSpoofTestCase, self).setUp()

        lbfixture = self.useFixture(net_helpers.LinuxBridgeFixture())
        self.addCleanup(setattr, arp_protect, 'NAMESPACE', None)
        arp_protect.NAMESPACE = lbfixture.namespace
        bridge = lbfixture.bridge
        self.source, self.destination, self.observer = self.useFixture(
            machine_fixtures.PeerMachines(bridge, amount=3)).machines
        self.addCleanup(self._ensure_rules_cleaned)

    def _ensure_rules_cleaned(self):
        rules = [r for r in arp_protect.ebtables(['-L']).splitlines()
                 if r and 'Bridge' not in r]
        self.assertEqual([], rules, 'Test leaked ebtables rules')

    def _add_arp_protection(self, machine, addresses, extra_port_dict=None):
        port_dict = {'fixed_ips': [{'ip_address': a} for a in addresses],
                     'device_owner': 'nobody',
                     'mac_address': machine.port.link.address}
        if extra_port_dict:
            port_dict.update(extra_port_dict)
        name = net_helpers.VethFixture.get_peer_name(machine.port.name)
        arp_protect.setup_arp_spoofing_protection(name, port_dict)
        self.addCleanup(arp_protect.delete_arp_spoofing_protection,
                        [name])

    def test_arp_no_protection(self):
        arping(self.source.namespace, self.destination.ip)
        arping(self.destination.namespace, self.source.ip)

    def test_arp_correct_protection(self):
        self._add_arp_protection(self.source, [self.source.ip])
        self._add_arp_protection(self.destination, [self.destination.ip])
        arping(self.source.namespace, self.destination.ip)
        arping(self.destination.namespace, self.source.ip)

    def test_arp_correct_protection_allowed_address_pairs(self):
        smac = self.source.port.link.address
        port = {'mac_address': '00:11:22:33:44:55',
                'allowed_address_pairs': [{'mac_address': smac,
                                           'ip_address': self.source.ip}]}
        # make sure a large number of allowed address pairs works
        for i in range(100000):
            port['allowed_address_pairs'].append(
                {'mac_address': net.get_random_mac(
                     'fa:16:3e:00:00:00'.split(':')),
                 'ip_address': '10.10.10.10'})
        self._add_arp_protection(self.source, ['1.2.2.2'], port)
        self._add_arp_protection(self.destination, [self.destination.ip])
        arping(self.source.namespace, self.destination.ip)
        arping(self.destination.namespace, self.source.ip)

    def test_arp_fails_incorrect_protection(self):
        self._add_arp_protection(self.source, ['1.1.1.1'])
        self._add_arp_protection(self.destination, ['2.2.2.2'])
        no_arping(self.source.namespace, self.destination.ip)
        no_arping(self.destination.namespace, self.source.ip)

    def test_arp_fails_incorrect_mac_protection(self):
        # a bad mac filter on the source will prevent any traffic from it
        self._add_arp_protection(self.source, [self.source.ip],
                                 {'mac_address': '00:11:22:33:44:55'})
        no_arping(self.source.namespace, self.destination.ip)
        no_arping(self.destination.namespace, self.source.ip)
        # correcting it should make it work
        self._add_arp_protection(self.source, [self.source.ip])
        arping(self.source.namespace, self.destination.ip)

    def test_arp_protection_removal(self):
        self._add_arp_protection(self.source, ['1.1.1.1'])
        self._add_arp_protection(self.destination, ['2.2.2.2'])
        no_arping(self.observer.namespace, self.destination.ip)
        no_arping(self.observer.namespace, self.source.ip)
        name = net_helpers.VethFixture.get_peer_name(self.source.port.name)
        arp_protect.delete_arp_spoofing_protection([name])
        # spoofing should have been removed from source, but not dest
        arping(self.observer.namespace, self.source.ip)
        no_arping(self.observer.namespace, self.destination.ip)

    def test_arp_protection_update(self):
        self._add_arp_protection(self.source, ['1.1.1.1'])
        self._add_arp_protection(self.destination, ['2.2.2.2'])
        no_arping(self.observer.namespace, self.destination.ip)
        no_arping(self.observer.namespace, self.source.ip)
        self._add_arp_protection(self.source, ['192.0.0.0/1'])
        # spoofing should have been updated on source, but not dest
        arping(self.observer.namespace, self.source.ip)
        no_arping(self.observer.namespace, self.destination.ip)

    def test_arp_protection_port_security_disabled(self):
        self._add_arp_protection(self.source, ['1.1.1.1'])
        no_arping(self.observer.namespace, self.source.ip)
        self._add_arp_protection(self.source, ['1.1.1.1'],
                                 {'port_security_enabled': False})
        arping(self.observer.namespace, self.source.ip)

    def test_arp_protection_network_owner(self):
        self._add_arp_protection(self.source, ['1.1.1.1'])
        no_arping(self.observer.namespace, self.source.ip)
        self._add_arp_protection(self.source, ['1.1.1.1'],
                                 {'device_owner':
                                  constants.DEVICE_OWNER_ROUTER_GW})
        arping(self.observer.namespace, self.source.ip)

    def test_arp_protection_dead_reference_removal(self):
        self._add_arp_protection(self.source, ['1.1.1.1'])
        self._add_arp_protection(self.destination, ['2.2.2.2'])
        no_arping(self.observer.namespace, self.destination.ip)
        no_arping(self.observer.namespace, self.source.ip)
        name = net_helpers.VethFixture.get_peer_name(self.source.port.name)
        # This should remove all arp protect rules that aren't source port
        arp_protect.delete_unreferenced_arp_protection([name])
        no_arping(self.observer.namespace, self.source.ip)
        arping(self.observer.namespace, self.destination.ip)