On 02/08/2018 02:19 PM, Laine Stump wrote:
This test changes the IP address of the guest interface so that it can
send out a packet with a different source IP address. It may have
worked properly with older versions of Fedora running on the test
guest, but at least in Fedora 27, NetworkManager keeps the dhclient
process running after it has already acquired an IP address, and if
you set the interface offline and then back on, dhclient will very
quickly re-acquire the IP address, so the test ends up sending a ping
from the *same* address, the packet passes the filters, and the test
fails.
The solution is to just kill the dhclient process. This allows the
manually set IP address to "stick". Since the guest is shut down
immediately after this test, it doesn't matter that dhclient is no
longer running. (We *do* need to set the IP address back to its
original setting though, so that the ssh socket used for the test
(which is connecting via the same interface) won't hang and delay
completion of the test (also causing it to fail).)
Signed-off-by: Laine Stump <laine(a)laine.org>
Reviewed-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
"New" in V2 - this line was previously sneaked into the middle of the
patch that removed path specifiers from binary names in guest-side
scripts, but it really deserves an explanation.
scripts/nwfilter/220-no-ip-spoofing.t | 1 +
1 file changed, 1 insertion(+)
diff --git a/scripts/nwfilter/220-no-ip-spoofing.t
b/scripts/nwfilter/220-no-ip-spoofing.t
index 72dcae8..9e1bb70 100644
--- a/scripts/nwfilter/220-no-ip-spoofing.t
+++ b/scripts/nwfilter/220-no-ip-spoofing.t
@@ -83,6 +83,7 @@ my $cmdfile = <<EOF;
echo "DEV=\\\$(ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e
's/://')
MASK=\\\$(ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' |
sed -e 's/.*\\///;q')
ip addr show \\\$DEV
+kill \\\$(pidof dhclient)
ip link set \\\$DEV down
ip addr flush dev \\\$DEV
ip addr add 192.168.122.183/\\\$MASK dev \\\$DEV
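
Review bot: The added `kill \\\$(pidof dhclient)` line is unguarded and its result is never checked in the visible lines. If no dhclient process exists on the guest (for example because the image uses a different DHCP client), pidof prints nothing and kill is invoked with no arguments, which only emits a usage error before the script goes on to `ip link set \\\$DEV down`. In the opposite case, where dhclient survives or is restarted, the address is re-acquired and the ping leaves from the original source IP, so the spoofing filter is never exercised and the test fails for a reason unrelated to the filter. Consider guarding the call so it runs only when pidof returns a PID, and confirming with `ip addr show \\\$DEV` after the `ip addr add` that 192.168.122.183 is the address actually in place before the ping is sent. A one-line comment above the kill in the script would also help, since the reason for it currently lives only in the commit message.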