[libvirt] [RFC] libvirt-TCK scripts to verify spoofing prevention

The following patch mainly adds a set of test case to verify that several spoofing attacks are prevented by the nwfilter subsystem. In order to have a well defined test machine, the patch also includes test scripts to network install a virtual disk from scratch, to boot the virtual test machine prior to running the actual test scripts and to shut it down afterwards. While I have tried to remove as much dependency on my local setup as possible there is still some left, so I am currently more interested in feedback about the general approach, not necessarily actual inclusion into the libvirt-TCK git. For example, I am currently trying to find a suitable location for the kickstart file, and also a suitable place for the common_functions.pl. Comments are appreciated ... thanks, Gerhard Index: libvirt-tck/scripts/network/README =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/README @@ -0,0 +1,14 @@ + +Test cases: + +000-install-image.t creates and install a 2GB fedora virtual disk via kickstart file from the network +001-boot-image.t defines and boots a VM which uses the fedora virtual disk +100-ping-still-working.t verifies the VM is pingable +210-no-mac-spoofing.t verifies mac spoofing is prevented +220-no-ip-spoofing.t verifies ip spoofing is prevented +230-no-mac-broadcast.t verifies mac broadcasting is prevented +240-no-arp-spoofing.t verifies arp spoofing is prevented +999-shutdown-image.t shuts the VM down + + + Index: libvirt-tck/scripts/network/000-install-image.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/000-install-image.t @@ -0,0 +1,181 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/000-install-image.t - install network test image + +=head1 DESCRIPTION + +The test case creates and install a 2GB fedora virtual +disk via kickstart file from the network. + +=cut + +use strict; +use warnings; + +use Test::More tests => 1; + +use Sys::Virt::TCK; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { $tck->cleanup if $tck; } + +# variables which may need to be adapted +my $domain_name ="f12nwtest"; +my $disk_name = "/var/lib/libvirt/images/${domain_name}.img"; +my $disk_size = "2147483648"; + +my $kickstart_file ="http://192.168.122.1/ks.cfg"; +my $cmdline = "ip=dhcp gateway=192.168.122.1 ks=${kickstart_file}"; + +# see if the domain already exits +my $already_defined = 0; +diag "searching if ${domain_name} is already defined"; +my $nnames = $conn->num_of_defined_domains(); +my @names = $conn->list_defined_domain_names($nnames); +foreach (@names){ + if (/${domain_name}/) { + print "$_ already exists, no need to redefine\n"; + $already_defined = 1; + } +} +diag $already_defined; + +# check for installation disk and build it if not exists +my $already_installed = 0; +my $pool = $conn->get_storage_pool_by_name("default"); +my $nnames = $pool->num_of_storage_volumes(); +my @volNames = $pool->list_storage_vol_names($nnames); +foreach (@volNames){ + if (/${domain_name}/) { + print "$_ already exists, no need to install\n"; + $already_installed = 1; + } +} + +my $volumexml = "<volume>". +" <name>${domain_name}.img</name>". +" <key>${disk_name}</key>". +" <source>". +" </source>". +" <capacity>${disk_size}</capacity>". +" <allocation>4096</allocation>". +" <target>". +" <path>${disk_name}</path>". +" <format type='raw'/>". +" <permissions>". +" <mode>0644</mode>". +" <owner>0</owner>". +" <group>0</group>". +" </permissions>". +" </target>". +"</volume>"; + + +# prepare image +if ($already_installed == 0) { + diag "Creating ${disk_name}"; + diag $volumexml; + my $vol = $pool->create_volume($volumexml) +# system("qemu-img create ${disk_name} ${disk_size}"); +} + +my $topxml = " <name>${domain_name}</name>". +" <memory>524288</memory>". +" <currentMemory>524288</currentMemory>". +" <vcpu>1</vcpu>"; + +my $osxml = " <os>". +" <type arch='x86_64' machine='fedora-13'>hvm</type>". +" <kernel>/var/cache/libvirt-tck/os-i686-hvm/vmlinuz</kernel>". +" <initrd>/var/cache/libvirt-tck/os-i686-hvm/initrd</initrd>". +" <cmdline>${cmdline}</cmdline>". +" <boot dev='hd'/>". +" </os>"; + +my $bottomxml = " <features>". +" <acpi/>". +" <apic/>". +" </features>". +" <clock offset='utc'/>". +" <on_poweroff>destroy</on_poweroff>". +" <on_reboot>restart</on_reboot>". +" <on_crash>restart</on_crash>". +" <devices>". +" <emulator>/usr/bin/qemu-kvm</emulator>". +" <disk type='file' device='disk'>". +" <driver name='qemu' type='raw'/>". +" <source file='${disk_name}'/>". +" <target dev='hda' bus='ide'/>". +" </disk>". +" <controller type='ide' index='0'>". +" </controller>". +" <interface type='network'>". +" <source network='default'/>". +" <target dev='vnet0'/>". +" <model type='virtio'/>". +" </interface>". +" <serial type='pty'>". +" <target port='0'/>". +" </serial>". +" <console type='pty'>". +" <target port='0'/>". +" </console>". +" <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' keymap='de'/>". +" <video>". +" <model type='cirrus' vram='9216' heads='1'/>". +" </video>". +" </devices>"; + +my $xml = "<domain type='kvm'>" . +$topxml. +$osxml. +$bottomxml. +"</domain>"; + +diag $xml; +diag "Defining an inactive domain config"; +my $dom; + +# no need to start if already installed +if (($already_installed == 0) && ($already_defined == 0)) { + ok_domain(sub { $dom = $conn->define_domain($xml) }, "defined persistent domain config"); + $xml = $dom->get_xml_description; + diag $xml; + diag "Starting inactive domain config"; + $dom->create; + + # wait for completion of installation + diag "wait for installation to finish .. "; + while($dom->is_active()) { + sleep(10); + diag ".. to view progress connect to virtual machine ${domain_name} .. "; + } + sleep(10); + diag " .. done"; + # cleanup + $dom->undefine; +} else { + ok_domain { $dom = $conn->get_domain_by_name($domain_name) } "the existing domain object"; +} + + + + + Index: libvirt-tck/scripts/network/001-boot-image.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/001-boot-image.t @@ -0,0 +1,133 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/001-boot-image.t - boot installed test image + +=head1 DESCRIPTION + +The test case defines and boots a VM which uses the +fedora virtual disk create ny 000-install-image + +=cut + +use strict; +use warnings; + +use Test::More tests => 2; + +use Sys::Virt::TCK; +use XML::LibXML; + +require 'scripts/network/common_functions.pl'; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { $tck->cleanup if $tck; } + +my $already_defined = 0; +my $domain_name ="f12nwtest"; + +# see if the domain already exits +diag "searching if ${domain_name} is already defined"; +my $nnames = $conn->num_of_defined_domains(); +my @names = $conn->list_defined_domain_names($nnames); +foreach (@names){ + if (/${domain_name}/) { + print "$_ already exists, no need to redefine\n"; + $already_defined = 1; + } +} +diag $already_defined; + +my $dom; +my $xml; + +if ($already_defined == 1) { + ok_domain { $dom = $conn->get_domain_by_name($domain_name) } "the existing domain object"; +} else { + my $topxml = " <name>${domain_name}</name>". + " <memory>524288</memory>". + " <currentMemory>524288</currentMemory>". + " <vcpu>1</vcpu>"; + + my $osxml = " <os>". + " <type arch='x86_64' machine='fedora-13'>hvm</type>". + " <boot dev='hd'/>". + " </os>"; + + my $bottomxml = " <features>". + " <acpi/>". + " <apic/>". + " </features>". + " <clock offset='utc'/>". + " <on_poweroff>destroy</on_poweroff>". + " <on_reboot>restart</on_reboot>". + " <on_crash>restart</on_crash>". + " <devices>". + " <emulator>/usr/bin/qemu-kvm</emulator>". + " <disk type='file' device='disk'>". + " <driver name='qemu' type='raw'/>". + " <source file='/var/lib/libvirt/images/${domain_name}.img'/>". + " <target dev='hda' bus='ide'/>". + " </disk>". + " <controller type='ide' index='0'>". + " </controller>". + " <interface type='network'>". + " <source network='default'/>". + " <filterref filter='no-spoofing'/>". + " <target dev='vnet0'/>". + " <model type='virtio'/>". + " </interface>". + " <serial type='pty'>". + " <target port='0'/>". + " </serial>". + " <console type='pty'>". + " <target port='0'/>". + " </console>". + " <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' keymap='de'/>". + " <video>". + " <model type='cirrus' vram='9216' heads='1'/>". + " </video>". + " </devices>"; + + $xml = "<domain type='kvm'>" . + $topxml. + $osxml. + $bottomxml. + "</domain>"; + + diag $xml; + diag "Defining an inactive domain config"; + ok_domain(sub { $dom = $conn->define_domain($xml) }, "defined persistent domain config"); +} + +# already existing or newly defined, start it up +$dom->create; +my $uuid = $dom->get_uuid_string(); +diag $uuid; +$xml = $dom->get_xml_description(); +diag $xml; +ok($dom->get_id() > 0, "running domain has an ID > 0"); + +my $mac = get_macaddress($xml); +diag $mac; +# wait for guest to boot and request dhcp +sleep(20); +my $ip = get_ip_from_leases($mac); +diag "ip is $ip"; + Index: libvirt-tck/scripts/network/100-ping-still-working.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/100-ping-still-working.t @@ -0,0 +1,71 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/100-ping-still-working.t - verify machines can be pinged from host + +=head1 DESCRIPTION + +The test case validates that it is possible to ping a guest machine from +the host. + +=cut + +use strict; +use warnings; + +use Test::More tests => 4; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; +use XML::LibXML; + +require 'scripts/network/common_functions.pl'; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { + $tck->cleanup if $tck; +} + +# create first domain and start it +diag "Trying domain lookup by name"; +my $dom1; +my $domain_name ="f12nwtest"; + +ok_domain { $dom1 = $conn->get_domain_by_name($domain_name) } "the running domain object"; +my $xml = $dom1->get_xml_description; +diag $xml; +ok($dom1->get_id() > 0, "running domain has an ID > 0"); +my $mac1 = get_macaddress($xml); +diag $mac1; +my $guestip1 = get_ip_from_leases($mac1); +diag "ip is $guestip1"; + +# check ebtables entry +my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`; +diag $ebtable1; +# fixme to include mac adress +ok($ebtable1 =~ "vnet0", "check ebtables entry"); + +# ping guest1 +my $ping1 = `ping -c 10 $guestip1`; +diag $ping1; +ok($ping1 =~ "10 received", "ping $guestip1 test"); + +exit 0; Index: libvirt-tck/scripts/network/210-no-mac-spoofing.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/210-no-mac-spoofing.t @@ -0,0 +1,113 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/210-no-mac-spoofing.t - verify MAC spoofing is prevented + +=head1 DESCRIPTION + +The test case validates that MAC spoofing is prevented + +=cut + +use strict; +use warnings; + +use Test::More tests => 5; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; +use XML::LibXML; + +require 'scripts/network/common_functions.pl'; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { + $tck->cleanup if $tck; +} + +# create first domain and start it +diag "Trying domain lookup by name"; +my $domain_name ="f12nwtest"; +my $dom1; +ok_domain { $dom1 = $conn->get_domain_by_name($domain_name) } "the running domain object"; +ok($dom1->get_id() > 0, "running domain has an ID > 0"); +my $xml = $dom1->get_xml_description; +diag $xml; + +# check ebtables entry +my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`; +diag $ebtable1; +# fixme to include mac adress +ok($ebtable1 =~ "vnet0", "check ebtables entry"); + +# wait for guest to boot +diag "waiting for guests to boot"; +#system("sleep 20"); +diag "done"; + +# ping guest1 first nic +my $mac1 = get_macaddress($xml); +diag "$mac1"; +my $guestip1 = get_ip_from_leases($mac1); +diag "ip is $guestip1"; +my $gateway = "192.168.122.1"; +my $macfalse = "52:54:00:f9:21:22"; +my $ping1 = `ping -c 10 $guestip1`; +diag $ping1; +ok($ping1 =~ "10 received", "ping $guestip1 test"); + +# log into guest +my $ssh = Net::SSH::Perl->new($guestip1); +$ssh->login("root", "foobar"); + +# now bring eth0 down, change MAC and bring it up again +diag "fiddling with mac"; +my $cmdfile = "echo '" . + "/sbin/ifconfig eth0\n". + "/sbin/ifconfig eth0 down\n". + "/sbin/ifconfig eth0 hw ether ${macfalse}\n". + "/sbin/ifconfig eth0 up\n". + "/sbin/ifconfig eth0\n". + "ping -c 10 ${gateway}\n". + "/sbin/ifconfig eth0 down\n". + "/sbin/ifconfig eth0 hw ether ${mac1}\n". + "/sbin/ifconfig eth0 up\n". + "/sbin/ifconfig eth0\n". + "' > /test.sh"; +diag $cmdfile; +my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log"); +diag $stdout; +diag $stderr; +diag $exit; +ok($stdout =~ "100% packet loss", "packet loss expected"); + +exit 0; Index: libvirt-tck/scripts/network/230-no-mac-broadcast.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/230-no-mac-broadcast.t @@ -0,0 +1,102 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/230-no-mac-broadcast.t - verify MAC broadcasts are prevented + +=head1 DESCRIPTION + +The test case validates that MAC broadcasts are prevented + +=cut + +use strict; +use warnings; + +use Test::More tests => 4; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; +use XML::LibXML; + +require 'scripts/network/common_functions.pl'; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { + $tck->cleanup if $tck; +} + +# create first domain and start it +diag "Trying domain lookup by name"; +my $dom1; +ok_domain { $dom1 = $conn->get_domain_by_name("f12nwtest") } "the running domain object"; + +ok($dom1->get_id() > 0, "running domain has an ID > 0"); +my $xml = $dom1->get_xml_description; +diag $xml; +my $mac1 = get_macaddress($xml); +diag "$mac1"; +my $guestip1 = get_ip_from_leases($mac1); +diag "ip is $guestip1"; + +# check ebtables entry +my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`; +diag $ebtable1; +# fixme to include mac adress +ok($ebtable1 =~ "vnet0", "check ebtables entry"); + +# prepare tcpdump +diag "prepare tcpdump"; +system("/usr/sbin/tcpdump -v -i virbr0 -n host 255.255.255.255 2> /tmp/tcpdump.log &"); + +# log into guest +my $ssh = Net::SSH::Perl->new($guestip1); +$ssh->login("root", "foobar"); + +# now generate a mac broadcast paket +diag "generate mac broadcast"; +my $cmdfile = "echo '" . + "/bin/ping -c 1 192.168.122.255 -b\n". + "' > /test.sh"; +diag $cmdfile; +my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log"); +diag $stdout; +diag $stderr; +diag $exit; + +# now stop tcpdump and verify result +diag "stopping tcpdump"; +system("kill -15 `/sbin/pidof tcpdump`"); +my $tcpdumplog = `cat /tmp/tcpdump.log`; +diag($tcpdumplog); +ok($tcpdumplog =~ "0 packets captured", "tcpdump expected to capture no packets"); + +exit 0; Index: libvirt-tck/scripts/network/240-no-arp-spoofing.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/240-no-arp-spoofing.t @@ -0,0 +1,111 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/240-no-arp-spoofing.t - verify ARP spoofing is prevented + +=head1 DESCRIPTION + +The test case validates that ARP spoofing is prevented + +=cut + +use strict; +use warnings; + +use Test::More tests => 4; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; +use XML::LibXML; + +require 'scripts/network/common_functions.pl'; + +my $spoofid = "192.168.122.183"; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { + $tck->cleanup if $tck; +} + +# looking up domain +diag "Trying domain lookup by name"; +my $dom1; +my $domain_name ="f12nwtest"; +ok_domain { $dom1 = $conn->get_domain_by_name($domain_name) } "the running domain object"; +ok($dom1->get_id() > 0, "running domain has an ID > 0"); +my $xml = $dom1->get_xml_description; +diag $xml; +my $mac1 = get_macaddress($xml); +diag "$mac1"; +my $guestip1 = get_ip_from_leases($mac1); +diag "ip is $guestip1"; + +# check ebtables entry +my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`; +diag $ebtable1; +# check if mac address is listed +ok($ebtable1 =~ "$guestip1", "check ebtables entry"); + +# prepare tcpdump +diag "prepare tcpdump"; +system("/usr/sbin/tcpdump -v -i virbr0 not ip > /tmp/tcpdump.log &"); + +# log into guest +my $ssh = Net::SSH::Perl->new($guestip1); +$ssh->login("root", "foobar"); + +# now generate a arp spoofing packets +diag "generate arpspoof"; +my $cmdfile = "echo '" . + "/usr/bin/yum -y install dsniff\n". + "/usr/sbin/arpspoof ${spoofid} &\n". + "/bin/sleep 10\n". + "kill -15 `/sbin/pidof arpspoof`\n". + "' > /test.sh"; +diag "content of cmdfile:"; +diag $cmdfile; +diag "creating cmdfile"; +my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +diag "excuting cmdfile"; +($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("echo test.log\ncat /test.log"); +diag $stdout; +diag $stderr; +diag $exit; + +# now stop tcpdump and verify result +diag "stopping tcpdump"; +system("kill -15 `/sbin/pidof tcpdump`"); +diag "tcpdump.log:"; +my $tcpdumplog = `cat /tmp/tcpdump.log`; +diag($tcpdumplog); +ok($tcpdumplog !~ "${spoofid} is-at", "tcpdump expected to capture no arp reply packets"); + +exit 0; Index: libvirt-tck/scripts/network/220-no-ip-spoofing.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/220-no-ip-spoofing.t @@ -0,0 +1,101 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/220-no-ip-spoofing.t - verify IP spoofing is prevented + +=head1 DESCRIPTION + +The test case validates that IP spoofing is prevented + +=cut + +use strict; +use warnings; + +use Test::More tests => 4; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; +use XML::LibXML; + +require 'scripts/network/common_functions.pl'; + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { + $tck->cleanup if $tck; +} + +# looking up domain +diag "Trying domain lookup by name"; +my $dom1; +my $domain_name ="f12nwtest"; + +ok_domain { $dom1 = $conn->get_domain_by_name($domain_name) } "the running domain object"; +ok($dom1->get_id() > 0, "running domain has an ID > 0"); +my $xml = $dom1->get_xml_description; +diag $xml; +my $mac1 = get_macaddress($xml); +diag "$mac1"; +my $guestip1 = get_ip_from_leases($mac1); +diag "ip is $guestip1"; + +# check ebtables entry +my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`; +diag $ebtable1; +# check if IP address is listed +ok($ebtable1 =~ "$guestip1", "check ebtables entry"); + +# log into guest +my $ssh = Net::SSH::Perl->new($guestip1); +$ssh->login("root", "foobar"); + +# now bring eth0 down, change IP and bring it up again +diag "preparing ip spoof"; +my $cmdfile = "echo '" . + "/bin/sleep 1\n". + "/sbin/ifconfig eth0\n". + "/sbin/ifconfig eth0 down\n". + "/sbin/ifconfig eth0 192.168.122.183 netmask 255.255.255.0 up\n". + "/sbin/ifconfig eth0\n". + "/bin/sleep 1\n". + "/bin/ping -c 1 192.168.122.1\n". + "/sbin/ifconfig eth0 down\n". + "/sbin/ifconfig eth0 ${guestip1} netmask 255.255.255.0 up\n". + "/sbin/ifconfig eth0 \n". + "/bin/sleep 1\n". + "' > /test.sh"; +diag $cmdfile; +my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +diag $stdout; +diag $stderr; +diag $exit; +($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +diag "running ip spoof"; +($stdout, $stderr, $exit) = $ssh->cmd("/test.sh"); +diag $stdout; +diag $stderr; +diag $exit; +diag "checking result"; +ok($stdout =~ "100% packet loss", "packet loss expected"); + +exit 0; Index: libvirt-tck/scripts/network/999-shutdown-image.t =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/999-shutdown-image.t @@ -0,0 +1,59 @@ +# -*- perl -*- +# +# Copyright (C) 2010 IBM Corp. +# +# This program is free software; You can redistribute it and/or modify +# it under the GNU General Public License as published by the Free +# Software Foundation; either version 2, or (at your option) any +# later version +# +# The file "LICENSE" distributed along with this file provides full +# details of the terms and conditions +# + +=pod + +=head1 NAME + +network/240-no-arp-spoofing.t - verify ARP spoofing is prevented + +=head1 DESCRIPTION + +The test case validates that ARP spoofing is prevented + +=cut + +use strict; +use warnings; + +use Test::More tests => 2; + +use Sys::Virt::TCK; +use Test::Exception; +use Net::SSH::Perl; + + +my $tck = Sys::Virt::TCK->new(); +my $conn = eval { $tck->setup(); }; +BAIL_OUT "failed to setup test harness: $@" if $@; +END { + $tck->cleanup if $tck; +} + +# find domain +my $domain_name = "f12nwtest"; +diag "Trying domain lookup by name"; +my $dom; +ok_domain { $dom = $conn->get_domain_by_name($domain_name) } "the running domain object"; +ok($dom->get_id() > 0, "running domain has an ID > 0"); + +# cleanup guest +diag "cleaning up"; +$dom->shutdown(); + while($dom->is_active()) { + sleep(1); + diag ".. waiting for virtual machine ${domain_name} to shutdown.. "; + } +#$dom->undefine(); + +exit 0; Index: libvirt-tck/scripts/network/common_functions.pl =================================================================== --- /dev/null +++ libvirt-tck/scripts/network/common_functions.pl @@ -0,0 +1,35 @@ +use utf8; +#no utf8; + +sub get_macaddress { + my $xmldesc = shift; + + my $mac; + my $parser = XML::LibXML->new(); + + my $doc = $parser->parse_string($xmldesc); + + my $rootel = $doc -> getDocumentElement(); + + my @devices = $rootel->getChildrenByTagName("devices"); + foreach my $device(@devices) { + my @interfaces = $device->getChildrenByTagName("interface"); + foreach my $interface(@interfaces) { + my @targets = $interface->getChildrenByTagName("mac"); + foreach my $target(@targets) { + $mac = $target->getAttribute("address"); + } + } + } + utf8::decode($mac); + return $mac; +} + +sub get_ip_from_leases{ + my $mac = shift; + my $tmp = `grep $mac /var/lib/dnsmasq/dnsmasq.leases`; + my @fields = split(/ /, $tmp); + my $ip = $fields[2]; + return $ip; +} +1; -- Best regards, Gerhard Stenzel, ----------------------------------------------------------------------------------------------------------------------------------- IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martin Jetter Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294