Add test scripts for spoofing tests
Signed-off-by: Gerhard Stenzel <gstenzel(a)linux.vnet.ibm.com>
Index: libvirt-tck/scripts/network/README
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/README
@@ -0,0 +1,12 @@
+
+Test cases:
+
+000-install-image.t creates and install a 2GB fedora virtual disk via kickstart file
from the network
+100-ping-still-working.t verifies the VM is pingable
+210-no-mac-spoofing.t verifies mac spoofing is prevented
+220-no-ip-spoofing.t verifies ip spoofing is prevented
+230-no-mac-broadcast.t verifies mac broadcasting is prevented
+240-no-arp-spoofing.t verifies arp spoofing is prevented
+
+
+
Index: libvirt-tck/scripts/network/000-install-image.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/000-install-image.t
@@ -0,0 +1,55 @@
+# -*- perl -*-
+#
+# Copyright (C) 2010 IBM Corp.
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+network/000-install-image.t - install network test image
+
+=head1 DESCRIPTION
+
+The test case creates and install a 2GB fedora virtual
+disk via kickstart file from the network.
+
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Sys::Virt::TCK;
+use Sys::Virt::TCK::NetworkHelpers;
+
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END { $tck->cleanup if $tck; }
+
+use File::Spec::Functions qw(catfile catdir rootdir);
+
+# variables which may need to be adapted
+my $disk_name ="f12nwtest";
+
+my $testdom = prepare_test_disk_and_vm($tck, $conn, "${disk_name}");
+$testdom->create();
+ok($testdom->get_id() > 0, "running domain has an ID > 0");
+sleep(20);
+
+shutdown_vm_gracefully($testdom);
+
+exit 0;
+
+
Index: libvirt-tck/scripts/network/100-ping-still-working.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/100-ping-still-working.t
@@ -0,0 +1,83 @@
+# -*- perl -*-
+#
+# Copyright (C) 2010 IBM Corp.
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+network/100-ping-still-working.t - verify machines can be pinged from host
+
+=head1 DESCRIPTION
+
+The test case validates that it is possible to ping a guest machine from
+the host.
+
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use Sys::Virt::TCK;
+use Sys::Virt::TCK::NetworkHelpers;
+use Test::Exception;
+use Net::SSH::Perl;
+
+use File::Spec::Functions qw(catfile catdir rootdir);
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END {
+ $tck->cleanup if $tck;
+}
+
+# create first domain and start it
+diag "Trying domain lookup by name";
+my $dom1;
+my $disk_name ="f12nwtest";
+
+$dom1 = prepare_test_disk_and_vm($tck, $conn, "${disk_name}");
+$dom1->create();
+
+my $xml = $dom1->get_xml_description;
+diag $xml;
+ok($dom1->get_id() > 0, "running domain has an ID > 0");
+#my $mac1 = get_macaddress($xml);
+#diag $mac1;
+#my $result = xpath($dom1, "/domain/devices/interface/mac/\@address");
+#my @macaddrs = map { $_->getNodeValue} $result->get_nodelist;
+# we want the first mac
+#my $mac1 = $macaddrs[0];
+my $mac1 = get_first_macaddress($dom1);
+diag "mac is $mac1";
+
+sleep(30);
+my $guestip1 = get_ip_from_leases($mac1);
+diag "ip is $guestip1";
+
+# check ebtables entry
+my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`;
+diag $ebtable1;
+# fixme to include mac adress
+ok($ebtable1 =~ "vnet0", "check ebtables entry");
+
+# ping guest1
+my $ping1 = `ping -c 10 $guestip1`;
+diag $ping1;
+ok($ping1 =~ "10 received", "ping $guestip1 test");
+
+shutdown_vm_gracefully($dom1);
+
+exit 0;
Index: libvirt-tck/scripts/network/210-no-mac-spoofing.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/210-no-mac-spoofing.t
@@ -0,0 +1,119 @@
+# -*- perl -*-
+#
+# Copyright (C) 2010 IBM Corp.
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+network/210-no-mac-spoofing.t - verify MAC spoofing is prevented
+
+=head1 DESCRIPTION
+
+The test case validates that MAC spoofing is prevented
+
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 4;
+
+use Sys::Virt::TCK;
+use Sys::Virt::TCK::NetworkHelpers;
+use Test::Exception;
+use Net::SSH::Perl;
+use XML::LibXML;
+
+use File::Spec::Functions qw(catfile catdir rootdir);
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END {
+ $tck->cleanup if $tck;
+}
+
+# create first domain and start it
+
+my $disk_name ="f12nwtest";
+
+my $dom1;
+$dom1 = prepare_test_disk_and_vm($tck, $conn, "${disk_name}");
+$dom1->create();
+ok($dom1->get_id() > 0, "running domain has an ID > 0");
+my $xml = $dom1->get_xml_description;
+diag $xml;
+
+
+# ping guest1 first nic
+my $mac1 = get_first_macaddress($dom1);
+diag "mac is $mac1";
+
+sleep(30);
+my $guestip1 = get_ip_from_leases($mac1);
+diag "ip is $guestip1";
+
+# check ebtables entry
+my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`;
+diag $ebtable1;
+# ebtables shortens :00: to :0: so we need to do that too
+$_ = $mac1;
+s/00/0/g;
+ok($ebtable1 =~ $_, "check ebtables entry");
+
+my $gateway = "192.168.122.1";
+my $macfalse = "52:54:00:f9:21:22";
+my $ping1 = `ping -c 10 $guestip1`;
+diag $ping1;
+ok($ping1 =~ "10 received", "ping $guestip1 test");
+
+# log into guest
+my $ssh = Net::SSH::Perl->new($guestip1);
+$ssh->login("root", "foobar");
+
+# now bring eth0 down, change MAC and bring it up again
+diag "fiddling with mac";
+my $cmdfile = "echo '" .
+ "/sbin/ifconfig eth0\n".
+ "/sbin/ifconfig eth0 down\n".
+ "/sbin/ifconfig eth0 hw ether ${macfalse}\n".
+ "/sbin/ifconfig eth0 up\n".
+ "/sbin/ifconfig eth0\n".
+ "ping -c 10 ${gateway}\n".
+ "/sbin/ifconfig eth0 down\n".
+ "/sbin/ifconfig eth0 hw ether ${mac1}\n".
+ "/sbin/ifconfig eth0 up\n".
+ "/sbin/ifconfig eth0\n".
+ "' > /test.sh";
+diag $cmdfile;
+my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile);
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh");
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log");
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log");
+diag $stdout;
+diag $stderr;
+diag $exit;
+ok($stdout =~ "100% packet loss", "packet loss expected");
+
+shutdown_vm_gracefully($dom1);
+
+exit 0;
Index: libvirt-tck/scripts/network/230-no-mac-broadcast.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/230-no-mac-broadcast.t
@@ -0,0 +1,107 @@
+# -*- perl -*-
+#
+# Copyright (C) 2010 IBM Corp.
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+network/230-no-mac-broadcast.t - verify MAC broadcasts are prevented
+
+=head1 DESCRIPTION
+
+The test case validates that MAC broadcasts are prevented
+
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use Sys::Virt::TCK;
+use Sys::Virt::TCK::NetworkHelpers;
+use Test::Exception;
+use Net::SSH::Perl;
+use File::Spec::Functions qw(catfile catdir rootdir);
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END {
+ $tck->cleanup if $tck;
+}
+
+# create first domain and start it
+my $dom1;
+my $disk_name ="f12nwtest";
+
+$dom1 = prepare_test_disk_and_vm($tck, $conn, "${disk_name}");
+$dom1->create();
+
+ok($dom1->get_id() > 0, "running domain has an ID > 0");
+my $xml = $dom1->get_xml_description;
+diag $xml;
+my $mac1 = get_first_macaddress($dom1);
+diag "mac is $mac1";
+
+sleep(30);
+my $guestip1 = get_ip_from_leases($mac1);
+diag "ip is $guestip1";
+
+# check ebtables entry
+my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`;
+diag $ebtable1;
+# fixme to include mac adress
+ok($ebtable1 =~ "vnet0", "check ebtables entry");
+
+# prepare tcpdump
+diag "prepare tcpdump";
+system("/usr/sbin/tcpdump -v -i virbr0 -n host 255.255.255.255 2>
/tmp/tcpdump.log &");
+
+# log into guest
+my $ssh = Net::SSH::Perl->new($guestip1);
+$ssh->login("root", "foobar");
+
+# now generate a mac broadcast paket
+diag "generate mac broadcast";
+my $cmdfile = "echo '" .
+ "/bin/ping -c 1 192.168.122.255 -b\n".
+ "' > /test.sh";
+diag $cmdfile;
+my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile);
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh");
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log");
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log");
+diag $stdout;
+diag $stderr;
+diag $exit;
+
+# now stop tcpdump and verify result
+diag "stopping tcpdump";
+system("kill -15 `/sbin/pidof tcpdump`");
+my $tcpdumplog = `cat /tmp/tcpdump.log`;
+diag($tcpdumplog);
+ok($tcpdumplog =~ "0 packets captured", "tcpdump expected to capture no
packets");
+
+shutdown_vm_gracefully($dom1);
+
+exit 0;
Index: libvirt-tck/scripts/network/240-no-arp-spoofing.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/240-no-arp-spoofing.t
@@ -0,0 +1,116 @@
+# -*- perl -*-
+#
+# Copyright (C) 2010 IBM Corp.
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+network/240-no-arp-spoofing.t - verify ARP spoofing is prevented
+
+=head1 DESCRIPTION
+
+The test case validates that ARP spoofing is prevented
+
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use Sys::Virt::TCK;
+use Sys::Virt::TCK::NetworkHelpers;
+use Test::Exception;
+use Net::SSH::Perl;
+use File::Spec::Functions qw(catfile catdir rootdir);
+
+my $spoofid = "192.168.122.183";
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END {
+ $tck->cleanup if $tck;
+}
+
+# creating domain
+my $dom1;
+my $disk_name ="f12nwtest";
+
+$dom1 = prepare_test_disk_and_vm($tck, $conn, "${disk_name}");
+$dom1->create();
+
+ok($dom1->get_id() > 0, "running domain has an ID > 0");
+my $xml = $dom1->get_xml_description;
+diag $xml;
+my $mac1 = get_first_macaddress($dom1);
+diag "mac is $mac1";
+
+sleep(30);
+my $guestip1 = get_ip_from_leases($mac1);
+diag "ip is $guestip1";
+
+# check ebtables entry
+my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`;
+diag $ebtable1;
+# check if mac address is listed
+ok($ebtable1 =~ "$guestip1", "check ebtables entry");
+
+# prepare tcpdump
+diag "prepare tcpdump";
+system("/usr/sbin/tcpdump -v -i virbr0 not ip > /tmp/tcpdump.log &");
+
+# log into guest
+my $ssh = Net::SSH::Perl->new($guestip1);
+$ssh->login("root", "foobar");
+
+# now generate a arp spoofing packets
+diag "generate arpspoof";
+my $cmdfile = "echo '" .
+ "/usr/bin/yum -y install dsniff\n".
+ "/usr/sbin/arpspoof ${spoofid} &\n".
+ "/bin/sleep 10\n".
+ "kill -15 `/sbin/pidof arpspoof`\n".
+ "' > /test.sh";
+diag "content of cmdfile:";
+diag $cmdfile;
+diag "creating cmdfile";
+my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile);
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh");
+diag $stdout;
+diag $stderr;
+diag $exit;
+diag "excuting cmdfile";
+($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log");
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("echo test.log\ncat /test.log");
+diag $stdout;
+diag $stderr;
+diag $exit;
+
+# now stop tcpdump and verify result
+diag "stopping tcpdump";
+system("kill -15 `/sbin/pidof tcpdump`");
+diag "tcpdump.log:";
+my $tcpdumplog = `cat /tmp/tcpdump.log`;
+diag($tcpdumplog);
+ok($tcpdumplog !~ "${spoofid} is-at", "tcpdump expected to capture no arp
reply packets");
+
+shutdown_vm_gracefully($dom1);
+
+exit 0;
Index: libvirt-tck/scripts/network/220-no-ip-spoofing.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/network/220-no-ip-spoofing.t
@@ -0,0 +1,106 @@
+# -*- perl -*-
+#
+# Copyright (C) 2010 IBM Corp.
+#
+# This program is free software; You can redistribute it and/or modify
+# it under the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version
+#
+# The file "LICENSE" distributed along with this file provides full
+# details of the terms and conditions
+#
+
+=pod
+
+=head1 NAME
+
+network/220-no-ip-spoofing.t - verify IP spoofing is prevented
+
+=head1 DESCRIPTION
+
+The test case validates that IP spoofing is prevented
+
+=cut
+
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use Sys::Virt::TCK;
+use Sys::Virt::TCK::NetworkHelpers;
+use Test::Exception;
+use Net::SSH::Perl;
+
+use File::Spec::Functions qw(catfile catdir rootdir);
+
+my $tck = Sys::Virt::TCK->new();
+my $conn = eval { $tck->setup(); };
+BAIL_OUT "failed to setup test harness: $@" if $@;
+END {
+ $tck->cleanup if $tck;
+}
+
+# looking up domain
+my $dom1;
+my $disk_name ="f12nwtest";
+
+$dom1 = prepare_test_disk_and_vm($tck, $conn, "${disk_name}");
+$dom1->create();
+
+ok($dom1->get_id() > 0, "running domain has an ID > 0");
+my $xml = $dom1->get_xml_description;
+diag $xml;
+my $mac1 = get_first_macaddress($dom1);
+diag "mac is $mac1";
+
+sleep(30);
+my $guestip1 = get_ip_from_leases($mac1);
+diag "ip is $guestip1";
+
+# check ebtables entry
+my $ebtable1 = `/sbin/ebtables -L;/sbin/ebtables -t nat -L`;
+diag $ebtable1;
+# check if IP address is listed
+ok($ebtable1 =~ "$guestip1", "check ebtables entry");
+
+# log into guest
+my $ssh = Net::SSH::Perl->new($guestip1);
+$ssh->login("root", "foobar");
+
+# now bring eth0 down, change IP and bring it up again
+diag "preparing ip spoof";
+my $cmdfile = "echo '" .
+ "/bin/sleep 1\n".
+ "/sbin/ifconfig eth0\n".
+ "/sbin/ifconfig eth0 down\n".
+ "/sbin/ifconfig eth0 192.168.122.183 netmask 255.255.255.0 up\n".
+ "/sbin/ifconfig eth0\n".
+ "/bin/sleep 1\n".
+ "/bin/ping -c 1 192.168.122.1\n".
+ "/sbin/ifconfig eth0 down\n".
+ "/sbin/ifconfig eth0 ${guestip1} netmask 255.255.255.0 up\n".
+ "/sbin/ifconfig eth0 \n".
+ "/bin/sleep 1\n".
+ "' > /test.sh";
+diag $cmdfile;
+my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile);
+diag $stdout;
+diag $stderr;
+diag $exit;
+($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh");
+diag $stdout;
+diag $stderr;
+diag $exit;
+diag "running ip spoof";
+($stdout, $stderr, $exit) = $ssh->cmd("/test.sh");
+diag $stdout;
+diag $stderr;
+diag $exit;
+diag "checking result";
+ok($stdout =~ "100% packet loss", "packet loss expected");
+
+shutdown_vm_gracefully($dom1);
+
+exit 0;