parent
2c6c476410
commit
4585f2b503
@ -58,7 +58,7 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):
|
|||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(VmNetworkingMixin, self).setUp()
|
super(VmNetworkingMixin, self).setUp()
|
||||||
if self.template.startswith('whonix-'):
|
if self.template.startswith('whonix-gw'):
|
||||||
self.skipTest("Test not supported here - Whonix uses its own "
|
self.skipTest("Test not supported here - Whonix uses its own "
|
||||||
"firewall settings")
|
"firewall settings")
|
||||||
self.init_default_template(self.template)
|
self.init_default_template(self.template)
|
||||||
@ -339,6 +339,100 @@ class VmNetworkingMixin(qubes.tests.SystemTestsMixin):
|
|||||||
|
|
||||||
self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0)
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0)
|
||||||
|
|
||||||
|
def test_200_fake_ip_simple(self):
|
||||||
|
'''Test hiding VM real IP'''
|
||||||
|
self.testvm1.features['net/fake-ip'] = '192.168.1.128'
|
||||||
|
self.testvm1.features['net/fake-gateway'] = '192.168.1.1'
|
||||||
|
self.testvm1.features['net/fake-netmask'] = '255.255.255.0'
|
||||||
|
self.testvm1.start()
|
||||||
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0)
|
||||||
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_name), 0)
|
||||||
|
p = self.testvm1.run('ip addr show dev eth0', user='root',
|
||||||
|
passio_popen=True,
|
||||||
|
ignore_stderr=True)
|
||||||
|
p.stdin.close()
|
||||||
|
output = p.stdout.read()
|
||||||
|
self.assertEqual(p.wait(), 0, 'ip addr show dev eth0 failed')
|
||||||
|
self.assertIn('192.168.1.128', output)
|
||||||
|
self.assertNotIn(self.testvm1.ip, output)
|
||||||
|
|
||||||
|
p = self.testvm1.run('ip route show', user='root',
|
||||||
|
passio_popen=True,
|
||||||
|
ignore_stderr=True)
|
||||||
|
p.stdin.close()
|
||||||
|
output = p.stdout.read()
|
||||||
|
self.assertEqual(p.wait(), 0, 'ip route show failed')
|
||||||
|
self.assertIn('192.168.1.1', output)
|
||||||
|
self.assertNotIn(self.testvm1.netvm.ip, output)
|
||||||
|
|
||||||
|
def test_201_fake_ip_without_gw(self):
|
||||||
|
'''Test hiding VM real IP'''
|
||||||
|
self.testvm1.features['net/fake-ip'] = '192.168.1.128'
|
||||||
|
self.testvm1.start()
|
||||||
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0)
|
||||||
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_name), 0)
|
||||||
|
p = self.testvm1.run('ip addr show dev eth0', user='root',
|
||||||
|
passio_popen=True,
|
||||||
|
ignore_stderr=True)
|
||||||
|
p.stdin.close()
|
||||||
|
output = p.stdout.read()
|
||||||
|
self.assertEqual(p.wait(), 0, 'ip addr show dev eth0 failed')
|
||||||
|
self.assertIn('192.168.1.128', output)
|
||||||
|
self.assertNotIn(self.testvm1.ip, output)
|
||||||
|
|
||||||
|
def test_202_fake_ip_firewall(self):
|
||||||
|
'''Test hiding VM real IP, firewall'''
|
||||||
|
self.testvm1.features['net/fake-ip'] = '192.168.1.128'
|
||||||
|
self.testvm1.features['net/fake-gateway'] = '192.168.1.1'
|
||||||
|
self.testvm1.features['net/fake-netmask'] = '255.255.255.0'
|
||||||
|
|
||||||
|
self.proxy = self.app.add_new_vm(qubes.vm.appvm.AppVM,
|
||||||
|
name=self.make_vm_name('proxy'),
|
||||||
|
label='red')
|
||||||
|
self.proxy.provides_network = True
|
||||||
|
self.proxy.create_on_disk()
|
||||||
|
self.proxy.netvm = self.testnetvm
|
||||||
|
self.testvm1.netvm = self.proxy
|
||||||
|
self.app.save()
|
||||||
|
|
||||||
|
if self.run_cmd(self.testnetvm, 'nc -h 2>&1|grep -q nmap.org') == 0:
|
||||||
|
nc_version = NcVersion.Nmap
|
||||||
|
else:
|
||||||
|
nc_version = NcVersion.Trad
|
||||||
|
|
||||||
|
# block all but ICMP and DNS
|
||||||
|
|
||||||
|
self.testvm1.firewall.policy = 'drop'
|
||||||
|
self.testvm1.firewall.rules = [
|
||||||
|
qubes.firewall.Rule(None, action='accept', proto='icmp'),
|
||||||
|
qubes.firewall.Rule(None, action='accept', specialtarget='dns'),
|
||||||
|
]
|
||||||
|
self.testvm1.firewall.save()
|
||||||
|
self.testvm1.start()
|
||||||
|
self.assertTrue(self.proxy.is_running())
|
||||||
|
|
||||||
|
if nc_version == NcVersion.Nmap:
|
||||||
|
self.testnetvm.run("nc -l --send-only -e /bin/hostname -k 1234")
|
||||||
|
else:
|
||||||
|
self.testnetvm.run("while nc -l -e /bin/hostname -p 1234; do "
|
||||||
|
"true; done")
|
||||||
|
|
||||||
|
self.assertEqual(self.run_cmd(self.proxy, self.ping_ip), 0,
|
||||||
|
"Ping by IP from ProxyVM failed")
|
||||||
|
self.assertEqual(self.run_cmd(self.proxy, self.ping_name), 0,
|
||||||
|
"Ping by name from ProxyVM failed")
|
||||||
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0,
|
||||||
|
"Ping by IP should be allowed")
|
||||||
|
self.assertEqual(self.run_cmd(self.testvm1, self.ping_name), 0,
|
||||||
|
"Ping by name should be allowed")
|
||||||
|
if nc_version == NcVersion.Nmap:
|
||||||
|
nc_cmd = "nc -w 1 --recv-only {} 1234".format(self.test_ip)
|
||||||
|
else:
|
||||||
|
nc_cmd = "nc -w 1 {} 1234".format(self.test_ip)
|
||||||
|
self.assertNotEqual(self.run_cmd(self.testvm1, nc_cmd), 0,
|
||||||
|
"TCP connection should be blocked")
|
||||||
|
|
||||||
|
|
||||||
# noinspection PyAttributeOutsideInit
|
# noinspection PyAttributeOutsideInit
|
||||||
class VmUpdatesMixin(qubes.tests.SystemTestsMixin):
|
class VmUpdatesMixin(qubes.tests.SystemTestsMixin):
|
||||||
"""
|
"""
|
||||||
|
Loading…
Reference in New Issue
Block a user