tests: improve spoof_ip test

Not only check if full round trip ping (does not) work, but also if just echo-request get filtered.
2017-12-03 03:15:14 +01:00 · 2017-12-03 03:15:14 +01:00 · 4d6bfbab4d
commit 4d6bfbab4d
parent 379add52ba
1 changed files with 13 additions and 0 deletions
--- a/qubes/tests/integ/network.py
+++ b/qubes/tests/integ/network.py
@ -325,6 +325,9 @@ class VmNetworkingMixin(object):
        self.loop.run_until_complete(self.testvm1.start())

        self.assertEqual(self.run_cmd(self.testvm1, self.ping_ip), 0)
+        self.assertEqual(self.run_cmd(self.testnetvm,
+            'iptables -I INPUT -i vif+ ! -s {} -p icmp -j LOG'.format(
+                self.testvm1.ip)), 0)
        self.loop.run_until_complete(self.testvm1.run_for_stdio(
            'ip addr flush dev eth0 && '
            'ip addr add 10.137.1.128/24 dev eth0 && '
@ -332,6 +335,16 @@ class VmNetworkingMixin(object):
            user='root'))
        self.assertNotEqual(self.run_cmd(self.testvm1, self.ping_ip), 0,
                         "Spoofed ping should be blocked")
+        try:
+            (output, _) = self.loop.run_until_complete(
+                self.testnetvm.run_for_stdio('iptables -nxvL INPUT',
+                    user='root'))
+        except subprocess.CalledProcessError:
+            self.fail('iptables -nxvL INPUT failed')
+
+        output = output.decode().splitlines()
+        packets = output[2].lstrip().split()[0]
+        self.assertEquals(packets, '0', 'Some packet hit the INPUT rule')

    def test_100_late_xldevd_startup(self):
        """Regression test for #1990"""