test:improve coverage of antispoof

Signed-off-by: hanen mizouni <hanen.mizouni@outscale.com>
outscale · Jan 7, 2020 · a99f224 · a99f224
1 parent a1125d0
commit a99f224
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 7 deletions.
diff --git a/src/brick-int.h b/src/brick-int.h
@@ -208,8 +208,8 @@ int pg_brick_reset(struct pg_brick *brick, struct pg_error **errp);
 
 /* testing */
 uint32_t pg_brick_links_count_get(const struct pg_brick *brick,
-				  const struct pg_brick *target,
-				  struct pg_error **errp);
+				const struct pg_brick *target,
+				struct pg_error **errp);
 int64_t pg_brick_refcount(const struct pg_brick *brick);
 
 /* generic functions used to factorize code */

diff --git a/tests/antispoof/test-ndp.c b/tests/antispoof/test-ndp.c
@@ -147,3 +147,17 @@ static const unsigned char pkt2[86] = {
 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x01, /* ........ */
 0x52, 0x54, 0x00, 0x12, 0x34, 0x06              /* RT..4. */
 };
+
+/* pkt3 with Next header : UDP (17)
+ *
+ * */
+static unsigned char pkt3[86];
+memcpy(pkt3, pkt2, 86);
+pkt3[21] = 0x11;
+
+/* Internet Control Message Protocol v6
+ * Type: Neighbor Advertisement (137)
+ * */
+static unsigned char pkt4[86];
+memcpy(pkt4, pkt2, 86);
+pkt4[47] = 0x89;
diff --git a/tests/antispoof/tests.c b/tests/antispoof/tests.c
@@ -253,10 +253,61 @@ static void test_antispoof_generic(const unsigned char **pkts,
 	pg_error_free(error);
 	error = NULL;
 
+	/* re-add other IP and original IP, should pass */  
+	g_assert(!pg_antispoof_arp_del(antispoof, 42, &error));  
+	g_assert(!pg_antispoof_arp_del(antispoof, 51, &error));
+	g_assert(!pg_antispoof_arp_add(antispoof, 42, &error)); 
+	g_assert(!pg_antispoof_arp_add(antispoof, 51, &error)); 
+	g_assert(!pg_antispoof_arp_add(antispoof, inside_ip, &error));
+	g_assert(!error); 
+	REPLAY(1);
+
+	/* remove IP, should not pass */ 
+	pg_antispoof_arp_del_all(antispoof); 
+	REPLAY(0);
+
+	/* add ARP_MAX */
+	for (int i = 0; i <= 150; i++) {
+		if (i < PG_ARP_MAX) {
+			g_assert(!pg_antispoof_arp_add(antispoof, i, &error));
+			g_assert(!error);
+		} else {
+			g_assert(pg_antispoof_arp_add(antispoof, i, &error));
+			g_assert(error);
+			pg_error_free(error);
+			error = NULL;
+		}
+	}
+
+	/* remove IP, should not pass */
+	pg_antispoof_arp_del_all(antispoof);
+	REPLAY(0);
+
 	/* disable arp antispoof, should pass */
 	pg_antispoof_arp_disable(antispoof);
 	REPLAY(1);
 
+	/* add ARP_MAX */
+       for (int i = 0; i <= 150; i++) {
+	       if (i < PG_ARP_MAX) {
+		       g_assert(!pg_antispoof_arp_add(antispoof, i, &error));
+		       g_assert(!error);
+	       } else {
+		       g_assert(pg_antispoof_arp_add(antispoof, i, &error));
+		       g_assert(error);
+		       pg_error_free(error);
+		       error = NULL;
+	       }
+       }
+
+       /* remove IP, should pass */
+        pg_antispoof_arp_del_all(antispoof);
+        REPLAY(1);
+
+        /* disable arp antispoof, should pass */
+        pg_antispoof_arp_disable(antispoof);
+        REPLAY(1);
+
 	/* enable arp antispoof again, should re-block */
 	pg_antispoof_arp_enable(antispoof);
 	REPLAY(0);
@@ -265,8 +316,7 @@ static void test_antispoof_generic(const unsigned char **pkts,
 	pg_brick_unlink(antispoof, &error);
 	g_assert(!error);
 	pg_brick_destroy(antispoof);
-	antispoof = pg_antispoof_new("antispoof", PG_WEST_SIDE,
-				     &inside_mac, &error);
+	antispoof = pg_antispoof_new("antispoof", PG_WEST_SIDE, &inside_mac, &error);
 	pg_antispoof_arp_enable(antispoof);
 	g_assert(!pg_antispoof_arp_add(antispoof, inside_ip, &error));
 	g_assert(!error);
@@ -437,8 +487,8 @@ static void test_antispoof_empty_burst(void)
 	g_free(pkts);
 }
 
-static int test_antispoof_filter(struct pg_brick *antispoof,
-				 struct rte_mbuf *packet)
+static int test_antispoof_filter(struct pg_brick *antispoof, 
+		                 struct rte_mbuf *packet)
 {
 	struct pg_brick *gen_west;
 	struct pg_brick *col_east;
@@ -521,6 +571,33 @@ static void test_antispoof_ndp(void)
 	pg_antispoof_ndp_enable(antispoof);
 	pg_antispoof_ndp_del_all(antispoof);
 
+	/* add NDP_MAX adresses  */
+	for (int i = 0; i < 150; i++) {
+		pg_autofree char *c = NULL;
+		c = g_strdup_printf("2001:db8:2000:aff0::%d",i);
+		pg_ip_from_str(ip, c);
+		if (i < PG_NPD_MAX) {
+		        pg_antispoof_ndp_add(antispoof, ip, &error);
+			g_assert(!error);
+		} else {
+			pg_antispoof_ndp_add(antispoof, ip, &error);
+                	g_assert(error);
+			pg_error_free(error);
+			error = NULL;
+		}
+	}
+
+	/* remove all adresses */
+        pg_antispoof_ndp_del_all(antispoof);
+
+	/* add several bad addresses */
+	pg_ip_from_str(ip, "2001:db8:2000:aff0::42");
+	pg_antispoof_ndp_add(antispoof, ip, &error);
+	g_assert(!error);
+
+	/* remove all addresses */
+	pg_antispoof_ndp_del(antispoof,ip,&error);
+
 	/* legit packet */
 	packet = build_packet(pkt0, 86);
 	g_assert(test_antispoof_filter(antispoof, packet) == 0);
@@ -538,10 +615,24 @@ static void test_antispoof_ndp(void)
 	pg_ip_from_str(ip, "2001:db8:2000:aff0::42");
 	pg_antispoof_ndp_add(antispoof, ip, &error);
 	g_assert(!error);
-	pg_ip_from_str(ip, "2001:db8:2000:aff0::43");
+	pg_ip_from_str(ip, "0");
 	pg_antispoof_ndp_add(antispoof, ip, &error);
 	g_assert(!error);
 
+	/* remove adresse */
+	g_assert(pg_antispoof_ndp_del(antispoof,ip,&error) == 0);
+        g_assert(!error);
+
+	/* legit packet with next header :UDP */
+	packet = build_packet(pkt3, 86);
+	g_assert(test_antispoof_filter(antispoof, packet) == 0);
+	pg_packets_free(&packet, pg_mask_firsts(1));
+
+	/*  legit packet with type Redirect Message */
+	packet = build_packet(pkt4, 86); 
+	g_assert(test_antispoof_filter(antispoof, packet) == 0);
+	pg_packets_free(&packet, pg_mask_firsts(1));
+
 	/* legit packet */
 	packet = build_packet(pkt0, 86);
 	g_assert(test_antispoof_filter(antispoof, packet) == 0);