Antispoof #542

Open
wants to merge 2 commits into
base: master
3 changes: 3 additions & 0 deletions include/packetgraph/antispoof.h
Expand Up @@ -21,6 +21,9 @@
#include <packetgraph/common.h>
#include <packetgraph/errors.h>

#define PG_ARP_MAX 100
#define PG_NPD_MAX 100

struct ether_addr;

/**
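Review bot: `PG_NPD_MAX` on the new `#define` line carries the NDP/NPD letter transposition into the public header, where a later rename becomes an API break; the array it sizes is `struct ndp ndps[...]` next to `ndp_enabled` in src/antispoof.c, so `PG_NDP_MAX` would match the rest of the code (the same name appears on the three rewritten lines of src/antispoof.c). The two exported constants also have no comment, although the header uses `/** ... */` blocks for its declarations; a one-liner above each, e.g. `/** Maximum number of IPv4 addresses pg_antispoof_arp_add() accepts per brick. */`, would tell API users what limit the "Maximal IP reached" error refers to.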
14 changes: 5 additions & 9 deletions src/antispoof.c
Expand Up @@ -25,9 +25,7 @@
#include "utils/mac.h"
#include "utils/ip.h"
#include "utils/network.h"

#define ARP_MAX 100
#define NPD_MAX 100
#include <packetgraph/antispoof.h>

struct pg_antispoof_arp {
/* Format of hardware address. */
Expand Down Expand Up @@ -88,11 +86,11 @@ struct pg_antispoof_state {
struct ether_addr mac;
bool arp_enabled;
uint16_t arps_size;
struct arp arps[ARP_MAX];
struct arp arps[PG_ARP_MAX];
/* icmpv6 / neighbor discovery */
bool ndp_enabled;
uint16_t ndps_size;
struct ndp ndps[NPD_MAX];
struct ndp ndps[PG_NPD_MAX];
};

struct pg_antispoof_config {
Expand Down Expand Up @@ -120,7 +118,7 @@ int pg_antispoof_arp_add(struct pg_brick *brick, uint32_t ip,
uint16_t n = state->arps_size;
struct arp *arp = &state->arps[n];

if (unlikely(n == ARP_MAX)) {
if (unlikely(n == PG_ARP_MAX)) {
*errp = pg_error_new("Maximal IP reached");
return -1;
}
Expand Down Expand Up @@ -229,7 +227,7 @@ int pg_antispoof_ndp_add(struct pg_brick *brick, uint8_t *ip,
uint16_t n = state->ndps_size;
struct ndp *ndp = &state->ndps[n];

if (unlikely(n == NPD_MAX)) {
if (unlikely(n == PG_NPD_MAX)) {
*errp = pg_error_new("Maximal IPV6 reached");
return -1;
}
Expand Down Expand Up @@ -412,5 +410,3 @@ static struct pg_brick_ops antispoof_ops = {

pg_brick_register(antispoof, &antispoof_ops);

#undef NPD_MAX
#undef ARP_MAX
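Review bot: The rewritten guard `if (unlikely(n == PG_ARP_MAX))` in pg_antispoof_arp_add only rejects the exact boundary; `n` is a `uint16_t` copied from `state->arps_size`, so `if (unlikely(n >= PG_ARP_MAX)) {` costs nothing and also stops the write through `arp` if the counter is ever left above the bound. Note that `arp = &state->arps[n]` is computed before the check, which is fine at the boundary (one past the end) but not beyond it, so the stricter comparison is what keeps that line well-defined. The same applies to `n == PG_NPD_MAX` in pg_antispoof_ndp_add. Both functions start and end outside their hunks.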
94 changes: 26 additions & 68 deletions tests/antispoof/tests.c
Expand Up @@ -50,6 +50,23 @@ static struct rte_mbuf *build_packet(const unsigned char *data, size_t len)
return pkt;
}

#define REPLAY(pass) \
for (i = 0; i < pkts_nb; i++) { \
g_assert(pg_brick_reset(col_east, &error) >= 0); \
g_assert(!error); \
packet = build_packet(pkts[i], pkts_size[i]); \
pg_brick_poll(gen_west, &packet_count, &error); \
g_assert(!error); \
g_assert(packet_count == 1); \
filtered_pkts = pg_brick_west_burst_get(col_east, \
&filtered_pkts_mask, \
&error); \
g_assert(!error); \
g_assert(pg_mask_count(filtered_pkts_mask) == (pass)); \
g_assert(!!filtered_pkts == pass); \
rte_pktmbuf_free(packet); \
}

static void test_antispoof_mac(void)
{
# include "test-arp-gratuitous.c"
Expand All @@ -64,6 +81,7 @@ static void test_antispoof_mac(void)
uint16_t packet_count;
uint16_t i;
struct rte_mbuf *packet;
struct rte_mbuf **filtered_pkts;
uint64_t filtered_pkts_mask;

/* only those packets should pass */
Expand All @@ -83,17 +101,8 @@ static void test_antispoof_mac(void)
pg_brick_link(antispoof, col_east, &error);
g_assert(!error);

/* replay traffic */
for (i = 0; i < pkts_nb; i++) {
packet = build_packet(pkts[i], pkts_size[i]);
pg_brick_poll(gen_west, &packet_count, &error);
g_assert(!error);
g_assert(packet_count == 1);
pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error);
g_assert(!error);
g_assert(pg_mask_count(filtered_pkts_mask) == 0);
rte_pktmbuf_free(packet);
}
REPLAY(0);

pg_brick_destroy(gen_west);
pg_brick_destroy(antispoof);
pg_brick_destroy(col_east);
Expand All @@ -113,6 +122,7 @@ static void test_antispoof_rarp(void)
uint16_t packet_count;
uint16_t i;
struct rte_mbuf *packet;
struct rte_mbuf **filtered_pkts;
uint64_t filtered_pkts_mask;

pg_scan_ether_addr(&inside_mac, "00:23:df:ff:c9:23");
Expand All @@ -132,17 +142,8 @@ static void test_antispoof_rarp(void)
pg_brick_link(antispoof, col_east, &error);
g_assert(!error);

/* replay traffic */
for (i = 0; i < pkts_nb; i++) {
packet = build_packet(pkts[i], pkts_size[i]);
pg_brick_poll(gen_west, &packet_count, &error);
g_assert(!error);
g_assert(packet_count == 1);
pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error);
g_assert(!error);
g_assert(pg_mask_count(filtered_pkts_mask) == 0);
rte_pktmbuf_free(packet);
}
REPLAY(0);

pg_brick_destroy(gen_west);
pg_brick_destroy(antispoof);
pg_brick_destroy(col_east);
Expand Down Expand Up @@ -179,23 +180,6 @@ static void test_antispoof_generic(const unsigned char **pkts,
pg_brick_link(antispoof, col_east, &error);
g_assert(!error);

#define REPLAY(pass) \
for (i = 0; i < pkts_nb; i++) { \
g_assert(pg_brick_reset(col_east, &error) >= 0); \
g_assert(!error); \
packet = build_packet(pkts[i], pkts_size[i]); \
pg_brick_poll(gen_west, &packet_count, &error); \
g_assert(!error); \
g_assert(packet_count == 1); \
filtered_pkts = pg_brick_west_burst_get(col_east, \
&filtered_pkts_mask, \
&error); \
g_assert(!error); \
g_assert(pg_mask_count(filtered_pkts_mask) == (pass)); \
g_assert(!!filtered_pkts == pass); \
rte_pktmbuf_free(packet); \
}

/* enable ARP antispoof with the correct IP */
pg_antispoof_arp_enable(antispoof);
g_assert(!pg_antispoof_arp_add(antispoof, inside_ip, &error));
Expand Down Expand Up @@ -275,7 +259,6 @@ static void test_antispoof_generic(const unsigned char **pkts,
pg_brick_link(antispoof, col_east, &error);
g_assert(!error);
REPLAY(1);
#undef REPLAY

pg_brick_destroy(gen_west);
pg_brick_destroy(antispoof);
Expand Down Expand Up @@ -322,38 +305,13 @@ static void test_pg_antispoof_arp_disable(void)
g_assert(!pg_antispoof_arp_add(antispoof, inside_ip, &error));
g_assert(!error);

/* replay traffic */
for (i = 0; i < pkts_nb; i++) {
packet = build_packet(pkts[i], pkts_size[i]);
pg_brick_poll(gen_west, &packet_count, &error);
g_assert(!error);
g_assert(packet_count == 1);
filtered_pkts = pg_brick_west_burst_get(col_east,
&filtered_pkts_mask,
&error);
g_assert(!error);
g_assert(pg_mask_count(filtered_pkts_mask) == 0);
pg_packets_free(filtered_pkts, filtered_pkts_mask);
rte_pktmbuf_free(packet);
}
REPLAY(0);

/* disable ARP antispoof, should now pass */
pg_antispoof_arp_disable(antispoof);

/* replay traffic */
for (i = 0; i < pkts_nb; i++) {
packet = build_packet(pkts[i], pkts_size[i]);
pg_brick_poll(gen_west, &packet_count, &error);
g_assert(!error);
g_assert(packet_count == 1);
filtered_pkts = pg_brick_west_burst_get(col_east,
&filtered_pkts_mask,
&error);
g_assert(!error);
g_assert(pg_mask_count(filtered_pkts_mask) == 1);
pg_packets_free(filtered_pkts, filtered_pkts_mask);
rte_pktmbuf_free(packet);
}
REPLAY(1);
#undef REPLAY

pg_brick_destroy(gen_west);
pg_brick_destroy(antispoof);
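Review bot: `#undef REPLAY` after `REPLAY(1);` in test_pg_antispoof_arp_disable undefines a macro that this commit moves to file scope (defined once after build_packet), so any test defined later in the file that uses REPLAY would fail to compile, and it contradicts the removal of the same `#undef` in test_antispoof_generic; the line should go. Whether that line is new or kept is not recoverable from the rendered page, though the hunk header (-322,38 +305,13) suggests it is added. While the macro is being hoisted, `g_assert(!!filtered_pkts == pass);` should parenthesize its argument like the line above it, `g_assert(!!filtered_pkts == (pass));`, and a short comment above the `#define` naming the caller-provided identifiers it expands against (`i`, `pkts`, `pkts_size`, `pkts_nb`, `gen_west`, `col_east`, `packet`, `packet_count`, `filtered_pkts`, `filtered_pkts_mask`, `error`) would make the implicit contract visible. The loops replaced in test_pg_antispoof_arp_disable released the burst with pg_packets_free, whereas REPLAY relies on pg_brick_reset at the start of the next iteration and on pg_brick_destroy after the last one; worth confirming that covers the final REPLAY(1) burst so the test does not leak it.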