Commit c5588b32 authored by anonym's avatar anonym

Make it possible to not filter out LAN hosts in FirewallLeakCheck.

parent b684b37e
......@@ -417,7 +417,8 @@ end
Then /^all Internet traffic has only flowed through Tor$/ do
next if @skip_steps_while_restoring_background
leaks = FirewallLeakCheck.new(@sniffer.pcap_file, get_all_tor_nodes)
leaks = FirewallLeakCheck.new(@sniffer.pcap_file,
:accepted_hosts => get_all_tor_nodes)
leaks.assert_no_leaks
end
......
Then(/^the firewall leak detector has detected (.*?) leaks$/) do |type|
next if @skip_steps_while_restoring_background
leaks = FirewallLeakCheck.new(@sniffer.pcap_file, get_all_tor_nodes)
leaks = FirewallLeakCheck.new(@sniffer.pcap_file,
:accepted_hosts => get_all_tor_nodes)
case type.downcase
when 'ipv4 tcp'
if leaks.ipv4_tcp_leaks.empty?
......
......@@ -369,7 +369,8 @@ When /^all Internet traffic has only flowed through the configured pluggable tra
next if @skip_steps_while_restoring_background
assert_not_nil(@bridge_hosts, "No bridges has been configured via the " +
"'I configure some ... bridges in Tor Launcher' step")
leaks = FirewallLeakCheck.new(@sniffer.pcap_file, @bridge_hosts)
leaks = FirewallLeakCheck.new(@sniffer.pcap_file,
:accepted_hosts => @bridge_hosts)
leaks.assert_no_leaks
end
......
......@@ -36,7 +36,9 @@ end
class FirewallLeakCheck
attr_reader :ipv4_tcp_leaks, :ipv4_nontcp_leaks, :ipv6_leaks, :nonip_leaks
def initialize(pcap_file, hosts)
def initialize(pcap_file, options = {})
options[:accepted_hosts] ||= []
options[:ignore_lan] ||= true
@pcap_file = pcap_file
packets = PacketFu::PcapFile.new.file_to_array(:filename => @pcap_file)
ipv4_tcp_packets = []
......@@ -57,11 +59,14 @@ class FirewallLeakCheck
raise "Found something in the pcap file that cannot be parsed"
end
end
ipv4_tcp_hosts = get_public_hosts_from_ippackets ipv4_tcp_packets
accepted = Set.new(hosts)
ipv4_tcp_hosts = filter_hosts_from_ippackets(ipv4_tcp_packets,
options[:ignore_lan])
accepted = Set.new(options[:accepted_hosts])
@ipv4_tcp_leaks = ipv4_tcp_hosts.select { |host| !accepted.member?(host) }
@ipv4_nontcp_leaks = get_public_hosts_from_ippackets ipv4_nontcp_packets
@ipv6_leaks = get_public_hosts_from_ippackets ipv6_packets
@ipv4_nontcp_leaks = filter_hosts_from_ippackets(ipv4_nontcp_packets,
options[:ignore_lan])
@ipv6_leaks = filter_hosts_from_ippackets(ipv6_packets,
options[:ignore_lan])
@nonip_leaks = nonip_packets
end
......@@ -71,9 +76,9 @@ class FirewallLeakCheck
puts "Full network capture available at: #{pcap_copy}"
end
# Returns a list of all unique non-LAN destination IP addresses
# found in `packets`.
def get_public_hosts_from_ippackets(packets)
# Returns a list of all unique destination IP addresses found in
# `packets`. Exclude LAN hosts if ignore_lan is set.
def filter_hosts_from_ippackets(packets, ignore_lan)
hosts = []
packets.each do |p|
candidate = nil
......@@ -86,7 +91,7 @@ class FirewallLeakCheck
raise "Expected an IP{v4,v6} packet, but got something else:\n" +
p.peek_format
end
if candidate != nil and IPAddr.new(candidate).public?
if candidate != nil and (not(ignore_lan) or IPAddr.new(candidate).public?)
hosts << candidate
end
end
......
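Review bot: `options[:ignore_lan] ||= true` in `initialize` can never be switched off, because `||=` reassigns whenever the current value is falsy. A caller passing `:ignore_lan => false` still ends up with `true`, so `filter_hosts_from_ippackets` keeps dropping LAN destinations and the leak check under-reports instead of failing. Apply the default only when the key is absent, e.g. `options[:ignore_lan] = true unless options.has_key?(:ignore_lan)`, ideally on a copy (`options = options.dup`) so the caller's hash is not mutated. None of the call sites visible on this page pass `:ignore_lan`, so the `false` path is not exercised here; a scenario that expects a LAN host to be reported would catch this. `initialize` continues outside the hunks shown.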
......@@ -146,7 +146,7 @@ After('@product', '@check_tor_leaks') do |scenario|
expected_tor_nodes = @bridge_hosts
end
leaks = FirewallLeakCheck.new(@tor_leaks_sniffer.pcap_file,
expected_tor_nodes)
:accepted_hosts => expected_tor_nodes)
leaks.assert_no_leaks
end
@tor_leaks_sniffer.clear
......