authorTails developers <amnesia@boum.org>2015-02-10 11:57:20 +0100
committerTails developers <amnesia@boum.org>2015-02-18 11:51:15 +0100
commitf06537a27a47a75857ef2bd87188b210c168c960 (patch)
tree4b9da35a1d9ef495c4983d07c0d8d8d6e1d98eab
parentc21c26019d7bc166b81312954138ddc4b31e598d (diff)
Test that ICMP packets are dropped.
-rw-r--r--features/step_definitions/tor.rb11
-rw-r--r--features/tor.feature6
2 files changed, 14 insertions, 3 deletions
diff --git a/features/step_definitions/tor.rb b/features/step_definitions/tor.rb
index cea3a9b..32a4c44 100644
--- a/features/step_definitions/tor.rb
+++ b/features/step_definitions/tor.rb
@@ -163,11 +163,12 @@ Then /^the firewall is configured to block all IPv6 traffic$/ do
end
def firewall_has_dropped_packet_to?(proto, host, port)
- regex = "Dropped outbound packet: .* DST=#{host} .* PROTO=#{proto} .* DPT=#{port} "
+ regex = "Dropped outbound packet: .* DST=#{host} .* PROTO=#{proto} "
+ regex += ".* DPT=#{port} " if port
@vm.execute("grep -q '#{regex}' /var/log/syslog").success?
end
-When /^I open an untorified (TCP|UDP) connections to (.*) on port (\d+) that is expected to fail$/ do |proto, host, port|
+When /^I open an untorified (TCP|UDP|ICMP) connections to (\S*)(?: on port (\d+))? that is expected to fail$/ do |proto, host, port|
next if @skip_steps_while_restoring_background
assert(!firewall_has_dropped_packet_to?(proto, host, port),
"A #{proto} packet to #{host}:#{port} has already been dropped by " \
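Review bot: On the new line 23 `host` is interpolated into the grep pattern unescaped, so a dotted address such as `1.2.3.4` from the feature file is read as a regex in which each `.` matches any character, and the check can be satisfied by a syslog line for a different destination. Escaping the host before interpolation keeps the match exact (grep reads `\.` as a literal dot): `regex = "Dropped outbound packet: .* DST=#{Regexp.escape(host)} .* PROTO=#{proto} "`. The pattern is also placed inside single quotes on the shell command line, so a host value containing a quote would break the command, and the step's new `(\S*)` capture on line 28 admits an empty host where `(\S+)` would reject it. The step definition that starts on line 28 continues past the end of the hunk.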
@@ -177,9 +178,13 @@ When /^I open an untorified (TCP|UDP) connections to (.*) on port (\d+) that is
@conn_port = port
case proto
when "TCP"
+ assert_not_nil(port)
cmd = "echo | netcat #{host} #{port}"
when "UDP"
+ assert_not_nil(port)
cmd = "echo | netcat -u #{host} #{port}"
+ when "ICMP"
+ cmd = "ping -c 5 #{host}"
end
@conn_res = @vm.execute(cmd, $live_user)
end
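Review bot: The ICMP branch on line 42 runs `ping -c 5` with no deadline, so the step's duration depends on how long ping keeps waiting for replies that the firewall is expected to drop; a deadline bounds it: `cmd = "ping -c 5 -w 10 #{host}"`. The `assert_not_nil(port)` lines added separately to the TCP and UDP branches could be a single guard ahead of the `case`, e.g. `assert_not_nil(port) unless proto == "ICMP"`, which states the port requirement in one place. For ICMP `port` is nil, so the failure message built on line 31 of the previous hunk will read `1.2.3.4:` with a dangling colon; presumably harmless, but worth a glance. The step definition this `case` belongs to begins before the hunk.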
@@ -191,7 +196,7 @@ Then /^the untorified connection fails$/ do
expected_in_stderr = "Connection refused"
conn_failed = !@conn_res.success? &&
@conn_res.stderr.chomp.end_with?(expected_in_stderr)
- when "UDP"
+ when "UDP", "ICMP"
conn_failed = !@conn_res.success?
end
assert(conn_failed,
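Review bot: For ICMP, grouped with UDP on line 51, the failure is decided by exit status alone, so a `ping` binary that is missing, rejects its arguments or cannot resolve the host also satisfies `conn_failed` and the step passes without any packet having been sent. If the image uses iputils ping, whose summary line reads `N packets transmitted, 0 received`, a separate ICMP branch can pin the intended outcome: `when "ICMP"` / `conn_failed = !@conn_res.success? && @conn_res.stdout.include?("0 received")`, leaving the plain exit-status check for UDP; confirm the ping flavour before relying on that text. The later "logged as dropped by the firewall" step does catch a silently absent packet, so this is about the precision of this step rather than a leak. The `case` this branch belongs to begins before the hunk.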
diff --git a/features/tor.feature b/features/tor.feature
index 508891d..309c883 100644
--- a/features/tor.feature
+++ b/features/tor.feature
@@ -28,6 +28,12 @@ Feature: Tor is configured properly
And the untorified connection is logged as dropped by the firewall
@check_tor_leaks
+ Scenario: The Tor enforcement is effective at blocking untorified ICMP connection attempts
+ When I open an untorified ICMP connections to 1.2.3.4 that is expected to fail
+ Then the untorified connection fails
+ And the untorified connection is logged as dropped by the firewall
+
+ @check_tor_leaks
Scenario: tails-security-check is using the Tails-specific SocksPort
When I monitor the network connections of tails-security-check
And I re-run tails-security-check