On 24.5.2011 14:44, Jan Cholasta wrote:
On 24.5.2011 14:43, Martin Kosek wrote:
On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
On 18.5.2011 10:51, Martin Kosek wrote:
On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
On 16.5.2011 17:26, Martin Kosek wrote:
On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
Split from patch 3, requires patch 18.
I tested all patches (3.6, 18, 19), but I think some work still
1) What about adding /sbin/ip package to Requires in spec? I thought
there was an agreement to do it.
2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is
an invalid address (e.g. $ADDR==foo), a loopback address (e.g.
$ADDR==127.0.0.1) or just another than the local address (e.g.
$ADDR==188.8.131.52) the installer always fails with "the hostname
resolves to an IP address that is different from the one provided
I think we may want a different error message in those 3 cases - it
should be easy to do it now, with the improved IP handling.
It looks like the print statements from verify_ip_address don't
actually print anything to the user. Will look into that.
3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the
installation always fails with the above message. Even though I
addr+netmask from "/sbin/ip address" output.
Works for me. Please make sure you've added your hostname to
I think I had. But I will recheck when you send a fix.
4) I miss IP address checks in --ip-address and --forwarder
of ipa-dns-install script. I can pass invalid or local addresses to
these parameters. This breaks Bind configuration.
--ip-address is checked, but --forwarder is not. Will fix that.
Ok, I will recheck both of them when you do.
5) I think we may want to check also for local address in
#ipa host-add $HOST --ip-address=127.0.0.1
6) I couldn't add IP address with netmask in host module:
# ipa host-add $HOST --ip-address=10.16.78.102/22
ipa: ERROR: invalid 'ip_address': invalid IP address
The patches are for the installer, as are the tickets they fix, so
issues are out of scope. A new ticket should be opened for them.
You touched this parameter in your patches, that's why I tested it. I
created a new ticket for it:
Ticket 1234, yey :-)
7) Why is the _ParsedIPAddress named with a leading underscore?
really an internal use since it is returned by new IP handling
and used in other modules.
_ParsedIPAddress is not for public use. The fact that object of this
class is returned by parse_ip_address doesn't really matter - this is
Python, not C++ or Java.
Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to
run FreeIPA, now I know - it's because it's Python.
Patch updated. Requires patch 18.1
All reported issues were fixed, good idea with a new type for our
Still, NACK from me:
ipa-replica-install doesn't use IPAOptionParser, but the good old
OptionParser which doesn't know the new type. This makes
ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
Thanks, I missed that.
Fixed and added a unit test.
From 7cd30f0be8ae4556f67d39348cbb3205d6867f21 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 24 May 2011 15:41:41 +0200
Subject: [PATCH] Do stricter checking of IP addresses passed to server
ipapython/ipautil.py | 11 +++++++++++
tests/test_ipapython/test_ipautil.py | 9 +++++++++
2 files changed, 20 insertions(+), 0 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 2ad9240..c77a93c 100644
@@ -93,6 +93,12 @@ class CheckedIPAddress(netaddr.IPAddress):
raise ValueError("unsupported IP version")
raise ValueError("cannot use loopback IP address")
+ if addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4:
+ raise ValueError("cannot use IANA reserved IP address")
+ if addr.is_link_local():
+ raise ValueError("cannot use link-local IP address")
+ if addr.is_multicast():
+ raise ValueError("cannot use multicast IP address")
if addr.version == 4:
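Review bot: the `addr in netaddr.ip.IPV4_6TO4` test shares the "cannot use IANA reserved IP address" message with `addr.is_reserved()`, so a user who hits the 6to4 case gets an error that does not name the actual reason. Consider giving it its own `raise ValueError(...)` with a message that mentions 6to4, or at least a comment explaining why that range is rejected here. The order of these three `if` blocks also decides which message is shown when an address matches more than one of them, which is worth a short comment and a test case per message.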
@@ -119,6 +125,11 @@ class CheckedIPAddress(netaddr.IPAddress):
elif addr.version == 6:
net = netaddr.IPNetwork(str(addr) + '/64')
+ if addr == net.network:
+ raise ValueError("cannot use IP network address")
+ if addr.version == 4 and addr == net.broadcast:
+ raise ValueError("cannot use broadcast IP address")
self.prefixlen = net.prefixlen
self.interface = iface
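Review bot: the new `if addr == net.network:` and `addr == net.broadcast` comparisons carry no guard on prefix length, so if `net` can ever be a single-host or point-to-point network (IPv4 /32 or /31, IPv6 /128) the address equals the network address and would be rejected although it is a usable host address. Consider making both checks conditional on `net.prefixlen` leaving room for a separate network and broadcast address, and adding test cases for those prefixes. The IPv4-only restriction on the broadcast check is correct but would benefit from a one-line comment saying that IPv6 has no broadcast address.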
diff --git a/tests/test_ipapython/test_ipautil.py b/tests/test_ipapython/test_ipautil.py
index 03f5f7b..68391c2 100644
@@ -42,12 +42,21 @@ def test_ip_address():
('2001::1', (0x2001, 0, 0, 0, 0, 0, 0, 1), 64),
('2001::1/72', (0x2001, 0, 0, 0, 0, 0, 0, 1), 72),