On 24.5.2011 14:44, Jan Cholasta wrote:
On 24.5.2011 14:43, Martin Kosek wrote:
On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
On 18.5.2011 10:51, Martin Kosek wrote:
On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
On 16.5.2011 17:26, Martin Kosek wrote:
On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:
Split from patch 3, requires patch 18.



I tested all patches (3.6, 18, 19), but I think some work still
needs to
be done:

1) What about adding /sbin/ip package to Requires in spec? I thought
there was an agreement to do it.

Will do.


2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is
invalid address (e.g. $ADDR==foo), loopback address (e.g.
$ADDR== or just another that the local address (e.g.
$ADDR== the installer always fails with "the hostname
resolves to an IP address that is different from the one provided
on the
command line".

I think we may want a different error message in those 3 cases - it
should be easy to do it now, with the improved IP handling.

It looks like the print statements from verify_ip_address doesn't
actually print anything to the user. Will look onto that.


3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the
installation always fails with the above message. Even though I
took the
addr+netmask from "/sbin/ip address" output.

Works for me. Please make sure you've added your hostname to

I think I had. But I will recheck when you send a fix.

4) I miss IP address checks in --ip-address and --forwarder
of ipa-dns-install script. I can pass invalid or local addresses to
these parameters. This breaks Bind configuration.

--ip-address is checked, but --forwarder is not. Will fix that.

Ok, I will recheck both of them when you do.

5) I think we may want to check also for local address in
#ipa host-add $HOST --ip-address=

6) I couldn't add IP address with netmask in host module:
# ipa host-add $HOST --ip-address=
ipa: ERROR: invalid 'ip_address': invalid IP address

The patches are for the installer, as are the tickets they fix, so
issues are out of scope. A new ticket should be opened for them.

You touched this parameter in your patches, that's why I tested it. I
created a new ticket for it:


Ticket 1234, yey :-)

7) Why is the _ParsedIPAddress named with a leading underscore?
It's not
really an internal use since it is returned by new IP handling
and used in other modules.

_ParsedIPAddress is not for public use. The fact that object of this
class is returned by parse_ip_address doesn't really matter - this is
Python, not C++ or Java.

Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to
run FreeIPA, now I know - it's because its Python.


Patch updated. Requires patch 18.1


All reported issues were fixed, good idea with a new type for our

Still, NACK from me:

ipa-replica-install doesn't use IPAOptionParser, but the good old
OptionParser which doesn't know the new type. This makes
ipa-replica-prepare crash all the time. I know, I am nitpicker :-)


Thanks, I missed that.


Fixed and added a unit test.

Jan Cholasta
>From 7cd30f0be8ae4556f67d39348cbb3205d6867f21 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 24 May 2011 15:41:41 +0200
Subject: [PATCH] Do stricter checking of IP addressed passed to server

ticket 1213
 ipapython/ipautil.py                 |   11 +++++++++++
 tests/test_ipapython/test_ipautil.py |    9 +++++++++
 2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 2ad9240..c77a93c 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -93,6 +93,12 @@ class CheckedIPAddress(netaddr.IPAddress):
             raise ValueError("unsupported IP version")
         if addr.is_loopback():
             raise ValueError("cannot use loopback IP address")
+        if addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4:
+            raise ValueError("cannot use IANA reserved IP address")
+        if addr.is_link_local():
+            raise ValueError("cannot use link-local IP address")
+        if addr.is_multicast():
+            raise ValueError("cannot use multicast IP address")
         if match_local:
             if addr.version == 4:
@@ -119,6 +125,11 @@ class CheckedIPAddress(netaddr.IPAddress):
             elif addr.version == 6:
                 net = netaddr.IPNetwork(str(addr) + '/64')
+        if addr == net.network:
+            raise ValueError("cannot use IP network address")
+        if addr.version == 4 and addr == net.broadcast:
+            raise ValueError("cannot use broadcast IP address")
         super(CheckedIPAddress, self).__init__(addr)
         self.prefixlen = net.prefixlen
         self.interface = iface
diff --git a/tests/test_ipapython/test_ipautil.py b/tests/test_ipapython/test_ipautil.py
index 03f5f7b..68391c2 100644
--- a/tests/test_ipapython/test_ipautil.py
+++ b/tests/test_ipapython/test_ipautil.py
@@ -42,12 +42,21 @@ def test_ip_address():
+        ('',),
+        ('',),
+        ('',),
+        ('',),
+        ('',),
         ('2001::1',         (0x2001, 0, 0, 0, 0, 0, 0, 1), 64),
         ('2001::1/72',      (0x2001, 0, 0, 0, 0, 0, 0, 1), 72),
+        ('6789::1',),
+        ('fe89::1',),
+        ('2001::/64',),
+        ('ff01::1',),

Freeipa-devel mailing list

Reply via email to