UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports, as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.

This patch removes UDP port checks altogether so that the user gets
a consistent conncheck report without confusing UDP results.

https://fedorahosted.org/freeipa/ticket/2062

From 60042e2ae7d5857ea355895bedab988687554f97 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Wed, 1 Feb 2012 17:12:17 +0100
Subject: [PATCH] Remove UDP checks from conncheck

UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports, as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.

This patch removes UDP port checks altogether so that the user gets
a consistent conncheck report without confusing UDP results.

https://fedorahosted.org/freeipa/ticket/2062
---
 install/tools/ipa-replica-conncheck |   31 ++++++++++++++-----------------
 1 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 2622130e7c6f6ceabe6ff8a17e89412089897c5f..2a6651416f7a8b19d8def2b3b2e7e089cf3efcb6 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -42,24 +42,21 @@ CCACHE_FILE = "/etc/ipa/.conncheck_ccache"
 KRB5_CONFIG = None
 
 class CheckedPort(object):
-    def __init__(self, port, stream, description):
+    def __init__(self, port, description):
         self.port = port
-        self.stream = stream
         self.description = description
 
 BASE_PORTS = [
-                CheckedPort(389, True, "Directory Service: Unsecure port"),
-                CheckedPort(636, True, "Directory Service: Secure port"),
-                CheckedPort(88, True, "Kerberos KDC: TCP"),
-                CheckedPort(88, False, "Kerberos KDC: UDP"),
-                CheckedPort(464, True, "Kerberos Kpasswd: TCP"),
-                CheckedPort(464, False, "Kerberos Kpasswd: UDP"),
-                CheckedPort(80, True, "HTTP Server: Unsecure port"),
-                CheckedPort(443, True, "HTTP Server: Secure port"),
+                CheckedPort(389, "Directory Service: Unsecure port"),
+                CheckedPort(636, "Directory Service: Secure port"),
+                CheckedPort(88, "Kerberos KDC port"),
+                CheckedPort(464, "Kerberos Kpasswd port"),
+                CheckedPort(80, "HTTP Server: Unsecure port"),
+                CheckedPort(443, "HTTP Server: Secure port"),
              ]
 
 CA_PORTS  = [
-                CheckedPort(7389, True, "PKI-CA: Directory Service port"),
+                CheckedPort(7389, "PKI-CA: Directory Service port"),
             ]
 
 def print_info(msg):
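Review bot: dropping the UDP entries from BASE_PORTS also drops the "TCP" qualifier from the 88 and 464 descriptions, so the report no longer tells the user that only the TCP side of the KDC and kpasswd ports is verified. Keep the protocol in the label, e.g. `CheckedPort(88, "Kerberos KDC: TCP")` and `CheckedPort(464, "Kerberos Kpasswd: TCP")`, so an all-OK report is not read as proof that UDP 88/464 is reachable through the firewall.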
@@ -211,18 +208,18 @@ def configure_krb5_conf(realm, kdc, filename):
 
 class PortResponder(threading.Thread):
 
-    def __init__(self, port, socket_stream = True, socket_timeout=1):
+    def __init__(self, port, socket_timeout=1):
         super(PortResponder, self).__init__()
         self.port = port
-        self.socket_stream = socket_stream
         self.socket_timeout = socket_timeout
         self._stop_request = False
 
     def run(self):
         while not self._stop_request:
             try:
-                ipautil.bind_port_responder(self.port, self.socket_stream,
-                        self.socket_timeout, responder_data="FreeIPA")
+                ipautil.bind_port_responder(self.port,
+                        socket_timeout=self.socket_timeout,
+                        responder_data="FreeIPA")
             except socket.timeout:
                 pass
             except socket.error, e:
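Review bot: the call `ipautil.bind_port_responder(self.port, socket_timeout=self.socket_timeout, responder_data="FreeIPA")` drops the positional stream argument, but the diffstat shows only install/tools/ipa-replica-conncheck changing, so ipautil's own signature is untouched by this patch. Please confirm that ipautil.bind_port_responder (and host_port_open in the next hunk) default to TCP when the stream argument is omitted, or follow up by removing the now-unused UDP branch from ipautil so the caller and helper cannot drift apart.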
@@ -242,7 +239,7 @@ def port_check(host, port_list):
 
     failed_ports = []
     for port in port_list:
-        if ipautil.host_port_open(host, port.port, port.stream, CONNECT_TIMEOUT):
+        if ipautil.host_port_open(host, port.port, socket_timeout=CONNECT_TIMEOUT):
             result = "OK"
         else:
             failed_ports.append(port)
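Review bot: `result = "OK"` now only ever describes a successful TCP connect, but nothing in the report says so, and a user reading a clean conncheck may assume the Kerberos UDP ports were covered too; print a one-line notice before the loop (or in the summary) that UDP ports are not checked by this tool, so the consistent report the commit message aims for also states what it does not cover. Also grep the rest of the file for remaining references to `port.stream`: the attribute no longer exists on CheckedPort, and any leftover use would raise AttributeError at runtime rather than at import.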
@@ -284,7 +281,7 @@ def main():
         print_info("Start listening on required ports for remote master check")
         for port in required_ports:
             root_logger.debug("Start listening on port %d (%s)" % (port.port, port.description))
-            responder = PortResponder(port.port, port.stream)
+            responder = PortResponder(port.port)
             responder.start()
             RESPONDERS.append(responder)
 
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
