Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On Fri, 2011-05-27 at 16:50 +0200, Jan Cholasta wrote: On 25.5.2011 09:46, Martin Kosek wrote: On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote: On 24.5.2011 14:44, Jan Cholasta wrote: On 24.5.2011 14:43, Martin Kosek wrote: On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: On 18.5.2011 10:51, Martin Kosek wrote: On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin Patch updated. Requires patch 18.1 Honza All reported issues were fixed, good idea with a new type for our IPAOptionParser. Still, NACK from me: ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am nitpicker :-) Martin Thanks, I missed that. Honza Fixed and added a unit test. NACK. Please test your patches before you send them for a review. It saves reviewer's time. Sorry, I'll do better next time. 1) Unwanted warning about unmatching network interface when replica is installed: # ipa-replica-prepare vm-059.idm.lab.bos.redhat.com --ip-address=10.16.78.59 Warning: No network interface matches IP address 10.16.78.59 Directory Manager (existing master) password: ... Fixed. 2) ipa-replica-install crashes # ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa-replica-install log: 2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int' File /usr/sbin/ipa-replica-install, line 550, inmodule main() File /usr/sbin/ipa-replica-install, line 496, in main install_dns_records(config, options) File /usr/sbin/ipa-replica-install, line 329, in
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On 25.5.2011 09:46, Martin Kosek wrote: On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote: On 24.5.2011 14:44, Jan Cholasta wrote: On 24.5.2011 14:43, Martin Kosek wrote: On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: On 18.5.2011 10:51, Martin Kosek wrote: On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin Patch updated. Requires patch 18.1 Honza All reported issues were fixed, good idea with a new type for our IPAOptionParser. Still, NACK from me: ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am nitpicker :-) Martin Thanks, I missed that. Honza Fixed and added a unit test. NACK. Please test your patches before you send them for a review. It saves reviewer's time. Sorry, I'll do better next time. 1) Unwanted warning about unmatching network interface when replica is installed: # ipa-replica-prepare vm-059.idm.lab.bos.redhat.com --ip-address=10.16.78.59 Warning: No network interface matches IP address 10.16.78.59 Directory Manager (existing master) password: ... Fixed. 2) ipa-replica-install crashes # ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa-replica-install log: 2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int' File /usr/sbin/ipa-replica-install, line 550, inmodule main() File /usr/sbin/ipa-replica-install, line 496, in main install_dns_records(config, options) File /usr/sbin/ipa-replica-install, line 329, in install_dns_records options.conf_ntp) File /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, line 469, in add_master_dns_records self.__add_self() File /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, line 399, in __add_self if
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote: On 24.5.2011 14:44, Jan Cholasta wrote: On 24.5.2011 14:43, Martin Kosek wrote: On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: On 18.5.2011 10:51, Martin Kosek wrote: On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin Patch updated. Requires patch 18.1 Honza All reported issues were fixed, good idea with a new type for our IPAOptionParser. Still, NACK from me: ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am nitpicker :-) Martin Thanks, I missed that. Honza Fixed and added a unit test. NACK. Please test your patches before you send them for a review. It saves reviewer's time. 1) Unwanted warning about unmatching network interface when replica is installed: # ipa-replica-prepare vm-059.idm.lab.bos.redhat.com --ip-address=10.16.78.59 Warning: No network interface matches IP address 10.16.78.59 Directory Manager (existing master) password: ... 2) ipa-replica-install crashes # ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg Directory Manager (existing master) password: Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa-replica-install log: 2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int' File /usr/sbin/ipa-replica-install, line 550, in module main() File /usr/sbin/ipa-replica-install, line 496, in main install_dns_records(config, options) File /usr/sbin/ipa-replica-install, line 329, in install_dns_records options.conf_ntp) File /usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py, line 469, in add_master_dns_records self.__add_self() File
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On 24.5.2011 14:43, Martin Kosek wrote: On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: On 18.5.2011 10:51, Martin Kosek wrote: On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin Patch updated. Requires patch 18.1 Honza All reported issues were fixed, good idea with a new type for our IPAOptionParser. Still, NACK from me: ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am nitpicker :-) Martin Thanks, I missed that. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On 24.5.2011 14:44, Jan Cholasta wrote: On 24.5.2011 14:43, Martin Kosek wrote: On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote: On 18.5.2011 10:51, Martin Kosek wrote: On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin Patch updated. Requires patch 18.1 Honza All reported issues were fixed, good idea with a new type for our IPAOptionParser. Still, NACK from me: ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am nitpicker :-) Martin Thanks, I missed that. Honza Fixed and added a unit test. -- Jan Cholasta From 7cd30f0be8ae4556f67d39348cbb3205d6867f21 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 24 May 2011 15:41:41 +0200 Subject: [PATCH] Do stricter checking of IP addressed passed to server install. ticket 1213 --- ipapython/ipautil.py | 11 +++ tests/test_ipapython/test_ipautil.py |9 + 2 files changed, 20 insertions(+), 0 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 2ad9240..c77a93c 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -93,6 +93,12 @@ class CheckedIPAddress(netaddr.IPAddress): raise ValueError(unsupported IP version) if addr.is_loopback(): raise ValueError(cannot use loopback IP address) +if addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4: +raise ValueError(cannot use IANA reserved IP address) +if addr.is_link_local(): +raise ValueError(cannot use link-local IP address) +if addr.is_multicast(): +raise ValueError(cannot use multicast IP address) if match_local: if addr.version == 4: @@ -119,6 +125,11 @@ class CheckedIPAddress(netaddr.IPAddress): elif addr.version == 6: net = netaddr.IPNetwork(str(addr) + '/64') +if addr == net.network: +raise ValueError(cannot use IP network address) +if addr.version == 4 and addr == net.broadcast: +raise ValueError(cannot use broadcast IP address) + super(CheckedIPAddress, self).__init__(addr) self.prefixlen = net.prefixlen
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On 18.5.2011 10:51, Martin Kosek wrote: On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin Patch updated. Requires patch 18.1 Honza -- Jan Cholasta From 3f9fbc8dbf8d6981fb7c20a554a78f94ba12d36a Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Fri, 20 May 2011 20:21:11 +0200 Subject: [PATCH] Do stricter checking of IP addressed passed to server install. ticket 1213 --- ipapython/ipautil.py | 11 +++ 1 files changed, 11 insertions(+), 0 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 2ad9240..c77a93c 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -93,6 +93,12 @@ class CheckedIPAddress(netaddr.IPAddress): raise ValueError(unsupported IP version) if addr.is_loopback(): raise ValueError(cannot use loopback IP address) +if addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4: +raise ValueError(cannot use IANA reserved IP address) +if addr.is_link_local(): +raise ValueError(cannot use link-local IP address) +if addr.is_multicast(): +raise ValueError(cannot use multicast IP address) if match_local: if addr.version == 4: @@ -119,6 +125,11 @@ class CheckedIPAddress(netaddr.IPAddress): elif addr.version == 6: net = netaddr.IPNetwork(str(addr) + '/64') +if addr == net.network: +raise ValueError(cannot use IP network address) +if addr.version == 4 and addr == net.broadcast: +raise ValueError(cannot use broadcast IP address) + super(CheckedIPAddress, self).__init__(addr) self.prefixlen = net.prefixlen self.interface = iface -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote: On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. Ok. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. Ok. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. I think I had. But I will recheck when you send a fix. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. Ok, I will recheck both of them when you do. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234 Ticket 1234, yey :-) 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because its Python. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
On 16.5.2011 17:26, Martin Kosek wrote: On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote: Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza I tested all patches (3.6, 18, 19), but I think some work still needs to be done: 1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it. Will do. 2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is invalid address (e.g. $ADDR==foo), loopback address (e.g. $ADDR==127.0.0.1) or just another that the local address (e.g. $ADDR==123.123.123.123) the installer always fails with the hostname resolves to an IP address that is different from the one provided on the command line. I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling. It looks like the print statements from verify_ip_address doesn't actually print anything to the user. Will look onto that. 3) When I pass netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output. Works for me. Please make sure you've added your hostname to /etc/hosts. 4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration. --ip-address is checked, but --forwarder is not. Will fix that. 5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1 6) I couldn't add IP address with netmask in host module: # ipa host-add $HOST --ip-address=10.16.78.102/22 ipa: ERROR: invalid 'ip_address': invalid IP address The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them. 7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules. _ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java. Martin Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 19 Do stricter checking of IP addressed passed to server install
Split from patch 3, requires patch 18. https://fedorahosted.org/freeipa/ticket/1213 Honza -- Jan Cholasta From 3e218c2028e5769779aac1cfaae558ae7f047ef8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Tue, 10 May 2011 19:35:31 +0200 Subject: [PATCH] Do stricter checking of IP addressed passed to server install. ticket 1213 --- install/tools/ipa-replica-prepare |2 +- ipaserver/install/installutils.py | 98 ++--- tests/test_install/test_utils.py | 15 +- 3 files changed, 94 insertions(+), 21 deletions(-) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 6a4e413..43a49d5 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -425,7 +425,7 @@ def main(): name = domain.pop(0) domain = ..join(domain) -ip = installutils.parse_ip_address(options.ip_address) +ip = installutils.parse_ip_address(options.ip_address, match_local=False) ip_address = str(ip) zone = add_zone(domain, nsaddr=ip_address) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 8ac24c9..85c3337 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -148,13 +148,52 @@ def verify_fqdn(host_name,no_host_dns=False): else: print Warning: Hostname (%s) not found in DNS % host_name +def find_local_ip_address(addr): +try: +ip = netaddr.IPAddress(addr) +except netaddr.core.AddrFormatError, ValueError: +return None + +if ip.version == 4: +family = 'inet' +elif ip.version == 6: +family = 'inet6' +else: +return None + +ipresult = ipautil.run(['/sbin/ip', '-family', family, '-oneline', 'address', 'show']) +lines = ipresult[0].split('\n') +for line in lines: +fields = line.split() +if len(fields) 4: +continue + +net = netaddr.IPNetwork(fields[3]) +if net.ip == ip: +return net + +return None + class _ParsedIPAddress(netaddr.IPAddress): def __init__(self, net): super(_ParsedIPAddress, self).__init__(net.ip) self.prefixlen = net.prefixlen +self.network = net.network +self.broadcast = net.broadcast + +def is_reserved(self): +if self in netaddr.ip.IPV4_6TO4: +return True +return super(_ParsedIPAddress, self).is_reserved() + +def is_network(self): +return self == self.network + +def is_broadcast(self): +return self == self.broadcast and self.version == 4 -def parse_ip_address(addr): +def parse_ip_address(addr, match_local=True): if addr is None: return None if isinstance(addr, _ParsedIPAddress): @@ -165,11 +204,17 @@ def parse_ip_address(addr): else: try: ip = netaddr.IPAddress(addr) -if ip.version == 4: -net = netaddr.IPNetwork(netaddr.cidr_abbrev_to_verbose(str(ip))) -elif ip.version == 6: -net = netaddr.IPNetwork(ip) -net.prefixlen = 64 +net = None + +if match_local: +net = find_local_ip_address(ip) + +if net is None: +if ip.version == 4: +net = netaddr.IPNetwork(netaddr.cidr_abbrev_to_verbose(str(ip))) +elif ip.version == 6: +net = netaddr.IPNetwork(ip) +net.prefixlen = 64 except ValueError: try: net = netaddr.IPNetwork(addr) @@ -183,12 +228,35 @@ def parse_ip_address(addr): return _ParsedIPAddress(net) -def verify_ip_address(addr): -ip = parse_ip_address(addr) +def verify_ip_address(addr, check_local=True): +ip = parse_ip_address(addr, match_local=check_local) if ip is None: print Unable to verify IP address return False +elif ip.is_loopback(): +print Cannot use localhost IP address +return False +elif ip.is_reserved(): +print Cannot use IANA reserved IP address +return False +elif ip.is_link_local(): +print Cannot use link-local IP address +return False +elif ip.is_network(): +print Cannot use IP network address +return False +elif ip.is_multicast(): +print Cannot use multicast IP address +return False +elif ip.is_broadcast(): +print Cannot use broadcast IP address +return False + +if check_local: +local = find_local_ip_address(ip) +if local is None or local.prefixlen != ip.prefixlen: +print Warning: No network interface matches the provided IP address and netmask return True @@ -225,10 +293,6 @@ def read_ip_address(host_name, fstore): ip = ipautil.user_input(Please provide the IP address to be used for this host name, allow_empty =