Re: [Freeipa-devel] [PATCH] 222 Sanitize UDP checks in conncheck

2012-02-27 Thread Rob Crittenden

Martin Kosek wrote:

An easy way to check that the master-replica UDP port check actually works is
to simply configure a few iptables rules to drop packets for the tested UDP or
TCP ports:

-A INPUT -m udp -p udp --dport 88 -j DROP
-A INPUT -m tcp -p tcp --dport 88 -j DROP


UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.

This patch removes UDP port checks in the replica-master direction
as we would have to implement a (Kerberos) protocol-aware check
to make the other side actually respond. A list of skipped
ports is printed for the user.

The master-replica direction was fixed and is now able to report
an error when the port is blocked.

https://fedorahosted.org/freeipa/ticket/2062


ACK, pushed to master and ipa-2-2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 222 Sanitize UDP checks in conncheck

2012-02-23 Thread Martin Kosek
An easy way to check that the master-replica UDP port check actually works is
to simply configure a few iptables rules to drop packets for the tested UDP or
TCP ports:

-A INPUT -m udp -p udp --dport 88 -j DROP
-A INPUT -m tcp -p tcp --dport 88 -j DROP


UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.

This patch removes UDP port checks in the replica-master direction
as we would have to implement a (Kerberos) protocol-aware check
to make the other side actually respond. A list of skipped
ports is printed for the user.

The master-replica direction was fixed and is now able to report
an error when the port is blocked.

https://fedorahosted.org/freeipa/ticket/2062

From 415cae5d3b63e10471e515666224863036be0ece Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 1 Feb 2012 17:12:17 +0100
Subject: [PATCH] Sanitize UDP checks in conncheck

UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.

This patch removes UDP port checks in the replica-master direction
as we would have to implement a (Kerberos) protocol-aware check
to make the other side actually respond. A list of skipped
ports is printed for the user.

The master-replica direction was fixed and is now able to report
an error when the port is blocked.

https://fedorahosted.org/freeipa/ticket/2062
---
 install/tools/ipa-replica-conncheck |   58 +++
 ipapython/ipautil.py|   27 ++-
 2 files changed, 49 insertions(+), 36 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 2622130e7c6f6ceabe6ff8a17e89412089897c5f..44b3caa45a20d3a72985c051a7982da1f9716147 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -34,6 +34,7 @@ import socket
 import time
 import threading
 import errno
+from socket import SOCK_STREAM, SOCK_DGRAM
 
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
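Review bot: `import socket` is already in scope a few lines above the added `from socket import SOCK_STREAM, SOCK_DGRAM`, so this line imports the same module a second time only to shorten two names; using `socket.SOCK_STREAM` / `socket.SOCK_DGRAM` in the port tables would keep one import style in the file and make it obvious at each entry that the value is a socket-type constant. Minor, not blocking.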
@@ -42,24 +43,24 @@ CCACHE_FILE = /etc/ipa/.conncheck_ccache
 KRB5_CONFIG = None
 
 class CheckedPort(object):
-def __init__(self, port, stream, description):
+def __init__(self, port, port_type, description):
 self.port = port
-self.stream = stream
+self.port_type = port_type
 self.description = description
 
 BASE_PORTS = [
-CheckedPort(389, True, Directory Service: Unsecure port),
-CheckedPort(636, True, Directory Service: Secure port),
-CheckedPort(88, True, Kerberos KDC: TCP),
-CheckedPort(88, False, Kerberos KDC: UDP),
-CheckedPort(464, True, Kerberos Kpasswd: TCP),
-CheckedPort(464, False, Kerberos Kpasswd: UDP),
-CheckedPort(80, True, HTTP Server: Unsecure port),
-CheckedPort(443, True, HTTP Server: Secure port),
+CheckedPort(389, SOCK_STREAM, Directory Service: Unsecure port),
+CheckedPort(636, SOCK_STREAM, Directory Service: Secure port),
+CheckedPort(88, SOCK_STREAM, Kerberos KDC: TCP),
+CheckedPort(88, SOCK_DGRAM, Kerberos KDC: UDP),
+CheckedPort(464, SOCK_STREAM, Kerberos Kpasswd: TCP),
+CheckedPort(464, SOCK_DGRAM, Kerberos Kpasswd: UDP),
+CheckedPort(80, SOCK_STREAM, HTTP Server: Unsecure port),
+CheckedPort(443, SOCK_STREAM, HTTP Server: Secure port),
  ]
 
 CA_PORTS  = [
-CheckedPort(7389, True, PKI-CA: Directory Service port),
+CheckedPort(7389, SOCK_STREAM, PKI-CA: Directory Service port),
 ]
 
 def print_info(msg):
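Review bot: `CheckedPort.__init__` stores `port_type` without checking it, and the value is now a socket-type constant rather than the old boolean, so a table entry that still passes `True`/`False` (or any other integer) only fails later inside the socket code; an `assert port_type in (SOCK_STREAM, SOCK_DGRAM)` in `__init__` would reject a bad `BASE_PORTS`/`CA_PORTS` entry when the table is built. The `description` strings also still spell out `: TCP` / `: UDP` by hand; deriving that suffix from `port_type` would keep the two from drifting.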
@@ -211,18 +212,20 @@ def configure_krb5_conf(realm, kdc, filename):
 
 class PortResponder(threading.Thread):
 
-def __init__(self, port, socket_stream = True, socket_timeout=1):
+def __init__(self, port, port_type, socket_timeout=1):
 super(PortResponder, self).__init__()
 self.port = port
-self.socket_stream = socket_stream
+self.port_type = port_type
 self.socket_timeout = socket_timeout
 self._stop_request = False
 
 def run(self):
 while not self._stop_request:
 try:
-ipautil.bind_port_responder(self.port, self.socket_stream,
-self.socket_timeout, responder_data=FreeIPA)
+ipautil.bind_port_responder(self.port,
+self.port_type,
+socket_timeout=self.socket_timeout,
+
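Review bot: `PortResponder.__init__` replaces the defaulted `socket_stream = True` with a required positional `port_type`, so any `PortResponder(port)` caller that relied on the old default now raises `TypeError`; the portion of the diff visible here does not include the call sites, so please confirm every construction in ipa-replica-conncheck passes the port's `port_type`. In `run`, the `bind_port_responder` call now passes `port_type` positionally and `socket_timeout` by keyword; the matching change to `ipautil.bind_port_responder` (the diffstat lists ipapython/ipautil.py, but that hunk is not shown here) should be checked so the new second positional parameter really is the socket type and not the old `socket_stream` boolean.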