authorMartin Kosek <mkosek@redhat.com>2012-02-24 09:30:39 +0100
committerMartin Kosek <mkosek@redhat.com>2012-02-24 09:40:43 +0100
commit860579022532ee4133fc74e8f916cb40dc3ea239 (patch)
tree475fa305e89561b10fcd3523d34acd7e8b981f5a /ipapython
parent2cf58937615c28527d1c78f883dad8726331c6df (diff)
Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: the new bind-dyndb-ldap release adds zone transfer support. To avoid leaking zone contents to unintended parties, the allow-transfer ACL of every zone is set to "none" by default and has to be explicitly enabled by an administrator. This is done both for new DNS zones and, for existing DNS zones, during the RPM update via the new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/ipautil.py19
1 files changed, 12 insertions, 7 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index d9b0455e5..596787ff4 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -77,7 +77,9 @@ class CheckedIPAddress(netaddr.IPAddress):
# and don't allow IP addresses such as '1.1.1' in the same time
netaddr_ip_flags = netaddr.INET_PTON
- def __init__(self, addr, match_local=False, parse_netmask=True):
+ def __init__(self, addr, match_local=False, parse_netmask=True,
+ allow_network=False, allow_loopback=False,
+ allow_broadcast=False, allow_multicast=False):
if isinstance(addr, CheckedIPAddress):
super(CheckedIPAddress, self).__init__(addr, flags=self.netaddr_ip_flags)
self.prefixlen = addr.prefixlen
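Review bot: The new allow_* flags are never consulted on the copy path at the top of the body (`if isinstance(addr, CheckedIPAddress):`), so an instance that was built with a relaxed flag such as allow_loopback=True and is then handed to a constructor called with the default strict flags is copied as-is; the copy branch presumably returns before the checks further down, which would let a loosely validated instance satisfy a stricter caller. Either re-run the validation whenever any flag is False, or have the instance remember which allow_* flags it was validated under and re-check against the new ones. The four added keyword arguments also have no docstring; a one-line note such as `# allow_*: relax the corresponding rejection; defaults keep the old strict behaviour` on the signature would spare readers a trip through the body. The body of __init__ continues outside this hunk.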
@@ -98,20 +100,23 @@ class CheckedIPAddress(netaddr.IPAddress):
try:
addr = netaddr.IPAddress(addr, flags=self.netaddr_ip_flags)
except ValueError:
- net = netaddr.IPNetwork(addr)
+ net = netaddr.IPNetwork(addr, flags=self.netaddr_ip_flags)
if not parse_netmask:
raise ValueError("netmask and prefix length not allowed here")
addr = net.ip
if addr.version not in (4, 6):
raise ValueError("unsupported IP version")
- if addr.is_loopback():
+
+ if not allow_loopback and addr.is_loopback():
raise ValueError("cannot use loopback IP address")
- if addr.is_reserved() or addr in netaddr.ip.IPV4_6TO4:
+ if (not addr.is_loopback() and addr.is_reserved()) \
+ or addr in netaddr.ip.IPV4_6TO4:
raise ValueError("cannot use IANA reserved IP address")
+
if addr.is_link_local():
raise ValueError("cannot use link-local IP address")
- if addr.is_multicast():
+ if not allow_multicast and addr.is_multicast():
raise ValueError("cannot use multicast IP address")
if match_local:
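Review bot: allow_multicast=True may not actually admit multicast addresses, because the `is_reserved()` test a few lines above the multicast check still runs unconditionally, and the loopback carve-out the hunk had to add shows that netaddr's reserved set overlaps the other categories; in current netaddr releases IPV4_RESERVED also covers ranges inside 224.0.0.0/4 (e.g. 225.0.0.0–231.255.255.255 and 234.0.0.0–238.255.255.255), so such addresses would still raise "cannot use IANA reserved IP address" — worth confirming against the netaddr version FreeIPA pins. If multicast is meant to be permitted, the carve-out should cover it too, e.g. `if (not addr.is_loopback() and not addr.is_multicast() and addr.is_reserved()) \`. Note also that the link-local rejection remains unconditional, which is reasonable for BIND ACL values but deserves a comment so nobody later adds an allow_link_local flag by analogy without thinking about it. The enclosing __init__ begins before this hunk and continues after it.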
@@ -143,9 +148,9 @@ class CheckedIPAddress(netaddr.IPAddress):
elif addr.version == 6:
net = netaddr.IPNetwork(str(addr) + '/64')
- if addr == net.network:
+ if not allow_network and addr == net.network:
raise ValueError("cannot use IP network address")
- if addr.version == 4 and addr == net.broadcast:
+ if not allow_broadcast and addr.version == 4 and addr == net.broadcast:
raise ValueError("cannot use broadcast IP address")
super(CheckedIPAddress, self).__init__(addr, flags=self.netaddr_ip_flags)