authorJakub Hrozek <jhrozek@redhat.com>2011-07-04 17:16:31 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-05-10 15:16:02 -0400
commit62826f0052c1d6b71f62c1149c894d40549828ad (patch)
tree3552b56aaae4c2533d90edd68e3d74b1d8bb7b17 /src
parent388214d8cc47968fa7f53c5a6624746b42865dde (diff)
Filter out IP addresses inappropriate for DNS forward records
https://fedorahosted.org/sssd/ticket/949
Diffstat (limited to 'src')
-rw-r--r--src/providers/ipa/ipa_dyndns.c58
1 files changed, 57 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_dyndns.c b/src/providers/ipa/ipa_dyndns.c
index 4224919bb..66515e840 100644
--- a/src/providers/ipa/ipa_dyndns.c
+++ b/src/providers/ipa/ipa_dyndns.c
@@ -180,6 +180,60 @@ void ipa_dyndns_update(void *pvt)
tevent_req_set_callback(req, ipa_dyndns_update_done, NULL);
}
+static bool ok_for_dns(struct sockaddr *sa)
+{
+ char straddr[INET6_ADDRSTRLEN];
+
+ if (sa->sa_family == AF_INET6) {
+ struct in6_addr *addr = &((struct sockaddr_in6 *) sa)->sin6_addr;
+
+ if (inet_ntop(AF_INET6, addr, straddr, INET6_ADDRSTRLEN) == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("inet_ntop failed, won't log IP addresses\n"));
+ snprintf(straddr, INET6_ADDRSTRLEN, "unknown");
+ }
+
+ if (IN6_IS_ADDR_LINKLOCAL(addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Link local IPv6 address %s\n", straddr));
+ return false;
+ } else if (IN6_IS_ADDR_LOOPBACK(addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Loopback IPv6 address %s\n", straddr));
+ return false;
+ } else if (IN6_IS_ADDR_MULTICAST(addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Multicast IPv6 address %s\n", straddr));
+ return false;
+ }
+ } else if (sa->sa_family == AF_INET) {
+ struct in_addr *addr = &((struct sockaddr_in *) sa)->sin_addr;
+
+ if (inet_ntop(AF_INET, addr, straddr, INET6_ADDRSTRLEN) == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("inet_ntop failed, won't log IP addresses\n"));
+ snprintf(straddr, INET6_ADDRSTRLEN, "unknown");
+ }
+
+ if (IN_MULTICAST(addr->s_addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Multicast IPv4 address %s\n", straddr));
+ return false;
+ } else if (inet_netof(*addr) == IN_LOOPBACKNET) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Loopback IPv4 address %s\n", straddr));
+ return false;
+ } else if ((addr->s_addr & 0xffff0000) == 0xa9fe0000) {
+ /* 169.254.0.0/16 */
+ DEBUG(SSSDBG_FUNC_DATA, ("Link-local IPv4 address %s\n", straddr));
+ return false;
+ } else if (addr->s_addr == htonl(INADDR_BROADCAST)) {
+ DEBUG(SSSDBG_FUNC_DATA, ("Broadcast IPv4 address %s\n", straddr));
+ return false;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unknown address family\n"));
+ return false;
+ }
+
+ return true;
+}
+
static void ipa_dyndns_sdap_connect_done(struct tevent_req *subreq);
static int ipa_dyndns_add_ldap_iface(struct ipa_dyndns_ctx *state,
struct sdap_handle *sh);
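Review bot: The IPv4 branch of ok_for_dns mixes byte orders: `addr->s_addr` is in network byte order, but `IN_MULTICAST()` and the constants `0xffff0000`/`0xa9fe0000` are host-order, so on little-endian hosts the multicast and 169.254.0.0/16 tests inspect the wrong octets. Link-local and multicast addresses would then pass the filter and be published in the forward record, while ordinary addresses whose last octet is 224-239 would be dropped. Suggest `if (IN_MULTICAST(ntohl(addr->s_addr))) {` and `} else if ((addr->s_addr & htonl(0xffff0000)) == htonl(0xa9fe0000)) {`; the loopback and broadcast tests already handle byte order correctly. A short comment above the function stating that it expects a non-NULL sockaddr and returns false for addresses that must not appear in forward records would also help.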
@@ -233,7 +287,9 @@ ipa_dyndns_update_send(struct ipa_options *ctx)
/* Add IP addresses to the list */
if((ifa->ifa_addr->sa_family == AF_INET ||
ifa->ifa_addr->sa_family == AF_INET6) &&
- strcasecmp(ifa->ifa_name, iface) == 0) {
+ strcasecmp(ifa->ifa_name, iface) == 0 &&
+ ok_for_dns(ifa->ifa_addr)) {
+
/* Add this address to the IP address list */
address = talloc_zero(state, struct ipa_ipaddress);
if (!address) {
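Review bot: `ok_for_dns(ifa->ifa_addr)` dereferences its argument, and getifaddrs() can return entries whose `ifa_addr` is NULL; no NULL check is visible in this hunk, although one may exist earlier in the loop, which starts outside it. If there is none, add `ifa->ifa_addr != NULL &&` as the first term of the condition. Because the call sits last in the `&&` chain, only AF_INET/AF_INET6 addresses reach it, so its "Unknown address family" branch is not reachable from this caller.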