authorMartin Kosek <mkosek@redhat.com>2012-02-01 17:12:17 +0100
committerRob Crittenden <rcritten@redhat.com>2012-02-26 18:09:36 -0500
commitd0320b9198fb84198a7e927caa9f9ef388f1b551 (patch)
tree8a8f44f33a19fefabdb2bd4fe026d394d70ec344 /ipapython
parent4265028befbea0418aa7469adc7ce356e357fda4 (diff)
Sanitize UDP checks in conncheck
UDP port checks in ipa-replica-conncheck always return OK even if the ports are closed by a firewall. They cannot be reliably checked in the same way as TCP ports, as UDP has no session management like TCP. We cannot guarantee a response from the checked side without our own echo server bound to the checked port. This patch removes UDP port checks in the replica->master direction, as we would have to implement a (Kerberos) protocol-level check to make the other side actually respond. A list of skipped ports is printed for the user. The master->replica direction was fixed and is now able to report an error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/ipautil.py27
1 files changed, 11 insertions, 16 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 596787ff..3cb3683b 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1106,15 +1106,10 @@ def get_gsserror(e):
-def host_port_open(host, port, socket_stream=True, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
families = (socket.AF_INET, socket.AF_INET6)
success = False
- if socket_stream:
- socket_type = socket.SOCK_STREAM
- else:
- socket_type = socket.SOCK_DGRAM
-
for family in families:
try:
try:
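Review bot: The new `socket_type` parameter silently replaces the `socket_stream` boolean keyword, so any caller still passing `socket_stream=...` now fails with a TypeError, and nothing in the signature or a docstring says that only `socket.SOCK_STREAM` and `socket.SOCK_DGRAM` are meaningful values (any other type reaches `connect()` and is reported as open without a datagram exchange). Callers outside ipapython are presumably updated elsewhere in this changeset, since the diffstat is limited to this directory. I would add a docstring right after the `def` line: `"""Return True if host:port accepts a TCP connection (SOCK_STREAM) or answers a datagram (SOCK_DGRAM); tries IPv4 then IPv6."""`, and state that `socket_timeout` bounds both the connect and, for UDP, the wait for the reply. The body of `host_port_open` continues in the next hunk.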
@@ -1126,6 +1121,11 @@ def host_port_open(host, port, socket_stream=True, socket_timeout=None):
s.settimeout(socket_timeout)
s.connect((host, port))
+
+ if socket_type == socket.SOCK_DGRAM:
+ s.send('')
+ s.recv(512)
+
success = True
except socket.error, e:
pass
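Review bot: The added `s.recv(512)` blocks indefinitely when `socket_timeout` is None and the UDP port is silently dropped by a firewall, because unlike a TCP connect there is no kernel-side timeout and no ICMP unreachable to surface as a `socket.error`; the "port blocked" detection the commit message describes therefore only works when the caller passes a timeout. I would make that explicit before the send: `if socket_timeout is None:` / `raise ValueError("socket_timeout is required for SOCK_DGRAM checks")`, or at least document it in the function's docstring. Note also that any datagram from the peer counts as success, the payload is never compared with the expected responder data, and `bind_port_responder` only replies when `responder_data` is truthy, so a probe against a responder started without it will time out and be reported as closed. `host_port_open` starts in the previous hunk and continues past this one.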
@@ -1137,14 +1137,9 @@ def host_port_open(host, port, socket_stream=True, socket_timeout=None):
return False
-def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder_data=None):
+def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None):
families = (socket.AF_INET, socket.AF_INET6)
- if socket_stream:
- socket_type = socket.SOCK_STREAM
- else:
- socket_type = socket.SOCK_DGRAM
-
host = '' # all available interfaces
for family in families:
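Review bot: The function still has no docstring, and the behaviour a caller most needs to know is not stated anywhere: it binds on all interfaces (`host = ''`), the `socket_stream` keyword is gone in favour of `socket_type`, and `responder_data` is only sent when truthy. I would add after the `def` line: `"""Bind port on all interfaces and answer one TCP connection (SOCK_STREAM) or one UDP datagram (SOCK_DGRAM) with responder_data, if given."""`. The body of `bind_port_responder` continues in the following hunks.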
@@ -1157,13 +1152,13 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
if socket_timeout is not None:
s.settimeout(socket_timeout)
- if socket_stream:
+ if socket_type == socket.SOCK_STREAM:
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
try:
s.bind((host, port))
- if socket_stream:
+ if socket_type == socket.SOCK_STREAM:
s.listen(1)
connection, client_address = s.accept()
try:
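Review bot: The responder serves exactly one peer, the first one to reach `s.accept()`, without checking who it is; `client_address` is unpacked and never used, and the UDP branch below behaves the same with `recvfrom(1)`. On a listener bound to all interfaces that means an unrelated connection, such as a port scanner hitting the port first, consumes the single accept and the master's probe then sees a refused connection or a timeout and reports the port as blocked. If the caller knows the expected peer address, I would pass it in and loop until `client_address[0]` matches (presumably a small change to the signature, so it may belong in a follow-up); otherwise at least log `client_address` so a spurious failure can be diagnosed. `bind_port_responder` starts in an earlier hunk and continues past this one.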
@@ -1171,8 +1166,8 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
connection.sendall(responder_data) #pylint: disable=E1101
finally:
connection.close()
- else:
- data, addr = s.recvfrom( 512 ) # buffer size is 1024 bytes
+ elif socket_type == socket.SOCK_DGRAM:
+ data, addr = s.recvfrom(1)
if responder_data:
s.sendto(responder_data, addr)