From 306bdccfa4ef02d72bbd4103ad413bd4ed024177 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 1 Feb 2012 17:12:17 +0100
Subject: Sanitize UDP checks in conncheck

UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked.
https://fedorahosted.org/freeipa/ticket/2062
---
 ipapython/ipautil.py | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)
(limited to 'ipapython/ipautil.py')

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 596787ff..3cb3683b 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1106,15 +1106,10 @@ def get_gsserror(e):
-def host_port_open(host, port, socket_stream=True, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
 families = (socket.AF_INET, socket.AF_INET6)
 success = False
- if socket_stream:
- socket_type = socket.SOCK_STREAM
- else:
- socket_type = socket.SOCK_DGRAM
-
 for family in families:
 try:
 try:
@@ -1126,6 +1121,11 @@ def host_port_open(host, port, socket_stream=True, socket_timeout=None):
 s.settimeout(socket_timeout)
 s.connect((host, port))
+
+ if socket_type == socket.SOCK_DGRAM:
+ s.send('')
+ s.recv(512)
+
 success = True
 except socket.error, e:
 pass
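Review bot: Renaming the keyword parameter from `socket_stream` to `socket_type` in the `host_port_open` signature is not backward compatible: a caller still passing `socket_stream=False` by keyword now raises TypeError, and one passing a positional `False` ends up with `socket_type=False`, which matches neither `socket.SOCK_STREAM` nor `socket.SOCK_DGRAM` and so silently skips the new UDP probe while still reporting the TCP connect result as the answer. The same applies to `bind_port_responder` in the `@@ -1137` hunk. This view is limited to ipautil.py, so whether every caller was updated in the same commit cannot be confirmed from here; a docstring on both functions stating that `socket_type` must be `socket.SOCK_STREAM` or `socket.SOCK_DGRAM` and what each path does would make the contract explicit. The body of host_port_open continues outside the hunk.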
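Review bot: The new UDP probe blocks indefinitely on `s.recv(512)` when `socket_timeout` is left at its default of None, because a datagram silently dropped by a firewall produces neither a reply nor an ICMP error, which is the very case the commit sets out to detect. With a timeout set, the resulting `socket.timeout` is (in this Python 2 code) a `socket.error` subclass and falls into the existing except clause, so the port is reported closed as intended; without one the check hangs. A comment above the new branch should state this, e.g. `# A dropped datagram never answers: callers must pass socket_timeout, otherwise this recv() blocks forever.`, or the DGRAM path could reject `socket_timeout is None` up front. The probe also depends on the peer running `bind_port_responder`, since an empty datagram sent to an arbitrary UDP service is not guaranteed a reply, and that assumption belongs in the same comment. host_port_open continues past the end of the hunk.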
@@ -1137,14 +1137,9 @@ def host_port_open(host, port, socket_stream=True, socket_timeout=None):
 return False
-def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder_data=None):
+def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None):
 families = (socket.AF_INET, socket.AF_INET6)
- if socket_stream:
- socket_type = socket.SOCK_STREAM
- else:
- socket_type = socket.SOCK_DGRAM
-
 host = '' # all available interfaces
 for family in families:
@@ -1157,13 +1152,13 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
 if socket_timeout is not None:
 s.settimeout(socket_timeout)
- if socket_stream:
+ if socket_type == socket.SOCK_STREAM:
 s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 try:
 s.bind((host, port))
- if socket_stream:
+ if socket_type == socket.SOCK_STREAM:
 s.listen(1)
 connection, client_address = s.accept()
 try:
@@ -1171,8 +1166,8 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
 connection.sendall(responder_data) #pylint: disable=E1101
 finally:
 connection.close()
-else:
- data, addr = s.recvfrom( 512 ) # buffer size is 1024 bytes
+elif socket_type == socket.SOCK_DGRAM:
+ data, addr = s.recvfrom(1)
 if responder_data:
 s.sendto(responder_data, addr)
-- cgit
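Review bot: Turning the former `else` into `elif socket_type == socket.SOCK_DGRAM` in the `@@ -1171` hunk creates a third, silent path: any other `socket_type` value now binds the port and returns without ever accepting or responding, and the caller gets no error to tell it the responder never ran. An explicit `else: raise ValueError('unsupported socket_type')` after the elif would surface that case instead of hiding it. The new `s.recvfrom(1)` also replaces the old (wrong) size comment with nothing, so the 1-byte buffer looks like a typo; a comment such as `# the probe datagram is empty and only the sender address is needed for the reply; anything longer is truncated` documents the intent, and `data` is then visibly unused. bind_port_responder's body begins and ends outside this hunk.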