Sanitize UDP checks in conncheck

UDP port checks in ipa-replica-conncheck always returns OK even if they are closed by a firewall. They cannot be reliably checked in the same way as TCP ports as there is no session management as in TCP protocol. We cannot guarantee a response on the checked side without our own echo server bound to checked port. This patch removes UDP port checks in replica->master direction as we would have to implement (kerberos) protocol-wise check to make the other side actually respond. A list of skipped ports is printed for user. Direction master->replica was fixed and now it is able to report error when the port is blocked. https://fedorahosted.org/freeipa/ticket/2062
2025-02-25 18:55:28 -06:00 · 2012-02-01 17:12:17 +01:00
parent cbb3bfae23
commit 306bdccfa4
2 changed files with 49 additions and 36 deletions
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1106,15 +1106,10 @@ def get_gsserror(e):



-def host_port_open(host, port, socket_stream=True, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
    families = (socket.AF_INET, socket.AF_INET6)
    success = False

-    if socket_stream:
-        socket_type = socket.SOCK_STREAM
-    else:
-        socket_type = socket.SOCK_DGRAM
-
    for family in families:
        try:
            try:
@@ -1126,6 +1121,11 @@ def host_port_open(host, port, socket_stream=True, socket_timeout=None):
                s.settimeout(socket_timeout)

            s.connect((host, port))
+
+            if socket_type == socket.SOCK_DGRAM:
+                s.send('')
+                s.recv(512)
+
            success = True
        except socket.error, e:
            pass
@@ -1137,14 +1137,9 @@ def host_port_open(host, port, socket_stream=True, socket_timeout=None):

    return False

-def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder_data=None):
+def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None):
    families = (socket.AF_INET, socket.AF_INET6)

-    if socket_stream:
-        socket_type = socket.SOCK_STREAM
-    else:
-        socket_type = socket.SOCK_DGRAM
-
    host = ''   # all available interfaces

    for family in families:
@@ -1157,13 +1152,13 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
    if socket_timeout is not None:
        s.settimeout(socket_timeout)

-    if socket_stream:
+    if socket_type == socket.SOCK_STREAM:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    try:
        s.bind((host, port))

-        if socket_stream:
+        if socket_type == socket.SOCK_STREAM:
            s.listen(1)
            connection, client_address = s.accept()
            try:
@@ -1171,8 +1166,8 @@ def bind_port_responder(port, socket_stream=True, socket_timeout=None, responder
                    connection.sendall(responder_data) #pylint: disable=E1101
            finally:
                connection.close()
-        else:
-            data, addr = s.recvfrom( 512 ) # buffer size is 1024 bytes
+        elif socket_type == socket.SOCK_DGRAM:
+            data, addr = s.recvfrom(1)

            if responder_data:
                s.sendto(responder_data, addr)