#5465 Fix IP address validation
Opened 8 years ago by pspacek. Modified 5 years ago

Currently, IP address validation in the CheckedIPAddress class uses the is_reserved() method from python-netaddr, which has undesired side effects.

As a consequence, accepted IP ranges differ wildly between different Fedora versions and the check may not accept ranges which were working in the past and vice versa. This ultimately breaks tests in a way which depends on the Fedora/python-netaddr version.

The appropriate solution is to use the new methods is_source() and is_destination() from python-netaddr. These functions will give stable results matching http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml .

This needs small tweaks in python-netaddr, but python-netaddr upstream is open to this; see https://github.com/drkjam/netaddr/issues/119#issuecomment-155343809 for further information.


FYI, this may break stuff with containers which use link-local addressing. We may want to consider raising priority.

self = Str('idnsallowquery', _validate_bind_aci, attribute=True, autofill=False, cli_...aledir=None), multivalue=False, normalizer=_normalize_bind_aci, required=False)
value = '192.0.2/24;any;', index = None

    def _validate_scalar(self, value, index=None):
        if type(value) not in self.allowed_types:
            raise TypeError(
                TYPE_ERROR % (self.name, self.type, value, type(value))
            )
        if index is not None and type(index) is not int:
            raise TypeError(
                TYPE_ERROR % ('index', int, index, type(index))
            )
        for rule in self.all_rules:
            error = rule(ugettext, value)
            if error is not None:
                raise ValidationError(
                    name=self.get_param_name(),
                    value=value,
                    index=index,
                    error=error,
>                   rule=rule,
                )
E               ValidationError: invalid 'allow_query': cannot use IANA reserved IP address

/usr/lib/python2.7/site-packages/ipalib/parameters.py:856: ValidationError

Tests on the ipa-4-2 branch are failing due to the problem described here. On pspacek's suggestion, I am marking this ticket for triage again.

We may want to switch to the ipaddress module, which is in the standard library in Python 3 and backported to Python 2 as the python-ipaddress package. I suggest postponing this ticket.
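An added example, not FreeIPA or python-netaddr code: a table-driven source/destination check of the kind the ticket description asks for, written with the standard-library ipaddress module mentioned in the comment above. The table is a constructed subset of the IANA IPv4 special registry, and the names classify() and check() are hypothetical.

```python
import ipaddress

# Constructed subset of the IANA IPv4 Special-Purpose Address Registry:
# (block, name, valid as source, valid as destination).
SPECIAL_V4 = [
    ("0.0.0.0/8", "This network", True, False),
    ("10.0.0.0/8", "Private-Use", True, True),
    ("100.64.0.0/10", "Shared Address Space", True, True),
    ("127.0.0.0/8", "Loopback", False, False),
    ("169.254.0.0/16", "Link Local", True, True),
    ("172.16.0.0/12", "Private-Use", True, True),
    ("192.0.2.0/24", "Documentation (TEST-NET-1)", False, False),
    ("192.168.0.0/16", "Private-Use", True, True),
    ("198.51.100.0/24", "Documentation (TEST-NET-2)", False, False),
    ("203.0.113.0/24", "Documentation (TEST-NET-3)", False, False),
    ("240.0.0.0/4", "Reserved", False, False),
    ("255.255.255.255/32", "Limited Broadcast", False, True),
]
_TABLE = [(ipaddress.IPv4Network(b), n, s, d) for b, n, s, d in SPECIAL_V4]


def classify(value):
    """Return (name, source_ok, destination_ok) for an IPv4 address or network."""
    net = ipaddress.IPv4Network(value, strict=False)
    # The most specific registry block that fully contains the value wins.
    inside = [row for row in _TABLE if net.subnet_of(row[0])]
    if inside:
        return max(inside, key=lambda row: row[0].prefixlen)[1:]
    # A wider network that merely overlaps special blocks gets the
    # most restrictive combination of their flags.
    hits = [row for row in _TABLE if net.overlaps(row[0])]
    if hits:
        return ("mixed", all(r[2] for r in hits), all(r[3] for r in hits))
    return (None, True, True)  # ordinary unicast space


def check(value, role):
    """Return an error string if value is unusable as role, else None."""
    name, src_ok, dst_ok = classify(value)
    if {"source": src_ok, "destination": dst_ok}[role]:
        return None
    return "%s (%s) is not valid as %s" % (value, name, role)


if __name__ == "__main__":
    for sample in ("169.254.10.20", "192.0.2.0/24", "255.255.255.255", "0.0.0.0/0"):
        print(sample, classify(sample))
```

Because the answer comes from a fixed table rather than a library's notion of "reserved", the result for a given range does not change with the installed library version.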

Replying to [comment:2 npmccallum]:

> FYI, this may break stuff with containers which use link-local addressing. We may want to consider raising priority.

I can't imagine how link-local addresses can work with IPA. The only guess I have is that all containers and IPA are on the same link, and DNS provides results only for that one particular link, because outside of that link the addresses are invalid, can be reused, etc.

I would like to re-triage this ticket, see comments 6 and 7. Proposing milestone Future release.

move to Future releases acked in triage

Metadata Update from @pspacek:
- Issue assigned to mbasti
- Issue set to the milestone: Future Releases

7 years ago

Metadata Update from @mbasti:
- Issue assigned to tkrizek (was: mbasti)
- Issue close_status updated to: None

6 years ago

Metadata Update from @tkrizek:
- Assignee reset

5 years ago
