Univention Bugzilla – Bug 32995
Missing gateway validation
Last modified: 2019-01-03 07:18:38 CET
Created attachment 5537
Validate gateway addresses

The IP address of the default gateway is not validated: The IP address given must be located in one of the network ranges of the configured interfaces. Currently ifup ignores the invalid address, but the host becomes unreachable, since it can no longer communicate with hosts outside its local sub-networks.
hmm, don't remove the IP4Set() and IP6Set(). Otherwise same IP addresses aren't equal. '::1' != '0::1' / '127.0.0.1' != '127.00.0.1'.
ah nvm, I didn't watch the patch exactly.
This is really annoying, especially during testing for Bug #28670, as the VM loses its network connection.

The patch has one minor cosmetic bug: If the address is not (syntax-)valid, two errors are displayed. Bug #32815 would fix that.
IMHO important as the new wizard writes wrong default gateway values!
(In reply to Florian Best from comment #4)
> IMHO important as the new wizard writes wrong default gateway values!

Currently, there are checks for correct ipv4/ipv6 addresses in the frontend + backend code.
(In reply to Alexander Kläser from comment #5)
> (In reply to Florian Best from comment #4)
> > IMHO important as the new wizard writes wrong default gateway values!
>
> Currently, there are checks for correct ipv4/ipv6 addresses in the frontend
> + backend code.

They only check the syntax, but not the semantics: The gateway 10.0.0.1 is not in the network 192.168.0.0/24, so the IP stack can't reach the gateway and thus no host outside the given network is reachable.

  # gateway and network are the configured values as strings
  from ipaddr import IPAddress, IPNetwork
  assert(IPAddress(gateway) in IPNetwork(network))
For IPv6 see Bug #23897 where link-local fe80::/10 are also valid while not being configured explicitly via UCR.
Today a user on the forum[1] asked about how to configure a gateway that's not part of the subnet configured for the address. He's trying to install UCS on a root server, and the scenario that the gateway is outside of the network interface's subnet is rather common due to IPv4 shortage.

Yes, this works just fine if a host route is established for the gateway. And yes, base Debian[2] does support such a scenario with the "pointopoint …" key word in "/etc/network/interfaces". It even seems that UCS supports such a scenario: the template "/etc/univention/templates/files/etc/network/interfaces.d/10-default" checks if the subnet mask has all bits set and inserts the appropriate "pointopoint" entry for the gateway if that's the case.

Additionally an IPv6 gateway can often be a link-local address (fe80::/10) as Philipp has said. In that case the gateway isn't part of the subnet either.

So please do NOT restrict the gateway. Instead fix the installer to recognize the need for an additional host route to the gateway.

[1] http://forum.univention.de/posting.php?mode=reply&f=48&t=6147#pr22780
[2] https://wiki.hetzner.de/index.php/Netzkonfiguration_Debian
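The cases raised in this thread, combined as an added example (not the attached patch and not UCS code): containment in a configured network, with the link-local IPv6 and all-mask-bits-set cases reported separately instead of rejected. It uses Python 3's standard ipaddress module rather than the ipaddr package; the function name, the result labels and the own-address check are assumptions of this example.

```python
import ipaddress

LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def classify_gateway(gateway, interfaces):
    """Classify a default gateway against "address/prefix" interface strings.

    Hypothetical result labels: invalid-syntax, own-address, on-link,
    link-local, needs-host-route, unreachable.
    """
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return "invalid-syntax"  # the syntax check that already exists
    # Only interfaces of the gateway's address family can reach it.
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    ifaces = [i for i in ifaces if i.version == gw.version]
    if any(gw == i.ip for i in ifaces):
        return "own-address"  # the host cannot be its own next hop
    # Semantic check from the thread: gateway inside a configured network.
    if any(gw in i.network for i in ifaces):
        return "on-link"
    # IPv6 link-local gateways (fe80::/10) are valid without a matching prefix.
    if gw.version == 6 and gw in LINK_LOCAL_V6:
        return "link-local"
    # All mask bits set (/32, /128): point-to-point setup, the gateway is
    # reachable only through an explicit host route ("pointopoint").
    if any(i.network.prefixlen == i.network.max_prefixlen for i in ifaces):
        return "needs-host-route"
    return "unreachable"


if __name__ == "__main__":
    # Constructed samples; 10.0.0.1 and 192.168.0.0/24 are from the thread.
    samples = [
        ("192.168.0.1", ["192.168.0.10/24"]),
        ("10.0.0.1", ["192.168.0.10/24"]),
        ("10.0.0.1", ["203.0.113.7/32"]),
        ("fe80::1", ["2001:db8::10/64"]),
        ("10.0.0.300", ["192.168.0.10/24"]),
    ]
    for gw, ifs in samples:
        print(f"{gw:12} via {ifs}: {classify_gateway(gw, ifs)}")
```

Only "unreachable", "own-address" and "invalid-syntax" would be grounds for rejecting the value; "needs-host-route" is the point-to-point case the interfaces template already handles.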
This issue has been filed against UCS 4.1.

The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.