Skip to content

fix(ns-scan): block network scan for large network (/19 or lower) #1493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
m-dilorenzi wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(ns-scan): block network scan for large network (/19 or lower) #1493

m-dilorenzi wants to merge 4 commits into from

Conversation

@m-dilorenzi
Copy link
Collaborator

@m-dilorenzi m-dilorenzi commented Jan 28, 2026

This pull request enhances the network scanning functionality by adding subnet size validation and improving interface information. The most important changes are:

Network scanning improvements:

  • Updated the scan function to take both device and interface parameters, and added logic to block ARP scans on subnets smaller than /20, returning a validation error if the subnet is too large.
  • Added the netmask_to_cidr_notation helper function to convert a netmask (e.g., 255.255.0.0) into CIDR notation (e.g., 16), using the ipaddress module.

Interface listing enhancements:

  • Modified the list_interfaces function to include the netmask in CIDR notation for each interface in its output.

Command-line interface updates:

  • Updated the command-line argument handling to require and pass the interface parameter for scans, ensuring the new validation logic is used.

Refs: #1434

@m-dilorenzi m-dilorenzi requested a review from Tbaile January 28, 2026 11:57
@m-dilorenzi m-dilorenzi self-assigned this Jan 28, 2026
Tbaile
Tbaile reviewed Jan 29, 2026
View reviewed changes
packages/ns-api/files/ns.scan Outdated
Comment on lines 48 to 59
def scan(device, interface):
ret = []
u = EUci()

if interface:
netmask = u.get('network', interface, 'netmask')
netmask_cidr = netmask_to_cidr_notation(netmask)

# block arp-scan if the subnet is /19 or smaller
if netmask_cidr is not None and netmask_cidr < 20:
return utils.validation_error("subnet_too_large_for_scan")

Copy link
Collaborator

@Tbaile Tbaile Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://nethserver.github.io/python3-nethsec/nethsec.utils.html#get_interface_from_device

@Tbaile Tbaile linked an issue Jan 29, 2026 that may be closed by this pull request
network scan fails when using very large subnets #1434
Open
gsanchietti
gsanchietti requested changes Jan 30, 2026
View reviewed changes
Copy link
Member

@gsanchietti gsanchietti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you're already executing the code in a try/except, you get rif of the netmask_to_cidr notation function

packages/ns-api/files/ns.scan Outdated
ret.append({"interface": i, "device": interfaces[i].get('device', '')})
try:
netmask = u.get('network', i, 'netmask') or ""
netmask_cidr = netmask_to_cidr_notation(netmask)
Copy link
Member

@gsanchietti gsanchietti Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
netmask_cidr = netmask_to_cidr_notation(netmask)
netmask_cidr = ipaddress.IPv4Network(f'0.0.0.0/{netmask}').prefixlen

packages/ns-api/files/ns.scan Outdated
Comment on lines 43 to 51
def netmask_to_cidr_notation(netmask):
"""Convert a netmask to CIDR notation (ex. 255.255.0.0 -> 16)"""
if not netmask:
return None
try:
return ipaddress.IPv4Network(f'0.0.0.0/{netmask}').prefixlen
except:
return None

Copy link
Member

@gsanchietti gsanchietti Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def netmask_to_cidr_notation(netmask):
"""Convert a netmask to CIDR notation (ex. 255.255.0.0 -> 16)"""
if not netmask:
return None
try:
return ipaddress.IPv4Network(f'0.0.0.0/{netmask}').prefixlen
except:
return None

packages/ns-api/files/ns.scan Outdated
try:
interface = utils.get_interface_from_device(u, device)
netmask = u.get('network', interface, 'netmask')
netmask_cidr = netmask_to_cidr_notation(netmask)
Copy link
Member

@gsanchietti gsanchietti Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
netmask_cidr = netmask_to_cidr_notation(netmask)
netmask_cidr = ipaddress.IPv4Network(f'0.0.0.0/{netmask}').prefixlen

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tbaile Tbaile Tbaile left review comments

@gsanchietti gsanchietti gsanchietti requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@m-dilorenzi m-dilorenzi

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

network scan fails when using very large subnets

4 participants

@m-dilorenzi @gsanchietti @Tbaile