Closed mtdcr closed 2 months ago
> It returns the address of HA seen by the CCU.

What about people using multiple CCUs in different subnets? (e.g. HA-Addon and standalone CCU)

> Usually, this isn't a problem at all. ... solve a real problem for me.

What is the problem? You don't like it or it doesn't work? Please add more details.

> What is the problem? You don't like it or it doesn't work? Please add more details.

For another integration to work, I need HA to have an additional network interface in the same physical broadcast domain as the device to be controlled. Due to using Docker, my options are limited to macvlan and ipvlan, both of which cannot be firewalled internally (neither on the host due to the nature of the interfaces, nor in the container because HA images don't offer any means to configure firewall rules).
To reduce the attack surface of my HA instance, I would like to reduce the number of exposed network services to zero, on that second interface.
So I'd like to return the question: Would there be a problem with my proposed change applied?
Mature network services offer options to bind them to IP addresses or interfaces. HA has the http.server_host configuration item, for example. In case my proposal can't convince you, I'd welcome such a configuration option for homematic as an alternative.
Thanks for the details.
> Would there be a problem with my proposed change applied?

Basically not, and I think that the majority will not be affected by it, but it will be interesting to see which exotic setup, like yours, will have a problem with the implementation.
The problem
As the following lines show, the XML-RPC server always listens on 0.0.0.0.
https://github.com/danielperna84/hahomematic/blob/46e91e1d711da6ed52c0eaa1151ecb2413a5b861/hahomematic/central/xml_rpc_server.py#L178-L183
Usually, this isn't a problem at all. However, in some setups there are multiple network interfaces. So users like me may want to restrict services to listen on only one interface. The return value of await network.async_get_source_ip(hass, address_of_ccu) could be used as a sensible replacement for IP_ANY_V4. It returns the address of HA seen by the CCU.
In my HA setup, hahomematic is currently providing the only TCP service that listens globally. So changing this behaviour would solve a real problem for me.
What version of HomematicIP (local) has the issue?
1.64.0
What was the last working version of HomematicIP (local)?
No response
What type of installation are you running?
Home Assistant Container
What type of installation are you running for your homematic backend?
RaspberryMatic Standalone
Which version of your homematic backend are you running?
No response
What hardware are you running for your system?
No response
Which config details do you use
Which interfaces do you use?
Diagnostics information (no logs here)
No response
Log file extract. Anything in the logs that might be useful for us? The log (Setting/System/Logs -> load full log) is the best source to support trouble shooting!
No response
Additional information
No response
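
The change proposed in the issue above, as an added example that is not part of the thread and is not hahomematic or Home Assistant code. It uses only the Python standard library: `source_ip_towards` is a hypothetical stand-in for the Home Assistant helper named in the issue, `start_callback_server` and `accepts_tcp` are hypothetical helpers, and `127.0.0.1` is a constructed stand-in for the CCU address so the script runs offline.

```python
"""Bind an XML-RPC callback server to one local address instead of 0.0.0.0."""
import socket
import threading
from xmlrpc.server import SimpleXMLRPCServer

IP_ANY_V4 = "0.0.0.0"  # wildcard: the listener is exposed on every interface


def source_ip_towards(peer: str) -> str:
    """Return the local address the routing table selects to reach `peer`.

    connect() on a UDP socket transmits nothing; it only fixes the route,
    so getsockname() reveals the address the peer would see.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((peer, 9))  # port is arbitrary, no packet is sent
        return s.getsockname()[0]


def start_callback_server(bind_ip: str) -> SimpleXMLRPCServer:
    """Start an XML-RPC server on bind_ip with an OS-assigned port."""
    server = SimpleXMLRPCServer((bind_ip, 0), logRequests=False)
    server.register_function(lambda: "pong", "ping")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def accepts_tcp(ip: str, port: int) -> bool:
    """True if a TCP connection to ip:port is accepted (exposure check)."""
    try:
        with socket.create_connection((ip, port), timeout=1):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    ccu = "127.0.0.1"  # constructed stand-in for the CCU's address
    for bind_ip in (IP_ANY_V4, source_ip_towards(ccu)):
        srv = start_callback_server(bind_ip)
        port = srv.server_address[1]
        # Assumption: Linux, where all of 127.0.0.0/8 is loopback, so
        # 127.0.0.2 plays the "second interface" in this offline demo.
        probes = {ip: accepts_tcp(ip, port) for ip in ("127.0.0.1", "127.0.0.2")}
        print(f"bound to {bind_ip}: {probes}")
        srv.shutdown()
        srv.server_close()
```

On a multi-homed host the same probe, run from a machine on the second network, confirms whether the callback port is still reachable there after the bind address is changed.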