openstack/neutron-fwaas
Code Issues Proposed changes

Merge "Fix error when apply rule with dst port large than src port"

Browse Source
This commit is contained in:
Zuul 2022-05-06 10:45:27 +00:00 committed by Gerrit Code Review
commit 28ba8cc6ca
2 changed files with 88 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
neutron_fwaas/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/firewall.py
View File

@ -957,7 +957,7 @@ class OVSFirewallDriver(driver_base.FirewallL2DriverBase):
return return
ports = range_str.split(':', 1) ports = range_str.split(':', 1)
rule[key_min] = int(ports[0]) rule[key_min] = int(ports[0])
rule['port_range_max'] = ( rule[key_max] = (
int(ports[1]) if len(ports) == 2 else int(ports[0])) int(ports[1]) if len(ports) == 2 else int(ports[0]))
add_range('destination_port', 'port_range_min', 'port_range_max') add_range('destination_port', 'port_range_min', 'port_range_max')

87
neutron_fwaas/tests/unit/services/firewall/service_drivers/agents/drivers/linux/l2/openvswitch_firewall/test_firewall.py
View File

@ -694,3 +694,90 @@ class TestOVSFirewallDriver(base.BaseTestCase):
self.mock_bridge.br.db_get_val.return_value = {} self.mock_bridge.br.db_get_val.return_value = {}
self.firewall._remove_egress_no_port_security('port_id') self.firewall._remove_egress_no_port_security('port_id')
self.assertFalse(self.mock_bridge.br.delete_flows.called) self.assertFalse(self.mock_bridge.br.delete_flows.called)
def test_add_flows_from_rules_with_dst_large_than_src_port(self):
port_dict = {
'device': 'port-id',
'firewall_group': 123,
'lvlan': TESTING_VLAN_TAG,
}
port = self.firewall.get_or_create_ofport(port_dict)
ingress_rules = [{
'ip_version': 4,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6,
'direction': 'ingress',
'ethertype': 'IPv4',
'offset': 1,
'port_range_min': 7000,
'port_range_max': 7000,
'source_port_range_min': 4000,
'source_port_range_max': 4000
}, {
'ip_version': 6,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6,
'direction': 'ingress',
'ethertype': 'IPv6',
'offset': 0,
'port_range_min': 7000,
'port_range_max': 7000,
'source_port_range_min': 4000,
'source_port_range_max': 4000
}]
egress_rules = [{
'ip_version': 4,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6,
'direction': 'egress',
'ethertype': 'IPv4',
'offset': 1,
'port_range_min': 7000,
'port_range_max': 7000,
'source_port_range_min': 4000,
'source_port_range_max': 4000
}, {
'ip_version': 6,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6,
'direction': 'egress',
'ethertype': 'IPv6',
'offset': 0,
'port_range_min': 7000,
'port_range_max': 7000,
'source_port_range_min': 4000,
'source_port_range_max': 4000
}]
port.fw_group.ingress_rules = [{
'ip_version': 4,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6
},
{
'ip_version': 6,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6
}
]
port.fw_group.egress_rules = [{
'ip_version': 4,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6
},
{
'ip_version': 6,
'source_port': '4000',
'destination_port': '7000',
'protocol': 6
}
]
self.firewall.add_flows_from_rules(port)
self.assertEqual(ingress_rules, port.fw_group.ingress_rules)
self.assertEqual(egress_rules, port.fw_group.egress_rules)