Enforce ethertype with IPv6 integer protocols

By extending the black list to include the integer representation for IPv6 we can succesfully block api requests to create security group rules for IPv6 protocols with ehtertype IPv4. Closes-Bug: #1706229 Change-Id: I5abeff178b3be18f1e93d00d9d546147b11c1a74
2017-07-25 08:44:08 -05:00 · 2017-07-25 08:44:08 -05:00 · 2ec36dc812
parent 8718d5c2b6
commit 2ec36dc812
2 changed files with 19 additions and 1 deletions
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -473,7 +473,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
                                constants.PROTO_NAME_IPV6_ICMP_LEGACY,
                                constants.PROTO_NAME_IPV6_NONXT,
                                constants.PROTO_NAME_IPV6_OPTS,
-                                constants.PROTO_NAME_IPV6_ROUTE]:
+                                constants.PROTO_NAME_IPV6_ROUTE,
+                                str(constants.PROTO_NUM_IPV6_ENCAP),
+                                str(constants.PROTO_NUM_IPV6_FRAG),
+                                str(constants.PROTO_NUM_IPV6_ICMP),
+                                str(constants.PROTO_NUM_IPV6_NONXT),
+                                str(constants.PROTO_NUM_IPV6_OPTS),
+                                str(constants.PROTO_NUM_IPV6_ROUTE)]:
            if rule['ethertype'] == constants.IPv4:
                raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
                        ethertype=rule['ethertype'], protocol=rule['protocol'])
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@ -217,6 +217,18 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
                           {'protocol': constants.PROTO_NAME_IPV6_NONXT,
                            'ethertype': constants.IPv4},
                           {'protocol': constants.PROTO_NAME_IPV6_OPTS,
+                            'ethertype': constants.IPv4},
+                           {'protocol': str(constants.PROTO_NUM_IPV6_ICMP),
+                            'ethertype': constants.IPv4},
+                           {'protocol': str(constants.PROTO_NUM_IPV6_ENCAP),
+                            'ethertype': constants.IPv4},
+                           {'protocol': str(constants.PROTO_NUM_IPV6_ROUTE),
+                            'ethertype': constants.IPv4},
+                           {'protocol': str(constants.PROTO_NUM_IPV6_FRAG),
+                            'ethertype': constants.IPv4},
+                           {'protocol': str(constants.PROTO_NUM_IPV6_NONXT),
+                            'ethertype': constants.IPv4},
+                           {'protocol': str(constants.PROTO_NUM_IPV6_OPTS),
                            'ethertype': constants.IPv4}]
        # test wrong protocols
        for rule in fake_ipv4_rules: