Enforce ethertype with IPv6 integer protocols
By extending the black list to include the integer representations of the IPv6 protocols we can successfully block API requests to create security group rules for IPv6 protocols with ethertype IPv4. Closes-Bug: #1706229 Change-Id: I5abeff178b3be18f1e93d00d9d546147b11c1a74
parent
8718d5c2b6
commit
2ec36dc812
|
@ -473,7 +473,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||
constants.PROTO_NAME_IPV6_ICMP_LEGACY,
|
||||
constants.PROTO_NAME_IPV6_NONXT,
|
||||
constants.PROTO_NAME_IPV6_OPTS,
|
||||
constants.PROTO_NAME_IPV6_ROUTE]:
|
||||
constants.PROTO_NAME_IPV6_ROUTE,
|
||||
str(constants.PROTO_NUM_IPV6_ENCAP),
|
||||
str(constants.PROTO_NUM_IPV6_FRAG),
|
||||
str(constants.PROTO_NUM_IPV6_ICMP),
|
||||
str(constants.PROTO_NUM_IPV6_NONXT),
|
||||
str(constants.PROTO_NUM_IPV6_OPTS),
|
||||
str(constants.PROTO_NUM_IPV6_ROUTE)]:
|
||||
if rule['ethertype'] == constants.IPv4:
|
||||
raise ext_sg.SecurityGroupEthertypeConflictWithProtocol(
|
||||
ethertype=rule['ethertype'], protocol=rule['protocol'])
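Review bot: The added `str(constants.PROTO_NUM_IPV6_*)` entries match only the canonical decimal string, so the ethertype conflict check still depends on `rule['protocol']` reaching this point in exactly that form. An integer-typed value or a differently formatted number would not be in the list and would fall through without raising `SecurityGroupEthertypeConflictWithProtocol`. Whether such values can arrive depends on conversion done before this method, which is not visible in the hunk. Consider normalising the protocol once and comparing numbers against a set of the `PROTO_NUM_IPV6_*` constants, or at least state the assumption with a comment such as `# rule['protocol'] is expected to be a name or a canonical decimal string here`. The enclosing method starts and ends outside the hunk.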
|
||||
|
|
|
@ -217,6 +217,18 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
|
|||
{'protocol': constants.PROTO_NAME_IPV6_NONXT,
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': constants.PROTO_NAME_IPV6_OPTS,
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': str(constants.PROTO_NUM_IPV6_ICMP),
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': str(constants.PROTO_NUM_IPV6_ENCAP),
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': str(constants.PROTO_NUM_IPV6_ROUTE),
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': str(constants.PROTO_NUM_IPV6_FRAG),
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': str(constants.PROTO_NUM_IPV6_NONXT),
|
||||
'ethertype': constants.IPv4},
|
||||
{'protocol': str(constants.PROTO_NUM_IPV6_OPTS),
|
||||
'ethertype': constants.IPv4}]
|
||||
# test wrong protocols
|
||||
for rule in fake_ipv4_rules:
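Review bot: Every new case wraps the number in `str()`, so the test pins only the canonical string form of each IPv6 protocol number. If an integer-typed protocol can reach the mixin, a case such as `{'protocol': constants.PROTO_NUM_IPV6_ICMP, 'ethertype': constants.IPv4}` would document whether the conflict is still raised for it. The twelve added lines could also be generated from a tuple of the `PROTO_NUM_IPV6_*` constants, which keeps the test aligned with the list it exercises. The body of the `for rule in fake_ipv4_rules:` loop is outside the hunk, so what is asserted for each rule cannot be confirmed from here.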
|
||||
|
|