ovsfw: Fix up port_range and ICMP type/code handling

port_range_min/max should be read as ICMP type/code for ICMP(V6).

Change-Id: I65157037038d11464902c0311eb4c54b84f60c72
Closes-bug: #1708358
(cherry picked from commit b82db0a9f2)
This commit is contained in:
IWAMOTO Toshihiro 2017-08-03 15:36:33 +09:00
parent 93d2e76391
commit 82e13a257c
2 changed files with 48 additions and 1 deletions

View File

@ -95,7 +95,10 @@ def create_protocol_flows(direction, flow_template, port, rule):
if protocol is not None:
flow_template['nw_proto'] = protocol
flows = create_port_range_flows(flow_template, rule)
if protocol in [n_consts.PROTO_NUM_ICMP, n_consts.PROTO_NUM_IPV6_ICMP]:
flows = create_icmp_flows(flow_template, rule)
else:
flows = create_port_range_flows(flow_template, rule)
return flows or [flow_template]
@ -138,6 +141,19 @@ def create_port_range_flows(flow_template, rule):
return flows
def create_icmp_flows(flow_template, rule):
icmp_type = rule.get('port_range_min')
if icmp_type is None:
return
flow = flow_template.copy()
flow['icmp_type'] = icmp_type
icmp_code = rule.get('port_range_max')
if icmp_code is not None:
flow['icmp_code'] = icmp_code
return [flow]
def create_flows_for_ip_address(ip_address, direction, ethertype,
vlan_tag, conj_ids):
"""Create flows from a rule and an ip_address derived from

View File

@ -240,6 +240,36 @@ class TestCreateProtocolFlows(base.BaseTestCase):
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
def test_create_protocol_flows_icmp(self):
rule = {'ethertype': constants.IPv4,
'protocol': constants.PROTO_NUM_ICMP,
'port_range_min': 0}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_ICMP,
'icmp_type': 0
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
def test_create_protocol_flows_ipv6_icmp(self):
rule = {'ethertype': constants.IPv6,
'protocol': constants.PROTO_NUM_IPV6_ICMP,
'port_range_min': 5,
'port_range_max': 0}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
'icmp_type': 5,
'icmp_code': 0,
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
class TestCreatePortRangeFlows(base.BaseTestCase):
def _test_create_port_range_flows_helper(self, expected_flows, rule):
@ -294,6 +324,7 @@ class TestCreatePortRangeFlows(base.BaseTestCase):
self._test_create_port_range_flows_helper(expected_flows, rule)
def test_create_port_range_with_icmp_protocol(self):
# NOTE: such call is prevented by create_protocols_flows
rule = {
'protocol': constants.PROTO_NUM_ICMP,
'port_range_min': 10,