Accept icmpv6 as protocol of SG rule for backward compatibility

The patch https://review.openstack.org/#/c/252155/ renamed 'icmpv6' protocol to 'ipv6-icmp'. This leads to backward compatiblity of the security group API. This commit allows to specify 'icmpv6' as well. TODO(amotoki): The constant for 'icmpv6' will be moved to neutron-lib soon after Mitaka is shipped. Change-Id: I0d7e1cd9fc075902449c5eb5ef27069083ab95d4 Closes-Bug: #1558774
2016-03-18 17:41:23 +09:00 · 2016-03-18 17:41:23 +09:00 · 85d638af45
parent b2c60153c2
commit 85d638af45
5 changed files with 41 additions and 1 deletions
--- a/neutron/common/constants.py
+++ b/neutron/common/constants.py
@ -76,6 +76,12 @@ PROTO_NAME_UDP = 'udp'
 PROTO_NAME_UDPLITE = 'udplite'
 PROTO_NAME_VRRP = 'vrrp'

+# TODO(amotoki): It should be moved to neutron-lib.
+# For backward-compatibility of security group rule API,
+# we keep the old value for IPv6 ICMP.
+# It should be clean up in the future.
+PROTO_NAME_IPV6_ICMP_LEGACY = 'icmpv6'
+
 PROTO_NUM_AH = 51
 PROTO_NUM_DCCP = 33
 PROTO_NUM_EGP = 8
@ -120,6 +126,8 @@ IP_PROTOCOL_MAP = {PROTO_NAME_AH: PROTO_NUM_AH,
                   PROTO_NAME_UDPLITE: PROTO_NUM_UDPLITE,
                   PROTO_NAME_VRRP: PROTO_NUM_VRRP}

+IP_PROTOCOL_NAME_ALIASES = {PROTO_NAME_IPV6_ICMP_LEGACY: PROTO_NAME_IPV6_ICMP}
+
 VALID_DSCP_MARKS = [0, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34,
                    36, 38, 40, 46, 48, 56]

--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -420,6 +420,8 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
        # problems with comparing int and string in PostgreSQL. Here this
        # string is converted to int to give an opportunity to use it as
        # before.
+        if protocol in constants.IP_PROTOCOL_NAME_ALIASES:
+            protocol = constants.IP_PROTOCOL_NAME_ALIASES[protocol]
        return int(constants.IP_PROTOCOL_MAP.get(protocol, protocol))

    def _validate_port_range(self, rule):
@ -455,6 +457,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
        if rule['protocol'] in [constants.PROTO_NAME_IPV6_ENCAP,
                                constants.PROTO_NAME_IPV6_FRAG,
                                constants.PROTO_NAME_IPV6_ICMP,
+                                constants.PROTO_NAME_IPV6_ICMP_LEGACY,
                                constants.PROTO_NAME_IPV6_NONXT,
                                constants.PROTO_NAME_IPV6_OPTS,
                                constants.PROTO_NAME_IPV6_ROUTE]:
--- a/neutron/extensions/securitygroup.py
+++ b/neutron/extensions/securitygroup.py
@ -211,7 +211,12 @@ def _validate_name_not_default(data, valid_values=None):

 attr.validators['type:name_not_default'] = _validate_name_not_default

-sg_supported_protocols = [None] + list(const.IP_PROTOCOL_MAP.keys())
+# TODO(amotoki): const.IP_PROTOCOL_MAP now comes from neutron-lib,
+# so we cannot add PROTO_NAME_IPV6_ICMP_LEGACY to const.IP_PROTOCOL_MAP
+# in neutron.common.constants. IP_PROTOCOL_MAP in neutron-lib should
+# be updated and neutron should consume it once Mitaka backport is done.
+sg_supported_protocols = ([None] + list(const.IP_PROTOCOL_MAP.keys()) +
+                          list(const.IP_PROTOCOL_NAME_ALIASES.keys()))
 sg_supported_ethertypes = ['IPv4', 'IPv6']
 SECURITYGROUPS = 'security_groups'
 SECURITYGROUPRULES = 'security_group_rules'
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@ -106,6 +106,8 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
    def test_validate_ethertype_and_protocol(self):
        fake_ipv4_rules = [{'protocol': constants.PROTO_NAME_IPV6_ICMP,
                            'ethertype': constants.IPv4},
+                           {'protocol': constants.PROTO_NAME_IPV6_ICMP_LEGACY,
+                            'ethertype': constants.IPv4},
                           {'protocol': constants.PROTO_NAME_IPV6_ENCAP,
                            'ethertype': constants.IPv4},
                           {'protocol': constants.PROTO_NAME_IPV6_ROUTE,
--- a/neutron/tests/unit/extensions/test_securitygroup.py
+++ b/neutron/tests/unit/extensions/test_securitygroup.py
@ -834,6 +834,28 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
                for k, v, in keys:
                    self.assertEqual(rule['security_group_rule'][k], v)

+    def test_create_security_group_rule_icmpv6_legacy_protocol_name(self):
+        name = 'webservers'
+        description = 'my webservers'
+        with self.security_group(name, description) as sg:
+            security_group_id = sg['security_group']['id']
+            direction = "ingress"
+            ethertype = const.IPv6
+            remote_ip_prefix = "2001::f401:56ff:fefe:d3dc/128"
+            protocol = const.PROTO_NAME_IPV6_ICMP_LEGACY
+            keys = [('remote_ip_prefix', remote_ip_prefix),
+                    ('security_group_id', security_group_id),
+                    ('direction', direction),
+                    ('ethertype', ethertype),
+                    ('protocol', protocol)]
+            with self.security_group_rule(security_group_id, direction,
+                                          protocol, None, None,
+                                          remote_ip_prefix,
+                                          None, None,
+                                          ethertype) as rule:
+                for k, v, in keys:
+                    self.assertEqual(rule['security_group_rule'][k], v)
+
    def test_create_security_group_source_group_ip_and_ip_prefix(self):
        security_group_id = "4cd70774-cc67-4a87-9b39-7d1db38eb087"
        direction = "ingress"