Validate security group rules for port ranges

Port ranges validation has been done only for TCP and UDP. Use the same validation logic for DCCP, SCTP and UDP-Lite, too. APIImpact DocImpact Change-Id: Ife90be597d1a59a634d5474dad543dc1803e8242
2017-08-22 12:55:32 +09:00 · 2017-08-22 12:55:32 +09:00 · f711ad78c5
parent e711efc7db
commit f711ad78c5
3 changed files with 27 additions and 1 deletions
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -444,7 +444,11 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
        if not rule['protocol']:
            raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
        ip_proto = self._get_ip_proto_number(rule['protocol'])
-        if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]:
+        # Not all firewall_driver support all these protocols,
+        # but being strict here doesn't hurt.
+        if ip_proto in [constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
+                        constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
+                        constants.PROTO_NUM_UDPLITE]:
            if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
                raise ext_sg.SecurityGroupInvalidPortValue(port=0)
            elif (rule['port_range_min'] is not None and
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@ -440,3 +440,20 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
                    {'port_range_min': pmin,
                     'port_range_max': pmax,
                     'protocol': protocol})
+
+    def test__validate_port_range_exception(self):
+        self.assertRaises(securitygroup.SecurityGroupInvalidPortValue,
+                          self.mixin._validate_port_range,
+                          {'port_range_min': 0,
+                           'port_range_max': None,
+                           'protocol': constants.PROTO_NAME_TCP})
+        self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
+                          self.mixin._validate_port_range,
+                          {'port_range_min': 1,
+                           'port_range_max': None,
+                           'protocol': constants.PROTO_NAME_SCTP})
+        self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
+                          self.mixin._validate_port_range,
+                          {'port_range_min': 1000,
+                           'port_range_max': 1,
+                           'protocol': constants.PROTO_NAME_UDPLITE})
--- a/releasenotes/notes/security-group-port-range-check-73114bdcde459e53.yaml
+++ b/releasenotes/notes/security-group-port-range-check-73114bdcde459e53.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - In security group rules API, API level validation for port_range values
+    has been performed only against TCP and UDP. Now it is performed
+    against DCCP, SCTP and UDP-Lite, too.