Validate security group rules for port ranges

Port range validation has so far been performed only for TCP and UDP.
Apply the same validation logic to DCCP, SCTP and UDP-Lite as well.

APIImpact
DocImpact

Change-Id: Ife90be597d1a59a634d5474dad543dc1803e8242
IWAMOTO Toshihiro 2017-08-22 12:55:32 +09:00
parent e711efc7db
commit f711ad78c5
3 changed files with 27 additions and 1 deletions


@ -444,7 +444,11 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
if not rule['protocol']: if not rule['protocol']:
raise ext_sg.SecurityGroupProtocolRequiredWithPorts() raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
ip_proto = self._get_ip_proto_number(rule['protocol']) ip_proto = self._get_ip_proto_number(rule['protocol'])
if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]: # Not all firewall_driver support all these protocols,
# but being strict here doesn't hurt.
if ip_proto in [constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
constants.PROTO_NUM_UDPLITE]:
if rule['port_range_min'] == 0 or rule['port_range_max'] == 0: if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
raise ext_sg.SecurityGroupInvalidPortValue(port=0) raise ext_sg.SecurityGroupInvalidPortValue(port=0)
elif (rule['port_range_min'] is not None and elif (rule['port_range_min'] is not None and
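Review bot: The set of port-carrying protocols in the new `if ip_proto in [...]` check is an inline list literal, so any other code that needs the same set (for example a firewall driver) has to repeat it and can drift from this validation. Consider a named module-level tuple holding the same five constants, e.g. `PORT_RANGE_PROTOCOLS` (the name is only a suggestion), and testing `if ip_proto in PORT_RANGE_PROTOCOLS:`. The added comment would read more clearly as `# Not all firewall drivers support all of these protocols, but rejecting invalid port ranges here is harmless.` The method body continues outside the hunk, so how DCCP, SCTP and UDP-Lite rules were handled before this change is not visible here; since the commit is marked APIImpact, it is worth confirming that no existing client depends on port 0 or an inverted range being accepted for them.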


@ -440,3 +440,20 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
{'port_range_min': pmin, {'port_range_min': pmin,
'port_range_max': pmax, 'port_range_max': pmax,
'protocol': protocol}) 'protocol': protocol})
def test__validate_port_range_exception(self):
self.assertRaises(securitygroup.SecurityGroupInvalidPortValue,
self.mixin._validate_port_range,
{'port_range_min': 0,
'port_range_max': None,
'protocol': constants.PROTO_NAME_TCP})
self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
self.mixin._validate_port_range,
{'port_range_min': 1,
'port_range_max': None,
'protocol': constants.PROTO_NAME_SCTP})
self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
self.mixin._validate_port_range,
{'port_range_min': 1000,
'port_range_max': 1,
'protocol': constants.PROTO_NAME_UDPLITE})
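Review bot: `test__validate_port_range_exception` never exercises DCCP, and its only port-0 assertion uses TCP, which was already validated before this change. The test would therefore still pass if `constants.PROTO_NUM_DCCP` were dropped from the validated list, and it does not show that port 0 is rejected for any of the newly covered protocols. Add a DCCP case with port 0, e.g. `self.assertRaises(securitygroup.SecurityGroupInvalidPortValue, self.mixin._validate_port_range, {'port_range_min': 0, 'port_range_max': None, 'protocol': constants.PROTO_NAME_DCCP})`. A short docstring such as `"""Invalid port values and ranges are rejected for every port-carrying protocol."""` would also state what the test is meant to pin.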


@ -0,0 +1,5 @@
---
fixes:
- In security group rules API, API level validation for port_range values
has been performed only against TCP and UDP. Now it is performed
against DCCP, SCTP and UDP-Lite, too.