Validate security group rules for port ranges
Port range validation was previously done only for TCP and UDP. Use the same validation logic for DCCP, SCTP and UDP-Lite, too. APIImpact DocImpact Change-Id: Ife90be597d1a59a634d5474dad543dc1803e8242
parent
e711efc7db
commit
f711ad78c5
@ -444,7 +444,11 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
|||||||
if not rule['protocol']:
|
if not rule['protocol']:
|
||||||
raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
|
raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
|
||||||
ip_proto = self._get_ip_proto_number(rule['protocol'])
|
ip_proto = self._get_ip_proto_number(rule['protocol'])
|
||||||
if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]:
|
# Not all firewall_driver support all these protocols,
|
||||||
|
# but being strict here doesn't hurt.
|
||||||
|
if ip_proto in [constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
|
||||||
|
constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
|
||||||
|
constants.PROTO_NUM_UDPLITE]:
|
||||||
if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
|
if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
|
||||||
raise ext_sg.SecurityGroupInvalidPortValue(port=0)
|
raise ext_sg.SecurityGroupInvalidPortValue(port=0)
|
||||||
elif (rule['port_range_min'] is not None and
|
elif (rule['port_range_min'] is not None and
|
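Review bot: The new comment above the protocol list says being strict "doesn't hurt" but omits the consequence a reader needs: passing this API-level check does not mean the rule is enforced, because by the comment's own statement not every firewall driver supports all five protocols. I would state that directly, e.g. `# API-level check only: a firewall_driver without support for a listed protocol may still not enforce the rule's port range.` As a style point, the inline five-element list could become a module-level tuple so the set of port-based protocols is defined once. The `elif` branch and the rest of the function lie outside the hunk, so how the remaining range checks behave for the added protocols cannot be confirmed from here.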
||||||
|
@ -440,3 +440,20 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
|
|||||||
{'port_range_min': pmin,
|
{'port_range_min': pmin,
|
||||||
'port_range_max': pmax,
|
'port_range_max': pmax,
|
||||||
'protocol': protocol})
|
'protocol': protocol})
|
||||||
|
|
||||||
|
def test__validate_port_range_exception(self):
|
||||||
|
self.assertRaises(securitygroup.SecurityGroupInvalidPortValue,
|
||||||
|
self.mixin._validate_port_range,
|
||||||
|
{'port_range_min': 0,
|
||||||
|
'port_range_max': None,
|
||||||
|
'protocol': constants.PROTO_NAME_TCP})
|
||||||
|
self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
|
||||||
|
self.mixin._validate_port_range,
|
||||||
|
{'port_range_min': 1,
|
||||||
|
'port_range_max': None,
|
||||||
|
'protocol': constants.PROTO_NAME_SCTP})
|
||||||
|
self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
|
||||||
|
self.mixin._validate_port_range,
|
||||||
|
{'port_range_min': 1000,
|
||||||
|
'port_range_max': 1,
|
||||||
|
'protocol': constants.PROTO_NAME_UDPLITE})
|
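Review bot: DCCP is one of the three protocols this commit adds to the validated list, yet `test__validate_port_range_exception` has no DCCP case. Its only port-0 assertion uses `constants.PROTO_NAME_TCP`, which was already validated before the change, so the `SecurityGroupInvalidPortValue` branch is not exercised for any newly covered protocol. I would add one more `assertRaises` for `SecurityGroupInvalidPortValue` with `'port_range_min': 0` and `'protocol': constants.PROTO_NAME_DCCP`, so that each new protocol fails at least one check. The dict literal at the top of the hunk belongs to a test that starts outside it.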
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- In security group rules API, API level validation for port_range values
|
||||||
|
has been performed only against TCP and UDP. Now it is performed
|
||||||
|
against DCCP, SCTP and UDP-Lite, too.
|