From 044c0ad269f1c69a60241f776f0b7a08bf54ba6a Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Wed, 23 Oct 2019 13:25:09 +0300
Subject: [PATCH] NSX|V: Validate SG rule remote-ip-prefix is not 0.0.0.0/x

This is not supported by the backend and should be replaced with 'Any'

Change-Id: I96081d7e88863f9bc1d091cc3a5f7be0b9dde4e0
(cherry picked from commit 2696f331e6609920894d4e962d1a89d5e695a6a2)
---
 vmware_nsx/plugins/common/plugin.py | 14 ++++++++++++++
 vmware_nsx/plugins/common_v3/plugin.py | 14 --------------
 vmware_nsx/plugins/nsx_v/plugin.py | 1 +
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/vmware_nsx/plugins/common/plugin.py b/vmware_nsx/plugins/common/plugin.py
index e6070bf755..f03d2338a4 100644
--- a/vmware_nsx/plugins/common/plugin.py
+++ b/vmware_nsx/plugins/common/plugin.py
@@ -41,6 +41,7 @@ from neutron_lib.utils import net as nl_net_utils
 from vmware_nsx._i18n import _
 from vmware_nsx.common import exceptions as nsx_exc
+from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as sg_prefix
 from vmware_nsx.services.qos.common import utils as qos_com_utils
 LOG = logging.getLogger(__name__)
@@ -426,6 +427,19 @@ class NsxPluginBase(db_base_plugin_v2.NeutronDbPluginV2,
 'restricted') % dev_owner
 raise n_exc.BadRequest(resource='floatingip', msg=msg)
+ def _fix_sg_rule_dict_ips(self, sg_rule):
+ # 0.0.0.0/# and ::/ are not valid entries for local and remote so we
+ # need to change this to None
+ if (sg_rule.get('remote_ip_prefix') and
+ (sg_rule['remote_ip_prefix'].startswith('0.0.0.0/') or
+ sg_rule['remote_ip_prefix'].startswith('::/'))):
+ sg_rule['remote_ip_prefix'] = None
+ if (sg_rule.get(sg_prefix.LOCAL_IP_PREFIX) and
+ validators.is_attr_set(sg_rule[sg_prefix.LOCAL_IP_PREFIX]) and
+ (sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('0.0.0.0/') or
+ sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('::/'))):
+ sg_rule[sg_prefix.LOCAL_IP_PREFIX] = None
+
 def get_housekeeper(self, context, name, fields=None):
 # run the job in readonly mode and get the results
 self.housekeeper.run(context, name, readonly=True)
diff --git a/vmware_nsx/plugins/common_v3/plugin.py b/vmware_nsx/plugins/common_v3/plugin.py
index d25a2c3dc2..5577f2d6fb 100644
--- a/vmware_nsx/plugins/common_v3/plugin.py
+++ b/vmware_nsx/plugins/common_v3/plugin.py
@@ -87,7 +87,6 @@ from vmware_nsx.db import nsx_portbindings_db as pbin_db
 from vmware_nsx.extensions import advancedserviceproviders as as_providers
 from vmware_nsx.extensions import maclearning as mac_ext
 from vmware_nsx.extensions import providersecuritygroup as provider_sg
-from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as sg_prefix
 from vmware_nsx.plugins.common import plugin
 from vmware_nsx.services.qos.common import utils as qos_com_utils
 from vmware_nsx.services.vpnaas.common_v3 import ipsec_utils
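Review bot: The new `_fix_sg_rule_dict_ips` in common/plugin.py widens every `0.0.0.0/x` and `::/x` prefix to "any" (None), yet only a zero-length prefix means any address — a rule requested with `0.0.0.0/8` or `::/128` is a narrow rule, and dropping its prefix silently turns a restricted security-group rule into an allow-all one. Limit the rewrite to the exact equivalents, `if sg_rule.get('remote_ip_prefix') in ('0.0.0.0/0', '::/0'):` and the same membership test for `sg_prefix.LOCAL_IP_PREFIX`, so that any other zero-network prefix is left untouched and surfaces as a backend rejection rather than a broadened rule; if a parsed-network helper is already available in this module, comparing the prefix length instead of string matching would also catch non-canonical spellings such as `::0/0`. The method also references `validators`, which this hunk does not import — the copy removed from common_v3/plugin.py relied on that module's own imports, so confirm `validators` is already in scope in common/plugin.py before this lands. A short docstring stating that the backend cannot express these prefixes and that None is its "any" would make the intent clearer than the inline comment does.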
@@ -301,19 +300,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 interface_info['subnet_id'])['network_id']
 return net_id
- def _fix_sg_rule_dict_ips(self, sg_rule):
- # 0.0.0.0/# and ::/ are not valid entries for local and remote so we
- # need to change this to None
- if (sg_rule.get('remote_ip_prefix') and
- (sg_rule['remote_ip_prefix'].startswith('0.0.0.0/') or
- sg_rule['remote_ip_prefix'].startswith('::/'))):
- sg_rule['remote_ip_prefix'] = None
- if (sg_rule.get(sg_prefix.LOCAL_IP_PREFIX) and
- validators.is_attr_set(sg_rule[sg_prefix.LOCAL_IP_PREFIX]) and
- (sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('0.0.0.0/') or
- sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('::/'))):
- sg_rule[sg_prefix.LOCAL_IP_PREFIX] = None
-
 def _validate_interface_address_scope(self, context, router_db,
 interface_subnet):
 gw_network_id = (router_db.gw_port.network_id if router_db.gw_port
diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index 9181cf012e..7f34292e23 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -4786,6 +4786,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 rule = r['security_group_rule']
 if not self._check_local_ip_prefix(context, rule):
 rule[secgroup_rule_local_ip_prefix.LOCAL_IP_PREFIX] = None
+ self._fix_sg_rule_dict_ips(rule)
 rule['id'] = rule.get('id') or uuidutils.generate_uuid()
 ruleids.add(rule['id'])
 nsx_rules.append(
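Review bot: The added `self._fix_sg_rule_dict_ips(rule)` in nsx_v/plugin.py mutates `rule`, which is the request body dict (`r['security_group_rule']`), so a rewritten prefix is presumably what gets persisted and echoed back to the caller rather than the value that was requested; that is worth stating at the call site, e.g. `# backend cannot express 0.0.0.0/x or ::/x prefixes; normalize in place before the rule is stored`. If this plugin has a separate non-bulk create or an update path for security group rules, it would need the same normalization — that cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.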