NSX|V3: ensure that 0.0.0.0/0 is treated correctly
The NSX will not accept 0.0.0.0/0 for remote and local IP prefixes. This is changed internally to 'ANY' The 'ANY' will only be internal. The API for the user will not change, they will stell see the 0.0.0.0/0 Change-Id: I24adc9da9f52d17621117b46d8a535ccedf93227
This commit is contained in:
Gary Kotton
Adit Sarfaty
parent
b9cbacb1c5
commit
4013b4ca65
|
|
@ -12,6 +12,7 @@
|
|||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
import copy
|
||||
|
||||
import netaddr
|
||||
from neutron_lib.agent import topics
|
||||
|
|
@ -4558,7 +4559,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
|||
# since the nsxlib does not have access to the nsx db,
|
||||
# we need to provide a mapping for the remote nsgroup ids.
|
||||
ruleid_2_remote_nsgroup_map = {}
|
||||
for sg_rule in sg_rules:
|
||||
_sg_rules = copy.deepcopy(sg_rules)
|
||||
for sg_rule in _sg_rules:
|
||||
remote_nsgroup_id = None
|
||||
remote_group_id = sg_rule.get('remote_group_id')
|
||||
# skip unnecessary db access when possible
|
||||
|
|
@ -4568,10 +4570,16 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
|||
remote_nsgroup_id = nsx_db.get_nsx_security_group_id(
|
||||
context.session, remote_group_id)
|
||||
ruleid_2_remote_nsgroup_map[sg_rule['id']] = remote_nsgroup_id
|
||||
# 0.0.0.0/0 is not a valid entry for local and remote so we need
|
||||
# to change this to 'ANY'
|
||||
if sg_rule.get('remote_ip_prefix') == '0.0.0.0/0':
|
||||
sg_rule['remote_ip_prefix'] = 'ANY'
|
||||
if sg_rule.get('local_ip_prefix') == '0.0.0.0/0':
|
||||
sg_rule['local_ip_prefix'] = 'ANY'
|
||||
|
||||
return self.nsxlib.firewall_section.create_rules(
|
||||
context, section_id, nsgroup_id,
|
||||
logging_enabled, action, sg_rules,
|
||||
logging_enabled, action, _sg_rules,
|
||||
ruleid_2_remote_nsgroup_map)
|
||||
|
||||
def _handle_api_replay_default_sg(self, context, secgroup_db):
|
||||
|
|
|
|||
|
|
@ -145,3 +145,41 @@ class TestNSXv3ExtendedSGRule(test_nsxv3_plugin.NsxV3PluginTestCaseMixin,
|
|||
'ALLOW', # action
|
||||
sg_rules, # sg_rules
|
||||
mock.ANY) # ruleid_2_remote_nsgroup_map
|
||||
|
||||
def test_create_rule_with_remote_ip_prefix(self):
|
||||
remote_ip_prefix = '0.0.0.0/0'
|
||||
with self.security_group() as sg:
|
||||
rule = self._build_security_group_rule(
|
||||
sg['security_group']['id'], remote_ip_prefix=remote_ip_prefix,
|
||||
direction='ingress', proto=const.PROTO_NAME_UDP)
|
||||
res = self._make_security_group_rule(self.fmt, rule)
|
||||
self.assertEqual(remote_ip_prefix,
|
||||
res['security_group_rule']['remote_ip_prefix'])
|
||||
|
||||
def test_create_nsx_rule_with_remote_ip_prefix_zeros(self):
|
||||
sg_rules = [
|
||||
{'tenant_id': mock.ANY,
|
||||
'project_id': mock.ANY,
|
||||
'id': mock.ANY,
|
||||
'port_range_min': None,
|
||||
'local_ip_prefix': None,
|
||||
'ethertype': 'IPv4',
|
||||
'protocol': u'udp', 'remote_ip_prefix': 'ANY',
|
||||
'port_range_max': None,
|
||||
'security_group_id': mock.ANY,
|
||||
'remote_group_id': None, 'direction': u'ingress',
|
||||
'description': ''}]
|
||||
|
||||
with mock.patch(
|
||||
"vmware_nsxlib.v3.security.NsxLibFirewallSection.create_rules",
|
||||
side_effect=test_nsxv3_plugin._mock_create_firewall_rules,
|
||||
) as mock_rule:
|
||||
self.test_create_rule_with_remote_ip_prefix()
|
||||
mock_rule.assert_called_with(
|
||||
mock.ANY, # content
|
||||
mock.ANY, # firewall_section_id
|
||||
mock.ANY, # ns_group_id
|
||||
False, # logging
|
||||
'ALLOW', # action
|
||||
sg_rules, # sg_rules
|
||||
mock.ANY) # ruleid_2_remote_nsgroup_map
|
||||
|
|
|
|||
Loading…
Reference in New Issue