From 801c074587eac8b9ad7f98ad27ac392aa1f3bacc Mon Sep 17 00:00:00 2001
From: asarfaty
Date: Thu, 4 Jun 2020 11:56:49 +0200
Subject: [PATCH] NSX|V3+P: Support ipv4 CIDR in allowed address pairs

Change-Id: Ifabf9451cd0d530677c8cb7da7d76a6878e5fae5
---
 vmware_nsx/plugins/common_v3/plugin.py | 26 +++++++++++++++++++++-----
 vmware_nsx/plugins/nsx_p/plugin.py | 4 ++++
 vmware_nsx/plugins/nsx_v3/plugin.py | 4 ++++
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/vmware_nsx/plugins/common_v3/plugin.py b/vmware_nsx/plugins/common_v3/plugin.py
index f9a2583c2e..a889b1e91a 100644
--- a/vmware_nsx/plugins/common_v3/plugin.py
+++ b/vmware_nsx/plugins/common_v3/plugin.py
@@ -320,13 +320,18 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             return fixed
         return mac
 
+    def _support_address_pairs_ipv4_cidr(self):
+        """Can be implemented by each plugin"""
+        return False
+
     def _validate_address_pairs(self, address_pairs):
         for pair in address_pairs:
             ip = pair.get('ip_address')
             if ':' in ip:
-                # Validate ipv6 cidrs:
+                # IPv6 address pair
                 ip_split = ip.split('/')
                 if len(ip_split) > 1 and ip_split[1] != '128':
+                    # Validate ipv6 CIDR
                     try:
                         ipaddress.ip_network(ip)
                     except ValueError:
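Review bot: The docstring on the new `_support_address_pairs_ipv4_cidr` hook says only that it can be overridden, not what returning True commits a plugin to; a reader of `_validate_address_pairs` has to find the IPv4 branch further down to learn that it unlocks non-/32 prefixes in spoofguard. Suggest `"""Return True if the backend can enforce a non-/32 IPv4 CIDR in an allowed address pair; the base default False is the conservative choice and keeps IPv4 pairs restricted to single hosts."""`. In the IPv6 branch the host-bits check still runs only when a prefix other than /128 is present, so a bare or malformed IPv6 literal is not validated here; that is pre-existing, and the method body continues past this hunk.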
@@ -335,11 +340,22 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                                        "have host bits set") % ip)
                         raise n_exc.InvalidInput(error_message=err_msg)
             else:
-                # Validate ipv4 cidrs (No limitation on ipv6):
+                # IPv4 address pair
                 if len(ip.split('/')) > 1 and ip.split('/')[1] != '32':
-                    LOG.error("cidr %s is not supported in allowed address "
-                              "pairs", ip)
-                    raise nsx_exc.InvalidIPAddress(ip_address=ip)
+                    if self._support_address_pairs_ipv4_cidr():
+                        # validate host bits
+                        try:
+                            ipaddress.ip_network(ip)
+                        except ValueError:
+                            # This means the host bits are set
+                            err_msg = (_("Allowed address pairs Cidr %s "
+                                         "cannot have host bits set") % ip)
+                            raise n_exc.InvalidInput(error_message=err_msg)
+                    else:
+                        # IPv4 CIDR is not allowed
+                        LOG.error("Cidr %s is not supported in allowed "
+                                  "address pairs", ip)
+                        raise nsx_exc.InvalidIPAddress(ip_address=ip)
 
     def _validate_number_of_address_pairs(self, port):
         address_pairs = port.get(addr_apidef.ADDRESS_PAIRS)
diff --git a/vmware_nsx/plugins/nsx_p/plugin.py b/vmware_nsx/plugins/nsx_p/plugin.py
index 1098c8f26f..a179aeaa5d 100644
--- a/vmware_nsx/plugins/nsx_p/plugin.py
+++ b/vmware_nsx/plugins/nsx_p/plugin.py
@@ -4203,3 +4203,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
             if tz_uuid not in ec_tzs:
                 return False
         return True
+
+    def _support_address_pairs_ipv4_cidr(self):
+        return self.nsxpolicy.feature_supported(
+            nsxlib_consts.FEATURE_SPOOFGUARD_CIDR)
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 2fae9ad837..30b3aab93e 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -3453,3 +3453,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
             if tz_uuid not in ec_tzs:
                 return False
         return True
+
+    def _support_address_pairs_ipv4_cidr(self):
+        return self.nsxlib.feature_supported(
+            nsxlib_consts.FEATURE_SPOOFGUARD_CIDR)
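Review bot: The new IPv4 CIDR branch accepts any prefix that `ipaddress.ip_network` parses, including `0.0.0.0/0`; in an allowed address pair that prefix lets the port source traffic from any IPv4 address, so the spoofguard entry this feature flag unlocks becomes a full anti-spoofing bypass for that port, and nothing in the hunk rejects or logs it. Whether the backend is meant to accept a /0 spoofguard entry is not visible here; if it is intended, a comment at the `# validate host bits` line such as `# NOTE: a /0 prefix passes this check and removes IPv4 anti-spoofing for the port` should say so, otherwise add `if ipaddress.ip_network(ip).prefixlen == 0: raise n_exc.InvalidInput(error_message=...)` next to the host-bits check. The host-bits `try`/`except` is now duplicated with the IPv6 branch above and would read better as one small helper taking the error message, and `self._support_address_pairs_ipv4_cidr()` is re-evaluated for every pair inside the loop where evaluating it once before the `for` would do. The enclosing `for` loop starts in the previous hunk.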
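Review bot: The `_support_address_pairs_ipv4_cidr` override added to nsx_p/plugin.py has no docstring, while the base method it replaces in common_v3/plugin.py does; the same applies to the nsx_v3/plugin.py hunk. Suggest `"""IPv4 CIDR address pairs are allowed only when the backend reports the spoofguard CIDR feature."""` on both, since a True here widens what spoofguard will accept per port. Both overrides reference `nsxlib_consts`, which is presumably already imported in those modules; that is outside the hunk and worth confirming.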