NSX|V3+P: Support ipv4 CIDR in allowed address pairs

Change-Id: Ifabf9451cd0d530677c8cb7da7d76a6878e5fae5
2020-06-04 11:56:49 +02:00 · 2020-06-04 11:56:49 +02:00 · a29d498b49
parent 8a7ec0d50b
commit a29d498b49
3 changed files with 29 additions and 5 deletions
--- a/vmware_nsx/plugins/common_v3/plugin.py
+++ b/vmware_nsx/plugins/common_v3/plugin.py
@ -320,6 +320,10 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                return fixed
        return mac

+    def _support_address_pairs_ipv4_cidr(self):
+        """Can be implemented by each plugin"""
+        return False
+
    def _validate_address_pairs(self, address_pairs, fixed_ips=None):
        port_ips = []
        if fixed_ips:
@ -330,9 +334,10 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
        for pair in address_pairs:
            ip = pair.get('ip_address')
            if ':' in ip:
-                # Validate ipv6 cidrs:
+                # IPv6 address pair
                ip_split = ip.split('/')
                if len(ip_split) > 1 and ip_split[1] != '128':
+                    # Validate ipv6 CIDR
                    try:
                        ipaddress.ip_network(ip)
                    except ValueError:
@ -341,11 +346,22 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                                     "have host bits set") % ip)
                        raise n_exc.InvalidInput(error_message=err_msg)
            else:
-                # Validate ipv4 cidrs (No limitation on ipv6):
+                # IPv4 address pair
                if len(ip.split('/')) > 1 and ip.split('/')[1] != '32':
-                    LOG.error("Cidr %s is not supported in allowed address "
-                              "pairs", ip)
-                    raise nsx_exc.InvalidIPAddress(ip_address=ip)
+                    if self._support_address_pairs_ipv4_cidr():
+                        # validate host bits
+                        try:
+                            ipaddress.ip_network(ip)
+                        except ValueError:
+                            # This means the host bits are set
+                            err_msg = (_("Allowed address pairs Cidr %s "
+                                         "cannot have host bits set") % ip)
+                            raise n_exc.InvalidInput(error_message=err_msg)
+                    else:
+                        # IPv4 CIDR is not allowed
+                        LOG.error("Cidr %s is not supported in allowed "
+                                  "address pairs", ip)
+                        raise nsx_exc.InvalidIPAddress(ip_address=ip)
            if ip in port_ips:
                err_msg = (_("Port cannot have duplicate values %s as part of "
                             "port manual bindings") % ip)
--- a/vmware_nsx/plugins/nsx_p/plugin.py
+++ b/vmware_nsx/plugins/nsx_p/plugin.py
@ -4182,3 +4182,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
        if tz_uuid not in ec_tzs:
            return False
        return True
+
+    def _support_address_pairs_ipv4_cidr(self):
+        return self.nsxpolicy.feature_supported(
+            nsxlib_consts.FEATURE_SPOOFGUARD_CIDR)
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -3277,3 +3277,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
        if tz_uuid not in ec_tzs:
            return False
        return True
+
+    def _support_address_pairs_ipv4_cidr(self):
+        return self.nsxlib.feature_supported(
+            nsxlib_consts.FEATURE_SPOOFGUARD_CIDR)