From af0861ce2e4d87f06ce710f7da1e106c3f6b0aeb Mon Sep 17 00:00:00 2001
From: asarfaty
Date: Sun, 22 Mar 2020 12:45:29 +0200
Subject: [PATCH] NSX|V: Fix security groups rules creation

When updating a section, exising icmp echo request/reply rules cannot have icmp code field.

Change-Id: I31141eb7a05ff508acb3cea12d7bdd7d8695d9e1
---
 vmware_nsx/plugins/nsx_v/plugin.py | 1 +
 .../plugins/nsx_v/vshield/securitygroup_utils.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index b2ebb5a25e..55d1db7f09 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -4802,6 +4802,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         _h, _c = self.nsx_v.vcns.get_section(section_uri)
         section = self.nsx_sg_utils.parse_section(_c)
+        self.nsx_sg_utils.fix_existing_section_rules(section)
         self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules)
         try:
             h, c = self.nsx_v.vcns.update_section(
diff --git a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
index 16ae05d3b5..b14be5c81d 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@@ -148,6 +148,20 @@ class NsxSecurityGroupUtils(object):
             pairs.append(pair)
         return pairs
+    def fix_existing_section_rules(self, section):
+        # fix section existing rules before extending it with new rules
+        for rule in section.iter('rule'):
+            services = rule.find('services')
+            if services:
+                for service in services:
+                    subProt = service.find('subProtocolName')
+                    icmpCode = service.find('icmpCode')
+                    if (icmpCode is not None and icmpCode.text == '0' and
+                        subProt is not None and
+                        subProt.text in ('echo-request', 'echo-reply')):
+                        # ICMP code should not exist in the payload
+                        service.remove(icmpCode)
+
     def extend_section_with_rules(self, section, nsx_rules):
         section.extend(nsx_rules)
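Review bot: `if services:` in fix_existing_section_rules tests the truth value of what appears to be an ElementTree element (`rule.find('services')` returns an element or None), and element truthiness is the child count, a behaviour ElementTree warns about as deprecated and plans to change; state the intent explicitly as `if services is not None:` (the inner loop is already a no-op on an element with no children). The `icmpCode.text == '0'` guard means an echo-request/echo-reply rule whose stored code is anything other than exactly '0' (including surrounding whitespace) keeps its icmpCode element and, per the commit message, would still fail the section update; if the backend only ever returns 0 for these sub-protocols the test is redundant, otherwise it should be dropped or compared after `.strip()` — worth confirming against the API. Naming: `subProt`/`icmpCode` are camelCase in an otherwise snake_case module; `sub_prot`/`icmp_code` match the surrounding code. The inline comment would serve better as a docstring, e.g. `"""Drop the icmpCode element from existing echo-request/echo-reply services, which NSX-V rejects when the section is updated."""`.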