From ce3bcb9d5bbf3574788cd4c7bea34d38b5d173c0 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Wed, 1 Mar 2017 08:51:39 +0200
Subject: [PATCH] NSX|V Fix lbaas l7 reject action

For LBAAS l7 policy with reject action we should configure the backend action as 'http-request deny' in order to receive 403 response.

Change-Id: I26128eb239ebe16175f1901fc4442b12ecb2b8ca
---
 vmware_nsx/services/lbaas/nsx_v/v2/l7policy_mgr.py | 3 ++-
 .../unit/nsx_v/test_edge_loadbalancer_driver_v2.py | 10 +++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/vmware_nsx/services/lbaas/nsx_v/v2/l7policy_mgr.py b/vmware_nsx/services/lbaas/nsx_v/v2/l7policy_mgr.py
index 31bdf168b6..fdd2f1b18f 100644
--- a/vmware_nsx/services/lbaas/nsx_v/v2/l7policy_mgr.py
+++ b/vmware_nsx/services/lbaas/nsx_v/v2/l7policy_mgr.py
@@ -114,7 +114,8 @@ def policy_to_application_rule(policy):
 # prepare the action
 if policy.action == lb_const.L7_POLICY_ACTION_REJECT:
- action = 'tcp-request content reject'
+ # return HTTP 403 response
+ action = 'http-request deny'
 elif policy.action == lb_const.L7_POLICY_ACTION_REDIRECT_TO_POOL:
 action = 'use_backend pool_%s' % policy.redirect_pool_id
 elif policy.action == lb_const.L7_POLICY_ACTION_REDIRECT_TO_URL:
diff --git a/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py b/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
index c96210eb2c..87e68cf1f2 100644
--- a/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
@@ -77,7 +77,7 @@ EDGE_RULE_ID = 'app-rule-xx'
 L7POL_BINDING = {'policy_id': L7POL_ID,
 'edge_id': LB_EDGE_ID,
 'edge_app_rule_id': EDGE_RULE_ID}
-EDGE_L7POL_DEF = {'script': 'tcp-request content reject if TRUE',
+EDGE_L7POL_DEF = {'script': 'http-request deny if TRUE',
 'name': 'pol_' + L7POL_ID}
 L7RULE_ID1 = 'l7rule-111'
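Review bot: In the `L7_POLICY_ACTION_REJECT` branch of `policy_to_application_rule` (l7policy_mgr.py), the new `'http-request deny'` is an HTTP-layer rule, whereas the line it replaces rejected at the TCP layer, and nothing visible in this hunk checks that the policy belongs to an HTTP or terminated-HTTPS listener. If a policy can reach this code for a virtual server the edge runs in TCP mode, the reject may no longer be enforced at all, turning a blocking policy into a pass-through; that path is outside the hunk, so confirm it against the caller or the API-level validation. The added comment would be more useful if it recorded the trade-off, for example `# 'http-request deny' answers 403 (HTTP mode only); 'tcp-request content reject' closed the connection without a response`. The function starts before and continues past the hunk, so the rest of the action mapping was not reviewed.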
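Review bot: The expected reject action in test_edge_loadbalancer_driver_v2.py is spelled as a literal in `EDGE_L7POL_DEF` here and again in the four `edge_rule_def['script']` expectations in the hunks at 808, 826, 860 and 882, so one change to the mapping means editing five strings by hand. A single module-level constant such as `EDGE_REJECT_ACTION = 'http-request deny'`, interpolated into each expected script, would keep the expectations in step. These tests only compare the script passed to the mocked update call, so they do not show how the edge answers a rejected request.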
@@ -808,7 +808,7 @@ class TestEdgeLbaasV2L7Rule(BaseTestEdgeLbaasV2):
 edge_rule_def = EDGE_L7POL_DEF.copy()
 edge_rule_def['script'] = (
 "acl %(rule_id)s hdr(key1) -i val1\n"
- "tcp-request content reject if %(rule_id)s" %
+ "http-request deny if %(rule_id)s" %
 {'rule_id': L7RULE_ID1})
 mock_update_rule.assert_called_with(
 LB_EDGE_ID, EDGE_RULE_ID, edge_rule_def)
@@ -826,7 +826,7 @@ class TestEdgeLbaasV2L7Rule(BaseTestEdgeLbaasV2):
 edge_rule_def['script'] = (
 "acl %(rule_id1)s hdr(key1) -i val1\n"
 "acl %(rule_id2)s path_beg -i /images\n"
- "tcp-request content reject if %(rule_id1)s !%(rule_id2)s" %
+ "http-request deny if %(rule_id1)s !%(rule_id2)s" %
 {'rule_id1': L7RULE_ID1,
 'rule_id2': L7RULE_ID2})
 mock_update_rule.assert_called_with(
@@ -860,7 +860,7 @@ class TestEdgeLbaasV2L7Rule(BaseTestEdgeLbaasV2):
 edge_rule_def = EDGE_L7POL_DEF.copy()
 edge_rule_def['script'] = (
 "acl %(rule_id)s hdr(key2) -i val1\n"
- "tcp-request content reject if %(rule_id)s" %
+ "http-request deny if %(rule_id)s" %
 {'rule_id': L7RULE_ID1})
 mock_update_rule.assert_called_with(
 LB_EDGE_ID, EDGE_RULE_ID, edge_rule_def)
@@ -882,7 +882,7 @@ class TestEdgeLbaasV2L7Rule(BaseTestEdgeLbaasV2):
 edge_rule_def = EDGE_L7POL_DEF.copy()
 edge_rule_def['script'] = (
- "tcp-request content reject if TRUE")
+ "http-request deny if TRUE")
 mock_update_rule.assert_called_with(
 LB_EDGE_ID, EDGE_RULE_ID, edge_rule_def)