NSX|V: Fix SG icmp rules creation

When updating a section, exising icmp echo request/reply rules cannot have icmp code field. In addition the icmpcode 0 should also be removed from the rule creation Change-Id: I380d5e45235fd0033bba924b42c6b83104f17241
2020-03-22 12:45:29 +02:00 · 2020-03-22 12:45:29 +02:00 · db659f9cb8
parent 990baaffc6
commit db659f9cb8
2 changed files with 24 additions and 2 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -4802,6 +4802,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,

            _h, _c = self.nsx_v.vcns.get_section(section_uri)
            section = self.nsx_sg_utils.parse_section(_c)
+            self.nsx_sg_utils.fix_existing_section_rules(section)
            self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules)
            try:
                h, c = self.nsx_v.vcns.update_section(
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@ -117,8 +117,14 @@ class NsxSecurityGroupUtils(object):
                    svcPortTag = et.SubElement(svcTag, 'subProtocol')
                    svcPortTag.text = str(icmptype)
                if icmpcode is not None:
-                    svcPortTag = et.SubElement(svcTag, 'icmpCode')
-                    svcPortTag.text = str(icmpcode)
+                    if icmptype in ('0', '8') and icmpcode == '0':
+                        # icmpcode 0 should not be sent
+                        # TODO(asarfaty): Validate if this is needed for all
+                        # NSX versions and all icmp types
+                        pass
+                    else:
+                        svcPortTag = et.SubElement(svcTag, 'icmpCode')
+                        svcPortTag.text = str(icmpcode)

        if application_services:
            s = et.SubElement(ruleTag, 'services')
@ -148,6 +154,21 @@ class NsxSecurityGroupUtils(object):
            pairs.append(pair)
        return pairs

+    def fix_existing_section_rules(self, section):
+        # fix section existing rules before extending it with new rules
+        # TODO(asarfaty): Validate if this is needed for all NSX versions
+        for rule in section.iter('rule'):
+            services = rule.find('services')
+            if services:
+                for service in services:
+                    subProt = service.find('subProtocolName')
+                    icmpCode = service.find('icmpCode')
+                    if (icmpCode is not None and icmpCode.text == '0' and
+                        subProt is not None and
+                        subProt.text in ('echo-request', 'echo-reply')):
+                        # ICMP code should not exist in the payload
+                        service.remove(icmpCode)
+
    def extend_section_with_rules(self, section, nsx_rules):
        section.extend(nsx_rules)