NSX|V: Fix SG icmp rules creation
When updating a section, existing icmp echo request/reply rules cannot have an icmp code field. In addition, the icmpcode 0 should also be removed from the rule creation. Change-Id: I380d5e45235fd0033bba924b42c6b83104f17241
This commit is contained in:
parent
990baaffc6
commit
db659f9cb8
|
@ -4802,6 +4802,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||
|
||||
_h, _c = self.nsx_v.vcns.get_section(section_uri)
|
||||
section = self.nsx_sg_utils.parse_section(_c)
|
||||
self.nsx_sg_utils.fix_existing_section_rules(section)
|
||||
self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules)
|
||||
try:
|
||||
h, c = self.nsx_v.vcns.update_section(
|
||||
|
|
|
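Review bot: The new fix_existing_section_rules(section) call carries no comment saying why an existing section has to be rewritten before it is extended, and the helper's own TODO says the need may be NSX-version specific, so a one-line note at the call site would spare the next reader a trip into nsx_sg_utils, e.g. `# NSX rejects the update when existing echo-request/reply rules still carry icmpCode 0; strip it first`. The call also sits before the `try:` that wraps update_section, so an exception raised while walking unexpected rule contents would propagate differently from an update failure; worth confirming that is intended, since the except clause is outside the hunk. The enclosing method continues past the end of the hunk.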
@ -117,6 +117,12 @@ class NsxSecurityGroupUtils(object):
|
|||
svcPortTag = et.SubElement(svcTag, 'subProtocol')
|
||||
svcPortTag.text = str(icmptype)
|
||||
if icmpcode is not None:
|
||||
if icmptype in ('0', '8') and icmpcode == '0':
|
||||
# icmpcode 0 should not be sent
|
||||
# TODO(asarfaty): Validate if this is needed for all
|
||||
# NSX versions and all icmp types
|
||||
pass
|
||||
else:
|
||||
svcPortTag = et.SubElement(svcTag, 'icmpCode')
|
||||
svcPortTag.text = str(icmpcode)
|
||||
|
||||
|
@ -148,6 +154,21 @@ class NsxSecurityGroupUtils(object):
|
|||
pairs.append(pair)
|
||||
return pairs
|
||||
|
||||
def fix_existing_section_rules(self, section):
|
||||
# fix section existing rules before extending it with new rules
|
||||
# TODO(asarfaty): Validate if this is needed for all NSX versions
|
||||
for rule in section.iter('rule'):
|
||||
services = rule.find('services')
|
||||
if services:
|
||||
for service in services:
|
||||
subProt = service.find('subProtocolName')
|
||||
icmpCode = service.find('icmpCode')
|
||||
if (icmpCode is not None and icmpCode.text == '0' and
|
||||
subProt is not None and
|
||||
subProt.text in ('echo-request', 'echo-reply')):
|
||||
# ICMP code should not exist in the payload
|
||||
service.remove(icmpCode)
|
||||
|
||||
def extend_section_with_rules(self, section, nsx_rules):
|
||||
section.extend(nsx_rules)
|
||||
|
||||
|
|
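Review bot: In fix_existing_section_rules, `if services:` tests an ElementTree element for truthiness, which means "has child elements" rather than "is present" and is a deprecated idiom that warns on newer Pythons; the intent reads as a presence check, so `if services is not None:` is the clearer form (iterating an empty element is harmless). In this section's first hunk, whose enclosing method starts outside the hunk, `icmptype in ('0', '8') and icmpcode == '0'` compares as strings while the line before wraps icmptype in str(); if any caller passes ints the code-0 suppression silently never fires, so `str(icmptype) in ('0', '8') and str(icmpcode) == '0'` would be safer, and the `pass`/`else` shape could collapse into one positive condition guarding the SubElement call. Both new helpers lack docstrings; a one-liner such as `"""Drop icmpCode 0 from existing echo-request/reply rules so NSX accepts the section update."""` would record the fix and its NSX-version caveat where the code lives.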