Fix section rules protocols handling

- Add ipip (ip over ip) to the list of supported protocols
- Raise an InvalidInput error on unsupported protocols

Change-Id: I44a84d8c5111440bb2be21440174a8c125bbc4c2

vmware_nsxlib/tests/unit/v3/test_security.py

@@ -20,6 +20,7 @@ from oslo_utils import uuidutils
 
 from vmware_nsxlib.tests.unit.v3 import nsxlib_testcase
 from vmware_nsxlib.tests.unit.v3 import test_constants
+from vmware_nsxlib.v3 import exceptions as nsxlib_exc
 from vmware_nsxlib.v3 import nsx_constants as const
 
 
@@ -59,6 +60,34 @@ class TestNsxLibFirewallSection(nsxlib_testcase.NsxLibTestCase):
         }
         self.assertEqual(expected, result)
 
+    def test_create_rules(self):
+        with mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection"
+                        ".add_rules") as add_rules:
+            rule_id = uuidutils.generate_uuid()
+            rule = {'id': rule_id,
+                    'ethertype': 'IPv4',
+                    'protocol': 'ipip',
+                    'direction': 'ingress',
+                    'remote_ip_prefix': None}
+            rules = [rule]
+            self.nsxlib.firewall_section.create_rules(
+                None, 'section-id', 'nsgroup-id', False,
+                "ALLOW", rules, {rule_id: 'dummy'})
+            add_rules.assert_called_once()
+
+    def test_create_rule_with_illegal_protocol(self):
+        rule_id = uuidutils.generate_uuid()
+        rule = {'id': rule_id,
+                'ethertype': 'IPv4',
+                'protocol': 'bad',
+                'direction': 'ingress',
+                'remote_ip_prefix': None}
+        rules = [rule]
+        self.assertRaises(nsxlib_exc.InvalidInput,
+                          self.nsxlib.firewall_section.create_rules,
+                          None, 'section-id', 'nsgroup-id', False,
+                          "ALLOW", rules, {rule_id: 'dummy'})
+
     def test_create_with_rules(self):
         expected_body = {
             'display_name': 'display-name',

vmware_nsxlib/v3/constants.py

@@ -23,6 +23,7 @@ PROTO_NAME_ESP = 'esp'
 PROTO_NAME_GRE = 'gre'
 PROTO_NAME_ICMP = 'icmp'
 PROTO_NAME_IGMP = 'igmp'
+PROTO_NAME_IPIP = 'ipip'
 PROTO_NAME_IPV6_ENCAP = 'ipv6-encap'
 PROTO_NAME_IPV6_FRAG = 'ipv6-frag'
 PROTO_NAME_IPV6_ICMP = 'ipv6-icmp'
@@ -48,6 +49,7 @@ PROTO_NUM_ESP = 50
 PROTO_NUM_GRE = 47
 PROTO_NUM_ICMP = 1
 PROTO_NUM_IGMP = 2
+PROTO_NUM_IPIP = 4
 PROTO_NUM_IPV6_ENCAP = 41
 PROTO_NUM_IPV6_FRAG = 44
 PROTO_NUM_IPV6_ICMP = 58
@@ -70,6 +72,7 @@ IP_PROTOCOL_MAP = {PROTO_NAME_AH: PROTO_NUM_AH,
                    PROTO_NAME_GRE: PROTO_NUM_GRE,
                    PROTO_NAME_ICMP: PROTO_NUM_ICMP,
                    PROTO_NAME_IGMP: PROTO_NUM_IGMP,
+                   PROTO_NAME_IPIP: PROTO_NUM_IPIP,
                    PROTO_NAME_IPV6_ENCAP: PROTO_NUM_IPV6_ENCAP,
                    PROTO_NAME_IPV6_FRAG: PROTO_NUM_IPV6_FRAG,
                    PROTO_NAME_IPV6_ICMP: PROTO_NUM_IPV6_ICMP,

vmware_nsxlib/v3/security.py

@@ -270,7 +270,13 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
             return
         protocol_number = constants.IP_PROTOCOL_MAP.get(protocol_number,
                                                         protocol_number)
-        protocol_number = int(protocol_number)
+        try:
+            protocol_number = int(protocol_number)
+        except ValueError:
+            raise exceptions.InvalidInput(
+                operation='create_rule',
+                arg_val=protocol_number,
+                arg_name='protocol')
         if protocol_number == 6:
             return consts.TCP
         elif protocol_number == 17:
@@ -530,7 +536,6 @@ class NsxLibFirewallSection(utils.NsxLibApiBase):
                 logging_enabled, action)
 
             firewall_rules.append(fw_rule)
-
         return self.add_rules(firewall_rules, section_id)
 
     def set_rule_logging(self, section_id, logging):