NSX|V: Validate SG rule remote-ip-prefix is not 0.0.0.0/x
This is not supported by the backend and should be replaced with 'Any' Change-Id: I96081d7e88863f9bc1d091cc3a5f7be0b9dde4e0
This commit is contained in:
parent
27a93cb2e6
commit
2696f331e6
@ -41,6 +41,7 @@ from neutron_lib.utils import net as nl_net_utils
|
|||||||
|
|
||||||
from vmware_nsx._i18n import _
|
from vmware_nsx._i18n import _
|
||||||
from vmware_nsx.common import exceptions as nsx_exc
|
from vmware_nsx.common import exceptions as nsx_exc
|
||||||
|
from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as sg_prefix
|
||||||
from vmware_nsx.services.qos.common import utils as qos_com_utils
|
from vmware_nsx.services.qos.common import utils as qos_com_utils
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
@ -426,6 +427,19 @@ class NsxPluginBase(db_base_plugin_v2.NeutronDbPluginV2,
|
|||||||
'restricted') % dev_owner
|
'restricted') % dev_owner
|
||||||
raise n_exc.BadRequest(resource='floatingip', msg=msg)
|
raise n_exc.BadRequest(resource='floatingip', msg=msg)
|
||||||
|
|
||||||
|
def _fix_sg_rule_dict_ips(self, sg_rule):
|
||||||
|
# 0.0.0.0/# and ::/ are not valid entries for local and remote so we
|
||||||
|
# need to change this to None
|
||||||
|
if (sg_rule.get('remote_ip_prefix') and
|
||||||
|
(sg_rule['remote_ip_prefix'].startswith('0.0.0.0/') or
|
||||||
|
sg_rule['remote_ip_prefix'].startswith('::/'))):
|
||||||
|
sg_rule['remote_ip_prefix'] = None
|
||||||
|
if (sg_rule.get(sg_prefix.LOCAL_IP_PREFIX) and
|
||||||
|
validators.is_attr_set(sg_rule[sg_prefix.LOCAL_IP_PREFIX]) and
|
||||||
|
(sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('0.0.0.0/') or
|
||||||
|
sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('::/'))):
|
||||||
|
sg_rule[sg_prefix.LOCAL_IP_PREFIX] = None
|
||||||
|
|
||||||
def get_housekeeper(self, context, name, fields=None):
|
def get_housekeeper(self, context, name, fields=None):
|
||||||
# run the job in readonly mode and get the results
|
# run the job in readonly mode and get the results
|
||||||
self.housekeeper.run(context, name, readonly=True)
|
self.housekeeper.run(context, name, readonly=True)
|
||||||
|
@ -87,7 +87,6 @@ from vmware_nsx.db import nsx_portbindings_db as pbin_db
|
|||||||
from vmware_nsx.extensions import advancedserviceproviders as as_providers
|
from vmware_nsx.extensions import advancedserviceproviders as as_providers
|
||||||
from vmware_nsx.extensions import maclearning as mac_ext
|
from vmware_nsx.extensions import maclearning as mac_ext
|
||||||
from vmware_nsx.extensions import providersecuritygroup as provider_sg
|
from vmware_nsx.extensions import providersecuritygroup as provider_sg
|
||||||
from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as sg_prefix
|
|
||||||
from vmware_nsx.plugins.common import plugin
|
from vmware_nsx.plugins.common import plugin
|
||||||
from vmware_nsx.services.qos.common import utils as qos_com_utils
|
from vmware_nsx.services.qos.common import utils as qos_com_utils
|
||||||
from vmware_nsx.services.vpnaas.common_v3 import ipsec_utils
|
from vmware_nsx.services.vpnaas.common_v3 import ipsec_utils
|
||||||
@ -301,19 +300,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
|||||||
interface_info['subnet_id'])['network_id']
|
interface_info['subnet_id'])['network_id']
|
||||||
return net_id
|
return net_id
|
||||||
|
|
||||||
def _fix_sg_rule_dict_ips(self, sg_rule):
|
|
||||||
# 0.0.0.0/# and ::/ are not valid entries for local and remote so we
|
|
||||||
# need to change this to None
|
|
||||||
if (sg_rule.get('remote_ip_prefix') and
|
|
||||||
(sg_rule['remote_ip_prefix'].startswith('0.0.0.0/') or
|
|
||||||
sg_rule['remote_ip_prefix'].startswith('::/'))):
|
|
||||||
sg_rule['remote_ip_prefix'] = None
|
|
||||||
if (sg_rule.get(sg_prefix.LOCAL_IP_PREFIX) and
|
|
||||||
validators.is_attr_set(sg_rule[sg_prefix.LOCAL_IP_PREFIX]) and
|
|
||||||
(sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('0.0.0.0/') or
|
|
||||||
sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('::/'))):
|
|
||||||
sg_rule[sg_prefix.LOCAL_IP_PREFIX] = None
|
|
||||||
|
|
||||||
def _validate_interface_address_scope(self, context, router_db,
|
def _validate_interface_address_scope(self, context, router_db,
|
||||||
interface_subnet):
|
interface_subnet):
|
||||||
gw_network_id = (router_db.gw_port.network_id if router_db.gw_port
|
gw_network_id = (router_db.gw_port.network_id if router_db.gw_port
|
||||||
|
@ -4786,6 +4786,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
rule = r['security_group_rule']
|
rule = r['security_group_rule']
|
||||||
if not self._check_local_ip_prefix(context, rule):
|
if not self._check_local_ip_prefix(context, rule):
|
||||||
rule[secgroup_rule_local_ip_prefix.LOCAL_IP_PREFIX] = None
|
rule[secgroup_rule_local_ip_prefix.LOCAL_IP_PREFIX] = None
|
||||||
|
self._fix_sg_rule_dict_ips(rule)
|
||||||
rule['id'] = rule.get('id') or uuidutils.generate_uuid()
|
rule['id'] = rule.get('id') or uuidutils.generate_uuid()
|
||||||
ruleids.add(rule['id'])
|
ruleids.add(rule['id'])
|
||||||
nsx_rules.append(
|
nsx_rules.append(
|
||||||
|
Loading…
x
Reference in New Issue
Block a user