From 23ab43b3ae33e866788fdb3ef653cef3c4dfd195 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Thu, 1 Aug 2019 09:55:15 +0300
Subject: [PATCH] NSX|V: Fix FWaaS V2 handling 0.0.0.0 ips

Change-Id: Ib1de24b8a0d57ab0dcb43ae971f7084d308f6991
---
 .../fwaas/nsx_v/fwaas_callbacks_v2.py | 14 +++++++---
 .../tests/unit/nsx_v/test_fwaas_v2_driver.py | 28 +++++++++++++------
 2 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/vmware_nsx/services/fwaas/nsx_v/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_v/fwaas_callbacks_v2.py
index e9ccc09e72..b071524801 100644
--- a/vmware_nsx/services/fwaas/nsx_v/fwaas_callbacks_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v/fwaas_callbacks_v2.py
@@ -155,13 +155,19 @@ class NsxvFwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
                 not rule['destination_ip_address'].startswith('0.0.0.0')):
                 rule['destination_ip_address'] = [
                     rule['destination_ip_address']]
-            elif replace_dest:
-                rule['destination_vnic_groups'] = [replace_dest]
+            else:
+                if replace_dest:
+                    rule['destination_vnic_groups'] = [replace_dest]
+                if 'destination_ip_address' in rule:
+                    del rule['destination_ip_address']
             if (rule.get('source_ip_address') and
                 not rule['source_ip_address'].startswith('0.0.0.0')):
                 rule['source_ip_address'] = [rule['source_ip_address']]
-            elif replace_src:
-                rule['source_vnic_groups'] = [replace_src]
+            else:
+                if replace_src:
+                    rule['source_vnic_groups'] = [replace_src]
+                if 'source_ip_address' in rule:
+                    del rule['source_ip_address']
             if logged:
                 rule['logged'] = True
             translated_rules.append(rule)
diff --git a/vmware_nsx/tests/unit/nsx_v/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_v/test_fwaas_v2_driver.py
index 57fca2a2e8..f469f182f0 100644
--- a/vmware_nsx/tests/unit/nsx_v/test_fwaas_v2_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_fwaas_v2_driver.py
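Review bot: The `startswith('0.0.0.0')` test on the hunk's first context line (and its `source_ip_address` twin further down) is a string-prefix check, so every CIDR whose text begins with `0.0.0.0` — `0.0.0.0/24` as well as `0.0.0.0/0` — now takes the new `else` branch, where the address key is deleted and the rule is left with no IP match at all unless `replace_dest`/`replace_src` supplies a vnic group. For `0.0.0.0/0` that is the "any" semantics the change is after, but for a narrower prefix it silently widens the rule instead of rejecting it, and that decision deserves a comment on the branch, e.g. `# 0.0.0.0/x cannot be expressed on the backend: drop the ip match (the rule becomes match-any unless a vnic group replaces it)`. If only the true any-address is meant to be dropped, parse the value rather than prefix-matching it, e.g. `ipaddress.ip_network(addr, strict=False).prefixlen == 0` (needs an import), and the IPv6 equivalent `::/0` would presumably need the same treatment, which the current check does not cover. The `del rule[...]` also mutates the incoming rule dict in place; whether any caller still reads the original value afterwards is not visible in this hunk. The enclosing method starts before the hunk.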
@@ -119,17 +119,25 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
             if logged:
                 rule['logged'] = True
             if is_ingress:
-                if not rule.get('destination_ip_address'):
+                if (not rule.get('destination_ip_address') or
+                    rule['destination_ip_address'].startswith('0.0.0.0')):
                     rule['destination_vnic_groups'] = ['vnic-index-1']
             else:
-                if not rule.get('source_ip_address'):
+                if (not rule.get('source_ip_address') or
+                    rule['source_ip_address'].startswith('0.0.0.0')):
                     rule['source_vnic_groups'] = ['vnic-index-1']
             if rule.get('destination_ip_address'):
-                rule['destination_ip_address'] = [
-                    rule['destination_ip_address']]
+                if rule['destination_ip_address'].startswith('0.0.0.0'):
+                    del rule['destination_ip_address']
+                else:
+                    rule['destination_ip_address'] = [
+                        rule['destination_ip_address']]
             if rule.get('source_ip_address'):
-                rule['source_ip_address'] = [
-                    rule['source_ip_address']]
+                if rule['source_ip_address'].startswith('0.0.0.0'):
+                    del rule['source_ip_address']
+                else:
+                    rule['source_ip_address'] = [
+                        rule['source_ip_address']]
             rule['name'] = (fwaas_callbacks_v2.RULE_NAME_PREFIX +
                             (rule.get('name') or rule['id']))[:30]
             if rule.get('id'):
@@ -210,10 +218,10 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
             {'firewall_rule_list': expected_rules})
 
     def _setup_firewall_with_rules(self, func, is_ingress=True,
-                                   is_conflict=False):
+                                   is_conflict=False, cidr='10.24.4.0/24'):
         apply_list = self._fake_apply_list()
         rule_list = self._fake_rules_v4(is_ingress=is_ingress,
-                                        is_conflict=is_conflict)
+                                        is_conflict=is_conflict, cidr=cidr)
         firewall = self._fake_firewall_group(rule_list, is_ingress=is_ingress)
         with mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
                                return_value=firewall),\
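Review bot: The expected-rule builder in the first hunk now re-implements the production transformation it is supposed to check — the same `startswith('0.0.0.0')` prefix test and the same `del rule[...]` — so a test built on it can only detect a divergence between two copies of the logic, not a wrong decision in the callback itself. For the `0.0.0.0` case a literal expectation would pin the behaviour independently, e.g. asserting `'destination_ip_address' not in translated_rule` and `translated_rule['destination_vnic_groups'] == ['vnic-index-1']` directly in the new test. The helper this code belongs to starts before the hunk, so its name and signature are not visible here.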
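Review bot: In the second hunk `_setup_firewall_with_rules` forwards the new `cidr` parameter to `self._fake_rules_v4(..., cidr=cidr)`, but no change to `_fake_rules_v4` is part of this patch; if that helper lives in a shared test base it must already accept `cidr`, otherwise every caller of this method would fail with a TypeError. A short comment on the parameter would tell the next reader what it is for, e.g. `# cidr: address placed in the generated rules; a 0.0.0.0/x value exercises the any-address handling`.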
@@ -255,6 +263,10 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
         self._setup_firewall_with_rules(self.firewall.create_firewall_group,
                                         is_ingress=False)
 
+    def test_create_firewall_with_illegal_cidr(self):
+        self._setup_firewall_with_rules(self.firewall.create_firewall_group,
+                                        cidr='0.0.0.0/24')
+
     def test_update_firewall_with_egress_rules(self):
         self._setup_firewall_with_rules(self.firewall.update_firewall_group,
                                         is_ingress=False)
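Review bot: `test_create_firewall_with_illegal_cidr` only exercises the default ingress path, so the `source_ip_address` branch that the callback change also rewrote, and the update path, are not covered for a `0.0.0.0` address. An egress variant closes the gap: `self._setup_firewall_with_rules(self.firewall.create_firewall_group, is_ingress=False, cidr='0.0.0.0/24')`. The name "illegal_cidr" does not say what outcome is expected either; a comment such as `# a 0.0.0.0/x address is dropped from the translated rule and appears to become a match-any rule on the backend` would document the intent.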