NSX|V: Validate SG rule remote-ip-prefix is not 0.0.0.0/x

This is not supported by the backend and should be replaced with 'Any'

Change-Id: I96081d7e88863f9bc1d091cc3a5f7be0b9dde4e0

vmware_nsx/plugins/common/plugin.py

@@ -41,6 +41,7 @@ from neutron_lib.utils import net as nl_net_utils
 
 from vmware_nsx._i18n import _
 from vmware_nsx.common import exceptions as nsx_exc
+from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as sg_prefix
 from vmware_nsx.services.qos.common import utils as qos_com_utils
 
 LOG = logging.getLogger(__name__)
@@ -426,6 +427,19 @@ class NsxPluginBase(db_base_plugin_v2.NeutronDbPluginV2,
                     'restricted') % dev_owner
             raise n_exc.BadRequest(resource='floatingip', msg=msg)
 
+    def _fix_sg_rule_dict_ips(self, sg_rule):
+        # 0.0.0.0/# and ::/ are not valid entries for local and remote so we
+        # need to change this to None
+        if (sg_rule.get('remote_ip_prefix') and
+            (sg_rule['remote_ip_prefix'].startswith('0.0.0.0/') or
+             sg_rule['remote_ip_prefix'].startswith('::/'))):
+            sg_rule['remote_ip_prefix'] = None
+        if (sg_rule.get(sg_prefix.LOCAL_IP_PREFIX) and
+            validators.is_attr_set(sg_rule[sg_prefix.LOCAL_IP_PREFIX]) and
+            (sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('0.0.0.0/') or
+             sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('::/'))):
+            sg_rule[sg_prefix.LOCAL_IP_PREFIX] = None
+
     def get_housekeeper(self, context, name, fields=None):
         # run the job in readonly mode and get the results
         self.housekeeper.run(context, name, readonly=True)

vmware_nsx/plugins/common_v3/plugin.py

@@ -87,7 +87,6 @@ from vmware_nsx.db import nsx_portbindings_db as pbin_db
 from vmware_nsx.extensions import advancedserviceproviders as as_providers
 from vmware_nsx.extensions import maclearning as mac_ext
 from vmware_nsx.extensions import providersecuritygroup as provider_sg
-from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as sg_prefix
 from vmware_nsx.plugins.common import plugin
 from vmware_nsx.services.qos.common import utils as qos_com_utils
 from vmware_nsx.services.vpnaas.common_v3 import ipsec_utils
@@ -301,19 +300,6 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                                      interface_info['subnet_id'])['network_id']
         return net_id
 
-    def _fix_sg_rule_dict_ips(self, sg_rule):
-        # 0.0.0.0/# and ::/ are not valid entries for local and remote so we
-        # need to change this to None
-        if (sg_rule.get('remote_ip_prefix') and
-            (sg_rule['remote_ip_prefix'].startswith('0.0.0.0/') or
-             sg_rule['remote_ip_prefix'].startswith('::/'))):
-            sg_rule['remote_ip_prefix'] = None
-        if (sg_rule.get(sg_prefix.LOCAL_IP_PREFIX) and
-            validators.is_attr_set(sg_rule[sg_prefix.LOCAL_IP_PREFIX]) and
-            (sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('0.0.0.0/') or
-             sg_rule[sg_prefix.LOCAL_IP_PREFIX].startswith('::/'))):
-            sg_rule[sg_prefix.LOCAL_IP_PREFIX] = None
-
     def _validate_interface_address_scope(self, context, router_db,
                                           interface_subnet):
         gw_network_id = (router_db.gw_port.network_id if router_db.gw_port

vmware_nsx/plugins/nsx_v/plugin.py

@@ -4786,6 +4786,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                 rule = r['security_group_rule']
                 if not self._check_local_ip_prefix(context, rule):
                     rule[secgroup_rule_local_ip_prefix.LOCAL_IP_PREFIX] = None
+                self._fix_sg_rule_dict_ips(rule)
                 rule['id'] = rule.get('id') or uuidutils.generate_uuid()
                 ruleids.add(rule['id'])
                 nsx_rules.append(