NSX|V: support big ranges in fw rules ports

Adding a range of source/destination ports in a firewall rule should not be done by adding each specific port, but sending it to the NSX as a range. Change-Id: Icbfbb7b02a4dff4863a1e69ccea2777f538fc7c4
2017-07-09 11:25:54 +03:00 · 2017-07-09 11:25:54 +03:00 · 32e3f9b704
commit 32e3f9b704
parent d0af9b5a9d
2 changed files with 34 additions and 2 deletions
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@ -85,8 +85,8 @@ class EdgeFirewallDriver(object):
            return []
        if ':' in port_str:
            min_port, sep, max_port = port_str.partition(":")
-            return list(range(int(min_port.strip()),
-                              int(max_port.strip()) + 1))
+            return ["%s-%s" % (int(min_port.strip()),
+                               int(max_port.strip()))]
        if ',' in port_str:
            # remove duplications (using set) and empty/non numeric entries
            ports_set = set()
--- a/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
@ -36,6 +36,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
                 'ip_version': 4,
                 'protocol': 'tcp',
                 'destination_port': '80',
+                 'source_port': '1-65535',
                 'source_ip_address': '10.24.4.2',
                 'id': 'fake-fw-rule1'}
        rule2 = {'enabled': True,
@ -52,6 +53,36 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
                 'id': 'fake-fw-rule3'}
        return [rule1, rule2, rule3]

+    def _fake_backend_rules_v4(self):
+        rule1 = {'enabled': True,
+                 'action': 'allow',
+                 'ip_version': 4,
+                 'protocol': 'tcp',
+                 'destination_port': '80',
+                 'source_port': '1-65535',
+                 'source_ip_address': ['10.24.4.2'],
+                 'position': '0',
+                 'id': 'fake-fw-rule1',
+                 'name': 'Fwaas-fake-fw-rule1'}
+        rule2 = {'enabled': True,
+                 'action': 'deny',
+                 'ip_version': 4,
+                 'protocol': 'tcp',
+                 'destination_port': '22',
+                 'id': 'fake-fw-rule2',
+                 'position': '1',
+                 'name': 'Fwaas-fake-fw-rule2'}
+        rule3 = {'enabled': True,
+                 'action': 'reject',
+                 'ip_version': 4,
+                 'protocol': 'tcp',
+                 'destination_port': '23',
+                 'position': '2',
+                 'id': 'fake-fw-rule3',
+                 'name': 'Fwaas-fake-fw-rule3'}
+
+        return [rule1, rule2, rule3]
+
    def _fake_firewall_no_rule(self):
        rule_list = []
        fw_inst = {'id': FAKE_FW_ID,
@ -116,6 +147,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
                             update_fw.call_args[0][1])
            backend_rules = update_fw.call_args[1]['fwaas_rules']
            self.assertEqual(len(rule_list), len(backend_rules))
+            self.assertEqual(self._fake_backend_rules_v4(), backend_rules)

    def test_create_firewall_no_rules(self):
        apply_list = self._fake_apply_list()