From 32e3f9b70431f3bb8f712e303c06c31af326b22f Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Sun, 9 Jul 2017 11:25:54 +0300
Subject: [PATCH] NSX|V: support big ranges in fw rules ports
Adding a range of source/destination ports in a firewall rule should not be done by adding each specific port, but sending it to the NSX as a range.
Change-Id: Icbfbb7b02a4dff4863a1e69ccea2777f538fc7c4
---
 .../nsx_v/vshield/edge_firewall_driver.py | 4 +--
 .../tests/unit/nsx_v/test_fwaas_driver.py | 32 +++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
index c462bc4fa1..96437f0bad 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@@ -85,8 +85,8 @@ class EdgeFirewallDriver(object):
 return []
 if ':' in port_str:
 min_port, sep, max_port = port_str.partition(":")
- return list(range(int(min_port.strip()),
- int(max_port.strip()) + 1))
+ return ["%s-%s" % (int(min_port.strip()),
+ int(max_port.strip()))]
 if ',' in port_str:
 # remove duplications (using set) and empty/non numeric entries
 ports_set = set()
diff --git a/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py b/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
index ee5a755177..06872859d1 100644
--- a/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
@@ -36,6 +36,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 'ip_version': 4,
 'protocol': 'tcp',
 'destination_port': '80',
+ 'source_port': '1-65535',
 'source_ip_address': '10.24.4.2',
 'id': 'fake-fw-rule1'}
 rule2 = {'enabled': True,
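Review bot: In the `':' in port_str` branch of edge_firewall_driver.py, the new `"%s-%s"` string is built without checking the bounds, so a reversed or out-of-range pair (for example `100:50` or `0:70000`) is now forwarded to the backend as a range, where the old `range()` expansion would have returned an empty list for a reversed pair. Neither outcome is a good failure mode for a firewall rule; I would parse both ends first, `lo, hi = int(min_port.strip()), int(max_port.strip())`, and reject the rule unless `1 <= lo <= hi <= 65535`. `int()` also raises ValueError on an empty side such as `80:`, while the comment on the `','` branch says that branch drops empty and non-numeric entries, so the two branches treat bad input differently. The return value changes from a list of ints to a one-element list of str; the callers and the start and end of the enclosing method are outside the hunk, so that is worth confirming against them.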
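Review bot: The new fixture value `'source_port': '1-65535'` in test_fwaas_driver.py uses a dash, so it does not look like it reaches the `':' in port_str` branch that this commit changes. The assertion added in the `@@ -116` hunk compares against `update_fw.call_args`, i.e. what was handed to a mock, which suggests the edge driver's port conversion is not run in this test at all. I would add a direct test of the conversion with a colon range, asserting that `'1:65535'` yields `['1-65535']`, plus one reversed and one non-numeric range. The dict this line belongs to starts outside the hunk.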
@@ -52,6 +53,36 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 'id': 'fake-fw-rule3'}
 return [rule1, rule2, rule3]

+ def _fake_backend_rules_v4(self):
+ rule1 = {'enabled': True,
+ 'action': 'allow',
+ 'ip_version': 4,
+ 'protocol': 'tcp',
+ 'destination_port': '80',
+ 'source_port': '1-65535',
+ 'source_ip_address': ['10.24.4.2'],
+ 'position': '0',
+ 'id': 'fake-fw-rule1',
+ 'name': 'Fwaas-fake-fw-rule1'}
+ rule2 = {'enabled': True,
+ 'action': 'deny',
+ 'ip_version': 4,
+ 'protocol': 'tcp',
+ 'destination_port': '22',
+ 'id': 'fake-fw-rule2',
+ 'position': '1',
+ 'name': 'Fwaas-fake-fw-rule2'}
+ rule3 = {'enabled': True,
+ 'action': 'reject',
+ 'ip_version': 4,
+ 'protocol': 'tcp',
+ 'destination_port': '23',
+ 'position': '2',
+ 'id': 'fake-fw-rule3',
+ 'name': 'Fwaas-fake-fw-rule3'}
+
+ return [rule1, rule2, rule3]
+
 def _fake_firewall_no_rule(self):
 rule_list = []
 fw_inst = {'id': FAKE_FW_ID,
@@ -116,6 +147,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 update_fw.call_args[0][1])
 backend_rules = update_fw.call_args[1]['fwaas_rules']
 self.assertEqual(len(rule_list), len(backend_rules))
+ self.assertEqual(self._fake_backend_rules_v4(), backend_rules)

 def test_create_firewall_no_rules(self):
 apply_list = self._fake_apply_list()
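Review bot: `_fake_backend_rules_v4` has no docstring and repeats the input fixture almost field for field, so a reader has to compare the two by eye to see what the translation is expected to add. A one-line docstring such as `"""Rules expected in the fwaas_rules argument: the input rules plus 'position', a 'Fwaas-' prefixed 'name', and source_ip_address as a list."""` would state the intent. Building the expected list from the input fixture (copy each rule, then set those keys) would also keep the two from drifting apart when a field is added to one of them.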