NSX|V: support big ranges in fw rules ports

A range of source/destination ports in a firewall rule should not be
expanded into a list of individual ports; it should be sent to the NSX
as a range.

Change-Id: Icbfbb7b02a4dff4863a1e69ccea2777f538fc7c4
Adit Sarfaty 2017-07-09 11:25:54 +03:00
parent d0af9b5a9d
commit 32e3f9b704
2 changed files with 34 additions and 2 deletions


@ -85,8 +85,8 @@ class EdgeFirewallDriver(object):
return [] return []
if ':' in port_str: if ':' in port_str:
min_port, sep, max_port = port_str.partition(":") min_port, sep, max_port = port_str.partition(":")
return list(range(int(min_port.strip()), return ["%s-%s" % (int(min_port.strip()),
int(max_port.strip()) + 1)) int(max_port.strip()))]
if ',' in port_str: if ',' in port_str:
# remove duplications (using set) and empty/non numeric entries # remove duplications (using set) and empty/non numeric entries
ports_set = set() ports_set = set()
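Review bot: The new range branch formats `min_port` and `max_port` straight into `"%s-%s"` without checking their order or bounds, so an input such as `100:10` or `0:70000` is now passed on as `100-10` / `0-70000`, whereas the old `range()` call at least collapsed a reversed range to an empty list. Unless the API layer is guaranteed to have validated the range earlier (not visible here), consider parsing once with `lo, hi = int(min_port.strip()), int(max_port.strip())` and guarding with `if not 1 <= lo <= hi <= 65535:`, rejecting the value the way the driver rejects other bad input. The returned element also changes from an int to a str on this path, so callers that merge or compare it with the results of the other branches (whose types are not visible in this hunk) should be checked. The enclosing method starts and ends outside the hunk.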


@ -36,6 +36,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
'ip_version': 4, 'ip_version': 4,
'protocol': 'tcp', 'protocol': 'tcp',
'destination_port': '80', 'destination_port': '80',
'source_port': '1-65535',
'source_ip_address': '10.24.4.2', 'source_ip_address': '10.24.4.2',
'id': 'fake-fw-rule1'} 'id': 'fake-fw-rule1'}
rule2 = {'enabled': True, rule2 = {'enabled': True,
@ -52,6 +53,36 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
'id': 'fake-fw-rule3'} 'id': 'fake-fw-rule3'}
return [rule1, rule2, rule3] return [rule1, rule2, rule3]
def _fake_backend_rules_v4(self):
rule1 = {'enabled': True,
'action': 'allow',
'ip_version': 4,
'protocol': 'tcp',
'destination_port': '80',
'source_port': '1-65535',
'source_ip_address': ['10.24.4.2'],
'position': '0',
'id': 'fake-fw-rule1',
'name': 'Fwaas-fake-fw-rule1'}
rule2 = {'enabled': True,
'action': 'deny',
'ip_version': 4,
'protocol': 'tcp',
'destination_port': '22',
'id': 'fake-fw-rule2',
'position': '1',
'name': 'Fwaas-fake-fw-rule2'}
rule3 = {'enabled': True,
'action': 'reject',
'ip_version': 4,
'protocol': 'tcp',
'destination_port': '23',
'position': '2',
'id': 'fake-fw-rule3',
'name': 'Fwaas-fake-fw-rule3'}
return [rule1, rule2, rule3]
def _fake_firewall_no_rule(self): def _fake_firewall_no_rule(self):
rule_list = [] rule_list = []
fw_inst = {'id': FAKE_FW_ID, fw_inst = {'id': FAKE_FW_ID,
@ -116,6 +147,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
update_fw.call_args[0][1]) update_fw.call_args[0][1])
backend_rules = update_fw.call_args[1]['fwaas_rules'] backend_rules = update_fw.call_args[1]['fwaas_rules']
self.assertEqual(len(rule_list), len(backend_rules)) self.assertEqual(len(rule_list), len(backend_rules))
self.assertEqual(self._fake_backend_rules_v4(), backend_rules)
def test_create_firewall_no_rules(self): def test_create_firewall_no_rules(self):
apply_list = self._fake_apply_list() apply_list = self._fake_apply_list()
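Review bot: The fixtures use a dash-separated `'source_port': '1-65535'`, while the conversion changed by this commit is taken only when the port string contains `':'`, so the new range formatting does not appear to be exercised by these tests. `_fake_backend_rules_v4` expects the same `'1-65535'` string in the arguments of the mocked `update_fw` call, which suggests the value is passed through unchanged rather than through the range branch (inferred; the driver code in between is not shown). A direct unit test of the port-string conversion with a colon range such as `'1:65535'` expecting `['1-65535']`, plus one with a reversed range, would pin the behaviour the commit message describes.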