NSX|V3: ensure that 0.0.0.0/0 is treated correctly

The NSX will not accept 0.0.0.0/0 for remote and local IP
prefixes. This is changed internally to 'ANY'

The 'ANY' will only be internal. The API for the user will not
change, they will stell see the 0.0.0.0/0

Change-Id: I24adc9da9f52d17621117b46d8a535ccedf93227

vmware_nsx/plugins/nsx_v3/plugin.py

@@ -12,6 +12,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import copy
 
 import netaddr
 from neutron_lib.agent import topics
@@ -4558,7 +4559,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
         # since the nsxlib does not have access to the nsx db,
         # we need to provide a mapping for the remote nsgroup ids.
         ruleid_2_remote_nsgroup_map = {}
-        for sg_rule in sg_rules:
+        _sg_rules = copy.deepcopy(sg_rules)
+        for sg_rule in _sg_rules:
             remote_nsgroup_id = None
             remote_group_id = sg_rule.get('remote_group_id')
             # skip unnecessary db access when possible
@@ -4568,10 +4570,16 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                 remote_nsgroup_id = nsx_db.get_nsx_security_group_id(
                     context.session, remote_group_id)
             ruleid_2_remote_nsgroup_map[sg_rule['id']] = remote_nsgroup_id
+            # 0.0.0.0/0 is not a valid entry for local and remote so we need
+            # to change this to 'ANY'
+            if sg_rule.get('remote_ip_prefix') == '0.0.0.0/0':
+                sg_rule['remote_ip_prefix'] = 'ANY'
+            if sg_rule.get('local_ip_prefix') == '0.0.0.0/0':
+                sg_rule['local_ip_prefix'] = 'ANY'
 
         return self.nsxlib.firewall_section.create_rules(
             context, section_id, nsgroup_id,
-            logging_enabled, action, sg_rules,
+            logging_enabled, action, _sg_rules,
             ruleid_2_remote_nsgroup_map)
 
     def _handle_api_replay_default_sg(self, context, secgroup_db):

vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py

@@ -145,3 +145,41 @@ class TestNSXv3ExtendedSGRule(test_nsxv3_plugin.NsxV3PluginTestCaseMixin,
                 'ALLOW',  # action
                 sg_rules,  # sg_rules
                 mock.ANY)  # ruleid_2_remote_nsgroup_map
+
+    def test_create_rule_with_remote_ip_prefix(self):
+        remote_ip_prefix = '0.0.0.0/0'
+        with self.security_group() as sg:
+            rule = self._build_security_group_rule(
+                sg['security_group']['id'], remote_ip_prefix=remote_ip_prefix,
+                direction='ingress', proto=const.PROTO_NAME_UDP)
+            res = self._make_security_group_rule(self.fmt, rule)
+            self.assertEqual(remote_ip_prefix,
+                             res['security_group_rule']['remote_ip_prefix'])
+
+    def test_create_nsx_rule_with_remote_ip_prefix_zeros(self):
+        sg_rules = [
+            {'tenant_id': mock.ANY,
+             'project_id': mock.ANY,
+             'id': mock.ANY,
+             'port_range_min': None,
+             'local_ip_prefix': None,
+             'ethertype': 'IPv4',
+             'protocol': u'udp', 'remote_ip_prefix': 'ANY',
+             'port_range_max': None,
+             'security_group_id': mock.ANY,
+             'remote_group_id': None, 'direction': u'ingress',
+             'description': ''}]
+
+        with mock.patch(
+            "vmware_nsxlib.v3.security.NsxLibFirewallSection.create_rules",
+            side_effect=test_nsxv3_plugin._mock_create_firewall_rules,
+        ) as mock_rule:
+            self.test_create_rule_with_remote_ip_prefix()
+            mock_rule.assert_called_with(
+                mock.ANY,  # content
+                mock.ANY,  # firewall_section_id
+                mock.ANY,  # ns_group_id
+                False,  # logging
+                'ALLOW',  # action
+                sg_rules,  # sg_rules
+                mock.ANY)  # ruleid_2_remote_nsgroup_map