From 4013b4ca65018f7cf88c9e027d58cf9917560a43 Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Sun, 8 Apr 2018 00:30:28 -0700
Subject: [PATCH] NSX|V3: ensure that 0.0.0.0/0 is treated correctly

The NSX will not accept 0.0.0.0/0 for remote and local IP prefixes. This is changed internally to 'ANY' The 'ANY' will only be internal. The API for the user will not change, they will stell see the 0.0.0.0/0

Change-Id: I24adc9da9f52d17621117b46d8a535ccedf93227
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 12 +++++-
 .../test_secgroup_rule_local_ip_prefix.py | 38 +++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 4dff4bdf8e..15b9f6ec41 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -12,6 +12,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+import copy
 import netaddr
 
 from neutron_lib.agent import topics
@@ -4558,7 +4559,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 # since the nsxlib does not have access to the nsx db,
 # we need to provide a mapping for the remote nsgroup ids.
 ruleid_2_remote_nsgroup_map = {}
- for sg_rule in sg_rules:
+ _sg_rules = copy.deepcopy(sg_rules)
+ for sg_rule in _sg_rules:
 remote_nsgroup_id = None
 remote_group_id = sg_rule.get('remote_group_id')
 # skip unnecessary db access when possible
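Review bot: `copy.deepcopy(sg_rules)` on the first added line copies every nested value of every rule on each call, although the method only rewrites two top-level string fields before handing the list to the backend; if the rules are plain dicts, as the `.get` and item access in this loop suggest, a per-rule shallow copy is enough: `_sg_rules = [dict(rule) for rule in sg_rules]`. The leading underscore on `_sg_rules` is conventionally reserved for non-public module or attribute names; a local such as `nsx_rules` reads more naturally and makes clear that it is the backend-facing copy, not the API objects. The enclosing method's signature lies outside the hunk.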
@@ -4568,10 +4570,16 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 remote_nsgroup_id = nsx_db.get_nsx_security_group_id(
 context.session, remote_group_id)
 ruleid_2_remote_nsgroup_map[sg_rule['id']] = remote_nsgroup_id
+ # 0.0.0.0/0 is not a valid entry for local and remote so we need
+ # to change this to 'ANY'
+ if sg_rule.get('remote_ip_prefix') == '0.0.0.0/0':
+ sg_rule['remote_ip_prefix'] = 'ANY'
+ if sg_rule.get('local_ip_prefix') == '0.0.0.0/0':
+ sg_rule['local_ip_prefix'] = 'ANY'
 return self.nsxlib.firewall_section.create_rules(
 context, section_id, nsgroup_id,
- logging_enabled, action, sg_rules,
+ logging_enabled, action, _sg_rules,
 ruleid_2_remote_nsgroup_map)
 
 def _handle_api_replay_default_sg(self, context, secgroup_db):
diff --git a/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py b/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
index d2b587bac3..815691b47e 100644
--- a/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
+++ b/vmware_nsx/tests/unit/extensions/test_secgroup_rule_local_ip_prefix.py
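Review bot: The two added `if` lines match only the literal string `'0.0.0.0/0'`, so an IPv6 rule carrying `'::/0'` — or any other spelling of a zero-length prefix that reaches this method — is still handed to NSX unchanged, and if the backend rejects it the same way, the whole `create_rules` call fails rather than a single rule being skipped. `netaddr` is already imported by this module, so a prefix-length test covers every spelling: `if prefix and netaddr.IPNetwork(prefix).prefixlen == 0:` applied to each of `remote_ip_prefix` and `local_ip_prefix`, assuming the values have already passed API validation so the parse cannot raise here. Whether NSX accepts `'ANY'` on IPv6 rules is not shown by this change and should be confirmed before widening the check. The enclosing method begins outside the hunk.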
@@ -145,3 +145,41 @@ class TestNSXv3ExtendedSGRule(test_nsxv3_plugin.NsxV3PluginTestCaseMixin,
 'ALLOW', # action
 sg_rules, # sg_rules
 mock.ANY) # ruleid_2_remote_nsgroup_map
+
+ def test_create_rule_with_remote_ip_prefix(self):
+ remote_ip_prefix = '0.0.0.0/0'
+ with self.security_group() as sg:
+ rule = self._build_security_group_rule(
+ sg['security_group']['id'], remote_ip_prefix=remote_ip_prefix,
+ direction='ingress', proto=const.PROTO_NAME_UDP)
+ res = self._make_security_group_rule(self.fmt, rule)
+ self.assertEqual(remote_ip_prefix,
+ res['security_group_rule']['remote_ip_prefix'])
+
+ def test_create_nsx_rule_with_remote_ip_prefix_zeros(self):
+ sg_rules = [
+ {'tenant_id': mock.ANY,
+ 'project_id': mock.ANY,
+ 'id': mock.ANY,
+ 'port_range_min': None,
+ 'local_ip_prefix': None,
+ 'ethertype': 'IPv4',
+ 'protocol': u'udp', 'remote_ip_prefix': 'ANY',
+ 'port_range_max': None,
+ 'security_group_id': mock.ANY,
+ 'remote_group_id': None, 'direction': u'ingress',
+ 'description': ''}]
+
+ with mock.patch(
+ "vmware_nsxlib.v3.security.NsxLibFirewallSection.create_rules",
+ side_effect=test_nsxv3_plugin._mock_create_firewall_rules,
+ ) as mock_rule:
+ self.test_create_rule_with_remote_ip_prefix()
+ mock_rule.assert_called_with(
+ mock.ANY, # content
+ mock.ANY, # firewall_section_id
+ mock.ANY, # ns_group_id
+ False, # logging
+ 'ALLOW', # action
+ sg_rules, # sg_rules
+ mock.ANY) # ruleid_2_remote_nsgroup_map
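Review bot: Neither new test exercises the `local_ip_prefix` branch of the plugin change, even though this module is the local-ip-prefix test suite; `test_create_nsx_rule_with_remote_ip_prefix_zeros` pins only `'remote_ip_prefix': 'ANY'` and fixes `'local_ip_prefix': None`. A sibling test that creates a rule with `local_ip_prefix='0.0.0.0/0'`, asserts the backend call received `'local_ip_prefix': 'ANY'`, and checks the API response still returns `'0.0.0.0/0'` would cover the second rewrite and the user-visible invariant the commit message promises. The expected `sg_rules` list in the second test matches only the rule shape used by the first test, so if either test is later changed independently the assertion silently drifts; a short comment above the list saying it mirrors the rule built in `test_create_rule_with_remote_ip_prefix` would make that coupling explicit.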