NSX|V: Fix SG icmp rules creation

In addition to the fix introduced in I31141eb7a05ff508acb3cea12d7bdd7d8695d9e1 the icmpcode 0 should also be removed from the rule creation Change-Id: I380d5e45235fd0033bba924b42c6b83104f17241
2020-03-25 07:05:45 +02:00 · 2020-03-25 07:05:45 +02:00 · 51c5072c3d
commit 51c5072c3d
parent 04db6e24d7
1 changed files with 9 additions and 2 deletions
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@ -117,8 +117,14 @@ class NsxSecurityGroupUtils(object):
                    svcPortTag = et.SubElement(svcTag, 'subProtocol')
                    svcPortTag.text = str(icmptype)
                if icmpcode is not None:
-                    svcPortTag = et.SubElement(svcTag, 'icmpCode')
-                    svcPortTag.text = str(icmpcode)
+                    if icmptype in ('0', '8') and icmpcode == '0':
+                        # icmpcode 0 should not be sent
+                        # TODO(asarfaty): Validate if this is needed for all
+                        # NSX versions and all icmp types
+                        pass
+                    else:
+                        svcPortTag = et.SubElement(svcTag, 'icmpCode')
+                        svcPortTag.text = str(icmpcode)

        if application_services:
            s = et.SubElement(ruleTag, 'services')
@ -150,6 +156,7 @@ class NsxSecurityGroupUtils(object):

    def fix_existing_section_rules(self, section):
        # fix section existing rules before extending it with new rules
+        # TODO(asarfaty): Validate if this is needed for all NSX versions
        for rule in section.iter('rule'):
            services = rule.find('services')
            if services: