From 51c5072c3d6e15c14a6bdb595040bda41e898f2c Mon Sep 17 00:00:00 2001
From: asarfaty
Date: Wed, 25 Mar 2020 07:05:45 +0200
Subject: [PATCH] NSX|V: Fix SG icmp rules creation
In addition to the fix introduced in I31141eb7a05ff508acb3cea12d7bdd7d8695d9e1 the icmpcode 0 should also be removed from the rule creation
Change-Id: I380d5e45235fd0033bba924b42c6b83104f17241
---
 .../plugins/nsx_v/vshield/securitygroup_utils.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
index b14be5c81d..c3561a007a 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
@@ -117,8 +117,14 @@ class NsxSecurityGroupUtils(object):
 svcPortTag = et.SubElement(svcTag, 'subProtocol')
 svcPortTag.text = str(icmptype)
 if icmpcode is not None:
- svcPortTag = et.SubElement(svcTag, 'icmpCode')
- svcPortTag.text = str(icmpcode)
+ if icmptype in ('0', '8') and icmpcode == '0':
+ # icmpcode 0 should not be sent
+ # TODO(asarfaty): Validate if this is needed for all
+ # NSX versions and all icmp types
+ pass
+ else:
+ svcPortTag = et.SubElement(svcTag, 'icmpCode')
+ svcPortTag.text = str(icmpcode)
 if application_services:
 s = et.SubElement(ruleTag, 'services')
@@ -150,6 +156,7 @@ class NsxSecurityGroupUtils(object):
 def fix_existing_section_rules(self, section):
 # fix section existing rules before extending it with new rules
+ # TODO(asarfaty): Validate if this is needed for all NSX versions
 for rule in section.iter('rule'):
 services = rule.find('services')
 if services:
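Review bot: The new guard `icmptype in ('0', '8') and icmpcode == '0'` in the first hunk compares against string literals, yet the neighbouring lines wrap both values in `str(...)` before writing them, which suggests callers may pass integers. If they do, the condition is never true and `icmpCode` 0 is still emitted, so the fix would silently not apply to those security-group rules. Normalising before the comparison, `if str(icmptype) in ('0', '8') and str(icmpcode) == '0':`, makes the check independent of the caller's type. Omitting `icmpCode` presumably leaves the code unconstrained on the backend, so a comment such as `# types 0/8 only define code 0, so dropping icmpCode does not widen the rule` would record why this is safe for whoever audits firewall behaviour later. The enclosing method starts and ends outside the hunk, so the argument types cannot be confirmed from here.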