x/vmware-nsx
Code Issues Proposed changes

NSX|V: Fix security groups rules creation

Browse Source 
When updating a section, exising icmp echo request/reply rules cannot have
icmp code field.

Change-Id: I31141eb7a05ff508acb3cea12d7bdd7d8695d9e1
This commit is contained in:
asarfaty 2020-03-22 12:45:29 +02:00
parent 5b84dd5e4d
commit af0861ce2e
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
vmware_nsx/plugins/nsx_v/plugin.py
View File

@ -4802,6 +4802,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
_h, _c = self.nsx_v.vcns.get_section(section_uri) _h, _c = self.nsx_v.vcns.get_section(section_uri)
section = self.nsx_sg_utils.parse_section(_c) section = self.nsx_sg_utils.parse_section(_c)
self.nsx_sg_utils.fix_existing_section_rules(section)
self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules) self.nsx_sg_utils.extend_section_with_rules(section, nsx_rules)
try: try:
h, c = self.nsx_v.vcns.update_section( h, c = self.nsx_v.vcns.update_section(

14
vmware_nsx/plugins/nsx_v/vshield/securitygroup_utils.py
View File

@ -148,6 +148,20 @@ class NsxSecurityGroupUtils(object):
pairs.append(pair) pairs.append(pair)
return pairs return pairs
def fix_existing_section_rules(self, section):
# fix section existing rules before extending it with new rules
for rule in section.iter('rule'):
services = rule.find('services')
if services:
for service in services:
subProt = service.find('subProtocolName')
icmpCode = service.find('icmpCode')
if (icmpCode is not None and icmpCode.text == '0' and
subProt is not None and
subProt.text in ('echo-request', 'echo-reply')):
# ICMP code should not exist in the payload
service.remove(icmpCode)
def extend_section_with_rules(self, section, nsx_rules): def extend_section_with_rules(self, section, nsx_rules):
section.extend(nsx_rules) section.extend(nsx_rules)