Fix _port_arg for security rules with icmp/ipv6-icmp aliases
When a security group rule is created with an icmp/ipv6-icmp alias as its
protocol, such as protocol number 1 (ICMP), 58 (ICMPv6) or the string
icmpv6 (legacy name for ipv6-icmp), along with an ICMP/ICMPv6 message
type, _port_arg will generate a wrong string for iptables/ip6tables.
Change-Id: Iae01b9a0da34797a5f061a110f06e18be9bbec5a
Closes-Bug: #1743552
(cherry picked from commit 0efe1aec18
)
parent
8a943e4dbe
commit
f7207d4918
|
@ -652,6 +652,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||
if port_range_min is None:
|
||||
return args
|
||||
|
||||
protocol = n_const.IPTABLES_PROTOCOL_NAME_MAP.get(protocol, protocol)
|
||||
if protocol in ['icmp', 'ipv6-icmp']:
|
||||
protocol_type = 'icmpv6' if protocol == 'ipv6-icmp' else 'icmp'
|
||||
# Note(xuhanp): port_range_min/port_range_max represent
|
||||
|
|
|
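Review bot: The added lookup `n_const.IPTABLES_PROTOCOL_NAME_MAP.get(protocol, protocol)` falls back silently to the raw value, so an alias that is missing from the map still skips the `if protocol in ['icmp', 'ipv6-icmp']` branch and presumably produces the same wrong rule string as before. The same would apply to a protocol passed as an int rather than the string '1' or '58', if the map is keyed by strings; the map itself is not visible here. Since the result becomes a firewall rule, state the invariant above the new line, e.g. `# Normalise aliases ('1', '58', 'icmpv6') first; the ICMP branch below matches canonical names only.` The body of _port_arg starts and ends outside this hunk, so whether the `-p` argument is normalised from the same map cannot be confirmed from here.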
@ -550,6 +550,21 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
ingress = None
|
||||
self._test_prepare_port_filter(rule, ingress, egress)
|
||||
|
||||
def test_filter_ipv4_egress_icmp_type_code_protocol_num(self):
|
||||
prefix = FAKE_PREFIX['IPv4']
|
||||
rule = {'ethertype': 'IPv4',
|
||||
'direction': 'egress',
|
||||
'protocol': '1',
|
||||
'port_range_min': 8,
|
||||
'port_range_max': 0,
|
||||
'dest_ip_prefix': prefix}
|
||||
egress = mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-d %s -p icmp -m icmp --icmp-type 8/0 -j RETURN' % prefix,
|
||||
comment=None)
|
||||
ingress = None
|
||||
self._test_prepare_port_filter(rule, ingress, egress)
|
||||
|
||||
def test_filter_ipv4_egress_tcp_port(self):
|
||||
rule = {'ethertype': 'IPv4',
|
||||
'direction': 'egress',
|
||||
|
@ -934,6 +949,36 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
ingress = None
|
||||
self._test_prepare_port_filter(rule, ingress, egress)
|
||||
|
||||
def test_filter_ipv6_egress_icmp_type_code_protocol_num(self):
|
||||
prefix = FAKE_PREFIX['IPv6']
|
||||
rule = {'ethertype': 'IPv6',
|
||||
'direction': 'egress',
|
||||
'protocol': '58',
|
||||
'port_range_min': 8,
|
||||
'port_range_max': 0,
|
||||
'dest_ip_prefix': prefix}
|
||||
egress = mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-d %s -p ipv6-icmp -m icmp6 --icmpv6-type 8/0 -j RETURN' % prefix,
|
||||
comment=None)
|
||||
ingress = None
|
||||
self._test_prepare_port_filter(rule, ingress, egress)
|
||||
|
||||
def test_filter_ipv6_egress_icmp_type_code_protocol_legacy_name(self):
|
||||
prefix = FAKE_PREFIX['IPv6']
|
||||
rule = {'ethertype': 'IPv6',
|
||||
'direction': 'egress',
|
||||
'protocol': 'icmpv6',
|
||||
'port_range_min': 8,
|
||||
'port_range_max': 0,
|
||||
'dest_ip_prefix': prefix}
|
||||
egress = mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
'-d %s -p ipv6-icmp -m icmp6 --icmpv6-type 8/0 -j RETURN' % prefix,
|
||||
comment=None)
|
||||
ingress = None
|
||||
self._test_prepare_port_filter(rule, ingress, egress)
|
||||
|
||||
def test_filter_ipv6_egress_tcp_port(self):
|
||||
rule = {'ethertype': 'IPv6',
|
||||
'direction': 'egress',
|
||||
|
|
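Review bot: The three added tests (`test_filter_ipv4_egress_icmp_type_code_protocol_num`, `test_filter_ipv6_egress_icmp_type_code_protocol_num` and `test_filter_ipv6_egress_icmp_type_code_protocol_legacy_name`) cover only egress rules with both type and code set, so the alias path for an ingress rule or a type-only rule (`port_range_max` left as None) is not pinned. Because the expected strings are firewall rules, each test would benefit from a short comment such as `# Regression for bug #1743552: alias '58' must still render as -p ipv6-icmp ... --icmpv6-type`, so a maintainer knows what a failure means. The IPv6 cases reuse type 8 code 0, which reads as the ICMPv4 echo request; 128 would be the ICMPv6 equivalent, though any value exercises the formatting.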