This patch adds support for passing protocol numbers into the API,
for example 1 instead of ICMP. This allows any protocol to be used,
not just TCP/UDP/ICMP. This patch includes changes to support
this for the NVP Plugin. Existing plugins using securitygroups_rpc_base
and OVSHybridIptablesFirewallDriver require no change to leverage this.
Implements blueprint security-group-rules-protocol-numbers
Change-Id: I7d3b6986d9d0dadbefac0ea7798475a573dac046
class SecurityGroupRuleInvalidProtocol(qexception.InvalidInput):
message = _("Security group rule protocol %(protocol)s not supported. "
- "Only protocol values %(values)s supported.")
+ "Only protocol values %(values)s and their integer "
+ "representation (0 to 255) are supported.")
class SecurityGroupRulesNotSingleTenant(qexception.InvalidInput):
message = _("Security group rule already exists. Group id is %(id)s.")
-def convert_protocol_to_case_insensitive(value):
+def convert_protocol(value):
if value is None:
- return value
+ return
try:
- return value.lower()
+ val = int(value)
+ if val >= 0 and val <= 255:
+ return val
+ raise SecurityGroupRuleInvalidProtocol(
+ protocol=value, values=sg_supported_protocols)
+ except (ValueError, TypeError):
+ if value.lower() in sg_supported_protocols:
+ return value.lower()
+ raise SecurityGroupRuleInvalidProtocol(
+ protocol=value, values=sg_supported_protocols)
except AttributeError:
raise SecurityGroupRuleInvalidProtocol(
protocol=value, values=sg_supported_protocols)
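Review bot: In `convert_protocol`, the `value.lower()` call sits inside the `except (ValueError, TypeError)` handler, so the trailing `except AttributeError` clause of the same `try` can no longer catch it. A protocol sent as a JSON list or object makes `int()` raise TypeError and then `.lower()` raise an uncaught AttributeError, which would most likely surface as a server error rather than the intended 400. `int()` also coerces `True` to 1 and `6.9` to 6, so booleans and floats are accepted as protocol numbers. Parsing the number in a narrow `try` and keeping every rejection on the `SecurityGroupRuleInvalidProtocol` path fixes both, as sketched below. None of the tests shown on this page cover out-of-range or non-string input.

```python
def convert_protocol(value):
    if value is None:
        return
    invalid = SecurityGroupRuleInvalidProtocol(
        protocol=value, values=sg_supported_protocols)
    # int() would coerce True -> 1 and 6.9 -> 6
    if isinstance(value, (bool, float)):
        raise invalid
    try:
        val = int(value)
    except (ValueError, TypeError):
        # not numeric: only a supported name is acceptable
        name = value.lower() if hasattr(value, 'lower') else None
        if name in sg_supported_protocols:
            return name
        raise invalid
    if 0 <= val <= 255:
        return val
    raise invalid
```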
'validate': {'type:values': ['ingress', 'egress']}},
'protocol': {'allow_post': True, 'allow_put': False,
'is_visible': True, 'default': None,
- 'convert_to': convert_protocol_to_case_insensitive,
- 'validate': {'type:values': sg_supported_protocols}},
+ 'convert_to': convert_protocol},
'port_range_min': {'allow_post': True, 'allow_put': False,
'convert_to': convert_validate_port_value,
'default': None, 'is_visible': True},
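Review bot: With the `'validate'` entry removed, `convert_protocol` becomes the only check on `protocol`, and nothing at this entry says so. A comment above the entry, e.g. `# convert_protocol also validates: supported names or integers 0-255`, would keep a later reader from assuming the value is unvalidated, or from re-adding a `type:values` list that rejects numbers. The attribute map starts and ends outside the hunk.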
elif param == 'remote_group_id':
nvp_rule['profile_uuid'] = rule['remote_group_id']
elif param == 'protocol':
- nvp_rule['protocol'] = protocol_num_look_up[rule['protocol']]
+ try:
+ nvp_rule['protocol'] = int(rule['protocol'])
+ except (ValueError, TypeError):
+ nvp_rule['protocol'] = (
+ protocol_num_look_up[rule['protocol']])
else:
nvp_rule[param] = value
return nvp_rule
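Review bot: Nothing in this branch bounds the result of `int(rule['protocol'])`, so the 0–255 limit depends entirely on the API-layer converter having run for every rule that reaches this function. Rules arriving by any other path (none is visible in this hunk) would be handed to NVP unchecked. A short comment such as `# protocol was validated by the API layer: int 0-255 or a supported name` would record that assumption. The fallback `protocol_num_look_up[rule['protocol']]` also still raises a bare KeyError for a name missing from that table. The enclosing function starts outside the hunk.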
rule = self._build_security_group_rule(
security_group_id, 'ingress', 'tcp', '22', '22', None, None,
ethertype=ethertype)
- res = self._create_security_group_rule('json', rule)
- self.deserialize('json', res)
+ res = self._create_security_group_rule(self.fmt, rule)
+ self.deserialize(self.fmt, res)
self.assertEqual(res.status_int, 400)
- def test_create_security_group_rule_protocol_invalid_as_number(self):
+ def test_create_security_group_rule_protocol_as_number(self):
name = 'webservers'
description = 'my webservers'
with self.security_group(name, description) as sg:
rule = self._build_security_group_rule(
security_group_id, 'ingress', protocol, '22', '22',
None, None)
- res = self._create_security_group_rule('json', rule)
- self.deserialize('json', res)
- self.assertEqual(res.status_int, 400)
+ res = self._create_security_group_rule(self.fmt, rule)
+ self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, 201)
def test_create_security_group_rule_case_insensitive(self):
name = 'webservers'