Fix Security-rule's port should not set to 0 when Protocol is TCP/UDP
authorlei zhang <shleiz@cn.ibm.com>
Thu, 26 Nov 2015 15:36:05 +0000 (23:36 +0800)
committerJacky_lei_zhang <shleiz@cn.ibm.com>
Thu, 24 Dec 2015 02:17:56 +0000 (02:17 +0000)
A security rule's port can be set to the value 0 when the protocol is TCP/UDP.

This patch adds a port check in def _validate_port_range(self, rule): when the
protocol is TCP or UDP, a port value of 0 should not be accepted.

APIImpact
Change-Id: I57836d730db602de2a6704fd11a13c74ac38a716
Closes-Bug: #1527016

neutron/db/securitygroups_db.py
neutron/tests/unit/agent/test_securitygroups_rpc.py
neutron/tests/unit/extensions/test_securitygroup.py

index 8cbcc22e6064cffd12bbe441c0974e8b6dd66b6b..e914a04b9c8820a5826b37273a40f9725c345cb7 100644 (file)
@@ -432,7 +432,9 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
         ip_proto = self._get_ip_proto_number(rule['protocol'])
         if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]:
-            if (rule['port_range_min'] is not None and
+            if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
+                raise ext_sg.SecurityGroupInvalidPortValue(port=0)
+            elif (rule['port_range_min'] is not None and
                 rule['port_range_max'] is not None and
                 rule['port_range_min'] <= rule['port_range_max']):
                 pass
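Review bot: The new guard `rule['port_range_min'] == 0 or rule['port_range_max'] == 0` only rejects rules submitted after this change; any TCP/UDP rule with port 0 that is already stored is not touched here. The test that exercised a min port of 0 on the RPC path is also deleted in test_securitygroups_rpc.py, so how agents handle such a stored row is no longer covered. If such rows can exist, the commit message or a release note should say how they are handled. A short comment above the check would help the next reader, e.g. `# Port 0 is reserved for TCP/UDP; reject it here instead of storing the rule.` The enclosing method starts and ends outside the hunk, so the final else branch and any upper-bound check are not visible from here.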
index 7f63c31c8c7c186c5fd97182e010f97fa45852c2..ed1b8b5decfe4b7384d0ac7015e8cdca65510f89 100644 (file)
@@ -245,9 +245,6 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
                              expected)
             self._delete('ports', port_id1)
 
-    def test_sg_rules_for_devices_ipv4_ingress_port_range_min_port_0(self):
-        self._test_sg_rules_for_devices_ipv4_ingress_port_range(0, 10)
-
     def test_sg_rules_for_devices_ipv4_ingress_port_range_min_port_1(self):
         self._test_sg_rules_for_devices_ipv4_ingress_port_range(1, 10)
 
index c7195803b9d214477c5bad874547f51db774432c..31fc46e6f40a26d0af4302ac0c2c0cb30872e5c5 100644 (file)
@@ -1503,6 +1503,23 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
         self.deserialize(self.fmt, res)
         self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
 
+    def test_create_security_group_rule_with_invalid_tcp_or_udp_protocol(self):
+        security_group_id = "4cd70774-cc67-4a87-9b39-7d1db38eb087"
+        direction = "ingress"
+        remote_ip_prefix = "10.0.0.0/24"
+        protocol = 'tcp'
+        port_range_min = 0
+        port_range_max = 80
+        remote_group_id = "9cd70774-cc67-4a87-9b39-7d1db38eb087"
+        rule = self._build_security_group_rule(security_group_id, direction,
+                                               protocol, port_range_min,
+                                               port_range_max,
+                                               remote_ip_prefix,
+                                               remote_group_id)
+        res = self._create_security_group_rule(self.fmt, rule)
+        self.deserialize(self.fmt, res)
+        self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
+
     def test_create_port_with_non_uuid(self):
         with self.network() as n:
             with self.subnet(n):
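Review bot: The new test may not prove the port check. The rule it builds sets both `remote_ip_prefix` and `remote_group_id` and uses a hard-coded `security_group_id` that the test never creates, so the 400 could come from other validation and the test might pass without the fix; the hunk does not show which check runs first. Creating the group first, dropping `remote_group_id`, and asserting on the error type in the deserialized body (the result of `self.deserialize` is currently discarded) would tie the assertion to port 0. The name says `invalid_tcp_or_udp_protocol`, but the protocol is valid and only `tcp` with `port_range_min = 0` is exercised. A name such as `test_create_security_group_rule_with_tcp_or_udp_port_0`, with added cases for `udp` and for `port_range_max = 0`, would match the new condition.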