From fbcf8e6b141906632af2d387767b58ece269538d Mon Sep 17 00:00:00 2001
From: lei zhang
Date: Thu, 26 Nov 2015 23:36:05 +0800
Subject: [PATCH] Fix Security-rule's port should not set to 0 when Protocol is TCP/UDP security rule port can be set value 0 when protocol is TCP/UDP This patch add port check in def_validate_port_range(self, rule),when protocol is TCP or UDP,port value 0 should not accepted
APIImpact
Change-Id: I57836d730db602de2a6704fd11a13c74ac38a716
Closes-Bug: #1527016
---
 neutron/db/securitygroups_db.py | 4 +++-
 .../tests/unit/agent/test_securitygroups_rpc.py | 3 ---
 .../tests/unit/extensions/test_securitygroup.py | 17 +++++++++++++++++
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index 8cbcc22e6..e914a04b9 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -432,7 +432,9 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
 ip_proto = self._get_ip_proto_number(rule['protocol'])
 if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]:
- if (rule['port_range_min'] is not None and
+ if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
+ raise ext_sg.SecurityGroupInvalidPortValue(port=0)
+ elif (rule['port_range_min'] is not None and
 rule['port_range_max'] is not None and
 rule['port_range_min'] <= rule['port_range_max']):
 pass
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index 7f63c31c8..ed1b8b5de 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
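Review bot: The port-0 rejection added to the port-range validator in neutron/db/securitygroups_db.py guards rule creation only, so TCP/UDP rules with a 0 bound that were accepted before this change are not covered. The test removed from test_securitygroups_rpc.py shows that a 0–10 range used to be accepted and delivered to agents, so if such rows can exist in a deployed database the agent side presumably still has to handle them, which is worth a release note or a follow-up. The `== 0` comparison also relies on both bounds arriving as integers or None, and that conversion is not visible in this hunk. A short comment above the new branch would record the intent, for example `# Port 0 is not a usable TCP/UDP port; reject it before the min <= max range check.` The validator's body starts and ends outside the hunk.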
@@ -245,9 +245,6 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
 expected)
 self._delete('ports', port_id1)

- def test_sg_rules_for_devices_ipv4_ingress_port_range_min_port_0(self):
- self._test_sg_rules_for_devices_ipv4_ingress_port_range(0, 10)
-
 def test_sg_rules_for_devices_ipv4_ingress_port_range_min_port_1(self):
 self._test_sg_rules_for_devices_ipv4_ingress_port_range(1, 10)

diff --git a/neutron/tests/unit/extensions/test_securitygroup.py b/neutron/tests/unit/extensions/test_securitygroup.py
index c7195803b..31fc46e6f 100644
--- a/neutron/tests/unit/extensions/test_securitygroup.py
+++ b/neutron/tests/unit/extensions/test_securitygroup.py
@@ -1503,6 +1503,23 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
 self.deserialize(self.fmt, res)
 self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)

+ def test_create_security_group_rule_with_invalid_tcp_or_udp_protocol(self):
+ security_group_id = "4cd70774-cc67-4a87-9b39-7d1db38eb087"
+ direction = "ingress"
+ remote_ip_prefix = "10.0.0.0/24"
+ protocol = 'tcp'
+ port_range_min = 0
+ port_range_max = 80
+ remote_group_id = "9cd70774-cc67-4a87-9b39-7d1db38eb087"
+ rule = self._build_security_group_rule(security_group_id, direction,
+ protocol, port_range_min,
+ port_range_max,
+ remote_ip_prefix,
+ remote_group_id)
+ res = self._create_security_group_rule(self.fmt, rule)
+ self.deserialize(self.fmt, res)
+ self.assertEqual(res.status_int, webob.exc.HTTPBadRequest.code)
+
 def test_create_port_with_non_uuid(self):
 with self.network() as n:
 with self.subnet(n):
--
2.45.2
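Review bot: The new test in test_securitygroup.py asserts only on the 400 status, yet the rule it submits also carries a hard-coded `security_group_id` and both `remote_ip_prefix` and `remote_group_id`, so a rejection by some other input check would satisfy it equally well; whether one fires first is not visible in this hunk. Dropping the `remote_group_id` argument and also asserting on the error type in the response would tie the test to the port check. Only `protocol = 'tcp'` with `port_range_min = 0` is exercised, so the `port_range_max == 0` half of the new condition and the UDP case have no coverage. The name says `invalid_tcp_or_udp_protocol` although the protocol is valid and the port is what gets rejected; something like `test_create_security_group_rule_with_tcp_or_udp_port_zero` would describe it better.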