
openstack-nova-2011.3.1-11.fc16.src.rpm

From e0ed18da2c18de36ef98e18d9f3768919b483e5f Mon Sep 17 00:00:00 2001
From: Vishvananda Ishaya <vishvananda@gmail.com>
Date: Wed, 6 Jun 2012 13:25:04 -0400
Subject: [PATCH] Fix up protocol case handling for security groups.

Fix bug 985184.

When creating security group rules, any case for the protocol was
accepted as input, such as TCP, Tcp, tcp, etc., and was stored in the
database as specified.  However, unless specified as all lowercase, the
code to apply the rules would break and result in some rules not being
applied.

(cherry picked from commit ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654)

Also includes a backport of this fix:
    https://review.openstack.org/#/c/8392

Change-Id: I36af1db29c2bd97627d614df21b5da07db29a8ab
---
 nova/api/ec2/cloud.py                         |    2 +-
 nova/api/openstack/contrib/security_groups.py |    2 +-
 nova/virt/libvirt/firewall.py                 |   15 ++++++++-------
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index cd41921..de50b6a 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -740,7 +740,7 @@ class CloudController(object):
                       to_port=to_port, msg="For ICMP, the"
                                            " type:code must be valid")
 
-            values['protocol'] = ip_protocol
+            values['protocol'] = ip_protocol.lower()
             values['from_port'] = from_port
             values['to_port'] = to_port
         else:
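Review bot: The protocol is lowercased only on the line that stores it, `values['protocol'] = ip_protocol.lower()`, so any comparison made on `ip_protocol` earlier in this method still sees the caller's casing. That earlier code is outside the hunk, so it is worth confirming that the validation is case-insensitive. Normalising once where the value is first read, e.g. `ip_protocol = ip_protocol.lower()`, would keep validation and storage working on the same string. The identical line is added in nova/api/openstack/contrib/security_groups.py, and a shared helper for the two controllers would stop them drifting apart on what ends up in a firewall rule.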
diff --git a/nova/api/openstack/contrib/security_groups.py b/nova/api/openstack/contrib/security_groups.py
index 78d4881..2844b19 100644
--- a/nova/api/openstack/contrib/security_groups.py
+++ b/nova/api/openstack/contrib/security_groups.py
@@ -331,7 +331,7 @@ class SecurityGroupRulesController(SecurityGroupController):
                       to_port=to_port, msg="For ICMP, the"
                                            " type:code must be valid")
 
-            values['protocol'] = ip_protocol
+            values['protocol'] = ip_protocol.lower()
             values['from_port'] = from_port
             values['to_port'] = to_port
         else:
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index dfa1deb..f234b28 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -417,20 +417,21 @@ class NWFilterFirewall(FirewallDriver):
             rule_xml += "<rule action='accept' direction='in' priority='300'>"
             if rule.cidr:
                 version = netutils.get_ip_version(rule.cidr)
+                protocol = rule.protocol.lower()
                 if(FLAGS.use_ipv6 and version == 6):
                     net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                     rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
-                                (v6protocol[rule.protocol], net, prefixlen)
+                                (v6protocol[protocol], net, prefixlen)
                 else:
                     net, mask = netutils.get_net_and_mask(rule.cidr)
                     rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
-                                (rule.protocol, net, mask)
-                if rule.protocol in ['tcp', 'udp']:
+                                (protocol, net, mask)
+                if protocol in ['tcp', 'udp']:
                     rule_xml += "dstportstart='%s' dstportend='%s' " % \
                                 (rule.from_port, rule.to_port)
-                elif rule.protocol == 'icmp':
+                elif protocol == 'icmp':
                     LOG.info('rule.protocol: %r, rule.from_port: %r, '
-                             'rule.to_port: %r', rule.protocol,
+                             'rule.to_port: %r', protocol,
                              rule.from_port, rule.to_port)
                     if rule.from_port != -1:
                         rule_xml += "type='%s' " % rule.from_port
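Review bot: `protocol = rule.protocol.lower()` has no guard for a missing protocol, while the IptablesFirewallDriver hunk in this same patch writes `rule.protocol.lower() if rule.protocol else None`. If a rule with a cidr can carry a null protocol, this line raises AttributeError while the filter XML is being built, so either the two drivers should share the guard or a comment should state that cidr rules always have a protocol here. On the IPv4 branch the value also becomes an XML element name through `"<%s srcipaddr='%s' srcipmask='%s' "`, without the lookup the IPv6 branch gets from `v6protocol[protocol]`. A check such as `if protocol not in ('tcp', 'udp', 'icmp'):` followed by an explicit error, placed before the rule is built, would make an unexpected stored value fail loudly instead of producing a filter that may not be applied. The enclosing method starts and ends outside the hunk.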
@@ -659,8 +660,8 @@ class IptablesFirewallDriver(FirewallDriver):
                 else:
                     fw_rules = ipv6_rules
 
-                protocol = rule.protocol
-                if version == 6 and rule.protocol == 'icmp':
+                protocol = rule.protocol.lower() if rule.protocol else None
+                if version == 6 and protocol == 'icmp':
                     protocol = 'icmpv6'
 
                 args = ['-j ACCEPT']
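Review bot: `protocol = rule.protocol.lower() if rule.protocol else None` needs a comment explaining why the driver normalises on read when the API layer now lowercases on write. The commit message says earlier rules were stored in the database as typed, so existing rows can still hold `TCP` or `Tcp`, and that reason is not visible at this line. Something like `# Rules saved before the API normalised case may be mixed-case; lowercase on read. protocol stays None when the rule has none.` would keep a later cleanup from removing the call and reintroducing rules that are silently not applied. Which rules reach this point without a protocol is not visible in the hunk, so that half of the comment should be confirmed against the surrounding loop.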