Posted to commits@cloudstack.apache.org by pe...@apache.org on 2024/02/06 17:41:06 UTC
(cloudstack) 02/17: NSX: Fix custom ACL check (#2)
This is an automated email from the ASF dual-hosted git repository.
pearl11594 pushed a commit to branch fr03-nsx-reorder-acl-rules
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 228240fa49dc6770a0f278dee9b34155f19be7d0
Author: Pearl Dsilva <pe...@gmail.com>
AuthorDate: Mon Jan 29 10:48:17 2024 -0500
NSX: Fix custom ACL check (#2)
* NSX: Fix custom ACL check
* NSX: Fix custom ACL check
---
.../com/cloud/network/vpc/NetworkACLServiceImpl.java | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 52d92f16117..d05ead6c143 100644
--- a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -20,6 +20,7 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
+import java.util.Locale;
import java.util.Map;
import java.util.Objects;
@@ -344,7 +345,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
if (isGlobalAcl(acl.getVpcId()) && !Account.Type.ADMIN.equals(caller.getType())) {
throw new PermissionDeniedException("Only Root Admins can create rules for a global ACL.");
}
- validateNsxConstraints(acl.getVpcId(), icmpType);
+ validateNsxConstraints(acl.getVpcId(), protocol, icmpType, icmpCode, sourcePortStart, sourcePortEnd);
validateAclRuleNumber(createNetworkACLCmd, acl);
NetworkACLItem.Action ruleAction = validateAndCreateNetworkAclRuleAction(action);
@@ -435,18 +436,27 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
}
}
- private void validateNsxConstraints(Long vpcId, Integer icpmType) {
+ private void validateNsxConstraints(long vpcId, String protocol, Integer icmpType,
+ Integer icmpCode, Integer sourcePortStart, Integer sourcePortEnd) {
VpcVO vpc = _vpcDao.findById(vpcId);
final DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
if (Objects.isNull(nsxProvider)) {
return;
}
- if (icpmType == -1) {
+
+ if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icmpType == -1 || icmpCode == -1)) {
String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
s_logger.error(errorMsg);
throw new InvalidParameterValueException(errorMsg);
}
+
+ if (List.of(NetUtils.TCP_PROTO, NetUtils.UDP_PROTO).contains(protocol.toLowerCase(Locale.ROOT)) &&
+ (Objects.isNull(sourcePortStart) || Objects.isNull(sourcePortEnd))) {
+ String errorMsg = "Source start and end ports are required to be passed";
+ s_logger.error(errorMsg);
+ throw new InvalidParameterValueException(errorMsg);
+ }
}
/**
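Review bot: The new ICMP guard `icmpType == -1 || icmpCode == -1` unboxes two `Integer` parameters, so an ICMP rule that arrives with a null type or code fails with a NullPointerException rather than the intended InvalidParameterValueException; the old `icpmType == -1` had the same hazard, and the rewrite extends it to `icmpCode` while its message still mentions only the type. A null-safe form is `(Integer.valueOf(-1).equals(icmpType) || Integer.valueOf(-1).equals(icmpCode))` with the message changed to `"Passing -1 for ICMP type or code is not supported for NSX enabled zones"`. `protocol.toLowerCase(Locale.ROOT)` likewise assumes `protocol` is non-null, which nothing in this hunk establishes for either caller; an explicit `Objects.requireNonNull(protocol, "protocol")` ahead of the first comparison would make that precondition visible. Changing the parameter from `Long` to `long vpcId` also moves a possible null-unboxing to the call sites, which pass `acl.getVpcId()`; if that value can be absent for the global ACLs tested at `isGlobalAcl(acl.getVpcId())`, the unboxing fails before the NSX early return is reached, and the `_vpcDao.findById(vpcId)` result is still dereferenced without a null check (pre-existing, but now on a path this commit touches).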
@@ -838,7 +848,8 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
NetworkACL acl = _networkAclMgr.getNetworkACL(networkACLItemVo.getAclId());
validateNetworkAcl(acl);
- validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getIcmpType());
+ validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getProtocol(), networkACLItemVo.getIcmpType(),
+ networkACLItemVo.getIcmpCode(), networkACLItemVo.getSourcePortStart(), networkACLItemVo.getSourcePortEnd());
Account account = CallContext.current().getCallingAccount();
validateGlobalAclPermissionAndAclAssociatedToVpc(acl, account, "Only Root Admins can update global ACLs.");
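Review bot: The update path feeds `validateNsxConstraints` with the protocol, ICMP type/code and source ports read from `networkACLItemVo` as returned by the lookup above, i.e. the persisted rule, not the values the update command asks for; if the command's fields are copied onto `networkACLItemVo` later in this method (outside the hunk), an update that sets the ICMP type or code to -1 or drops the TCP/UDP source ports is validated against the old values and reaches NSX unchecked. Unless the entity has already been populated from the command at this point, the call should move to after that transfer, or take the command's values directly, so the guard applies to what will actually be stored. The enclosing method starts and ends outside the hunk.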