From 5b7452b4e57343ed481ba008373d189a873b3b1d Mon Sep 17 00:00:00 2001 From: Sachin Bansal Date: Thu, 1 Oct 2015 17:20:32 -0700 Subject: [PATCH] SG rule should be ignored if neither source or destination is 'local' It was was earlier possible to create a security group rule without specifying direction. Such rule cannot be applied, and hence should be ignored. We have already added check in api server to disallow such rules, but for pre-existing rules, adding a check in schema transforemer also. Change-Id: If67fd89dfcd718ad45b0f51f1b069e1f55ded522 Closes-Bug: 1474665 --- src/config/schema-transformer/config_db.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/config/schema-transformer/config_db.py b/src/config/schema-transformer/config_db.py index 45b8ff79dd4..6d46ecd9def 100644 --- a/src/config/schema-transformer/config_db.py +++ b/src/config/schema-transformer/config_db.py @@ -1525,6 +1525,12 @@ def policy_to_acl_rule(self, prule): if daddr.security_group == 'local': daddr_match.security_group = None acl_rule_list = ingress_acl_rule_list + if acl_rule_list is None: + self._logger.error("SG rule must have either source " + "or destination as 'local': " + + self.name) + continue + for dp in prule.dst_ports: action = ActionListType(simple_action='pass') match = MatchConditionType(arule_proto,
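Review bot: The new `if acl_rule_list is None:` guard can only detect a rule with no 'local' endpoint if `acl_rule_list` is reset to `None` for each source/destination pair, and that initialisation is outside the hunk (policy_to_acl_rule begins and ends beyond it). If the variable is set once before the loops, a list left over from an earlier pair would make a later non-local pair land in that earlier ACL instead of being skipped, so it is worth confirming that `acl_rule_list = None` runs before the source and destination 'local' checks of every pair. The error message names only the security group (`self.name`), so an operator cannot tell which rule was dropped from enforcement; adding an identifier taken from `prule` would make the skipped rule traceable. The `"..." + self.name` concatenation also raises TypeError when `self.name` is not a string, which would turn the intended skip into a failure of the whole transform; `"... as 'local': %s" % self.name` avoids that.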