Merge "Allow security group rules other than tcp,icmp,udp and any"

src/config/api-server/vnc_cfg_types.py

@@ -933,13 +933,24 @@ def validate_dns_record(cls, obj_dict, db_conn):
     # end validate_dns_record
 # end class VirtualDnsRecordServer
 
-def _check_policy_rule_uuid(entries):
+def _check_policy_rules(entries):
     if not entries:
-        return
+        return True, ""
     for rule in entries.get('policy_rule') or []:
         if not rule.get('rule_uuid'):
             rule['rule_uuid'] = str(uuid.uuid4())
-# end _check_policy_rule_uuid
+        protocol = rule['protocol']
+        if protocol.isdigit():
+            if int(protocol) < 0 or int(protocol) > 255:
+                return (False, (400, 'Rule with invalid protocol : %s' % \
+                    rule['protocol']))
+        else:
+            valids = ['any', 'icmp', 'tcp', 'udp']
+            if protocol not in valids:
+                return (False, (400, 'Rule with invalid protocol : %s' % \
+                    rule['protocol']))
+    return True, ""
+# end _check_policy_rules
 
 class SecurityGroupServer(SecurityGroupServerGen):
     generate_default_instance = False
@@ -958,9 +969,7 @@ def http_post_collection(cls, tenant_name, obj_dict, db_conn):
         if not ok:
             return (ok, response)
 
-        _check_policy_rule_uuid(obj_dict.get('security_group_entries'))
-
-        return True, ""
+        return _check_policy_rules(obj_dict.get('security_group_entries'))
     # end http_post_collection
 
     @classmethod
@@ -991,8 +1000,7 @@ def http_put(cls, id, fq_name, obj_dict, db_conn):
                 if not ok:
                     return (False, (403, pformat(fq_name) + ' : ' + quota_limit))
 
-        _check_policy_rule_uuid(obj_dict.get('security_group_entries'))
-        return True, ""
+        return _check_policy_rules(obj_dict.get('security_group_entries'))
     # end http_put
 
 # end class SecurityGroupServer
@@ -1014,13 +1022,12 @@ def http_post_collection(cls, tenant_name, obj_dict, db_conn):
         if not ok:
             return (ok, response)
 
-        _check_policy_rule_uuid(obj_dict.get('network_policy_entries'))
         try:
             cls._check_policy(obj_dict)
         except Exception as e:
             return (False, (500, str(e)))
 
-        return True, ""
+        return _check_policy_rules(obj_dict.get('network_policy_entries'))
     # end http_post_collection
 
     @classmethod
@@ -1029,8 +1036,8 @@ def http_put(cls, id, fq_name, obj_dict, db_conn):
         (read_ok, read_result) = db_conn.dbe_read('network-policy', p_id)
         if not read_ok:
             return (False, (500, read_result))
-        _check_policy_rule_uuid(obj_dict.get('network_policy_entries'))
-        return True, ""
+
+        return _check_policy_rules(obj_dict.get('network_policy_entries'))
     # end http_put
 
     @classmethod

src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py

@@ -1134,15 +1134,25 @@ def _security_group_rule_neutron_to_vnc(self, sgr_q, oper):
 
             if not sgr_q['protocol']:
                 sgr_q['protocol'] = 'any'
-            protos = ['any', constants.PROTO_NAME_TCP, str(constants.PROTO_NUM_TCP),
-                      constants.PROTO_NAME_UDP, str(constants.PROTO_NUM_UDP),
-                      constants.PROTO_NAME_ICMP, str(constants.PROTO_NUM_ICMP)]
-            if sgr_q['protocol'] not in protos:
-                protos = [constants.PROTO_NAME_TCP, constants.PROTO_NAME_UDP,
-                          constants.PROTO_NAME_ICMP]
+
+            invalid = False
+            protos = ['any',
+                      constants.PROTO_NAME_TCP,
+                      constants.PROTO_NAME_UDP,
+                      constants.PROTO_NAME_ICMP]
+            if sgr_q['protocol'].isdigit():
+                protocol = int(sgr_q['protocol'])
+                if protocol < 0 or protocol > 255:
+                    invalid = True
+            else:
+                if sgr_q['protocol'] not in protos:
+                    invalid = True
+
+            if invalid:
                 self._raise_contrail_exception(
                     'SecurityGroupRuleInvalidProtocol',
-                    protocol=sgr_q['protocol'], values=protos)
+                    protocol=sgr_q['protocol'],
+                    values=protos)
 
             if not sgr_q['remote_ip_prefix'] and not sgr_q['remote_group_id']:
                 if not sgr_q['ethertype']:

src/schema/vnc_cfg.xsd

@@ -118,20 +118,6 @@ targetNamespace="http://www.contrailsystems.com/2012/VNC-CONFIG/0">
     </xsd:all>
 </xsd:complexType>
 
-<xsd:simpleType name="ProtocolType">
-    <xsd:restriction base="xsd:string">
-        <xsd:enumeration value="tcp"/>
-        <xsd:enumeration value="udp"/>
-        <xsd:enumeration value="icmp"/>
-        <xsd:enumeration value="any"/>
-        <xsd:enumeration value="1"/>
-        <xsd:enumeration value="6"/>
-        <xsd:enumeration value="17"/>
-    </xsd:restriction>
-</xsd:simpleType>
-<!--#IFMAP-SEMANTICS-IDL 
-     Type('ProtocolType', ['string-enum']) -->
-
 <xsd:complexType name="AddressType">
     <xsd:choice>
         <xsd:element name="subnet" type="SubnetType"/>
@@ -232,7 +218,7 @@ targetNamespace="http://www.contrailsystems.com/2012/VNC-CONFIG/0">
         <xsd:element name="rule-sequence"    type="SequenceType"/> <!-- dummy till ui etc. remove it -->
         <xsd:element name="rule-uuid"        type="xsd:string"/>
         <xsd:element name="direction"        type="DirectionType"/>
-        <xsd:element name="protocol"         type="ProtocolType"/>
+        <xsd:element name="protocol"         type="xsd:string"/>
         <xsd:element name="src-addresses"      type="AddressType"
                                              maxOccurs="unbounded"/>
         <xsd:element name="src-ports"         type="PortType"