This is an automated email from the ASF dual-hosted git repository.

pearl11594 pushed a commit to branch nsx-egress-check
in repository https://gitbox.apache.org/repos/asf/cloudstack.git

commit 08f6928cfc3ae26dda557fd452a9af35a724f8b8
Author: Pearl Dsilva <[email protected]>
AuthorDate: Sat Jan 20 21:13:14 2024 -0500

    NSX: Add check for ICMP code / type for NSX zones
---
 .../network/firewall/FirewallManagerImpl.java      | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git 
a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java 
b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
index b08df5a3d1b..a816a70cdf3 100644
--- a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -22,12 +22,18 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.dc.DataCenter;
+import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.element.NsxProviderVO;
+import com.cloud.utils.db.EntityManager;
 import org.apache.cloudstack.api.command.user.firewall.IListFirewallRulesCmd;
 import org.apache.cloudstack.api.command.user.ipv6.ListIpv6FirewallRulesCmd;
 import org.apache.cloudstack.context.CallContext;
@@ -137,6 +143,10 @@ public class FirewallManagerImpl extends ManagerBase 
implements FirewallService,
     NetworkDao _networkDao;
     @Inject
     VpcManager _vpcMgr;
+    @Inject
+    EntityManager entityManager;
+    @Inject
+    NsxProviderDao nsxProviderDao;
     List<FirewallServiceProvider> _firewallElements;
 
     List<PortForwardingServiceProvider> _pfElements;
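Review bot: The two injected fields added at lines 45–48 do not follow the naming convention of their neighbours: `_networkDao` and `_vpcMgr` carry the underscore prefix used throughout this class, while `entityManager` and `nsxProviderDao` do not. Either keep the existing form (`EntityManager _entityManager;`, `NsxProviderDao _nsxProviderDao;`) or note that the class is deliberately moving away from the prefix, so the next reader does not take the mix for an oversight. The class body continues outside the hunk.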
@@ -689,6 +699,9 @@ public class FirewallManagerImpl extends ManagerBase 
implements FirewallService,
         }
 
         for (FirewallRuleVO rule : rules) {
+            // validate rule - for NSX
+            long networkId = rule.getNetworkId();
+            validateNsxConstraints(networkId, rule.getProtocol(), 
rule.getIcmpType(), rule.getIcmpCode());
             // load cidrs if any
             
rule.setSourceCidrList(_firewallCidrsDao.getSourceCidrs(rule.getId()));
             
rule.setDestinationCidrsList(_firewallDcidrsDao.getDestCidrs(rule.getId()));
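Review bot: The call to `validateNsxConstraints(...)` at line 59 runs once per rule inside the loop, and each invocation performs three lookups (network, data center, NSX provider), so a batch of rules that share a network pays the same round-trips repeatedly; remembering the NSX-enabled result per `networkId` across the loop, e.g. in a small `Map<Long, Boolean>`, would avoid that. This also validates at apply time: if the rules in this loop have already been persisted by the time the enclosing method runs (plausible for an apply path, but the method starts outside the hunk), the `InvalidParameterValueException` thrown here arrives after the invalid rule is in the table, so the same constraint should also be enforced where the rule is created. A short comment such as `// NSX cannot express "any" ICMP type/code; reject -1 before the rule reaches the provider` would explain the intent better than `// validate rule - for NSX`.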
@@ -710,6 +723,20 @@ public class FirewallManagerImpl extends ManagerBase 
implements FirewallService,
         return true;
     }
 
+    private void validateNsxConstraints(long networkId, String protocol, 
Integer icpmType, Integer icmpCode) {
+        final Network network = entityManager.findById(Network.class, 
networkId);
+        final DataCenter dc = entityManager.findById(DataCenter.class, 
network.getDataCenterId());
+        final NsxProviderVO nsxProvider = 
nsxProviderDao.findByZoneId(dc.getId());
+        if (Objects.isNull(nsxProvider)) {
+            return;
+        }
+        if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && 
(icpmType == -1 || icmpCode == -1)) {
+            String errorMsg = "Passing -1 for ICMP type is not supported for 
NSX enabled zones";
+            s_logger.error(errorMsg);
+            throw new InvalidParameterValueException(errorMsg);
+        }
+    }
+
     @Override
     public boolean applyDefaultEgressFirewallRule(Long networkId, boolean 
defaultPolicy, boolean add) throws ResourceUnavailableException {
 
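Review bot: `validateNsxConstraints` dereferences several values that can be null: `network` at line 73 if `findById` finds nothing, `protocol` at line 82, and the boxed `icpmType`/`icmpCode` parameters, which are unboxed by `== -1` and throw a `NullPointerException` for an ICMP rule whose type or code is unset — a caller then sees an NPE instead of the intended `InvalidParameterValueException`. The `DataCenter` lookup at lines 75–76 only round-trips to recover the same id the network already holds, so `nsxProviderDao.findByZoneId(network.getDataCenterId())` is enough and the new `DataCenter` import becomes unnecessary. The message at line 84 also mentions only the ICMP type although the condition rejects a `-1` code as well, and logging a user-supplied validation failure at `error` level lets any caller fill the error log; `warn` or `debug` is the usual level for rejected input. The parameter name `icpmType` is a typo for `icmpType`. Whether a null type/code should be treated like `-1` is not visible from the hunk and needs confirming; the sketch below rejects it explicitly rather than crashing.
```java
    private void validateNsxConstraints(long networkId, String protocol, Integer icmpType, Integer icmpCode) {
        final Network network = entityManager.findById(Network.class, networkId);
        if (network == null) {
            throw new InvalidParameterValueException("Unable to find network with ID: " + networkId);
        }
        // The data center id is already on the network; no separate DataCenter lookup needed
        final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(network.getDataCenterId());
        if (Objects.isNull(nsxProvider)) {
            return;
        }
        if (protocol == null || !NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT))) {
            return;
        }
        // NOTE(review): treats an unset (null) type/code like the -1 "any" sentinel — confirm this is the intended contract
        boolean anyType = icmpType == null || icmpType == -1;
        boolean anyCode = icmpCode == null || icmpCode == -1;
        if (anyType || anyCode) {
            String errorMsg = "Passing -1 for ICMP type or code is not supported for NSX enabled zones";
            s_logger.warn(errorMsg);
            throw new InvalidParameterValueException(errorMsg);
        }
    }
```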
