This is an automated email from the ASF dual-hosted git repository.

pearl11594 pushed a commit to branch fr03-nsx-reorder-acl-rules
in repository https://gitbox.apache.org/repos/asf/cloudstack.git

commit 228240fa49dc6770a0f278dee9b34155f19be7d0
Author: Pearl Dsilva <pearl1...@gmail.com>
AuthorDate: Mon Jan 29 10:48:17 2024 -0500

    NSX: Fix custom ACL check (#2)
    
    * NSX: Fix custom ACL check
    
    * NSX: Fix custom ACL check
---
 .../com/cloud/network/vpc/NetworkACLServiceImpl.java  | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git 
a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java 
b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 52d92f16117..d05ead6c143 100644
--- a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -20,6 +20,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 
@@ -344,7 +345,7 @@ public class NetworkACLServiceImpl extends ManagerBase 
implements NetworkACLServ
         if (isGlobalAcl(acl.getVpcId()) && 
!Account.Type.ADMIN.equals(caller.getType())) {
             throw new PermissionDeniedException("Only Root Admins can create 
rules for a global ACL.");
         }
-        validateNsxConstraints(acl.getVpcId(), icmpType);
+        validateNsxConstraints(acl.getVpcId(), protocol, icmpType, icmpCode, 
sourcePortStart, sourcePortEnd);
         validateAclRuleNumber(createNetworkACLCmd, acl);
 
         NetworkACLItem.Action ruleAction = 
validateAndCreateNetworkAclRuleAction(action);
@@ -435,18 +436,27 @@ public class NetworkACLServiceImpl extends ManagerBase 
implements NetworkACLServ
         }
     }
 
-    private void validateNsxConstraints(Long vpcId, Integer icpmType) {
+    private void validateNsxConstraints(long vpcId, String protocol, Integer 
icmpType,
+                                        Integer icmpCode, Integer 
sourcePortStart, Integer sourcePortEnd) {
         VpcVO vpc = _vpcDao.findById(vpcId);
         final DataCenter dc = _entityMgr.findById(DataCenter.class, 
vpc.getZoneId());
         final NsxProviderVO nsxProvider = 
nsxProviderDao.findByZoneId(dc.getId());
         if (Objects.isNull(nsxProvider)) {
             return;
         }
-        if (icpmType == -1) {
+
+        if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && 
(icmpType == -1 || icmpCode == -1)) {
             String errorMsg = "Passing -1 for ICMP type is not supported for 
NSX enabled zones";
             s_logger.error(errorMsg);
             throw new InvalidParameterValueException(errorMsg);
         }
+
+        if (List.of(NetUtils.TCP_PROTO, 
NetUtils.UDP_PROTO).contains(protocol.toLowerCase(Locale.ROOT)) &&
+                (Objects.isNull(sourcePortStart) || 
Objects.isNull(sourcePortEnd))) {
+            String errorMsg = "Source start and end ports are required to be 
passed";
+            s_logger.error(errorMsg);
+            throw new InvalidParameterValueException(errorMsg);
+        }
     }
 
     /**
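Review bot: The new ICMP check compares `icmpType` and `icmpCode` to -1 with `==`, which unboxes both `Integer` parameters, so a null in either one throws a NullPointerException instead of the intended InvalidParameterValueException; `protocol.toLowerCase(Locale.ROOT)` fails the same way on a null protocol. Whether callers can pass null is not visible in this hunk, but the TCP/UDP branch just below already treats the port arguments as nullable, so a null-safe form such as `Objects.equals(icmpType, -1) || Objects.equals(icmpCode, -1)` would be consistent with it. The error text also names only the ICMP type although a -1 code is rejected too; `"Passing -1 for ICMP type or code is not supported for NSX enabled zones"` would match the condition.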
@@ -838,7 +848,8 @@ public class NetworkACLServiceImpl extends ManagerBase 
implements NetworkACLServ
 
         NetworkACL acl = 
_networkAclMgr.getNetworkACL(networkACLItemVo.getAclId());
         validateNetworkAcl(acl);
-        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getIcmpType());
+        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getProtocol(), 
networkACLItemVo.getIcmpType(),
+                networkACLItemVo.getIcmpCode(), 
networkACLItemVo.getSourcePortStart(), networkACLItemVo.getSourcePortEnd());
         Account account = CallContext.current().getCallingAccount();
         validateGlobalAclPermissionAndAclAssociatedToVpc(acl, account, "Only 
Root Admins can update global ACLs.");
 
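Review bot: The arguments passed to `validateNsxConstraints` are all read from `networkACLItemVo`, so the check sees whatever that object holds at this point in the method. The surrounding method starts and ends outside the hunk; if the values from the update request are copied onto `networkACLItemVo` only after this call, the NSX constraints are validated against the stored rule, and an update could introduce a protocol, ICMP type/code or port combination that was never checked. In that case the call should move to after the request values are applied, with a comment such as `// validate the rule as it will be persisted, not as currently stored`.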
