This is an automated email from the ASF dual-hosted git repository. pearl11594 pushed a commit to branch fr03-nsx-reorder-acl-rules in repository https://gitbox.apache.org/repos/asf/cloudstack.git
commit 228240fa49dc6770a0f278dee9b34155f19be7d0 Author: Pearl Dsilva <pearl1...@gmail.com> AuthorDate: Mon Jan 29 10:48:17 2024 -0500 NSX: Fix custom ACL check (#2) * NSX: Fix custom ACL check * NSX: Fix custom ACL check --- .../com/cloud/network/vpc/NetworkACLServiceImpl.java | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
index 52d92f16117..d05ead6c143 100644
--- a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
@@ -20,6 +20,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
@@ -344,7 +345,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 if (isGlobalAcl(acl.getVpcId()) && !Account.Type.ADMIN.equals(caller.getType())) {
 throw new PermissionDeniedException("Only Root Admins can create rules for a global ACL.");
 }
- validateNsxConstraints(acl.getVpcId(), icmpType);
+ validateNsxConstraints(acl.getVpcId(), protocol, icmpType, icmpCode, sourcePortStart, sourcePortEnd);
 validateAclRuleNumber(createNetworkACLCmd, acl);
 NetworkACLItem.Action ruleAction = validateAndCreateNetworkAclRuleAction(action); 
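Review bot: `acl.getVpcId()` is now passed to a parameter declared as primitive `long` in the hunk below, so a null vpcId fails with a NullPointerException at this call site rather than inside the callee; the `isGlobalAcl(acl.getVpcId())` check just above treats the value as possibly not a regular VPC id, so confirm it can never be null here. The call is also reached for global ACLs when the caller is an admin, and validateNsxConstraints dereferences `vpc.getZoneId()` without checking that `_vpcDao.findById(vpcId)` found a row; if a global ACL's vpcId has no VPC record, the NSX check ends in an NPE instead of being skipped, so a guard such as `if (vpc == null) { return; }` after the lookup looks warranted. The enclosing method starts and ends outside the hunk.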
@@ -435,18 +436,27 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 }
 }
- private void validateNsxConstraints(Long vpcId, Integer icpmType) {
+ private void validateNsxConstraints(long vpcId, String protocol, Integer icmpType,
+ Integer icmpCode, Integer sourcePortStart, Integer sourcePortEnd) {
 VpcVO vpc = _vpcDao.findById(vpcId);
 final DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
 final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
 if (Objects.isNull(nsxProvider)) {
 return;
 }
- if (icpmType == -1) {
+
+ if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icmpType == -1 || icmpCode == -1)) {
 String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
 s_logger.error(errorMsg);
 throw new InvalidParameterValueException(errorMsg);
 }
+
+ if (List.of(NetUtils.TCP_PROTO, NetUtils.UDP_PROTO).contains(protocol.toLowerCase(Locale.ROOT)) &&
+ (Objects.isNull(sourcePortStart) || Objects.isNull(sourcePortEnd))) {
+ String errorMsg = "Source start and end ports are required to be passed";
+ s_logger.error(errorMsg);
+ throw new InvalidParameterValueException(errorMsg);
+ }
 }
 /**
@@ -838,7 +848,8 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 NetworkACL acl = _networkAclMgr.getNetworkACL(networkACLItemVo.getAclId());
 validateNetworkAcl(acl);
- validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getIcmpType());
+ validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getProtocol(), networkACLItemVo.getIcmpType(),
+ networkACLItemVo.getIcmpCode(), networkACLItemVo.getSourcePortStart(), networkACLItemVo.getSourcePortEnd());
 Account account = CallContext.current().getCallingAccount();
 validateGlobalAclPermissionAndAclAssociatedToVpc(acl, account, "Only Root Admins can update global ACLs.");
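Review bot: `protocol.toLowerCase(Locale.ROOT)` in both new conditions throws NullPointerException when `protocol` is null, and `icmpType == -1` / `icmpCode == -1` unbox and do the same when either Integer is null; whether every caller guarantees non-null values is not visible in the hunk. A null-safe form avoids both, e.g. `if (NetUtils.ICMP_PROTO.equalsIgnoreCase(protocol) && (Objects.equals(icmpType, -1) || Objects.equals(icmpCode, -1))) {` and `if ((NetUtils.TCP_PROTO.equalsIgnoreCase(protocol) || NetUtils.UDP_PROTO.equalsIgnoreCase(protocol)) && (sourcePortStart == null || sourcePortEnd == null)) {`, which also drops the per-call `List.of(...)` allocation and the need for `Locale`. The message `"Passing -1 for ICMP type is not supported for NSX enabled zones"` no longer matches its condition, which now rejects `icmpCode == -1` as well; `"Passing -1 for ICMP type or code is not supported for NSX enabled zones"` would. A short comment above the checks, e.g. `// NSX-enabled zones do not accept -1 (any) for ICMP type/code or TCP/UDP rules without source ports.`, would record why the validation applies only when an NSX provider exists in the zone.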
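Review bot: The NSX check in the update path reads `networkACLItemVo.getProtocol()`, `getIcmpType()`, `getIcmpCode()` and the source ports from the stored rule rather than from the update command; if the command's new values are copied into the VO later in this method (the method continues outside the hunk), an update that sets the ICMP type or code to -1, or clears the source ports, on an existing rule in an NSX zone is not caught here. Moving the call to after the VO has been populated from the command, or passing the command's values directly, closes that gap. The enclosing method starts and ends outside the hunk.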