def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False):
gce_rule = {
'sourceRanges': [],
'targetTags': [],
'allowed': [{}],
'priority': 1000
}
directions = {
'ingress': 'INGRESS',
}
if rule['direction'] in directions:
gce_rule['direction'] = directions[rule['direction']]
else:
raise SecurityGroupInvalidDirection(direction=rule['direction'],
values=directions.keys())
if rule['ethertype'] != 'IPv4':
raise sg.SecurityGroupRuleInvalidEtherType(
ethertype=rule['ethertype'], values=('IPv4', ))
if not validate:
gce_rule['name'] = self._gce_secgrp_id(rule['id'])
gce_rule['network'] = network_link
gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
protocol = rule['protocol']
if protocol is None:
gce_rule['allowed'][0]['IPProtocol'] = 'all'
elif protocol in gce_protocols:
gce_rule['allowed'][0]['IPProtocol'] = protocol
# GCE allows port specification for tcp and udp only
if protocol in ('tcp', 'udp'):
ports = []
port_range_max = rule['port_range_max']
port_range_min = rule['port_range_min']
if port_range_max is None or port_range_min is None:
ports.append('0-65535')
elif port_range_max == port_range_min:
ports.append(str(port_range_max))
else:
ports.append("%s-%s" % (port_range_min, port_range_max))
gce_rule['allowed'][0]['ports'] = ports
else:
raise sg.SecurityGroupRuleInvalidProtocol(protocol=protocol,
values=gce_protocols)
if rule['remote_ip_prefix'] is None:
gce_rule['sourceRanges'].append('0.0.0.0/0')
else:
gce_rule['sourceRanges'].append(rule['remote_ip_prefix'])
return gce_rule
def convert_sg_rule(openstack_rule, priority=None):
directions = {'ingress': 'Inbound', 'egress': 'Outbound'}
protocols = {'tcp': 'Tcp', 'udp': 'Udp'}
# Asterix '*' is used to match all possible values.
# E.g. In case of source_port_range it will allow all ports.
# The default security group is allow all traffic, based on
# user inputs we refine it further.
sg_rule = {
'source_port_range': '*',
'destination_port_range': '*',
'source_address_prefix': '*',
'destination_address_prefix': '*',
'access': 'Allow',
'priority': priority
}
sg_rule['direction'] = directions[openstack_rule['direction']]
if openstack_rule['ethertype'] != 'IPv4':
raise sg.SecurityGroupRuleInvalidEtherType(
ethertype=openstack_rule['ethertype'], values=('IPv4', ))
protocol = openstack_rule['protocol']
if protocol is None:
sg_rule['protocol'] = '*'
elif protocol and protocol in protocols:
sg_rule['protocol'] = protocols[protocol]
else:
raise sg.SecurityGroupRuleInvalidProtocol(protocol=protocol,
values=protocols.keys())
port_range_min = openstack_rule['port_range_min']
port_range_max = openstack_rule['port_range_max']
if port_range_min and port_range_min == port_range_max:
sg_rule['destination_port_range'] = str(port_range_min)
elif port_range_min and port_range_max:
sg_rule['destination_port_range'] = "%s-%s" % (port_range_min,
port_range_max)
if openstack_rule['remote_ip_prefix']:
# TODO(ssudake21): Allow support for tags in source_address_prefix
sg_rule['source_address_prefix'] = openstack_rule['remote_ip_prefix']
return sg_rule