def _validate_port_range(self, rule):
    """Validate the port bounds (or ICMP type/code) of a rule.

    ``rule`` is read as a mapping with the keys ``protocol``,
    ``port_range_min`` and ``port_range_max``. For ICMP the two bounds
    are checked as the ICMP type and code. Returns ``None`` when
    nothing is rejected.

    Raises:
        ext_sg.SecurityGroupProtocolRequiredWithPorts: a bound is set
            but ``protocol`` is empty.
        ext_sg.SecurityGroupInvalidPortValue: TCP/UDP with a bound of 0.
        ext_sg.SecurityGroupInvalidPortRange: TCP/UDP with a missing
            bound or with min greater than max.
        ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
            0..255.
        ext_sg.SecurityGroupMissingIcmpType: ICMP code without a type.
    """
    low = rule['port_range_min']
    high = rule['port_range_max']
    if low is None and high is None:
        # Nothing port-related was requested, so nothing to validate.
        return
    if not rule['protocol']:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

    ip_proto = self._get_ip_proto_number(rule['protocol'])
    if ip_proto in (constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP):
        if low == 0 or high == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        # Both bounds must be present and ordered. No upper bound is
        # enforced in this method.
        # NOTE(review): presumably the 65535 limit is checked by the
        # caller or the API layer -- confirm.
        if low is None or high is None or not low <= high:
            raise ext_sg.SecurityGroupInvalidPortRange()
        return

    if ip_proto == constants.PROTO_NUM_ICMP:
        # For ICMP the min/max slots carry the 8-bit type and code.
        for attr, field, value in (('port_range_min', 'type', low),
                                   ('port_range_max', 'code', high)):
            if value is None:
                continue
            if not 0 <= value <= 255:
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)
        if low is None and high is not None:
            # A code is meaningless without the type it qualifies.
            raise ext_sg.SecurityGroupMissingIcmpType(value=high)
        return

    # NOTE(review): any other protocol reaches this point with at least
    # one bound set and is accepted without validation. Whether a later
    # layer rejects or silently ignores those bounds is not visible
    # here; if they are ignored, the enforced rule is broader than the
    # one the caller asked for -- confirm.
 def _validate_port_range(self, rule):
     """Validate the port bounds (or ICMP type/code) of a rule.

     ``rule`` is read as a mapping with the keys ``protocol``,
     ``port_range_min`` and ``port_range_max``. For ICMP and ICMPv6 the
     two bounds are checked as the ICMP type and code. Returns ``None``
     when nothing is rejected.

     Raises:
         ext_sg.SecurityGroupProtocolRequiredWithPorts: a bound is set
             but ``protocol`` is empty.
         ext_sg.SecurityGroupInvalidPortValue: a port-based protocol
             with a bound of 0.
         ext_sg.SecurityGroupInvalidPortRange: a port-based protocol
             with a missing bound or with min greater than max.
         ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
             0..255.
         ext_sg.SecurityGroupMissingIcmpType: ICMP code without a type.
     """
     low = rule['port_range_min']
     high = rule['port_range_max']
     if low is None and high is None:
         # Nothing port-related was requested, so nothing to validate.
         return
     if not rule['protocol']:
         raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

     ip_proto = self._get_ip_proto_number(rule['protocol'])
     # Not every firewall_driver supports all of these protocols, but
     # being strict here doesn't hurt.
     port_protos = (
         constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
         constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
         constants.PROTO_NUM_UDPLITE,
     )
     if ip_proto in port_protos:
         if low == 0 or high == 0:
             raise ext_sg.SecurityGroupInvalidPortValue(port=0)
         # Both bounds must be present and ordered. No upper bound is
         # enforced in this method.
         # NOTE(review): presumably the 65535 limit is checked by the
         # caller or the API layer -- confirm.
         if low is None or high is None or not low <= high:
             raise ext_sg.SecurityGroupInvalidPortRange()
         return

     icmp_protos = (
         constants.PROTO_NUM_ICMP, constants.PROTO_NUM_IPV6_ICMP,
     )
     if ip_proto in icmp_protos:
         # For ICMP the min/max slots carry the 8-bit type and code.
         for attr, field, value in (('port_range_min', 'type', low),
                                    ('port_range_max', 'code', high)):
             if value is None:
                 continue
             if not 0 <= value <= 255:
                 raise ext_sg.SecurityGroupInvalidIcmpValue(
                     field=field, attr=attr, value=value)
         if low is None and high is not None:
             # A code is meaningless without the type it qualifies.
             raise ext_sg.SecurityGroupMissingIcmpType(value=high)
         return

     # NOTE(review): any other protocol reaches this point with at least
     # one bound set and is accepted without validation. Whether a later
     # layer rejects or silently ignores those bounds is not visible
     # here; if they are ignored, the enforced rule is broader than the
     # one the caller asked for -- confirm.
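 def _validate_port_range(self, rule):
     """Validate the port bounds (or ICMP type/code) of a rule.

     ``rule`` is read as a mapping with the keys ``protocol``,
     ``port_range_min`` and ``port_range_max``. For ICMP the two bounds
     are checked as the ICMP type and code. Returns ``None`` when
     nothing is rejected.

     Raises:
         ext_sg.SecurityGroupProtocolRequiredWithPorts: a bound is set
             but ``protocol`` is empty.
         ext_sg.SecurityGroupInvalidPortRange: TCP/UDP with a missing
             bound or with min greater than max.
         ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
             0..255.
     """
     port_min = rule['port_range_min']
     port_max = rule['port_range_max']
     if port_min is None and port_max is None:
         # Nothing port-related was requested, so nothing to validate.
         return
     if not rule['protocol']:
         raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

     ip_proto = self._get_ip_proto_number(rule['protocol'])
     if ip_proto in (constants.TCP_PROTOCOL, constants.UDP_PROTOCOL):
         # Test for None explicitly before comparing: ordering an int
         # against None raises TypeError on Python 3 instead of
         # producing the intended validation error.
         if port_min is None or port_max is None or port_min > port_max:
             raise ext_sg.SecurityGroupInvalidPortRange()
         # NOTE(review): port 0 and ports above 65535 are not rejected
         # here -- confirm that another layer enforces those limits.
     elif ip_proto == constants.ICMP_PROTOCOL:
         # For ICMP the min/max slots carry the 8-bit type and code, so
         # each supplied value must lie in 0..255. An unset slot is
         # skipped rather than compared with an int.
         for attr, field in (('port_range_min', 'type'),
                             ('port_range_max', 'code')):
             value = rule[attr]
             if value is not None and not 0 <= value <= 255:
                 raise ext_sg.SecurityGroupInvalidIcmpValue(
                     field=field, attr=attr, value=value)
         # NOTE(review): an ICMP code supplied without a type is still
         # accepted here -- confirm whether that is intended.
     # NOTE(review): for any other protocol the bounds are accepted
     # without validation; whether they are later rejected or silently
     # ignored is not visible here -- confirm.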
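def validate_protocol_with_port_ranges(ethertype, protocol, port_range_min,
                                       port_range_max):
    """Validate port bounds (or ICMP type/code) for a protocol.

    Only protocols listed in ``ALLOWED_WITH_RANGE`` are checked. For the
    ICMP protocol of the given ``ethertype`` the bounds are checked as
    the ICMP type and code; for the remaining protocols they are checked
    as a port range. Returns ``None`` when nothing is rejected.

    Raises:
        sg_ext.SecurityGroupMissingIcmpType: ICMP code without a type.
        sg_ext.SecurityGroupInvalidIcmpValue: ICMP type or code outside
            0..255.
        n_exc.InvalidInput: only one port bound supplied, or a bound
            outside MIN_PORT..MAX_PORT.
        sg_ext.SecurityGroupInvalidPortRange: min greater than max.
    """
    if protocol not in ALLOWED_WITH_RANGE:
        # NOTE(review): bounds supplied with any other protocol are not
        # validated here; whether they are later rejected or silently
        # ignored is not visible from this function -- confirm.
        return

    if protocol == PROTOCOL_MAP[ethertype]["icmp"]:
        if port_range_min is None:
            if port_range_max is not None:
                # A code is meaningless without the type it qualifies.
                raise sg_ext.SecurityGroupMissingIcmpType(
                    value=port_range_max)
            return

        # NOTE(review): ``field`` carries the rule attribute name and
        # ``attr`` the ICMP field name; confirm this matches the
        # placeholders in SecurityGroupInvalidIcmpValue's message.
        if port_range_min < 0 or port_range_min > 255:
            raise sg_ext.SecurityGroupInvalidIcmpValue(
                field="port_range_min", attr="type", value=port_range_min)

        # The range test is parenthesised so that it only runs when a
        # code was supplied. Written as ``a and b or c``, the upper
        # bound comparison was evaluated even for None, which raises
        # TypeError on Python 3.
        if port_range_max is not None and (port_range_max < 0 or
                                           port_range_max > 255):
            raise sg_ext.SecurityGroupInvalidIcmpValue(
                field="port_range_max", attr="code", value=port_range_max)
        return

    if (port_range_min is None) != (port_range_max is None):
        # TODO(anyone): what exactly is a TCP or UDP rule without
        #               ports?
        raise n_exc.InvalidInput(
            error_message="For TCP/UDP rules, port_range_min and "
            "port_range_max must either both be supplied"
            ", or neither of them")

    if port_range_min is not None and port_range_max is not None:
        if port_range_min > port_range_max:
            raise sg_ext.SecurityGroupInvalidPortRange()

        # min <= max holds here, so checking the lower bound of min and
        # the upper bound of max covers both values.
        if port_range_min < MIN_PORT or port_range_max > MAX_PORT:
            raise n_exc.InvalidInput(
                error_message="port_range_min and port_range_max must "
                "be >= %s and <= %s" % (MIN_PORT, MAX_PORT))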
 def _validate_port_range(self, rule):
     """Validate the port bounds (or ICMP type/code) of a rule.

     ``rule`` is read as a mapping with the keys ``protocol``,
     ``port_range_min`` and ``port_range_max``. For ICMP and ICMPv6 the
     two bounds are checked as the ICMP type and code. A protocol that
     is neither port-based nor ICMP is rejected when any bound is set.
     Returns ``None`` when nothing is rejected.

     Raises:
         ext_sg.SecurityGroupProtocolRequiredWithPorts: a bound is set
             but ``protocol`` is empty.
         ext_sg.SecurityGroupInvalidPortValue: a port-based protocol
             with a bound of 0.
         ext_sg.SecurityGroupInvalidPortRange: a port-based protocol
             with a missing bound or with min greater than max.
         ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
             0..255.
         ext_sg.SecurityGroupMissingIcmpType: ICMP code without a type.
         ext_sg.SecurityGroupInvalidProtocolForPort: bounds given for a
             protocol that is neither port-based nor ICMP.
     """
     low = rule['port_range_min']
     high = rule['port_range_max']
     if low is None and high is None:
         # Nothing port-related was requested, so nothing to validate.
         return
     if not rule['protocol']:
         raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

     ip_proto = self._get_ip_proto_number(rule['protocol'])
     # Not every firewall_driver supports all of these protocols, but
     # being strict here doesn't hurt.
     uses_ports = (ip_proto in const.SG_PORT_PROTO_NUMS
                   or ip_proto in const.SG_PORT_PROTO_NAMES)
     if uses_ports:
         if low == 0 or high == 0:
             raise ext_sg.SecurityGroupInvalidPortValue(port=0)
         # Equal bounds simply describe a single port. No upper bound
         # is enforced in this method.
         # NOTE(review): presumably the 65535 limit is checked by the
         # caller or the API layer -- confirm.
         if low is None or high is None or not low <= high:
             raise ext_sg.SecurityGroupInvalidPortRange()
         return

     icmp_protos = (
         constants.PROTO_NUM_ICMP, constants.PROTO_NUM_IPV6_ICMP,
     )
     if ip_proto in icmp_protos:
         # For ICMP the min/max slots carry the 8-bit type and code.
         for attr, field, value in (('port_range_min', 'type', low),
                                    ('port_range_max', 'code', high)):
             if value is None:
                 continue
             if not 0 <= value <= 255:
                 raise ext_sg.SecurityGroupInvalidIcmpValue(
                     field=field, attr=attr, value=value)
         if low is None and high is not None:
             # A code is meaningless without the type it qualifies.
             raise ext_sg.SecurityGroupMissingIcmpType(value=high)
         return

     # Only the protocols handled above support ports. Rejecting the
     # rule keeps bounds from being accepted for a protocol that has no
     # notion of ports.
     if low is not None or high is not None:
         port_protocols = ', '.join(
             name.upper() for name in const.SG_PORT_PROTO_NAMES)
         raise ext_sg.SecurityGroupInvalidProtocolForPort(
             protocol=ip_proto, valid_port_protocols=port_protocols)