def _validate_security_group_rule(context, rule): PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17} ALLOWED_WITH_RANGE = [6, 17] if rule.get("remote_ip_prefix") and rule.get("remote_group_id"): raise sg_ext.SecurityGroupRemoteGroupAndRemoteIpPrefix() protocol = rule.pop('protocol') port_range_min = rule['port_range_min'] port_range_max = rule['port_range_max'] if protocol: if isinstance(protocol, str): protocol = protocol.lower() protocol = PROTOCOLS.get(protocol) if not protocol: raise sg_ext.SecurityGroupRuleInvalidProtocol() if protocol in ALLOWED_WITH_RANGE: if (port_range_min is None) != (port_range_max is None): raise exceptions.InvalidInput( error_message="For TCP/UDP rules, cannot wildcard " "only one end of port range.") if port_range_min is not None and port_range_max is not None: if port_range_min > port_range_max: raise sg_ext.SecurityGroupInvalidPortRange() rule['protocol'] = protocol else: if port_range_min is not None or port_range_max is not None: raise sg_ext.SecurityGroupProtocolRequiredWithPorts() return rule
def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False): gce_rule = { 'sourceRanges': [], 'targetTags': [], 'allowed': [{}], 'priority': 1000 } directions = { 'ingress': 'INGRESS', } if rule['direction'] in directions: gce_rule['direction'] = directions[rule['direction']] else: raise SecurityGroupInvalidDirection(direction=rule['direction'], values=directions.keys()) if rule['ethertype'] != 'IPv4': raise sg.SecurityGroupRuleInvalidEtherType( ethertype=rule['ethertype'], values=('IPv4', )) if not validate: gce_rule['name'] = self._gce_secgrp_id(rule['id']) gce_rule['network'] = network_link gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp') protocol = rule['protocol'] if protocol is None: gce_rule['allowed'][0]['IPProtocol'] = 'all' elif protocol in gce_protocols: gce_rule['allowed'][0]['IPProtocol'] = protocol # GCE allows port specification for tcp and udp only if protocol in ('tcp', 'udp'): ports = [] port_range_max = rule['port_range_max'] port_range_min = rule['port_range_min'] if port_range_max is None or port_range_min is None: ports.append('0-65535') elif port_range_max == port_range_min: ports.append(str(port_range_max)) else: ports.append("%s-%s" % (port_range_min, port_range_max)) gce_rule['allowed'][0]['ports'] = ports else: raise sg.SecurityGroupRuleInvalidProtocol(protocol=protocol, values=gce_protocols) if rule['remote_ip_prefix'] is None: gce_rule['sourceRanges'].append('0.0.0.0/0') else: gce_rule['sourceRanges'].append(rule['remote_ip_prefix']) return gce_rule
def translate_protocol(protocol, ethertype): ether = translate_ethertype(ethertype) try: proto = int(protocol) except ValueError: proto = str(protocol).lower() proto = PROTOCOLS[ether].get(proto, -1) if not _is_allowed(proto, ether): # TODO(mdietz) This will change as neutron supports new protocols value_list = PROTOCOLS[ETHERTYPES["IPv4"]].keys() raise sg_ext.SecurityGroupRuleInvalidProtocol(protocol=protocol, values=value_list) return proto
def convert_sg_rule(openstack_rule, priority=None): directions = {'ingress': 'Inbound', 'egress': 'Outbound'} protocols = {'tcp': 'Tcp', 'udp': 'Udp'} # Asterix '*' is used to match all possible values. # E.g. In case of source_port_range it will allow all ports. # The default security group is allow all traffic, based on # user inputs we refine it further. sg_rule = { 'source_port_range': '*', 'destination_port_range': '*', 'source_address_prefix': '*', 'destination_address_prefix': '*', 'access': 'Allow', 'priority': priority } sg_rule['direction'] = directions[openstack_rule['direction']] if openstack_rule['ethertype'] != 'IPv4': raise sg.SecurityGroupRuleInvalidEtherType( ethertype=openstack_rule['ethertype'], values=('IPv4', )) protocol = openstack_rule['protocol'] if protocol is None: sg_rule['protocol'] = '*' elif protocol and protocol in protocols: sg_rule['protocol'] = protocols[protocol] else: raise sg.SecurityGroupRuleInvalidProtocol(protocol=protocol, values=protocols.keys()) port_range_min = openstack_rule['port_range_min'] port_range_max = openstack_rule['port_range_max'] if port_range_min and port_range_min == port_range_max: sg_rule['destination_port_range'] = str(port_range_min) elif port_range_min and port_range_max: sg_rule['destination_port_range'] = "%s-%s" % (port_range_min, port_range_max) if openstack_rule['remote_ip_prefix']: # TODO(ssudake21): Allow support for tags in source_address_prefix sg_rule['source_address_prefix'] = openstack_rule['remote_ip_prefix'] return sg_rule
def _validate_security_group_rule(context, rule): PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17} ALLOWED_WITH_RANGE = [6, 17] if rule.get("remote_ip_prefix") and rule.get("remote_group_id"): raise sg_ext.SecurityGroupRemoteGroupAndRemoteIpPrefix() protocol = rule.pop('protocol') port_range_min = rule['port_range_min'] port_range_max = rule['port_range_max'] if protocol: try: proto = int(protocol) except ValueError: proto = str(protocol).lower() proto = PROTOCOLS.get(proto, -1) # Please see http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers # The field is always 8 bits, and 255 is a reserved value if not (0 <= proto <= 254): raise sg_ext.SecurityGroupRuleInvalidProtocol( protocol=protocol, values=PROTOCOLS.keys()) if protocol in ALLOWED_WITH_RANGE: if (port_range_min is None) != (port_range_max is None): raise exceptions.InvalidInput( error_message="For TCP/UDP rules, cannot wildcard " "only one end of port range.") if port_range_min is not None and port_range_max is not None: if port_range_min > port_range_max: raise sg_ext.SecurityGroupInvalidPortRange() rule['protocol'] = protocol else: if port_range_min is not None or port_range_max is not None: raise sg_ext.SecurityGroupProtocolRequiredWithPorts() return rule