def _validate_security_group_rule(context, rule):
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
ALLOWED_WITH_RANGE = [6, 17]
if rule.get("remote_ip_prefix") and rule.get("remote_group_id"):
raise sg_ext.SecurityGroupRemoteGroupAndRemoteIpPrefix()
protocol = rule.pop('protocol')
port_range_min = rule['port_range_min']
port_range_max = rule['port_range_max']
if protocol:
if isinstance(protocol, str):
protocol = protocol.lower()
protocol = PROTOCOLS.get(protocol)
if not protocol:
raise sg_ext.SecurityGroupRuleInvalidProtocol()
if protocol in ALLOWED_WITH_RANGE:
if (port_range_min is None) != (port_range_max is None):
raise exceptions.InvalidInput(
error_message="For TCP/UDP rules, cannot wildcard "
"only one end of port range.")
if port_range_min is not None and port_range_max is not None:
if port_range_min > port_range_max:
raise sg_ext.SecurityGroupInvalidPortRange()
rule['protocol'] = protocol
else:
if port_range_min is not None or port_range_max is not None:
raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
return rule
def _convert_secgrp_rule_to_gce(self, rule, network_link, validate=False):
gce_rule = {
'sourceRanges': [],
'targetTags': [],
'allowed': [{}],
'priority': 1000
}
directions = {
'ingress': 'INGRESS',
}
if rule['direction'] in directions:
gce_rule['direction'] = directions[rule['direction']]
else:
raise SecurityGroupInvalidDirection(direction=rule['direction'],
values=directions.keys())
if rule['ethertype'] != 'IPv4':
raise sg.SecurityGroupRuleInvalidEtherType(
ethertype=rule['ethertype'], values=('IPv4', ))
if not validate:
gce_rule['name'] = self._gce_secgrp_id(rule['id'])
gce_rule['network'] = network_link
gce_protocols = ('tcp', 'udp', 'icmp', 'esp', 'ah', 'sctp')
protocol = rule['protocol']
if protocol is None:
gce_rule['allowed'][0]['IPProtocol'] = 'all'
elif protocol in gce_protocols:
gce_rule['allowed'][0]['IPProtocol'] = protocol
# GCE allows port specification for tcp and udp only
if protocol in ('tcp', 'udp'):
ports = []
port_range_max = rule['port_range_max']
port_range_min = rule['port_range_min']
if port_range_max is None or port_range_min is None:
ports.append('0-65535')
elif port_range_max == port_range_min:
ports.append(str(port_range_max))
else:
ports.append("%s-%s" % (port_range_min, port_range_max))
gce_rule['allowed'][0]['ports'] = ports
else:
raise sg.SecurityGroupRuleInvalidProtocol(protocol=protocol,
values=gce_protocols)
if rule['remote_ip_prefix'] is None:
gce_rule['sourceRanges'].append('0.0.0.0/0')
else:
gce_rule['sourceRanges'].append(rule['remote_ip_prefix'])
return gce_rule
def translate_protocol(protocol, ethertype):
ether = translate_ethertype(ethertype)
try:
proto = int(protocol)
except ValueError:
proto = str(protocol).lower()
proto = PROTOCOLS[ether].get(proto, -1)
if not _is_allowed(proto, ether):
# TODO(mdietz) This will change as neutron supports new protocols
value_list = PROTOCOLS[ETHERTYPES["IPv4"]].keys()
raise sg_ext.SecurityGroupRuleInvalidProtocol(protocol=protocol,
values=value_list)
return proto
def convert_sg_rule(openstack_rule, priority=None):
directions = {'ingress': 'Inbound', 'egress': 'Outbound'}
protocols = {'tcp': 'Tcp', 'udp': 'Udp'}
# Asterix '*' is used to match all possible values.
# E.g. In case of source_port_range it will allow all ports.
# The default security group is allow all traffic, based on
# user inputs we refine it further.
sg_rule = {
'source_port_range': '*',
'destination_port_range': '*',
'source_address_prefix': '*',
'destination_address_prefix': '*',
'access': 'Allow',
'priority': priority
}
sg_rule['direction'] = directions[openstack_rule['direction']]
if openstack_rule['ethertype'] != 'IPv4':
raise sg.SecurityGroupRuleInvalidEtherType(
ethertype=openstack_rule['ethertype'], values=('IPv4', ))
protocol = openstack_rule['protocol']
if protocol is None:
sg_rule['protocol'] = '*'
elif protocol and protocol in protocols:
sg_rule['protocol'] = protocols[protocol]
else:
raise sg.SecurityGroupRuleInvalidProtocol(protocol=protocol,
values=protocols.keys())
port_range_min = openstack_rule['port_range_min']
port_range_max = openstack_rule['port_range_max']
if port_range_min and port_range_min == port_range_max:
sg_rule['destination_port_range'] = str(port_range_min)
elif port_range_min and port_range_max:
sg_rule['destination_port_range'] = "%s-%s" % (port_range_min,
port_range_max)
if openstack_rule['remote_ip_prefix']:
# TODO(ssudake21): Allow support for tags in source_address_prefix
sg_rule['source_address_prefix'] = openstack_rule['remote_ip_prefix']
return sg_rule
def _validate_security_group_rule(context, rule):
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
ALLOWED_WITH_RANGE = [6, 17]
if rule.get("remote_ip_prefix") and rule.get("remote_group_id"):
raise sg_ext.SecurityGroupRemoteGroupAndRemoteIpPrefix()
protocol = rule.pop('protocol')
port_range_min = rule['port_range_min']
port_range_max = rule['port_range_max']
if protocol:
try:
proto = int(protocol)
except ValueError:
proto = str(protocol).lower()
proto = PROTOCOLS.get(proto, -1)
# Please see http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
# The field is always 8 bits, and 255 is a reserved value
if not (0 <= proto <= 254):
raise sg_ext.SecurityGroupRuleInvalidProtocol(
protocol=protocol, values=PROTOCOLS.keys())
if protocol in ALLOWED_WITH_RANGE:
if (port_range_min is None) != (port_range_max is None):
raise exceptions.InvalidInput(
error_message="For TCP/UDP rules, cannot wildcard "
"only one end of port range.")
if port_range_min is not None and port_range_max is not None:
if port_range_min > port_range_max:
raise sg_ext.SecurityGroupInvalidPortRange()
rule['protocol'] = protocol
else:
if port_range_min is not None or port_range_max is not None:
raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
return rule
