def _validate_port_range(self, rule):
    """Validate the port range (or ICMP type/code) of a security-group rule.

    ``rule`` is a mapping read through the keys ``port_range_min``,
    ``port_range_max`` and ``protocol``. For ICMP the two "port" keys carry
    the ICMP type and code respectively.

    Returns ``None`` when the rule is acceptable.

    Raises:
        ext_sg.SecurityGroupProtocolRequiredWithPorts: a port value was
            given without a protocol.
        ext_sg.SecurityGroupInvalidPortValue: TCP/UDP rule with a port of 0.
        ext_sg.SecurityGroupInvalidPortRange: TCP/UDP rule with only one
            bound set, or with min greater than max.
        ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
            0..255.
        ext_sg.SecurityGroupMissingIcmpType: ICMP code given without a type.
    """
    low = rule['port_range_min']
    high = rule['port_range_max']

    # A rule that names no ports at all has nothing to validate.
    if low is None and high is None:
        return

    protocol = rule['protocol']
    if not protocol:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

    ip_proto = self._get_ip_proto_number(protocol)

    if ip_proto in (constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP):
        # Port 0 is rejected explicitly, before the range comparison.
        if low == 0 or high == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        # Both bounds must be present and ordered; min == max is accepted.
        # NOTE(review): no upper bound is applied to the port numbers here;
        # presumably an earlier validation layer enforces it -- confirm.
        ordered = (low is not None and
                   high is not None and
                   low <= high)
        if not ordered:
            raise ext_sg.SecurityGroupInvalidPortRange()
        return

    if ip_proto == constants.PROTO_NUM_ICMP:
        # For ICMP, port_range_min holds the type and port_range_max the code.
        icmp_values = (('port_range_min', 'type', low),
                       ('port_range_max', 'code', high))
        for attr, field, value in icmp_values:
            if value is None:
                continue
            if not (0 <= value <= 255):
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)
        # An ICMP code is meaningless without the type it qualifies.
        if low is None and high is not None:
            raise ext_sg.SecurityGroupMissingIcmpType(value=high)
        return

    # NOTE(review): any other protocol reaches this point with its port
    # values unchecked; confirm that the caller or the firewall driver
    # rejects them, so a rule is never applied more broadly than written.
def _validate_port_range(self, rule):
    """Validate the port range (or ICMP type/code) of a security-group rule.

    ``rule`` is a mapping read through the keys ``port_range_min``,
    ``port_range_max`` and ``protocol``. For ICMP and ICMPv6 the two "port"
    keys carry the ICMP type and code respectively.

    Returns ``None`` when the rule is acceptable.

    Raises:
        ext_sg.SecurityGroupProtocolRequiredWithPorts: a port value was
            given without a protocol.
        ext_sg.SecurityGroupInvalidPortValue: port-based rule with a port
            of 0.
        ext_sg.SecurityGroupInvalidPortRange: port-based rule with only one
            bound set, or with min greater than max.
        ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
            0..255.
        ext_sg.SecurityGroupMissingIcmpType: ICMP code given without a type.
    """
    low = rule['port_range_min']
    high = rule['port_range_max']

    # A rule that names no ports at all has nothing to validate.
    if low is None and high is None:
        return

    protocol = rule['protocol']
    if not protocol:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

    ip_proto = self._get_ip_proto_number(protocol)

    # Some firewall drivers may not implement every protocol below;
    # validating strictly for all of them is harmless.
    port_protocols = (
        constants.PROTO_NUM_DCCP,
        constants.PROTO_NUM_SCTP,
        constants.PROTO_NUM_TCP,
        constants.PROTO_NUM_UDP,
        constants.PROTO_NUM_UDPLITE,
    )
    icmp_protocols = (
        constants.PROTO_NUM_ICMP,
        constants.PROTO_NUM_IPV6_ICMP,
    )

    if ip_proto in port_protocols:
        # Port 0 is rejected explicitly, before the range comparison.
        if low == 0 or high == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        # Both bounds must be present and ordered; min == max is accepted.
        # NOTE(review): no upper bound is applied to the port numbers here;
        # presumably an earlier validation layer enforces it -- confirm.
        ordered = (low is not None and
                   high is not None and
                   low <= high)
        if not ordered:
            raise ext_sg.SecurityGroupInvalidPortRange()
        return

    if ip_proto in icmp_protocols:
        # For ICMP, port_range_min holds the type and port_range_max the code.
        icmp_values = (('port_range_min', 'type', low),
                       ('port_range_max', 'code', high))
        for attr, field, value in icmp_values:
            if value is None:
                continue
            if not (0 <= value <= 255):
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)
        # An ICMP code is meaningless without the type it qualifies.
        if low is None and high is not None:
            raise ext_sg.SecurityGroupMissingIcmpType(value=high)
        return

    # NOTE(review): any other protocol reaches this point with its port
    # values unchecked; confirm that the caller or the firewall driver
    # rejects them, so a rule is never applied more broadly than written.
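def validate_protocol_with_port_ranges(ethertype, protocol, port_range_min,
                                       port_range_max):
    """Validate the port range (or ICMP type/code) supplied for a rule.

    Only protocols listed in ``ALLOWED_WITH_RANGE`` are checked. For the
    ICMP protocol of the given ``ethertype`` the two values are read as the
    ICMP type and code and must lie in 0..255; a code without a type is
    rejected. For the remaining range-capable protocols both bounds must be
    given together, be ordered, and lie within ``MIN_PORT``..``MAX_PORT``.

    Returns ``None`` when the combination is acceptable.

    Raises:
        sg_ext.SecurityGroupMissingIcmpType: ICMP code given without a type.
        sg_ext.SecurityGroupInvalidIcmpValue: ICMP type or code outside
            0..255.
        sg_ext.SecurityGroupInvalidPortRange: min greater than max.
        n_exc.InvalidInput: only one bound given, or a bound outside
            MIN_PORT..MAX_PORT.
    """
    # NOTE(review): protocols outside ALLOWED_WITH_RANGE return here with
    # any supplied port values unchecked; confirm the caller rejects ports
    # for such protocols so a rule is never applied more broadly than
    # written.
    if protocol not in ALLOWED_WITH_RANGE:
        return

    if protocol == PROTOCOL_MAP[ethertype]["icmp"]:
        if port_range_min is None:
            # An ICMP code is meaningless without the type it qualifies.
            if port_range_max is not None:
                raise sg_ext.SecurityGroupMissingIcmpType(
                    value=port_range_max)
            return

        # NOTE(review): Neutron's own _validate_port_range passes these
        # keywords the other way round (attr='port_range_min',
        # field='type'); confirm which order the message template expects.
        if port_range_min < 0 or port_range_min > 255:
            raise sg_ext.SecurityGroupInvalidIcmpValue(
                field="port_range_min", attr="type", value=port_range_min)

        # The bounds test is parenthesised so that a missing code (None) is
        # never compared with an int. The original condition parsed as
        # "(code is not None and code < 0) or code > 255", which raises
        # TypeError on Python 3 for a type-only ICMP rule.
        if port_range_max is not None and (port_range_max < 0 or
                                           port_range_max > 255):
            raise sg_ext.SecurityGroupInvalidIcmpValue(
                field="port_range_max", attr="code", value=port_range_max)
        return

    # NOTE(review): the indentation of the original was lost; these checks
    # are taken to be the non-ICMP branch of ALLOWED_WITH_RANGE, as the
    # "For TCP/UDP rules" error text suggests.
    if (port_range_min is None) != (port_range_max is None):
        # TODO(anyone): what exactly is a TCP or UDP rule without ports?
        raise n_exc.InvalidInput(
            error_message="For TCP/UDP rules, port_range_min and "
                          "port_range_max must either both be supplied"
                          ", or neither of them")

    if port_range_min is None:
        # Neither bound supplied: nothing further to check.
        return

    if port_range_min > port_range_max:
        raise sg_ext.SecurityGroupInvalidPortRange()

    # With min <= max established, checking the lower bound of min and the
    # upper bound of max covers both values.
    if port_range_min < MIN_PORT or port_range_max > MAX_PORT:
        raise n_exc.InvalidInput(
            error_message="port_range_min and port_range_max must "
                          "be >= %s and <= %s" % (MIN_PORT, MAX_PORT))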
def _validate_port_range(self, rule):
    """Validate the port range (or ICMP type/code) of a security-group rule.

    ``rule`` is a mapping read through the keys ``port_range_min``,
    ``port_range_max`` and ``protocol``. For ICMP and ICMPv6 the two "port"
    keys carry the ICMP type and code respectively. Protocols that are
    neither port-based nor ICMP are rejected when any port value is set.

    Returns ``None`` when the rule is acceptable.

    Raises:
        ext_sg.SecurityGroupProtocolRequiredWithPorts: a port value was
            given without a protocol.
        ext_sg.SecurityGroupInvalidPortValue: port-based rule with a port
            of 0.
        ext_sg.SecurityGroupInvalidPortRange: port-based rule with only one
            bound set, or with min greater than max.
        ext_sg.SecurityGroupInvalidIcmpValue: ICMP type or code outside
            0..255.
        ext_sg.SecurityGroupMissingIcmpType: ICMP code given without a type.
        ext_sg.SecurityGroupInvalidProtocolForPort: ports given for a
            protocol that does not take ports.
    """
    low = rule['port_range_min']
    high = rule['port_range_max']

    # A rule that names no ports at all has nothing to validate.
    if low is None and high is None:
        return

    protocol = rule['protocol']
    if not protocol:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

    ip_proto = self._get_ip_proto_number(protocol)

    # Some firewall drivers may not implement every port-based protocol;
    # validating strictly for all of them is harmless.
    takes_ports = (ip_proto in const.SG_PORT_PROTO_NUMS or
                   ip_proto in const.SG_PORT_PROTO_NAMES)
    if takes_ports:
        # Port 0 is rejected explicitly, before the range comparison.
        if low == 0 or high == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        # Both bounds must be present and ordered; equal bounds describe a
        # single port.
        # NOTE(review): no upper bound is applied to the port numbers here;
        # presumably an earlier validation layer enforces it -- confirm.
        ordered = (low is not None and
                   high is not None and
                   low <= high)
        if not ordered:
            raise ext_sg.SecurityGroupInvalidPortRange()
        return

    icmp_protocols = (
        constants.PROTO_NUM_ICMP,
        constants.PROTO_NUM_IPV6_ICMP,
    )
    if ip_proto in icmp_protocols:
        # For ICMP, port_range_min holds the type and port_range_max the code.
        icmp_values = (('port_range_min', 'type', low),
                       ('port_range_max', 'code', high))
        for attr, field, value in icmp_values:
            if value is None:
                continue
            if not (0 <= value <= 255):
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)
        # An ICMP code is meaningless without the type it qualifies.
        if low is None and high is not None:
            raise ext_sg.SecurityGroupMissingIcmpType(value=high)
        return

    # No other protocol takes ports: refuse the rule rather than store a
    # port restriction that would not be applied.
    if low is not None or high is not None:
        valid_names = ', '.join(
            name.upper() for name in const.SG_PORT_PROTO_NAMES)
        raise ext_sg.SecurityGroupInvalidProtocolForPort(
            protocol=ip_proto, valid_port_protocols=valid_names)