def _validate_port_range(self, rule):
    """Check that the rule's port_range_min/port_range_max are valid.

    A rule without any port value is accepted as-is. Once a port value is
    present a protocol is mandatory; TCP/UDP ranges must be fully
    specified, non-zero and ordered (min <= max, equal means one port);
    ICMP carries the type in port_range_min and the code in
    port_range_max, each limited to 0..255, and a code without a type is
    rejected. Port values for any other protocol are not checked here.

    :raises SecurityGroupProtocolRequiredWithPorts: ports without protocol
    :raises SecurityGroupInvalidPortValue: a TCP/UDP port of 0
    :raises SecurityGroupInvalidPortRange: half-specified or reversed range
    :raises SecurityGroupInvalidIcmpValue: ICMP type/code outside 0..255
    :raises SecurityGroupMissingIcmpType: ICMP code given without a type
    """
    lo = rule['port_range_min']
    hi = rule['port_range_max']
    if lo is None and hi is None:
        return
    if not rule['protocol']:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()

    ip_proto = self._get_ip_proto_number(rule['protocol'])
    if ip_proto in (constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP):
        if lo == 0 or hi == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        # Both ends must be present and ordered; min == max is one port.
        if lo is None or hi is None or lo > hi:
            raise ext_sg.SecurityGroupInvalidPortRange()
    elif ip_proto == constants.PROTO_NUM_ICMP:
        for value, attr, field in ((lo, 'port_range_min', 'type'),
                                   (hi, 'port_range_max', 'code')):
            if value is not None and not 0 <= value <= 255:
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)
        if lo is None and hi is not None:
            raise ext_sg.SecurityGroupMissingIcmpType(value=hi)
def _validate_port_range(self, rule):
    """Check that the rule's port_range_min/port_range_max are valid.

    Rules without any port value pass through untouched. Otherwise a
    protocol is required; DCCP/SCTP/TCP/UDP/UDP-Lite ranges must be fully
    specified, non-zero and ordered (min == max is a single port); ICMP
    and ICMPv6 carry the type in port_range_min and the code in
    port_range_max, each limited to 0..255, and a code without a type is
    rejected. Port values for any other protocol are left unchecked here.

    :raises SecurityGroupProtocolRequiredWithPorts: ports without protocol
    :raises SecurityGroupInvalidPortValue: a port of 0
    :raises SecurityGroupInvalidPortRange: half-specified or reversed range
    :raises SecurityGroupInvalidIcmpValue: ICMP type/code outside 0..255
    :raises SecurityGroupMissingIcmpType: ICMP code given without a type
    """
    lo, hi = rule['port_range_min'], rule['port_range_max']
    if lo is None and hi is None:
        return
    if not rule['protocol']:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
    ip_proto = self._get_ip_proto_number(rule['protocol'])

    # Not all firewall_driver support all these protocols,
    # but being strict here doesn't hurt.
    ranged = (constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
              constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
              constants.PROTO_NUM_UDPLITE)
    icmp = (constants.PROTO_NUM_ICMP, constants.PROTO_NUM_IPV6_ICMP)

    if ip_proto in ranged:
        if lo == 0 or hi == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        if lo is None or hi is None or lo > hi:
            raise ext_sg.SecurityGroupInvalidPortRange()
        return

    if ip_proto in icmp:
        if lo is not None and not 0 <= lo <= 255:
            raise ext_sg.SecurityGroupInvalidIcmpValue(
                field='type', attr='port_range_min', value=lo)
        if hi is not None and not 0 <= hi <= 255:
            raise ext_sg.SecurityGroupInvalidIcmpValue(
                field='code', attr='port_range_max', value=hi)
        if lo is None and hi is not None:
            raise ext_sg.SecurityGroupMissingIcmpType(value=hi)
def _validate_security_group_rule(context, rule):
    """Normalise and validate a security group rule dict in place.

    ``protocol`` is popped from ``rule``. When it is given it must be one
    of icmp/tcp/udp (case-insensitive for ``str`` values) and is written
    back as the IP protocol number; when it is absent the key stays
    removed and no port values may be present. TCP/UDP rules must give
    both ends of the port range or neither, ordered min <= max. A rule may
    not set both remote_ip_prefix and remote_group_id. ``context`` is not
    used by this function.

    :returns: the same ``rule`` dict, normalised
    :raises SecurityGroupRemoteGroupAndRemoteIpPrefix: both remotes set
    :raises SecurityGroupRuleInvalidProtocol: unknown protocol
    :raises InvalidInput: only one end of a TCP/UDP range given
    :raises SecurityGroupInvalidPortRange: min > max
    :raises SecurityGroupProtocolRequiredWithPorts: ports without protocol
    """
    proto_numbers = {"icmp": 1, "tcp": 6, "udp": 17}
    ranged = (6, 17)

    if rule.get("remote_ip_prefix") and rule.get("remote_group_id"):
        raise sg_ext.SecurityGroupRemoteGroupAndRemoteIpPrefix()

    proto_name = rule.pop('protocol')
    lo, hi = rule['port_range_min'], rule['port_range_max']

    if not proto_name:
        if lo is not None or hi is not None:
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
        return rule

    if isinstance(proto_name, str):
        proto_name = proto_name.lower()
    proto = proto_numbers.get(proto_name)
    if not proto:
        raise sg_ext.SecurityGroupRuleInvalidProtocol()

    if proto in ranged:
        if (lo is None) != (hi is None):
            raise exceptions.InvalidInput(
                error_message="For TCP/UDP rules, cannot wildcard "
                              "only one end of port range.")
        # After the check above, lo being set implies hi is set too.
        if lo is not None and lo > hi:
            raise sg_ext.SecurityGroupInvalidPortRange()

    rule['protocol'] = proto
    return rule
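def _validate_port_range(self, rule):
    """Check that port_range is valid.

    A rule without any port value is accepted as-is. Once a port value is
    present a protocol is required; TCP/UDP ranges must give both ends,
    ordered min <= max; ICMP carries the type in port_range_min and the
    code in port_range_max, each of which, when given, must be 0..255.
    Port values for any other protocol are not checked here.

    :raises SecurityGroupProtocolRequiredWithPorts: ports without protocol
    :raises SecurityGroupInvalidPortRange: half-specified or reversed range
    :raises SecurityGroupInvalidIcmpValue: ICMP type/code outside 0..255
    """
    port_min = rule['port_range_min']
    port_max = rule['port_range_max']
    if port_min is None and port_max is None:
        return
    if not rule['protocol']:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
    ip_proto = self._get_ip_proto_number(rule['protocol'])
    if ip_proto in [constants.TCP_PROTOCOL, constants.UDP_PROTOCOL]:
        # Both ends are required: a half-specified range used to compare
        # an int with None, which is a TypeError on Python 3 and only
        # happened to evaluate False on Python 2.
        if port_min is None or port_max is None or port_min > port_max:
            raise ext_sg.SecurityGroupInvalidPortRange()
    elif ip_proto == constants.ICMP_PROTOCOL:
        for attr, field in [('port_range_min', 'type'),
                            ('port_range_max', 'code')]:
            value = rule[attr]
            # None means "not given" and is allowed; a given value must be
            # a valid 8-bit ICMP type/code. The old `> 255` test let
            # negative values through and compared None with an int.
            if value is not None and not (0 <= value <= 255):
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)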
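def validate_protocol_with_port_ranges(ethertype, protocol, port_range_min,
                                       port_range_max):
    """Validate port_range_min/port_range_max against the rule's protocol.

    Only protocols listed in ``ALLOWED_WITH_RANGE`` are checked; anything
    else returns without validation. For the ICMP protocol number of
    ``ethertype`` (looked up in ``PROTOCOL_MAP``) the range fields carry
    the ICMP type (min) and code (max): each given value must be 0..255
    and a code may not be supplied without a type. For the remaining
    ranged protocols (TCP/UDP) both ends must be given or neither, ordered
    min <= max and within ``MIN_PORT``..``MAX_PORT``.

    :raises SecurityGroupMissingIcmpType: ICMP code given without a type
    :raises SecurityGroupInvalidIcmpValue: ICMP type/code outside 0..255
    :raises InvalidInput: half-specified range, or a port outside
        MIN_PORT..MAX_PORT
    :raises SecurityGroupInvalidPortRange: min > max
    """
    if protocol not in ALLOWED_WITH_RANGE:
        return

    if protocol == PROTOCOL_MAP[ethertype]["icmp"]:
        if port_range_min is None and port_range_max is not None:
            raise sg_ext.SecurityGroupMissingIcmpType(value=port_range_max)
        # Check the type first, then the code, and report the first bad
        # value. Each value is only compared when it is present: the old
        # `a and b < 0 or b > 255` grouping evaluated `None > 255` for a
        # missing code, a TypeError on Python 3. `field`/`attr` follow the
        # neutron convention (field is the ICMP meaning, attr the rule key).
        for value, attr, field in ((port_range_min, "port_range_min", "type"),
                                   (port_range_max, "port_range_max", "code")):
            if value is not None and not 0 <= value <= 255:
                raise sg_ext.SecurityGroupInvalidIcmpValue(field=field,
                                                           attr=attr,
                                                           value=value)
        return

    # TODO(anyone): what exactly is a TCP or UDP rule without ports?
    if (port_range_min is None) != (port_range_max is None):
        raise n_exc.InvalidInput(
            error_message="For TCP/UDP rules, port_range_min and "
                          "port_range_max must either both be supplied"
                          ", or neither of them")
    if port_range_min is not None and port_range_max is not None:
        if port_range_min > port_range_max:
            raise sg_ext.SecurityGroupInvalidPortRange()
        if port_range_min < MIN_PORT or port_range_max > MAX_PORT:
            raise n_exc.InvalidInput(
                error_message="port_range_min and port_range_max must "
                              "be >= %s and <= %s" % (MIN_PORT, MAX_PORT))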
def _validate_port_range(self, rule):
    """Check that the rule's port_range_min/port_range_max are valid.

    Rules without any port value are accepted untouched. Otherwise a
    protocol is required, and it must be one that carries ports: the
    protocols in ``const.SG_PORT_PROTO_NUMS``/``SG_PORT_PROTO_NAMES`` take
    a fully specified, non-zero, ordered range (min == max is a single
    port); ICMP/ICMPv6 take the type in port_range_min and the code in
    port_range_max, each 0..255, and a code without a type is rejected.
    Any other protocol with a port value is rejected.

    :raises SecurityGroupProtocolRequiredWithPorts: ports without protocol
    :raises SecurityGroupInvalidPortValue: a port of 0
    :raises SecurityGroupInvalidPortRange: half-specified or reversed range
    :raises SecurityGroupInvalidIcmpValue: ICMP type/code outside 0..255
    :raises SecurityGroupMissingIcmpType: ICMP code given without a type
    :raises SecurityGroupInvalidProtocolForPort: ports on a port-less
        protocol
    """
    lo = rule['port_range_min']
    hi = rule['port_range_max']
    if lo is None and hi is None:
        return
    if not rule['protocol']:
        raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
    ip_proto = self._get_ip_proto_number(rule['protocol'])

    # Not all firewall_driver support all these protocols,
    # but being strict here doesn't hurt.
    takes_ports = (ip_proto in const.SG_PORT_PROTO_NUMS or
                   ip_proto in const.SG_PORT_PROTO_NAMES)
    if takes_ports:
        if lo == 0 or hi == 0:
            raise ext_sg.SecurityGroupInvalidPortValue(port=0)
        # Both ends required and ordered; equal ends are one port.
        if lo is None or hi is None or lo > hi:
            raise ext_sg.SecurityGroupInvalidPortRange()
        return

    if ip_proto in (constants.PROTO_NUM_ICMP, constants.PROTO_NUM_IPV6_ICMP):
        for value, attr, field in ((lo, 'port_range_min', 'type'),
                                   (hi, 'port_range_max', 'code')):
            if value is not None and not 0 <= value <= 255:
                raise ext_sg.SecurityGroupInvalidIcmpValue(
                    field=field, attr=attr, value=value)
        if lo is None and hi is not None:
            raise ext_sg.SecurityGroupMissingIcmpType(value=hi)
        return

    # Only the protocols above support ports; at least one port value is
    # set here (the early return above handled the none-given case).
    port_protocols = ', '.join(s.upper() for s in const.SG_PORT_PROTO_NAMES)
    raise ext_sg.SecurityGroupInvalidProtocolForPort(
        protocol=ip_proto, valid_port_protocols=port_protocols)
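def _validate_security_group_rule(context, rule):
    """Normalise and validate a security group rule dict in place.

    ``protocol`` is popped from ``rule``. When given it may be a protocol
    number (int or numeric string, 0..254) or one of the names in
    ``PROTOCOLS`` (case-insensitive); it is written back as the number.
    When it is absent the key stays removed and no port values may be
    present. TCP/UDP rules must give both ends of the port range or
    neither, ordered min <= max. A rule may not set both remote_ip_prefix
    and remote_group_id. ``context`` is not used by this function.

    :returns: the same ``rule`` dict, normalised
    :raises SecurityGroupRemoteGroupAndRemoteIpPrefix: both remotes set
    :raises SecurityGroupRuleInvalidProtocol: unknown or out-of-range protocol
    :raises InvalidInput: only one end of a TCP/UDP range given
    :raises SecurityGroupInvalidPortRange: min > max
    :raises SecurityGroupProtocolRequiredWithPorts: ports without protocol
    """
    PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
    ALLOWED_WITH_RANGE = [6, 17]

    if rule.get("remote_ip_prefix") and rule.get("remote_group_id"):
        raise sg_ext.SecurityGroupRemoteGroupAndRemoteIpPrefix()

    protocol = rule.pop('protocol')
    port_range_min = rule['port_range_min']
    port_range_max = rule['port_range_max']

    if protocol:
        try:
            proto = int(protocol)
        except (TypeError, ValueError):
            # Not a number: treat it as a protocol name (unknown -> -1,
            # rejected by the range check below).
            proto = PROTOCOLS.get(str(protocol).lower(), -1)

        # Please see http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
        # The field is always 8 bits, and 255 is a reserved value
        if not (0 <= proto <= 254):
            raise sg_ext.SecurityGroupRuleInvalidProtocol(
                protocol=protocol, values=PROTOCOLS.keys())

        # Compare the *normalised* number, not the raw input: a name such
        # as "tcp" (or the string "6") is never in ALLOWED_WITH_RANGE, so
        # comparing the raw value sent every TCP/UDP rule with ports to
        # the "protocol required" error below.
        if proto in ALLOWED_WITH_RANGE:
            if (port_range_min is None) != (port_range_max is None):
                raise exceptions.InvalidInput(
                    error_message="For TCP/UDP rules, cannot wildcard "
                                  "only one end of port range.")
            if port_range_min is not None and port_range_max is not None:
                if port_range_min > port_range_max:
                    raise sg_ext.SecurityGroupInvalidPortRange()
        # Store the protocol number so consumers see one canonical form.
        rule['protocol'] = proto
    else:
        if port_range_min is not None or port_range_max is not None:
            raise sg_ext.SecurityGroupProtocolRequiredWithPorts()
    return rule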
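def validate_protocol_with_port_ranges(protocol, port_range_min,
                                       port_range_max):
    """Validate port_range_min/port_range_max against the rule's protocol.

    Protocols in ``ALLOWED_WITH_RANGE`` (TCP/UDP) must give both ends of
    the range or neither, ordered min <= max and within
    ``MIN_PORT``..``MAX_PORT``. Every other protocol must not carry any
    port value at all.

    :raises InvalidInput: half-specified range, a port outside
        MIN_PORT..MAX_PORT, or ports on a protocol that takes none
    :raises SecurityGroupInvalidPortRange: min > max
    """
    if protocol in ALLOWED_WITH_RANGE:
        # TODO(anyone): what exactly is a TCP or UDP rule without ports?
        if (port_range_min is None) != (port_range_max is None):
            raise exceptions.InvalidInput(
                error_message="For TCP/UDP rules, port_range_min and "
                              "port_range_max must either both be supplied, "
                              "or neither of them")
        if port_range_min is not None and port_range_max is not None:
            if port_range_min > port_range_max:
                raise sg_ext.SecurityGroupInvalidPortRange()
            if port_range_min < MIN_PORT or port_range_max > MAX_PORT:
                raise exceptions.InvalidInput(
                    error_message="port_range_min and port_range_max must be "
                                  ">= %s and <= %s" % (MIN_PORT, MAX_PORT))
    # Test for presence, not truthiness: a port of 0 is a supplied value
    # too and must be rejected for protocols that carry no ports.
    elif port_range_min is not None or port_range_max is not None:
        raise exceptions.InvalidInput(
            error_message=("You may not supply ports for the requested "
                           "protocol"))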