Only invoke .lower() on non-None protocols
When using source group based security group rules (rather than CIDR based ones), it's permissible to not set a protocol and port. However, Nova would always try to convert the protocol to lower case, which would fail if the protocol wasn't set. Fixes bug 1010514 Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126
parent
3ea7dcc643
commit
bbdf82c5ec
1
.mailmap
1
.mailmap
@ -60,6 +60,7 @@
|
|||||||
<sandy.walsh@rackspace.com> <sandy@sandywalsh.com>
|
<sandy.walsh@rackspace.com> <sandy@sandywalsh.com>
|
||||||
<sleepsonthefloor@gmail.com> <root@tonbuntu>
|
<sleepsonthefloor@gmail.com> <root@tonbuntu>
|
||||||
<soren.hansen@rackspace.com> <soren@linux2go.dk>
|
<soren.hansen@rackspace.com> <soren@linux2go.dk>
|
||||||
|
<soren@linux2go.dk> <sorhanse@cisco.com>
|
||||||
<throughnothing@gmail.com> <will.wolf@rackspace.com>
|
<throughnothing@gmail.com> <will.wolf@rackspace.com>
|
||||||
<tim.simpson@rackspace.com> <tim.simpson4@gmail.com>
|
<tim.simpson@rackspace.com> <tim.simpson4@gmail.com>
|
||||||
<todd@ansolabs.com> <todd@lapex>
|
<todd@ansolabs.com> <todd@lapex>
|
||||||
|
@ -1871,6 +1871,10 @@ class IptablesFirewallTestCase(test.TestCase):
|
|||||||
'to_port': 81,
|
'to_port': 81,
|
||||||
'group_id': src_secgroup['id']})
|
'group_id': src_secgroup['id']})
|
||||||
|
|
||||||
|
db.security_group_rule_create(admin_ctxt,
|
||||||
|
{'parent_group_id': secgroup['id'],
|
||||||
|
'group_id': src_secgroup['id']})
|
||||||
|
|
||||||
db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
|
db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
|
||||||
secgroup['id'])
|
secgroup['id'])
|
||||||
db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
|
db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
|
||||||
@ -1951,6 +1955,9 @@ class IptablesFirewallTestCase(test.TestCase):
|
|||||||
'--dports 80:81 -s %s' % ip['address'])
|
'--dports 80:81 -s %s' % ip['address'])
|
||||||
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
|
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
|
||||||
"TCP port 80/81 acceptance rule wasn't added")
|
"TCP port 80/81 acceptance rule wasn't added")
|
||||||
|
regex = re.compile('-A .* -j ACCEPT -s %s' % ip['address'])
|
||||||
|
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
|
||||||
|
"Protocol/port-less acceptance rule wasn't added")
|
||||||
|
|
||||||
regex = re.compile('-A .* -j ACCEPT -p tcp '
|
regex = re.compile('-A .* -j ACCEPT -p tcp '
|
||||||
'-m multiport --dports 80:81 -s 192.168.10.0/24')
|
'-m multiport --dports 80:81 -s 192.168.10.0/24')
|
||||||
|
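Review bot: The pattern for the new protocol-less assertion in the second hunk, `'-A .* -j ACCEPT -s %s' % ip['address']`, interpolates the address unescaped and has no end anchor, so each dot matches any character and a rule whose source merely starts with the expected address would also pass. Building it with `re.escape(ip['address'])`, plus an end anchor if the rule text really ends at the address (the driver's formatting is not visible here), would pin the check to the intended rule. The existing 80:81 pattern just above it has the same looseness. Both test methods start and end outside the hunks shown.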
@ -331,7 +331,11 @@ class IptablesFirewallDriver(FirewallDriver):
|
|||||||
else:
|
else:
|
||||||
fw_rules = ipv6_rules
|
fw_rules = ipv6_rules
|
||||||
|
|
||||||
|
protocol = rule.protocol
|
||||||
|
|
||||||
|
if protocol:
|
||||||
protocol = rule.protocol.lower()
|
protocol = rule.protocol.lower()
|
||||||
|
|
||||||
if version == 6 and protocol == 'icmp':
|
if version == 6 and protocol == 'icmp':
|
||||||
protocol = 'icmpv6'
|
protocol = 'icmpv6'
|
||||||
|
|
||||||
|
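Review bot: After the new `if protocol:` guard, `protocol` can stay None, which yields an ACCEPT rule covering every protocol and port from the source group's members, and nothing in the hunk records that this is intended. I would add a comment above the guard, `# protocol may be unset for source-group rules: accept all traffic from group members`, and write the body as `protocol = protocol.lower()` since the local is already bound. The code that turns `protocol` and the port range into iptables arguments lies outside the hunk, so it should be confirmed that it omits `-p` and the port options for both None and an empty string. It is also worth confirming that a CIDR-based rule with no protocol is rejected before it reaches this method, presumably at API validation, since here it would open the whole range to that CIDR.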