Only invoke .lower() on non-None protocols

When using source group based security group rules (rather than CIDR based ones), it's permissible to not set a protocol and port. However, Nova would always try to convert the protocol to lower case, which would fail if the protocol wasn't set. Fixes bug 1010514 Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126
author: Soren Hansen <sorhanse@cisco.com> 2012-06-11 09:23:33 +0200
committer: Thierry Carrez <thierry@openstack.org> 2012-06-11 15:15:19 +0200
commit: 3ee026e4252cd4140b50675e857695b195ab5065 (patch)
tree: 2b29b7229b9c677b5f0fde64dbfc1d2778624700
parent: f0a9f475c5d82493f90debd1082b913511ebacf0 (diff)
download: nova-3ee026e4252cd4140b50675e857695b195ab5065.tar.gz
3 files changed, 13 insertions, 1 deletions
diff --git a/.mailmap b/.mailmap
index 153773959d..38783c9f3b 100644
--- a/.mailmap
+++ b/.mailmap
@@ -59,6 +59,7 @@
 <sandy.walsh@rackspace.com> <sandy@sandywalsh.com>
 <sleepsonthefloor@gmail.com> <root@tonbuntu>
 <soren.hansen@rackspace.com> <soren@linux2go.dk>
+<soren@linux2go.dk> <sorhanse@cisco.com>
 <throughnothing@gmail.com> <will.wolf@rackspace.com>
 <tim.simpson@rackspace.com> <tim.simpson4@gmail.com>
 <todd@ansolabs.com> <todd@lapex>
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index ac8cdca397..af3005149b 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -1718,6 +1718,10 @@ class IptablesFirewallTestCase(test.TestCase):
                                        'to_port': 81,
                                        'group_id': src_secgroup['id']})
 
+        db.security_group_rule_create(admin_ctxt,
+                                      {'parent_group_id': secgroup['id'],
+                                       'group_id': src_secgroup['id']})
+
         db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
                                        secgroup['id'])
         db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
@@ -1798,6 +1802,9 @@ class IptablesFirewallTestCase(test.TestCase):
                                '--dports 80:81 -s %s' % ip['address'])
             self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                             "TCP port 80/81 acceptance rule wasn't added")
+            regex = re.compile('-A .* -j ACCEPT -s %s' % ip['address'])
+            self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
+                            "Protocol/port-less acceptance rule wasn't added")
 
         regex = re.compile('-A .* -j ACCEPT -p tcp '
                            '-m multiport --dports 80:81 -s 192.168.10.0/24')
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index a41ece69fa..f0f1594938 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -300,7 +300,11 @@ class IptablesFirewallDriver(FirewallDriver):
                 else:
                     fw_rules = ipv6_rules
 
-                protocol = rule.protocol.lower()
+                protocol = rule.protocol
+
+                if protocol:
+                    protocol = rule.protocol.lower()
+
                 if version == 6 and protocol == 'icmp':
                     protocol = 'icmpv6'
author	Soren Hansen <sorhanse@cisco.com>	2012-06-11 09:23:33 +0200
committer	Thierry Carrez <thierry@openstack.org>	2012-06-11 15:15:19 +0200
commit	3ee026e4252cd4140b50675e857695b195ab5065 (patch)
tree	2b29b7229b9c677b5f0fde64dbfc1d2778624700
parent	f0a9f475c5d82493f90debd1082b913511ebacf0 (diff)
download	nova-3ee026e4252cd4140b50675e857695b195ab5065.tar.gz