author | Soren Hansen <sorhanse@cisco.com> | 2012-06-11 09:23:33 +0200 |
committer | Thierry Carrez <thierry@openstack.org> | 2012-06-11 15:15:19 +0200 |
commit | 3ee026e4252cd4140b50675e857695b195ab5065 (patch) | |
tree | 2b29b7229b9c677b5f0fde64dbfc1d2778624700 | |
parent | f0a9f475c5d82493f90debd1082b913511ebacf0 (diff) | |
Only invoke .lower() on non-None protocols
When using source group based security group rules (rather than CIDR
based ones), it's permissible to not set a protocol and port. However,
Nova would always try to convert the protocol to lower case, which would
fail if the protocol wasn't set.
Fixes bug 1010514
Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126
-rw-r--r-- | .mailmap | 1 | ||||
-rw-r--r-- | nova/tests/test_libvirt.py | 7 | ||||
-rw-r--r-- | nova/virt/firewall.py | 6 |
3 files changed, 13 insertions, 1 deletions
@@ -59,6 +59,7 @@
 <sandy.walsh@rackspace.com> <sandy@sandywalsh.com>
 <sleepsonthefloor@gmail.com> <root@tonbuntu>
 <soren.hansen@rackspace.com> <soren@linux2go.dk>
+<soren@linux2go.dk> <sorhanse@cisco.com>
 <throughnothing@gmail.com> <will.wolf@rackspace.com>
 <tim.simpson@rackspace.com> <tim.simpson4@gmail.com>
 <todd@ansolabs.com> <todd@lapex>
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index ac8cdca397..af3005149b 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -1718,6 +1718,10 @@ class IptablesFirewallTestCase(test.TestCase):
 'to_port': 81,
 'group_id': src_secgroup['id']})
+ db.security_group_rule_create(admin_ctxt,
+ {'parent_group_id': secgroup['id'],
+ 'group_id': src_secgroup['id']})
+
 db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
 secgroup['id'])
 db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
@@ -1798,6 +1802,9 @@ class IptablesFirewallTestCase(test.TestCase):
 '--dports 80:81 -s %s' % ip['address'])
 self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
 "TCP port 80/81 acceptance rule wasn't added")
+ regex = re.compile('-A .* -j ACCEPT -s %s' % ip['address'])
+ self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
+ "Protocol/port-less acceptance rule wasn't added")
 regex = re.compile('-A .* -j ACCEPT -p tcp '
 '-m multiport --dports 80:81 -s 192.168.10.0/24')
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index a41ece69fa..f0f1594938 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -300,7 +300,11 @@ class IptablesFirewallDriver(FirewallDriver):
 else:
 fw_rules = ipv6_rules
-protocol = rule.protocol.lower()
+protocol = rule.protocol
+
+if protocol:
+protocol = rule.protocol.lower()
+
 
 if version == 6 and protocol == 'icmp':
 protocol = 'icmpv6'
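Review bot: The new assertion's pattern `'-A .* -j ACCEPT -s %s' % ip['address']` does not pin down what the test is named for: it is unanchored at the end and the dots in the address are regex metacharacters, so any ACCEPT rule whose `-s` option is last and whose source merely resembles the address satisfies it. If the generated rule text ends with the address, `regex = re.compile('-A .* -j ACCEPT -s %s$' % re.escape(ip['address']))` proves that no `-p`/`--dports` follows and that exactly this address is matched. The neighbouring patterns in the file use the same unescaped, unanchored style, so this is consistent with the file rather than a regression; the test method begins and ends outside the hunk.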
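Review bot: Inside the new `if protocol:` branch the lowered value is read from `rule.protocol` a second time instead of from the local just bound from it; `protocol = protocol.lower()` keeps the guard and the use on the same value and makes the two statements read as one step. A short comment above the guard would also record why an unset protocol is legal here, since on its own the change looks like a defensive null check: `# Source-group rules may omit protocol and port; None means any protocol.` With protocol unset the rule will presumably be emitted without a `-p` match, i.e. it accepts all IP traffic from the source group, which is what the commit describes, but the port handling that follows is outside the hunk, so I cannot confirm from here that it likewise skips `--dports` when protocol is None. The enclosing method starts before and continues after this hunk.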