authorSoren Hansen <sorhanse@cisco.com>2012-06-11 09:23:33 +0200
committerSoren Hansen <sorhanse@cisco.com>2012-06-11 11:37:30 +0200
commitbbdf82c5ec3e31a5dc43948291c4f37ce1098714 (patch)
treef9637239d753b9a31870b22b5f31333e490d3ce2
parent3ea7dcc6432d6247cb1dc536c31684b595841633 (diff)
downloadnova-bbdf82c5ec3e31a5dc43948291c4f37ce1098714.tar.gz
nova-bbdf82c5ec3e31a5dc43948291c4f37ce1098714.tar.xz
nova-bbdf82c5ec3e31a5dc43948291c4f37ce1098714.zip
Only invoke .lower() on non-None protocols
When using source group based security group rules (rather than CIDR based ones), it's permissible to not set a protocol and port. However, Nova would always try to convert the protocol to lower case, which would fail if the protocol wasn't set. Fixes bug 1010514 Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126
-rw-r--r--.mailmap1
-rw-r--r--nova/tests/test_libvirt.py7
-rw-r--r--nova/virt/firewall.py6
3 files changed, 13 insertions, 1 deletions
diff --git a/.mailmap b/.mailmap
index 9e3badb65..5fcd106ed 100644
--- a/.mailmap
+++ b/.mailmap
@@ -60,6 +60,7 @@
<sandy.walsh@rackspace.com> <sandy@sandywalsh.com>
<sleepsonthefloor@gmail.com> <root@tonbuntu>
<soren.hansen@rackspace.com> <soren@linux2go.dk>
+<soren@linux2go.dk> <sorhanse@cisco.com>
<throughnothing@gmail.com> <will.wolf@rackspace.com>
<tim.simpson@rackspace.com> <tim.simpson4@gmail.com>
<todd@ansolabs.com> <todd@lapex>
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index ef2374fca..937c47867 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -1871,6 +1871,10 @@ class IptablesFirewallTestCase(test.TestCase):
'to_port': 81,
'group_id': src_secgroup['id']})
+ db.security_group_rule_create(admin_ctxt,
+ {'parent_group_id': secgroup['id'],
+ 'group_id': src_secgroup['id']})
+
db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
secgroup['id'])
db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
@@ -1951,6 +1955,9 @@ class IptablesFirewallTestCase(test.TestCase):
'--dports 80:81 -s %s' % ip['address'])
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
"TCP port 80/81 acceptance rule wasn't added")
+ regex = re.compile('-A .* -j ACCEPT -s %s' % ip['address'])
+ self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
+ "Protocol/port-less acceptance rule wasn't added")
regex = re.compile('-A .* -j ACCEPT -p tcp '
'-m multiport --dports 80:81 -s 192.168.10.0/24')
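Review bot: The added pattern `'-A .* -j ACCEPT -s %s' % ip['address']` interpolates the address unescaped and has no end anchor, so with `regex.match` the dots act as wildcards and a rule for a longer address sharing the same prefix would also satisfy the assertion. Because this assertion is the only check that the protocol-less rule is scoped to the source group's member address, a tighter pattern is worth it: `regex = re.compile('-A .* -j ACCEPT -s %s' % re.escape(ip['address']))`, plus a trailing `$` if the emitted rule text ends at the address. The neighbouring assertions build their patterns the same way, and the test method starts and ends outside this hunk.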
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index be6a0f7c9..89559a829 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -331,7 +331,11 @@ class IptablesFirewallDriver(FirewallDriver):
else:
fw_rules = ipv6_rules
- protocol = rule.protocol.lower()
+ protocol = rule.protocol
+
+ if protocol:
+ protocol = rule.protocol.lower()
+
if version == 6 and protocol == 'icmp':
protocol = 'icmpv6'
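Review bot: The new `if protocol:` guard lets a rule with no protocol continue through the rest of this function, and nothing in the hunk restricts that to source-group rules, the only case the commit message describes as permissible. Judging by the test's expected `-A .* -j ACCEPT -s <address>`, such a rule appears to be emitted with no protocol or port match, so it accepts all traffic from that source. If a CIDR-based rule could ever arrive here with the protocol unset it would presumably get the same treatment, so either check explicitly that the rule is group-based or add a comment such as `# protocol is None only for source-group rules; the rule then matches every protocol and port`. Inside the guard, `protocol = protocol.lower()` would avoid reading `rule.protocol` a second time. The function body starts and ends outside the hunk, so the later handling of a None protocol is not visible here.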