authorDeepak Garg <deepak.garg@citrix.com>2012-01-13 16:03:45 +0530
committerVishvananda Ishaya <vishvananda@gmail.com>2012-01-24 22:31:35 -0800
commitfe1c97ff4c36d1cc2642d9a485f82874e4b3bda2 (patch)
tree522e18112c95cb2006dbb6798af98ee9b11fa08c /nova/api
parent2594e480b2d90490a92865afbeecda35b29320d6 (diff)
Blueprint xenapi-provider-firewall and Bug #915403.
1. Provides dom0 IPtables driver to implement the Provider firewall rules. 2. Existing libvirt code has been refactored to reduce the amount of duplicated code to a minimum 3. The three provider apis in ec2/admin.py file are now fixed the following way: a. remove_external_address_block returned 'OK' on removing blocks which didn't exist. This is now fixed. b. block_external_addresses raised exception earlier on duplicate network blocks. Now the exception is logged and failed status message is returned. c. all the three provider apis now logs for invalid and improper inputs and return uniform (a dictionary ) and proper status messages for all cases. 4. appropriate unit tests added to cover the same Change-Id: I27d83186f850423a6268947aed0c9a349d8f8d65
Diffstat (limited to 'nova/api')
-rw-r--r--nova/api/ec2/admin.py41
1 files changed, 32 insertions, 9 deletions
diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py
index 80a30659d..4e81debe4 100644
--- a/nova/api/ec2/admin.py
+++ b/nova/api/ec2/admin.py
@@ -349,8 +349,15 @@ class AdminController(object):
LOG.audit(_('Blocking traffic to all projects incoming from %s'),
cidr, context=context)
cidr = urllib.unquote(cidr).decode()
- # raise if invalid
- netaddr.IPNetwork(cidr)
+ failed = {'status': 'Failed', 'message': ' 0 rules added'}
+ if not utils.is_valid_cidr(cidr):
+ msg = 'Improper input. Please provide a valid cidr: ' \
+ 'e.g. 121.12.10.11/24.'
+ failed['message'] = msg + failed['message']
+ return failed
+ #Normalizing cidr. e.g. '20.20.20.11/24' -> '20.20.20.0/24', so that
+ #db values stay in sync with filters' values (e.g. in iptables)
+ cidr = str(netaddr.IPNetwork(cidr).cidr)
rule = {'cidr': cidr}
tcp_rule = rule.copy()
tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535})
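Review bot: The invalid-CIDR branch introduced at `if not utils.is_valid_cidr(cidr):` returns the failed dict without logging anything, although the commit description says improper inputs are logged; the same silent return appears in the 'Duplicate Rule.' branch of the second hunk and in the matching branch of remove_external_address_block in the third hunk, whose comment even says "LOG for improper or malicious inputs". A line such as `LOG.warning(_('Rejected invalid cidr %s'), cidr, context=context)` before each `return failed` would give operators the trace the description promises (the `context=` keyword is assumed to be accepted, as the existing LOG.audit call above uses it). Separately, the LOG.audit on the first context line still records the raw, unvalidated string, so the audit trail shows the un-normalized input while the database stores `netaddr.IPNetwork(cidr).cidr`; logging the normalized value after the check would keep the two consistent. The enclosing method block_external_addresses starts before this hunk.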
@@ -370,7 +377,9 @@ class AdminController(object):
db.provider_fw_rule_create(context, icmp_rule)
rules_added += 1
if not rules_added:
- raise exception.ApiError(_('Duplicate rule'))
+ msg = 'Duplicate Rule.'
+ failed['message'] = msg + failed['message']
+ return failed
self.compute_api.trigger_provider_fw_rules_refresh(context)
return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
@@ -385,11 +394,25 @@ class AdminController(object):
def remove_external_address_block(self, context, cidr):
LOG.audit(_('Removing ip block from %s'), cidr, context=context)
cidr = urllib.unquote(cidr).decode()
- # raise if invalid
- netaddr.IPNetwork(cidr)
+ # Catch the exception and LOG for improper or malicious inputs.
+ # Also return a proper status and message in that case
+ failed = {'status': 'Failed', 'message': ' 0 rules deleted'}
+ if not utils.is_valid_cidr(cidr):
+ msg = 'Improper input. Please provide a valid cidr: ' \
+ 'e.g. 121.12.10.11/24.'
+ failed['message'] = msg + failed['message']
+ return failed
+ #Normalizing cidr. e.g. '20.20.20.11/24' -> '20.20.20.0/24', so that
+ #db values stay in sync with filters' values (e.g. in iptables)
+ cidr = str(netaddr.IPNetwork(cidr).cidr)
rules = db.provider_fw_rule_get_all_by_cidr(context, cidr)
- for rule in rules:
- db.provider_fw_rule_destroy(context, rule['id'])
- if rules:
+
+ if not rules:
+ msg = 'No such CIDR currently blocked.'
+ failed['message'] = msg + failed['message']
+ return failed
+ else:
+ for rule in rules:
+ db.provider_fw_rule_destroy(context, rule['id'])
self.compute_api.trigger_provider_fw_rules_refresh(context)
- return {'status': 'OK', 'message': 'Deleted %s rules' % len(rules)}
+ return {'status': 'OK', 'message': 'Deleted %s rules' % len(rules)}
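Review bot: The new comment "Catch the exception and LOG for improper or malicious inputs" does not describe the code below it: no exception is caught (the validity check is a plain `if not utils.is_valid_cidr(cidr):`) and no LOG call is made on that path. Either add the log line before `return failed` or reword the comment to `# Reject invalid input with a Failed status rather than raising`, so a reader is not led to look for a handler that does not exist. The `else:` after `return failed` is also redundant; dedenting the destroy loop and the trigger_provider_fw_rules_refresh call one level reads more clearly and does not change behaviour. The `return {'status': 'OK', ...}` line is unchanged apart from indentation, presumably because of that else block.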