From fe1c97ff4c36d1cc2642d9a485f82874e4b3bda2 Mon Sep 17 00:00:00 2001
From: Deepak Garg
Date: Fri, 13 Jan 2012 16:03:45 +0530
Subject: Blueprint xenapi-provider-firewall and Bug #915403.
1. Provides dom0 IPtables driver to implement the Provider firewall rules.
2. Existing libvirt code has been refactored to reduce the amount of duplicated code to a minimum
3. The three provider apis in ec2/admin.py file are now fixed the following way:
a. remove_external_address_block returned 'OK' on removing blocks which didn't exist. This is now fixed.
b. block_external_addresses raised exception earlier on duplicate network blocks. Now the exception is logged and failed status message is returned.
c. all the three provider apis now logs for invalid and improper inputs and return uniform (a dictionary ) and proper status messages for all cases.
4. appropriate unit tests added to cover the same
Change-Id: I27d83186f850423a6268947aed0c9a349d8f8d65
---
 nova/api/ec2/admin.py | 41 ++++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)
(limited to 'nova/api')
diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py
index 80a30659d..4e81debe4 100644
--- a/nova/api/ec2/admin.py
+++ b/nova/api/ec2/admin.py
@@ -349,8 +349,15 @@ class AdminController(object):
         LOG.audit(_('Blocking traffic to all projects incoming from %s'),
                   cidr, context=context)
         cidr = urllib.unquote(cidr).decode()
-        # raise if invalid
-        netaddr.IPNetwork(cidr)
+        failed = {'status': 'Failed', 'message': ' 0 rules added'}
+        if not utils.is_valid_cidr(cidr):
+            msg = 'Improper input. Please provide a valid cidr: ' \
+                  'e.g. 121.12.10.11/24.'
+            failed['message'] = msg + failed['message']
+            return failed
+        #Normalizing cidr. e.g. '20.20.20.11/24' -> '20.20.20.0/24', so that
+        #db values stay in sync with filters' values (e.g. in iptables)
+        cidr = str(netaddr.IPNetwork(cidr).cidr)
         rule = {'cidr': cidr}
         tcp_rule = rule.copy()
         tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535})
@@ -370,7 +377,9 @@ class AdminController(object):
             db.provider_fw_rule_create(context, icmp_rule)
             rules_added += 1
         if not rules_added:
-            raise exception.ApiError(_('Duplicate rule'))
+            msg = 'Duplicate Rule.'
+            failed['message'] = msg + failed['message']
+            return failed
         self.compute_api.trigger_provider_fw_rules_refresh(context)
         return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
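Review bot: The invalid-cidr branch returns `failed` without logging anything, even though the audit call above it has already recorded the raw, unvalidated value, so a rejected request leaves no trace beyond the returned dict. A line such as `LOG.warning(_('Rejected invalid cidr %s'), cidr, context=context)` before `return failed` would make repeated malformed input visible to operators; the same applies to the duplicate path in the second hunk and to both failure paths in the third hunk. The 'OK' message also never mentions the normalized cidr, so a caller passing `121.12.10.11/24` cannot tell that `121.12.10.0/24` is what was stored; `'message': 'Added %s rules for %s' % (rules_added, cidr)` would make that explicit. block_external_addresses starts before this hunk, and the loop that increments rules_added lies between the two hunks.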
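Review bot: `if not rules_added` reports 'Duplicate Rule.' only when none of the rules could be created; if, as the tcp/udp/icmp setup in the first hunk suggests, a cidr can already be partially present, a request that adds one rule and skips the rest returns 'OK' with 'Added 1 rules' and the partial overlap is never surfaced. If that is intended, a comment such as `# Partial duplicates count as success; only a fully duplicated block is reported` above the check would document it; otherwise compare rules_added against the number of rules attempted. The loop that sets rules_added lies between the two hunks, so the attempted count is not visible here.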
@@ -385,11 +394,25 @@ class AdminController(object):
     def remove_external_address_block(self, context, cidr):
         LOG.audit(_('Removing ip block from %s'), cidr, context=context)
         cidr = urllib.unquote(cidr).decode()
-        # raise if invalid
-        netaddr.IPNetwork(cidr)
+        # Catch the exception and LOG for improper or malicious inputs.
+        # Also return a proper status and message in that case
+        failed = {'status': 'Failed', 'message': ' 0 rules deleted'}
+        if not utils.is_valid_cidr(cidr):
+            msg = 'Improper input. Please provide a valid cidr: ' \
+                  'e.g. 121.12.10.11/24.'
+            failed['message'] = msg + failed['message']
+            return failed
+        #Normalizing cidr. e.g. '20.20.20.11/24' -> '20.20.20.0/24', so that
+        #db values stay in sync with filters' values (e.g. in iptables)
+        cidr = str(netaddr.IPNetwork(cidr).cidr)
         rules = db.provider_fw_rule_get_all_by_cidr(context, cidr)
-        for rule in rules:
-            db.provider_fw_rule_destroy(context, rule['id'])
-        if rules:
+
+        if not rules:
+            msg = 'No such CIDR currently blocked.'
+            failed['message'] = msg + failed['message']
+            return failed
+        else:
+            for rule in rules:
+                db.provider_fw_rule_destroy(context, rule['id'])
             self.compute_api.trigger_provider_fw_rules_refresh(context)
-            return {'status': 'OK', 'message': 'Deleted %s rules' % len(rules)}
+        return {'status': 'OK', 'message': 'Deleted %s rules' % len(rules)}
-- cgit
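Review bot: The added comment promises to "Catch the exception and LOG for improper or malicious inputs", but neither failure path below it logs anything; only the audit call above, which runs before validation, records the value. Either add a `LOG.warning(...)` before each `return failed` or reword the comment to `# Reject invalid input and report it in the returned status instead of raising` so the comment matches the code. The `else:` after `return failed` is redundant, and dropping it lets the for loop and the refresh call sit at the function's body level instead of one indent deeper. The failure messages are assembled by prepending to `' 0 rules deleted'`; a single format such as `'%s 0 rules deleted' % msg` would make the leading-space convention less fragile.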