From a29d498b490b4a873e50b8729e439fc714189b11 Mon Sep 17 00:00:00 2001
From: asarfaty
Date: Thu, 4 Jun 2020 11:56:49 +0200
Subject: [PATCH] NSX|V3+P: Support ipv4 CIDR in allowed address pairs

Change-Id: Ifabf9451cd0d530677c8cb7da7d76a6878e5fae5
---
 vmware_nsx/plugins/common_v3/plugin.py | 26 +++++++++++++++++++++-----
 vmware_nsx/plugins/nsx_p/plugin.py | 4 ++++
 vmware_nsx/plugins/nsx_v3/plugin.py | 4 ++++
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/vmware_nsx/plugins/common_v3/plugin.py b/vmware_nsx/plugins/common_v3/plugin.py
index a2047a6711..34e68e2603 100644
--- a/vmware_nsx/plugins/common_v3/plugin.py
+++ b/vmware_nsx/plugins/common_v3/plugin.py
@@ -320,6 +320,10 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             return fixed
         return mac
 
+    def _support_address_pairs_ipv4_cidr(self):
+        """Can be implemented by each plugin"""
+        return False
+
     def _validate_address_pairs(self, address_pairs, fixed_ips=None):
         port_ips = []
         if fixed_ips:
@@ -330,9 +334,10 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
         for pair in address_pairs:
             ip = pair.get('ip_address')
             if ':' in ip:
-                # Validate ipv6 cidrs:
+                # IPv6 address pair
                 ip_split = ip.split('/')
                 if len(ip_split) > 1 and ip_split[1] != '128':
+                    # Validate ipv6 CIDR
                     try:
                         ipaddress.ip_network(ip)
                     except ValueError:
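Review bot: The new base-class hook `_support_address_pairs_ipv4_cidr` is documented only as "Can be implemented by each plugin", which says nothing about what its answer controls; `_validate_address_pairs` uses it to decide whether an IPv4 CIDR in an allowed address pair is accepted or rejected, so the docstring should state that contract and why the base default is the conservative False. Something like `"""Return True if the backend can enforce IPv4 CIDR allowed address pairs. The base class assumes it cannot, so IPv4 pairs stay limited to /32 unless a plugin overrides this."""`, wrapped to the file's line length. `_validate_address_pairs` continues past the end of this hunk.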
@@ -341,11 +346,22 @@ class NsxPluginV3Base(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                                      "have host bits set") % ip)
                         raise n_exc.InvalidInput(error_message=err_msg)
             else:
-                # Validate ipv4 cidrs (No limitation on ipv6):
+                # IPv4 address pair
                 if len(ip.split('/')) > 1 and ip.split('/')[1] != '32':
-                    LOG.error("Cidr %s is not supported in allowed address "
-                              "pairs", ip)
-                    raise nsx_exc.InvalidIPAddress(ip_address=ip)
+                    if self._support_address_pairs_ipv4_cidr():
+                        # validate host bits
+                        try:
+                            ipaddress.ip_network(ip)
+                        except ValueError:
+                            # This means the host bits are set
+                            err_msg = (_("Allowed address pairs Cidr %s "
+                                         "cannot have host bits set") % ip)
+                            raise n_exc.InvalidInput(error_message=err_msg)
+                    else:
+                        # IPv4 CIDR is not allowed
+                        LOG.error("Cidr %s is not supported in allowed "
+                                  "address pairs", ip)
+                        raise nsx_exc.InvalidIPAddress(ip_address=ip)
             if ip in port_ips:
                 err_msg = (_("Port cannot have duplicate values %s as part of "
                              "port manual bindings") % ip)
diff --git a/vmware_nsx/plugins/nsx_p/plugin.py b/vmware_nsx/plugins/nsx_p/plugin.py
index 9a7057bab0..e9e0a6d05d 100644
--- a/vmware_nsx/plugins/nsx_p/plugin.py
+++ b/vmware_nsx/plugins/nsx_p/plugin.py
@@ -4182,3 +4182,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
             if tz_uuid not in ec_tzs:
                 return False
         return True
+
+    def _support_address_pairs_ipv4_cidr(self):
+        return self.nsxpolicy.feature_supported(
+            nsxlib_consts.FEATURE_SPOOFGUARD_CIDR)
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 595d37a7d4..931f18bd19 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -3277,3 +3277,7 @@ class NsxV3Plugin(nsx_plugin_common.NsxPluginV3Base,
             if tz_uuid not in ec_tzs:
                 return False
         return True
+
+    def _support_address_pairs_ipv4_cidr(self):
+        return self.nsxlib.feature_supported(
+            nsxlib_consts.FEATURE_SPOOFGUARD_CIDR)
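Review bot: The new IPv4 branch accepts any CIDR that `ipaddress.ip_network(ip)` parses, so a tenant-supplied `0.0.0.0/0` (or any very short prefix) passes validation and, if the backend programs it into spoofguard as-is, effectively turns off source-IP anti-spoofing for that port; only host bits are checked, never prefix length. Unless a wide-open pair is the intended semantics, consider rejecting prefixes below an operator-configurable minimum next to the host-bits check, e.g. `if ipaddress.ip_network(ip).prefixlen == 0: raise n_exc.InvalidInput(error_message=_("Allowed address pairs Cidr %s is too wide") % ip)`. Minor: `ip.split('/')` is evaluated twice in the condition while the IPv6 branch above already keeps the split in `ip_split`; the IPv4 branch could do the same, and the `LOG.error` for a rejected user value reads more like a warning than an operator fault. `_validate_address_pairs` begins before this hunk.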
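Review bot: The added `_support_address_pairs_ipv4_cidr` override in the Policy plugin has no docstring, so a reader cannot tell that the answer depends on the connected NSX manager's version rather than on configuration; a one-liner such as `"""IPv4 CIDR address pairs need a Policy backend with spoofguard CIDR support."""` would make that dependency explicit. The method that precedes the addition ends inside this hunk but starts outside it.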
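Review bot: `nsxlib_consts.FEATURE_SPOOFGUARD_CIDR` is resolved at call time inside the new method, so with an installed vmware-nsxlib that predates the constant the failure is an `AttributeError` on the first port create/update with address pairs rather than at import; if the constant is new in nsxlib, the project's minimum nsxlib requirement should be raised in the same change so the mismatch fails fast. The requirements file and this module's imports are not visible here, so this is to be confirmed. The method that precedes the addition starts outside the hunk.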