NSX: Add check for ICMP code / type for NSX zones

server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java

@@ -22,12 +22,18 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.dc.DataCenter;
+import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.element.NsxProviderVO;
+import com.cloud.utils.db.EntityManager;
 import org.apache.cloudstack.api.command.user.firewall.IListFirewallRulesCmd;
 import org.apache.cloudstack.api.command.user.ipv6.ListIpv6FirewallRulesCmd;
 import org.apache.cloudstack.context.CallContext;
@@ -137,6 +143,10 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
     NetworkDao _networkDao;
     @Inject
     VpcManager _vpcMgr;
+    @Inject
+    EntityManager entityManager;
+    @Inject
+    NsxProviderDao nsxProviderDao;
     List<FirewallServiceProvider> _firewallElements;
 
     List<PortForwardingServiceProvider> _pfElements;
@@ -689,6 +699,9 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         }
 
         for (FirewallRuleVO rule : rules) {
+            // validate rule - for NSX
+            long networkId = rule.getNetworkId();
+            validateNsxConstraints(networkId, rule.getProtocol(), rule.getIcmpType(), rule.getIcmpCode());
             // load cidrs if any
             rule.setSourceCidrList(_firewallCidrsDao.getSourceCidrs(rule.getId()));
             rule.setDestinationCidrsList(_firewallDcidrsDao.getDestCidrs(rule.getId()));
@@ -710,6 +723,20 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
         return true;
     }
 
+    private void validateNsxConstraints(long networkId, String protocol, Integer icpmType, Integer icmpCode) {
+        final Network network = entityManager.findById(Network.class, networkId);
+        final DataCenter dc = entityManager.findById(DataCenter.class, network.getDataCenterId());
+        final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
+        if (Objects.isNull(nsxProvider)) {
+            return;
+        }
+        if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icpmType == -1 || icmpCode == -1)) {
+            String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
+            s_logger.error(errorMsg);
+            throw new InvalidParameterValueException(errorMsg);
+        }
+    }
+
     @Override
     public boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy, boolean add) throws ResourceUnavailableException {