NSX: Fix custom ACL check (#2)

* NSX: Fix custom ACL check * NSX: Fix custom ACL check
2024-01-29 10:48:17 -05:00 · 2024-01-29 10:48:17 -05:00 · 228240fa49
parent 85bf6f239b
commit 228240fa49
1 changed files with 15 additions and 4 deletions
--- a/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
+++ b/server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java
@ -20,6 +20,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;

@ -344,7 +345,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
        if (isGlobalAcl(acl.getVpcId()) && !Account.Type.ADMIN.equals(caller.getType())) {
            throw new PermissionDeniedException("Only Root Admins can create rules for a global ACL.");
        }
-        validateNsxConstraints(acl.getVpcId(), icmpType);
+        validateNsxConstraints(acl.getVpcId(), protocol, icmpType, icmpCode, sourcePortStart, sourcePortEnd);
        validateAclRuleNumber(createNetworkACLCmd, acl);

        NetworkACLItem.Action ruleAction = validateAndCreateNetworkAclRuleAction(action);
@ -435,18 +436,27 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
        }
    }

-    private void validateNsxConstraints(Long vpcId, Integer icpmType) {
+    private void validateNsxConstraints(long vpcId, String protocol, Integer icmpType,
+                                        Integer icmpCode, Integer sourcePortStart, Integer sourcePortEnd) {
        VpcVO vpc = _vpcDao.findById(vpcId);
        final DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
        final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
        if (Objects.isNull(nsxProvider)) {
            return;
        }
-        if (icpmType == -1) {
+
+        if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icmpType == -1 || icmpCode == -1)) {
            String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
            s_logger.error(errorMsg);
            throw new InvalidParameterValueException(errorMsg);
        }
+
+        if (List.of(NetUtils.TCP_PROTO, NetUtils.UDP_PROTO).contains(protocol.toLowerCase(Locale.ROOT)) &&
+                (Objects.isNull(sourcePortStart) || Objects.isNull(sourcePortEnd))) {
+            String errorMsg = "Source start and end ports are required to be passed";
+            s_logger.error(errorMsg);
+            throw new InvalidParameterValueException(errorMsg);
+        }
    }

    /**
@ -838,7 +848,8 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ

        NetworkACL acl = _networkAclMgr.getNetworkACL(networkACLItemVo.getAclId());
        validateNetworkAcl(acl);
-        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getIcmpType());
+        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getProtocol(), networkACLItemVo.getIcmpType(),
+                networkACLItemVo.getIcmpCode(), networkACLItemVo.getSourcePortStart(), networkACLItemVo.getSourcePortEnd());
        Account account = CallContext.current().getCallingAccount();
        validateGlobalAclPermissionAndAclAssociatedToVpc(acl, account, "Only Root Admins can update global ACLs.");