NSX: Add appropriate error message when icmp type is set to -1 for NSX

server/src/main/java/com/cloud/network/vpc/NetworkACLServiceImpl.java

@@ -21,10 +21,14 @@ import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import javax.inject.Inject;
 
+import com.cloud.dc.DataCenter;
 import com.cloud.exception.PermissionDeniedException;
+import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.element.NsxProviderVO;
 import org.apache.cloudstack.api.ApiErrorCode;
 import org.apache.cloudstack.api.ServerApiException;
 import org.apache.cloudstack.api.command.user.network.CreateNetworkACLCmd;
@@ -99,6 +103,10 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
     private VpcDao _vpcDao;
     @Inject
     private VpcService _vpcSvc;
+    @Inject
+    private NsxProviderDao nsxProviderDao;
+    @Inject
+    private NetworkACLDao networkACLDao;
 
     private String supportedProtocolsForAclRules = "tcp,udp,icmp,all";
 
@@ -338,6 +346,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         if (isGlobalAcl(acl.getVpcId()) && !Account.Type.ADMIN.equals(caller.getType())) {
             throw new PermissionDeniedException("Only Root Admins can create rules for a global ACL.");
         }
+        validateNsxConstraints(acl.getVpcId(), icmpType);
         validateAclRuleNumber(createNetworkACLCmd, acl);
 
         NetworkACLItem.Action ruleAction = validateAndCreateNetworkAclRuleAction(action);
@@ -428,6 +437,18 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
         }
     }
 
+    private void validateNsxConstraints(Long vpcId, Integer icpmType) {
+        VpcVO vpc = _vpcDao.findById(vpcId);
+        final DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId());
+        final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
+        if (Objects.isNull(nsxProvider)) {
+            return;
+        }
+        if (icpmType == -1) {
+            throw new InvalidParameterValueException("Passing -1 for ICMP type is not supported for NSX enabled zones");
+        }
+    }
+
     /**
      * This methods will simply return the ACL rule list ID if it has been provided by the parameter 'createNetworkACLCmd'.
      * If no ACL rule List ID has been provided the method behave as follows:
@@ -817,7 +838,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ
 
         NetworkACL acl = _networkAclMgr.getNetworkACL(networkACLItemVo.getAclId());
         validateNetworkAcl(acl);
-
+        validateNsxConstraints(acl.getVpcId(), networkACLItemVo.getIcmpType());
         Account account = CallContext.current().getCallingAccount();
         validateGlobalAclPermissionAndAclAssociatedToVpc(acl, account, "Only Root Admins can update global ACLs.");
 

ui/public/locales/en.json

@@ -15,8 +15,8 @@
 "error.release.dedicate.zone": "Failed to release dedicated zone.",
 "error.unable.to.proceed": "Unable to proceed. Please contact your administrator.",
 "firewall.close": "Firewall",
-"icmp.code.desc": "Please specify -1 if you want to allow all ICMP codes.",
-"icmp.type.desc": "Please specify -1 if you want to allow all ICMP types.",
+"icmp.code.desc": "Please specify -1 if you want to allow all ICMP codes for non-NSX zones.",
+"icmp.type.desc": "Please specify -1 if you want to allow all ICMP types for non-NSX zones.",
 "inline": "Inline",
 "label.about": "About",
 "label.about.app": "About CloudStack",