NSX: Add check for ICMP code / type for NSX zones

2025-11-02 20:02:29 +01:00 · 2024-01-20 21:13:14 -05:00 · 2024-01-20 21:13:14 -05:00 · 08f6928cfc
commit 08f6928cfc
parent 330c99ca57
1 changed files with 27 additions and 0 deletions
--- a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
@ -22,12 +22,18 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;

 import javax.inject.Inject;
 import javax.naming.ConfigurationException;

+import com.cloud.dc.DataCenter;
+import com.cloud.network.dao.NsxProviderDao;
+import com.cloud.network.element.NsxProviderVO;
+import com.cloud.utils.db.EntityManager;
 import org.apache.cloudstack.api.command.user.firewall.IListFirewallRulesCmd;
 import org.apache.cloudstack.api.command.user.ipv6.ListIpv6FirewallRulesCmd;
 import org.apache.cloudstack.context.CallContext;
@ -137,6 +143,10 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
    NetworkDao _networkDao;
    @Inject
    VpcManager _vpcMgr;
+    @Inject
+    EntityManager entityManager;
+    @Inject
+    NsxProviderDao nsxProviderDao;
    List<FirewallServiceProvider> _firewallElements;

    List<PortForwardingServiceProvider> _pfElements;
@ -689,6 +699,9 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
        }

        for (FirewallRuleVO rule : rules) {
+            // validate rule - for NSX
+            long networkId = rule.getNetworkId();
+            validateNsxConstraints(networkId, rule.getProtocol(), rule.getIcmpType(), rule.getIcmpCode());
            // load cidrs if any
            rule.setSourceCidrList(_firewallCidrsDao.getSourceCidrs(rule.getId()));
            rule.setDestinationCidrsList(_firewallDcidrsDao.getDestCidrs(rule.getId()));
@ -710,6 +723,20 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
        return true;
    }

+    private void validateNsxConstraints(long networkId, String protocol, Integer icpmType, Integer icmpCode) {
+        final Network network = entityManager.findById(Network.class, networkId);
+        final DataCenter dc = entityManager.findById(DataCenter.class, network.getDataCenterId());
+        final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
+        if (Objects.isNull(nsxProvider)) {
+            return;
+        }
+        if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icpmType == -1 || icmpCode == -1)) {
+            String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
+            s_logger.error(errorMsg);
+            throw new InvalidParameterValueException(errorMsg);
+        }
+    }
+
    @Override
    public boolean applyDefaultEgressFirewallRule(Long networkId, boolean defaultPolicy, boolean add) throws ResourceUnavailableException {