Disallow a Firewall rule without both service and servicegroup specified

Bug #1743641 reported by Senthilnathan Murugappan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
Trunk | Fix Committed | Undecided | Édouard Thuleau |

Bug Description

Config needs to disallow a Firewall rule without both service and servicegroup specified.

{
  "firewall-rule": {
    "direction": "<>",
    "parent_uuid": "a52caf0e-d98c-4a68-b9f9-7b1102cee7ce",
    "action_list": {
      "gateway_name": null,
      "log": false,
      "alert": false,
      "qos_action": null,
      "assign_routing_instance": null,
      "mirror_to": null,
      "simple_action": "pass",
      "apply_service": []
    },
    "parent_href": "https://10.84.7.18:8143/proxy?proxyURL=http://10.84.7.18:8082/policy-management/a52caf0e-d98c-4a68-b9f9-7b1102cee7ce",
    "parent_type": "policy-management",
    "href": "https://10.84.7.18:8143/proxy?proxyURL=http://10.84.7.18:8082/firewall-rule/5e33c3b4-0ec1-4205-89b8-7db75520b920",
    "id_perms": {
      "enable": true,
      "description": null,
      "creator": null,
      "created": "2018-01-16T19:35:58.395332",
      "user_visible": true,
      "last_modified": "2018-01-16T19:43:34.463893",
      "permissions": {
        "owner": "ctest-TestFirewallBasic-11113808",
        "owner_access": 7,
        "other_access": 7,
        "group": "admin",
        "group_access": 7
      },
      "uuid": {
        "uuid_mslong": 6787984241486546000,
        "uuid_lslong": 9923820005271583000
      }
    },
    "fq_name": [
      "default-policy-management",
      "ctest-TestFirewallBasic-11113808-39826813"
    ],
    "match_tags": {
      "tag_list": [
        "deployment"
      ]
    },
    "name": "ctest-TestFirewallBasic-11113808-39826813",
    "match_tag_types": {
      "tag_type": [
        3
      ]
    },
    "endpoint_1": {
      "subnet": null,
      "tags": [
        "global:site=blr"
      ],
      "address_group": null,
      "tag_ids": [
        262346
      ],
      "virtual_network": null,
      "any": false
    },
    "endpoint_2": {
      "subnet": null,
      "tags": [
        "global:site=blr"
      ],
      "address_group": null,
      "tag_ids": [
        262346
      ],
      "virtual_network": null,
      "any": false
    },
    "display_name": "ctest-TestFirewallBasic-11113808-39826813",
    "uuid": "5e33c3b4-0ec1-4205-89b8-7db75520b920",
    "tag_refs": [
      {
        "to": [
          "site=blr"
        ],
        "href": "https://10.84.7.18:8143/proxy?proxyURL=http://10.84.7.18:8082/tag/62ee7b10-4411-48c1-9769-367853dc716c",
        "attr": null,
        "uuid": "62ee7b10-4411-48c1-9769-367853dc716c"
      }
    ],
    "perms2": {
      "owner": "cloud-admin",
      "owner_access": 7,
      "global_access": 0,
      "share": []
    },
    "firewall_policy_back_refs": [
      {
        "to": [
          "default-domain",
          "ctest-TestFirewallBasic-11113808",
          "ctest-TestFirewallBasic-11113808-01131362"
        ],
        "href": "https://10.84.7.18:8143/proxy?proxyURL=http://10.84.7.18:8082/firewall-policy/7e65253c-0ce2-4ab8-a2d3-14888e517a37",
        "attr": {
          "sequence": "20"
        },
        "uuid": "7e65253c-0ce2-4ab8-a2d3-14888e517a37"
      },
      {
        "to": [
          "default-policy-management",
          "ctest-TestFirewallBasic-11113808-83007885"
        ],
        "href": "https://10.84.7.18:8143/proxy?proxyURL=http://10.84.7.18:8082/firewall-policy/ec2e6595-fd82-4998-975d-a1411290edea",
        "attr": {
          "sequence": "20"
        },
        "uuid": "ec2e6595-fd82-4998-975d-a1411290edea"
      }
    ]
  }
}

Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: Sachin Bansal (sbansal) → Édouard Thuleau (ethuleau)
information type: Proprietary → Public
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/39186
Submitter: Édouard Thuleau (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/39186
Committed: http://github.com/Juniper/contrail-controller/commit/4058f109f4ef86d271532be4ee3e5a59d7498afc
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 4058f109f4ef86d271532be4ee3e5a59d7498afc
Author: Édouard Thuleau <email address hidden>
Date: Wed Jan 24 12:29:31 2018 +0100

[config] Firewall rule needs at least defined service

The firewall rule resource can have a defined service (i.e. protocol
and ports) or reference a service group, which can define a list of
services. That patch requires that at least one of them is defined to
create a firewall rule, and also forbids defining both.

Change-Id: I0c0b9d8b18226f97ca68e49d9876383262f887c3
Closes-Bug: #1743641
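
The constraint the commit message describes (exactly one of an inline service or a service group reference), sketched as a create/update check. This is an added example, not the code from the merged change; the field names `service` and `service_group_refs`, the function names and the sample payloads are assumptions, and the update case generalizes beyond the create case the message mentions.

```python
"""Exactly-one-of check for a firewall-rule payload (illustrative sketch)."""

# Assumed field names (not shown on this page): an inline "service" dict and
# a "service_group_refs" list of references to service-group objects.
SERVICE = "service"
SERVICE_GROUP_REFS = "service_group_refs"


def check_service(rule):
    """Return (ok, message) for a complete firewall-rule dict."""
    # A missing key, null, {} and [] all count as "not specified".
    has_service = bool(rule.get(SERVICE))
    has_group = bool(rule.get(SERVICE_GROUP_REFS))
    if not has_service and not has_group:
        return False, "firewall rule needs a service or a service group"
    if has_service and has_group:
        return False, "firewall rule cannot define both service and service group"
    return True, ""


def check_update(stored, update):
    """Validate a partial update against the rule as it would be stored.

    Keys present in the update (even with a null value) override the stored
    ones; keys absent from the update keep the stored value.
    """
    merged = dict(stored)
    merged.update(update)
    return check_service(merged)


if __name__ == "__main__":
    # Constructed payloads, reduced to the fields the check reads.
    bare = {"name": "r1", "action_list": {"simple_action": "pass"}}
    inline = dict(bare, service={"protocol": "tcp"})
    group_refs = [{"to": ["default-policy-management", "web"]}]
    grouped = dict(bare, service_group_refs=group_refs)
    for label, rule in (("bare", bare), ("inline", inline), ("group", grouped)):
        print(label, check_service(rule))
    # Switching an inline rule to a group is rejected unless the update
    # also clears the inline service.
    print(check_update(inline, {"service_group_refs": group_refs}))
    print(check_update(inline, {"service": None,
                                "service_group_refs": group_refs}))
```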
