* Match label 'or' subnet in address-group.

Current Agent matches label and subnet group in case of address-group, expectation is packet should either match subnet or label, correcting the same. Test case for same. Change-Id: I12946f156f5e3c131f67ef61339900b7f5498616 Closes-bug: #1733684
Juniper · Dec 5, 2017 · dab4dc3 · dab4dc3
1 parent 12bad88
commit dab4dc3
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/src/vnsw/agent/filter/acl_entry.cc b/src/vnsw/agent/filter/acl_entry.cc
@@ -471,6 +471,20 @@ static bool SubnetMatch(const std::vector<AclAddressInfo> &list,
     return false;
 }
 
+bool AddressMatch::AddressGroupMatch(const IpAddress &data,
+                                     const TagList &tag_list) const {
+
+    if (TagsMatch(tag_list)) {
+        return true;
+    }
+
+    if (ip_list_.size() && SubnetMatch(ip_list_, data)) {
+        return true;
+    }
+
+    return false;
+}
+
 bool AddressMatch::Match(const PacketHeader *pheader,
                          FlowPolicyInfo *info) const
 {
@@ -498,8 +512,7 @@ bool AddressMatch::Match(const PacketHeader *pheader,
         } else if (addr_type_ == TAGS) {
             return TagsMatch(pheader->src_tags_);
         } else if (addr_type_ == ADDRESS_GROUP) {
-            return (SubnetMatch(ip_list_, pheader->src_ip) &&
-                    TagsMatch(pheader->src_tags_));
+            return AddressGroupMatch(pheader->src_ip, pheader->src_tags_);
         }
     } else { 
         if (addr_type_ == IP_ADDR) {
@@ -522,8 +535,7 @@ bool AddressMatch::Match(const PacketHeader *pheader,
         } else if (addr_type_ == TAGS) {
             return TagsMatch(pheader->dst_tags_);
         } else if (addr_type_ == ADDRESS_GROUP) {
-            return (SubnetMatch(ip_list_, pheader->dst_ip) &&
-                    TagsMatch(pheader->dst_tags_));
+            return AddressGroupMatch(pheader->dst_ip, pheader->dst_tags_);
         }
     }
     return false;

diff --git a/src/vnsw/agent/filter/acl_entry_match.h b/src/vnsw/agent/filter/acl_entry_match.h
@@ -255,5 +255,6 @@ class AddressMatch : public AclEntryMatch {
     bool SGMatch(const SecurityGroupList &sg_l, int id) const;
     bool SGMatch(const SecurityGroupList *sg_l, int id) const;
     bool TagsMatch(const TagList &tags) const;
+    bool AddressGroupMatch(const IpAddress &ip, const TagList &tags) const;
 };
 #endif
diff --git a/src/vnsw/agent/filter/test/test_firewall_policy.cc b/src/vnsw/agent/filter/test/test_firewall_policy.cc
@@ -606,15 +606,19 @@ TEST_F(FirewallPolicy, Test10) {
     EXPECT_EQ(am->ip_list_size(), 3);
 
     PacketHeader *packet1 = new PacketHeader();
+    packet1->src_ip = Ip4Address::from_string("17.1.1.1");
+    packet1->dst_ip = Ip4Address::from_string("1.8.8.8");
     packet1->src_tags_.push_back(100);
     packet1->dst_tags_.push_back(100);
     MatchAclParams m_acl;
-    EXPECT_FALSE(acl->PacketMatch(*packet1, m_acl, NULL));
+    EXPECT_TRUE(acl->PacketMatch(*packet1, m_acl, NULL));
 
     packet1->src_ip = Ip4Address::from_string("16.1.1.1");
     packet1->dst_ip = Ip4Address::from_string("8.8.8.8");
     EXPECT_TRUE(acl->PacketMatch(*packet1, m_acl, NULL));
 
+    packet1->src_ip = Ip4Address::from_string("17.1.1.1");
+    packet1->dst_ip = Ip4Address::from_string("1.8.8.8");
     packet1->src_tags_.clear();
     packet1->dst_tags_.clear();
     EXPECT_FALSE(acl->PacketMatch(*packet1, m_acl, NULL));