Only invoke .lower() on non-None protocols

When using source group based security group rules (rather than CIDR based ones), it's permissible to not set a protocol and port. However, Nova would always try to convert the protocol to lower case, which would fail if the protocol wasn't set. Fixes bug 1010514 Change-Id: I9b1519a52ececd16a497acebfe022508cbe96126
openstack · Jun 11, 2012 · bbdf82c · bbdf82c
1 parent 3ea7dcc
commit bbdf82c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/.mailmap b/.mailmap
@@ -60,6 +60,7 @@
 <sandy.walsh@rackspace.com> <sandy@sandywalsh.com>
 <sleepsonthefloor@gmail.com> <root@tonbuntu>
 <soren.hansen@rackspace.com> <soren@linux2go.dk>
+<soren@linux2go.dk> <sorhanse@cisco.com>
 <throughnothing@gmail.com> <will.wolf@rackspace.com>
 <tim.simpson@rackspace.com> <tim.simpson4@gmail.com>
 <todd@ansolabs.com> <todd@lapex>

diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
@@ -1871,6 +1871,10 @@ def test_static_filters(self):
                                        'to_port': 81,
                                        'group_id': src_secgroup['id']})
 
+        db.security_group_rule_create(admin_ctxt,
+                                      {'parent_group_id': secgroup['id'],
+                                       'group_id': src_secgroup['id']})
+
         db.instance_add_security_group(admin_ctxt, instance_ref['uuid'],
                                        secgroup['id'])
         db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'],
@@ -1951,6 +1955,9 @@ def fake_iptables_execute(*cmd, **kwargs):
                                '--dports 80:81 -s %s' % ip['address'])
             self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                             "TCP port 80/81 acceptance rule wasn't added")
+            regex = re.compile('-A .* -j ACCEPT -s %s' % ip['address'])
+            self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
+                            "Protocol/port-less acceptance rule wasn't added")
 
         regex = re.compile('-A .* -j ACCEPT -p tcp '
                            '-m multiport --dports 80:81 -s 192.168.10.0/24')

diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
@@ -331,7 +331,11 @@ def instance_rules(self, instance, network_info):
                 else:
                     fw_rules = ipv6_rules
 
-                protocol = rule.protocol.lower()
+                protocol = rule.protocol
+
+                if protocol:
+                    protocol = rule.protocol.lower()
+
                 if version == 6 and protocol == 'icmp':
                     protocol = 'icmpv6'