Validate security group rules for port ranges

Port ranges validation has been done only for TCP and UDP.
Use the same validation logic for DCCP, SCTP and UDP-Lite, too.

APIImpact
DocImpact

Change-Id: Ife90be597d1a59a634d5474dad543dc1803e8242

neutron/db/securitygroups_db.py

@@ -444,7 +444,11 @@ def _validate_port_range(self, rule):
         if not rule['protocol']:
             raise ext_sg.SecurityGroupProtocolRequiredWithPorts()
         ip_proto = self._get_ip_proto_number(rule['protocol'])
-        if ip_proto in [constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP]:
+        # Not all firewall_driver support all these protocols,
+        # but being strict here doesn't hurt.
+        if ip_proto in [constants.PROTO_NUM_DCCP, constants.PROTO_NUM_SCTP,
+                        constants.PROTO_NUM_TCP, constants.PROTO_NUM_UDP,
+                        constants.PROTO_NUM_UDPLITE]:
             if rule['port_range_min'] == 0 or rule['port_range_max'] == 0:
                 raise ext_sg.SecurityGroupInvalidPortValue(port=0)
             elif (rule['port_range_min'] is not None and

neutron/tests/unit/db/test_securitygroups_db.py

@@ -440,3 +440,20 @@ def test__validate_port_range_for_icmp_exception(self):
                     {'port_range_min': pmin,
                      'port_range_max': pmax,
                      'protocol': protocol})
+
+    def test__validate_port_range_exception(self):
+        self.assertRaises(securitygroup.SecurityGroupInvalidPortValue,
+                          self.mixin._validate_port_range,
+                          {'port_range_min': 0,
+                           'port_range_max': None,
+                           'protocol': constants.PROTO_NAME_TCP})
+        self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
+                          self.mixin._validate_port_range,
+                          {'port_range_min': 1,
+                           'port_range_max': None,
+                           'protocol': constants.PROTO_NAME_SCTP})
+        self.assertRaises(securitygroup.SecurityGroupInvalidPortRange,
+                          self.mixin._validate_port_range,
+                          {'port_range_min': 1000,
+                           'port_range_max': 1,
+                           'protocol': constants.PROTO_NAME_UDPLITE})

releasenotes/notes/security-group-port-range-check-73114bdcde459e53.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - In security group rules API, API level validation for port_range values
+    has been performed only against TCP and UDP. Now it is performed
+    against DCCP, SCTP and UDP-Lite, too.