Skip to content
This repository has been archived by the owner on Aug 1, 2023. It is now read-only.

Openstack: FWaaS rules do not support "any" protocol #605

Open
carlpett opened this issue Jul 6, 2016 · 2 comments
Open

Openstack: FWaaS rules do not support "any" protocol #605

carlpett opened this issue Jul 6, 2016 · 2 comments

Comments

@carlpett
Copy link
Contributor

carlpett commented Jul 6, 2016

Setting protocol "any" when creating a new rule gives an error

Expected HTTP response code [201 202] when accessing [POST https://OPENSTACK-PROVIDER:9696/v2.0/fw/firewall_rules], but got 400 instead {"NeutronError": {"message": "Firewall Rule protocol any is not supported. Only protocol values [None, 'tcp', 'udp', 'icmp'] and their integer representation (0 to 255) are supported.", "type": "FirewallRuleInvalidProtocol", "detail": ""}}

Setting protocol = "" gives A protocol is required (tcp, udp, icmp or any), and protocol = "0" (since the error message indicated that numerals would be accepted) gives Invalid input for protocol. Reason: '0' is not in [None, 'tcp', 'udp', 'icmp'].

I made a quick attempt at a fix, but it is not very pretty: https://gist.github.com/carlpett/cfef6867d2f5445774fb6a9ca6728efa. Also, it does not manage the read part, since that just passes the result into the pager.

Is there some better way to do the any to nil mapping, which Openstack seems to want?

@jtopjian
Copy link
Contributor

jtopjian commented Jul 8, 2016

@carlpett I think this is actually an upstream OpenStack FWaaS issue. The error message you're seeing is from Neutron and not Gophercloud.

According to the FWaaS code, "any" is really not supported:

https://github.com/openstack/neutron-fwaas/blob/905c798db15e0a02bffe2014013be99f9943f56f/neutron_fwaas/extensions/firewall.py#L170-L172

Edit: Ah - None. So having a nil/None/empty key of protocol allows for all protocols? In that case, maybe something like this will work in Gophercloud:

if opts.Protocol != "" {
    r["protocol"] = opts.Protocol
} else {
    r["protocol"] = nil
}

Which is almost exactly what you have in your gist 😄

@carlpett
Copy link
Contributor Author

@jtopjian Yep 😄
I guess the question is if it is preferrable for the user to explicitly say "any", or if it should be the default. I guess having it as the default (which would be the result of your snippet, right?) would be easier, even if it might be a bit unexpected. Can be solved by documentation, of course.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants