FWaas: Handle rules with protocol any
If the user specifies protocol any via the FWaaS OpenStack API we end up
with a rule having protocol None. With the old behavior this results in
an empty protocol field, which is not accepted by our hardware router.
Hence, we have to provide a protocol for the ACL. If we don't want to
specify a protocol (tcp, udp, icmp), we need to specify the address
family ("ip") instead, so we now default to that value.

Leaving out the protocol tag from the netconf yang does not work. It is
accepted by the device (i.e. the YANG stack), but with the empty
protocol field, the YANG stack replaces this with the value "any" (which
I would have done as well if I hadn't read the Cisco device help) and
the IOS-XE cli does not accept any as a valid value here, resulting in a
<bad-cli> error.
sebageek committed Jan 14, 2025
1 parent 29b2e38 commit bf0a69b
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions asr1k_neutron_l3/models/neutron/l3/firewall.py
Expand Up @@ -84,6 +84,10 @@ def __init__(self, policy_id: str, rules: List[dict]):
'protocol': rule['protocol']
}

if rule_args['protocol'] is None:
# protocol "any" on IPv4 means we need to specify protocol 'ip'
rule_args['protocol'] = 'ip'

# check if there is an IP address/CIDR for each direction
# if so do the whole mask, wildcard dance
for direction in ('source', 'destination'):
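
Review bot: The comment on the new `if rule_args['protocol'] is None:` branch limits the 'ip' default to IPv4, but the condition itself never looks at the rule's address family, so every rule with protocol None is rewritten to 'ip'. If IPv6 rules can reach this constructor, guard the default on the rule's IP version; if they cannot, reword the comment so it says the default applies to every rule handled here. The commit changes only firewall.py, so a unit test that builds a rule with protocol None and checks the resulting 'ip' value would pin the behaviour down.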