Issue 4404: Add support for "icmpv6" protocol to ASGs

app/messages/validators/security_group_rule_validator.rb

@@ -26,29 +26,28 @@ def validate(record)
       end
 
       validate_allowed_keys(rule, record, index)
-
-      add_rule_error("protocol must be 'tcp', 'udp', 'icmp', or 'all'", record, index) unless valid_protocol(rule[:protocol])
+      add_rule_error("protocol must be 'tcp', 'udp', 'icmp', 'icmpv6' or 'all'", record, index) unless valid_protocol(rule[:protocol])
 
       if valid_destination_type(rule[:destination], record, index)
         destinations = rule[:destination].split(',', -1)
         add_rule_error("maximum destinations per rule exceeded - must be under #{MAX_DESTINATIONS_PER_RULE}", record, index) unless destinations.length <= MAX_DESTINATIONS_PER_RULE
 
         destinations.each do |d|
-          validate_destination(d, record, index)
+          validate_destination(d, rule[:protocol], get_allowed_ip_version(rule), record, index)
         end
       end
 
       validate_description(rule, record, index)
       validate_log(rule, record, index)
+      validate_protocol(rule, record, index)
+    end
+  end
 
-      case rule[:protocol]
-      when 'tcp', 'udp'
-        validate_tcp_udp_protocol(rule, record, index)
-      when 'icmp'
-        validate_icmp_protocol(rule, record, index)
-      when 'all'
-        add_rule_error('ports are not allowed for protocols of type all', record, index) if rule[:ports]
-      end
+  def get_allowed_ip_version(rule)
+    if rule[:protocol] == 'icmp'
+      4
+    elsif rule[:protocol] == 'icmpv6'
+      6
     end
   end
 
@@ -57,7 +56,7 @@ def boolean?(value)
   end
 
   def valid_protocol(protocol)
-    protocol.is_a?(String) && %w[tcp udp icmp all].include?(protocol)
+    protocol.is_a?(String) && %w[tcp udp icmp icmpv6 all].include?(protocol)
   end
 
   def validate_allowed_keys(rule, record, index)
@@ -73,6 +72,20 @@ def validate_log(rule, record, index)
     add_rule_error('log must be a boolean', record, index) if rule[:log] && !boolean?(rule[:log])
   end
 
+  def validate_protocol(rule, record, index)
+    case rule[:protocol]
+    when 'tcp', 'udp'
+      validate_tcp_udp_protocol(rule, record, index)
+    when 'icmp'
+      validate_icmp_protocol(rule, record, index)
+    when 'icmpv6'
+      add_rule_error('icmpv6 cannot be used if enable_ipv6 is false', record, index) unless CloudController::RuleValidator.ipv6_enabled?
+      validate_icmp_protocol(rule, record, index)
+    when 'all'
+      add_rule_error('ports are not allowed for protocols of type all', record, index) if rule[:ports]
+    end
+  end
+
   def validate_tcp_udp_protocol(rule, record, index)
     add_rule_error('ports are required for protocols of type TCP and UDP', record, index) unless rule[:ports]
 
@@ -128,7 +141,7 @@ def valid_destination_type(destination, record, index)
     true
   end
 
-  def validate_destination(destination, record, index)
+  def validate_destination(destination, protocol, allowed_ip_version, record, index)
     error_message = 'destination must be a valid CIDR, IP address, or IP address range'
     error_message = 'destination must contain valid CIDR(s), IP address(es), or IP address range(s)' if CloudController::RuleValidator.comma_delimited_destinations_enabled?
     add_rule_error('empty destination specified in comma-delimited list', record, index) if destination.empty?
@@ -137,12 +150,14 @@ def validate_destination(destination, record, index)
 
     zeros_error_message = 'destination octets cannot contain leading zeros'
     add_rule_error(zeros_error_message, record, index) unless CloudController::RuleValidator.no_leading_zeros(address_list)
-
     if address_list.length == 1
-      add_rule_error(error_message, record, index) unless CloudController::RuleValidator.parse_ip(address_list.first)
-
+      parsed_ip = CloudController::RuleValidator.parse_ip(address_list.first)
+      add_rule_error(error_message, record, index) unless parsed_ip
+      add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{parsed_ip.version} addresses", record, index) \
+        unless valid_ip_version?(allowed_ip_version, parsed_ip)
     elsif address_list.length == 2
       ips = CloudController::RuleValidator.parse_ip(address_list)
+
       return add_rule_error('destination IP address range is invalid', record, index) unless ips
 
       sorted_ips = if ips.first.is_a?(NetAddr::IPv4)
@@ -153,12 +168,17 @@ def validate_destination(destination, record, index)
 
       reversed_range_error = 'beginning of IP address range is numerically greater than the end of its range (range endpoints are inverted)'
       add_rule_error(reversed_range_error, record, index) unless ips.first == sorted_ips.first
-
+      add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{ips.first.version} addresses", record, index) \
+        unless valid_ip_version?(allowed_ip_version, sorted_ips.first)
     else
       add_rule_error(error_message, record, index)
     end
   end
 
+  def valid_ip_version?(allowed_ip_version, parsed_ip)
+    parsed_ip.nil? || allowed_ip_version.nil? || parsed_ip.version == allowed_ip_version
+  end
+
   def add_rule_error(message, record, index)
     record.errors.add("Rules[#{index}]:", message)
   end

app/models/runtime/security_group.rb

@@ -71,7 +71,7 @@ def validate_rules
         validation_errors = case protocol
                             when 'tcp', 'udp'
                               CloudController::TransportRuleValidator.validate(stringified_rule)
-                            when 'icmp'
+                            when 'icmp', 'icmpv6'
                               CloudController::ICMPRuleValidator.validate(stringified_rule)
                             when 'all'
                               CloudController::RuleValidator.validate(stringified_rule)

lib/cloud_controller/rule_validator.rb

@@ -77,6 +77,10 @@ def self.parse_ip(val)
       ipv4 || ipv6
     end
 
+    def self.ipv6_enabled?
+      config.get(:enable_ipv6)
+    end
+
     def self.comma_delimited_destinations_enabled?
       config.get(:security_groups, :enable_comma_delimited_destinations)
     end