Skip to content

Commit 27e9f06

Browse files
authored
Truncate NSX DFW rule ID to 255 characters (#1479)
* Truncate NSX DFW rule ID to 255 characters When a SecurityPolicy contains many ports in a rule, the generated NSX Rule ID can exceed the maximum limit of 255 characters, leading to NSX API errors during policy creation. This change uses `util.NormalizeId` in `buildExpandedRuleID` to properly truncate and hash the rule ID, ensuring it remains within the 255-character limit while avoiding name collisions.
1 parent 1dc7884 commit 27e9f06

2 files changed

Lines changed: 33 additions & 2 deletions

File tree

pkg/nsx/services/securitypolicy/builder.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -670,7 +670,7 @@ func (service *SecurityPolicyService) buildExpandedRuleID(obj *v1alpha1.Security
670670
} else {
671671
portNumberSuffix = service.buildRulePortsNumberString(obj.Spec.Rules[ruleIdx].Ports)
672672
}
673-
return strings.Join([]string{ruleBaseID, portNumberSuffix}, common.ConnectorUnderline)
673+
return util.NormalizeId(strings.Join([]string{ruleBaseID, portNumberSuffix}, common.ConnectorUnderline))
674674
}
675675

676676
// With T1 topology, the NSX Rule ID includes the index of the rule's SecurityPolicyPort and the
@@ -680,7 +680,7 @@ func (service *SecurityPolicyService) buildExpandedRuleID(obj *v1alpha1.Security
680680
if namedPort != nil {
681681
idSuffix = namedPort.idSuffix
682682
}
683-
return strings.Join([]string{ruleBaseID, idSuffix}, common.ConnectorUnderline)
683+
return util.NormalizeId(strings.Join([]string{ruleBaseID, idSuffix}, common.ConnectorUnderline))
684684
}
685685

686686
func (service *SecurityPolicyService) buildRuleDisplayName(rule *v1alpha1.SecurityPolicyRule, createdFor string, namedPortInfo *portInfo) (string, error) {

pkg/nsx/services/securitypolicy/builder_test.go

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -994,6 +994,28 @@ func Test_UpdateMixedExpressionsMatchExpression(t *testing.T) {
994994
assert.NotEqual(t, nil, err)
995995
}
996996

997+
var securityPolicyWithManyPorts = v1alpha1.SecurityPolicy{
998+
ObjectMeta: v1.ObjectMeta{Namespace: "ns1", Name: "spManyPorts", UID: "spManyPortsuidA"},
999+
Spec: v1alpha1.SecurityPolicySpec{
1000+
Rules: []v1alpha1.SecurityPolicyRule{
1001+
{
1002+
Action: &allowAction,
1003+
Direction: &directionIn,
1004+
Ports: []v1alpha1.SecurityPolicyPort{},
1005+
},
1006+
},
1007+
},
1008+
}
1009+
1010+
func init() {
1011+
for i := 10001; i <= 10060; i++ {
1012+
securityPolicyWithManyPorts.Spec.Rules[0].Ports = append(securityPolicyWithManyPorts.Spec.Rules[0].Ports, v1alpha1.SecurityPolicyPort{
1013+
Protocol: "TCP",
1014+
Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(i)},
1015+
})
1016+
}
1017+
}
1018+
9971019
var securityPolicyWithMultipleNormalPorts = v1alpha1.SecurityPolicy{
9981020
ObjectMeta: v1.ObjectMeta{Namespace: "ns1", Name: "spMulPorts", UID: "spMulPortsuidA"},
9991021
Spec: v1alpha1.SecurityPolicySpec{
@@ -1353,6 +1375,15 @@ func Test_BuildExpandedRuleID(t *testing.T) {
13531375
namedPort: newPortInfoForNamedPort(nsxutil.PortAddress{Port: 80}, "TCP"),
13541376
expectedRuleID: "sp_spNamedPortsuidA_3f7c7d8c8449687178002f23599add04bf0c3250_0_0_0",
13551377
},
1378+
{
1379+
name: "build-ruleID-for-many-ports-exceed-255-chars-vpc",
1380+
vpcEnabled: true,
1381+
inputSecurityPolicy: &securityPolicyWithManyPorts,
1382+
inputRule: &securityPolicyWithManyPorts.Spec.Rules[0],
1383+
ruleIdx: 0,
1384+
namedPort: nil,
1385+
expectedRuleID: "spManyPorts-6a4a02aa_5b4f2_10001_10002_10003_10004_10005_10006_10007_10008_10009_10010_10011_10012_10013_10014_10015_10016_10017_10018_10019_10020_10021_10022_10023_10024_10025_10026_10027_10028_10029_10030_10031_10032_10033_10034_10035_10036_100-9133c868",
1386+
},
13561387
}
13571388

13581389
for _, tt := range tests {

0 commit comments

Comments
 (0)