From 02f0c8a784e101ce0875a1986497e7430b669f60 Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Sun, 25 Dec 2016 03:21:06 -0800
Subject: [PATCH] NSX|V3: prevent a floating IP being configure on a no snat router

Ensure that a router that has no snat set will not have floating IPs configured.

Change-Id: I428ea094614083f2509481522d5610559789427b
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index c08ce702f0..bc99024d48 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -2434,6 +2434,15 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 self._get_external_attachment_info(
 context, router))
 
+ # Ensure that a router cannot have SNAT disabled if there are
+ # floating IP's assigned
+ if (info and 'enable_snat' in info and
+ org_enable_snat != info.get('enable_snat') and
+ info.get('enable_snat') is False and
+ self.router_gw_port_has_floating_ips(context, router_id)):
+ msg = _("Unable to set SNAT disabled. Floating IPs assigned.")
+ raise n_exc.InvalidInput(error_message=msg)
+
 # TODO(berlin): For nonat use case, we actually don't need a gw port
 # which consumes one external ip. But after looking at the DB logic
 # and we need to make a big change so don't touch it at present.
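Review bot: The new guard is a check-then-act with nothing visible to serialize it: `self.router_gw_port_has_floating_ips(context, router_id)` is evaluated before the gateway update that follows outside this hunk, while the second hunk's `get_router_for_floatingip` reads `router.enable_snat` before the association is written. Two concurrent requests (disable SNAT, associate a floating IP) can therefore each pass their check and still leave a floating IP on a no-SNAT router, which is the state this commit is meant to rule out. If the enclosing method does not already run under a per-router lock or inside one DB transaction with the association path, I would add that, or at minimum record the limitation with a comment such as `# NOTE: not atomic with floating IP association; see get_router_for_floatingip`. The enclosing function starts and ends outside the hunk, so whether such a lock exists is not visible here.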
@@ -2969,6 +2978,18 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 'int_ip': fip['fixed_ip_address']})
 super(NsxV3Plugin, self).delete_floatingip(context, fip_id)
 
+ def get_router_for_floatingip(self, context, internal_port,
+ internal_subnet, external_network_id):
+ router_id = super(NsxV3Plugin, self).get_router_for_floatingip(
+ context, internal_port, internal_subnet, external_network_id)
+ if router_id:
+ router = self._get_router(context.elevated(), router_id)
+ if not router.enable_snat:
+ msg = _("Unable to assign a floating IP to a router that "
+ "has SNAT disabled")
+ raise n_exc.InvalidInput(error_message=msg)
+ return router_id
+
 def update_floatingip(self, context, fip_id, floatingip):
 old_fip = self.get_floatingip(context, fip_id)
 old_port_id = old_fip['port_id']
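Review bot: `self._get_router(context.elevated(), router_id)` reads the router with admin rights and the outcome is returned to the caller as an error message, so a non-admin tenant learns the SNAT state of the router; if `enable_snat` is admin-only under the deployment's policy (not visible from this hunk), that is a small disclosure worth a deliberate decision. I would keep the elevated read but say why on the line above it, e.g. `# elevated: caller may not be allowed to read enable_snat; only the accept/reject outcome is exposed`. The override also has no docstring; something like `"""Return the router for the floating IP; reject routers with SNAT disabled."""` would tell the next reader that this method can now raise `InvalidInput` where the base implementation only returns an id.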