diff --git a/vmware_nsx/common/utils.py b/vmware_nsx/common/utils.py index 00206068f8..eb2a30e2d2 100644 --- a/vmware_nsx/common/utils.py +++ b/vmware_nsx/common/utils.py @@ -34,6 +34,7 @@ MAX_DISPLAY_NAME_LEN = 40 NEUTRON_VERSION = n_version.version_info.release_string() OS_NEUTRON_ID_SCOPE = 'os-neutron-id' NSXV3_VERSION_1_1_0 = '1.1.0' +NSXV3_VERSION_2_0_0 = '2.0.0' # Allowed network types for the NSX Plugin @@ -70,6 +71,11 @@ def is_nsx_version_1_1_0(nsx_version): version.LooseVersion(NSXV3_VERSION_1_1_0)) +def is_nsx_version_2_0_0(nsx_version): + return (version.LooseVersion(nsx_version) >= + version.LooseVersion(NSXV3_VERSION_2_0_0)) + + def is_nsxv_version_6_2(nsx_version): return (version.LooseVersion(nsx_version) >= version.LooseVersion('6.2')) diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index dd3b13ef39..a8faa95fd3 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py @@ -1525,13 +1525,17 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, if resource_type: tags = nsxlib_utils.add_v3_tag(tags, resource_type, device_id) + add_to_exclude_list = False if device_owner != l3_db.DEVICE_OWNER_ROUTER_INTF: if ((device_owner == const.DEVICE_OWNER_DHCP and not cfg.CONF.nsx_v3.native_dhcp_metadata) or (device_owner != const.DEVICE_OWNER_DHCP and not psec_is_on)): - tags.append({'scope': security.PORT_SG_SCOPE, - 'tag': nsxlib_consts.EXCLUDE_PORT}) + if utils.is_nsx_version_2_0_0(self._nsx_version): + tags.append({'scope': security.PORT_SG_SCOPE, + 'tag': nsxlib_consts.EXCLUDE_PORT}) + else: + add_to_exclude_list = True if utils.is_nsx_version_1_1_0(self._nsx_version): # If port has no security-groups then we don't need to add any @@ -1623,6 +1627,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, qos_com_utils.update_port_policy_binding(context, port_data['id'], qos_policy_id) + # Add the port to the exclude list if necessary + if add_to_exclude_list: + self.nsxlib.firewall_section.add_member_to_fw_exclude_list( + result['id'], nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) return result def _validate_address_pairs(self, address_pairs): @@ -2141,6 +2149,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, self._update_lport_with_security_groups( context, nsx_port_id, port.get(ext_sg.SECURITYGROUPS, []), []) + if (not utils.is_nsx_version_2_0_0(self._nsx_version) and + not port.get('port_security_enabled')): + fs = self.nsxlib.firewall_section + fs.remove_member_from_fw_exclude_list( + nsx_port_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) self.disassociate_floatingips(context, port_id) # Remove Mac/IP binding from native DHCP server and neutron DB. @@ -2267,9 +2280,20 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, name = self._get_port_name(context, updated_port) updated_ps = updated_port.get('port_security_enabled') - if not updated_ps: - tags_update.append({'scope': security.PORT_SG_SCOPE, - 'tag': nsxlib_consts.EXCLUDE_PORT}) + if utils.is_nsx_version_2_0_0(self._nsx_version): + if not updated_ps: + tags_update.append({'scope': security.PORT_SG_SCOPE, + 'tag': nsxlib_consts.EXCLUDE_PORT}) + else: + original_ps = original_port.get('port_security_enabled') + if updated_ps != original_ps: + fs = self.nsxlib.firewall_section + if not updated_ps: + fs.add_member_to_fw_exclude_list( + lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) + else: + fs.remove_member_from_fw_exclude_list( + lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) if utils.is_nsx_version_1_1_0(self._nsx_version): tags_update += self.nsxlib.ns_group.get_lport_tags(