From 11d3da3ef54bdd2d1eb80a5f94a974c6dbef6bc0 Mon Sep 17 00:00:00 2001 From: Gary Kotton Date: Tue, 25 Apr 2017 22:14:18 -0700 Subject: [PATCH] NSX|V3: fix issues with exclude list In NSX 2.0.0 onwards we are able to make use of the tags for the exclude list. Prior to this we need to make use of the exclude list directly. Co-Authored-By: Shih-Hao Li Change-Id: I31fec57ec7db7db5066c446251917720a043339e --- vmware_nsx/common/utils.py | 6 +++++ vmware_nsx/plugins/nsx_v3/plugin.py | 34 ++++++++++++++++++++++++----- 2 files changed, 35 insertions(+), 5 deletions(-) diff --git a/vmware_nsx/common/utils.py b/vmware_nsx/common/utils.py index 00206068f8..eb2a30e2d2 100644 --- a/vmware_nsx/common/utils.py +++ b/vmware_nsx/common/utils.py @@ -34,6 +34,7 @@ MAX_DISPLAY_NAME_LEN = 40 NEUTRON_VERSION = n_version.version_info.release_string() OS_NEUTRON_ID_SCOPE = 'os-neutron-id' NSXV3_VERSION_1_1_0 = '1.1.0' +NSXV3_VERSION_2_0_0 = '2.0.0' # Allowed network types for the NSX Plugin @@ -70,6 +71,11 @@ def is_nsx_version_1_1_0(nsx_version): version.LooseVersion(NSXV3_VERSION_1_1_0)) +def is_nsx_version_2_0_0(nsx_version): + return (version.LooseVersion(nsx_version) >= + version.LooseVersion(NSXV3_VERSION_2_0_0)) + + def is_nsxv_version_6_2(nsx_version): return (version.LooseVersion(nsx_version) >= version.LooseVersion('6.2')) diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index dd3b13ef39..a8faa95fd3 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py 
@@ -1525,13 +1525,17 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, if resource_type: tags = nsxlib_utils.add_v3_tag(tags, resource_type, device_id) + add_to_exclude_list = False if device_owner != l3_db.DEVICE_OWNER_ROUTER_INTF: if ((device_owner == const.DEVICE_OWNER_DHCP and not cfg.CONF.nsx_v3.native_dhcp_metadata) or (device_owner != const.DEVICE_OWNER_DHCP and not psec_is_on)): - tags.append({'scope': security.PORT_SG_SCOPE, - 'tag': nsxlib_consts.EXCLUDE_PORT}) + if utils.is_nsx_version_2_0_0(self._nsx_version): + tags.append({'scope': security.PORT_SG_SCOPE, + 'tag': nsxlib_consts.EXCLUDE_PORT}) + else: + add_to_exclude_list = True if utils.is_nsx_version_1_1_0(self._nsx_version): # If port has no security-groups then we don't need to add any @@ -1623,6 +1627,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, qos_com_utils.update_port_policy_binding(context, port_data['id'], qos_policy_id) + # Add the port to the exclude list if necessary + if add_to_exclude_list: + self.nsxlib.firewall_section.add_member_to_fw_exclude_list( + result['id'], nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) return result def _validate_address_pairs(self, address_pairs): @@ -2141,6 +2149,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, self._update_lport_with_security_groups( context, nsx_port_id, port.get(ext_sg.SECURITYGROUPS, []), []) + if (not utils.is_nsx_version_2_0_0(self._nsx_version) and + not port.get('port_security_enabled')): + fs = self.nsxlib.firewall_section + fs.remove_member_from_fw_exclude_list( + nsx_port_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) self.disassociate_floatingips(context, port_id) # Remove Mac/IP binding from native DHCP server and neutron DB. 
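Review bot: The new `else: add_to_exclude_list = True` branch carries no explanation of why the `EXCLUDE_PORT` tag is not enough on older managers, and the flag is only consumed about a hundred lines later, so a reader of either site has to reconstruct the version split from the commit message. A short why-comment on the branch would make the deferred call self-explanatory: `# NSX < 2.0.0 does not honor the EXCLUDE_PORT tag; the logical port is added to the DFW exclude list explicitly once it exists (see add_to_exclude_list below).` It is also worth stating, next to the flag, that the exclude list is a firewall bypass, so that anyone widening the predicate above understands they are widening what escapes the DFW. The enclosing method starts before this hunk and continues past it.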
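Review bot: The new `add_member_to_fw_exclude_list(result['id'], TARGET_TYPE_LOGICAL_PORT)` call passes the Neutron port id, whereas the delete and update hunks of this same change pass a separately obtained `nsx_port_id` / `lport_id`; if the NSX logical-port id differs from the Neutron id, as those lookups suggest, the member added here is not the backend port and the port is never actually excluded, while delete later tries to remove a member that was never added. The call should use the id of the logical port created earlier in this method, e.g. `self.nsxlib.firewall_section.add_member_to_fw_exclude_list(lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)` with `lport_id` being whatever the backend create returned (that part of the method is outside the hunk, so the exact variable name cannot be confirmed from here). Note also that this call runs after the port has been created and persisted; if it raises, the port stays subject to the DFW (fail-closed), which is acceptable, but the resulting partial state is not rolled back in the visible lines — worth a comment either way.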
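Review bot: The removal condition in the delete hunk, `not port.get('port_security_enabled')`, does not match the predicate used to add the port in the create hunk, which excludes router-interface ports and treats DHCP ports by the `native_dhcp_metadata` setting rather than by port security. A DHCP-owned port created with port security on but `native_dhcp_metadata` off is therefore added to the exclude list and never removed here, and a router-interface port with port security off is never added but a removal is attempted on delete; whether NSX prunes deleted-port members or rejects removal of a non-member is not visible here, so the stale-entry and error cases are both only inferred. Since the exclude list is a DFW bypass, membership should be derived from one shared predicate used by create, update and delete; a small helper on the plugin makes that explicit, and delete would then call it instead of testing `port_security_enabled` alone. The enclosing method continues outside the hunk.

```python
def _is_fw_excluded_port(self, device_owner, psec_is_on):
    """Return True when a port must bypass the DFW.

    Single source of truth for exclude-list membership so that
    create, update and delete cannot drift apart.
    """
    if device_owner == l3_db.DEVICE_OWNER_ROUTER_INTF:
        return False
    if device_owner == const.DEVICE_OWNER_DHCP:
        return not cfg.CONF.nsx_v3.native_dhcp_metadata
    return not psec_is_on

# … unchanged: delete_port up to the security-group update …
if (not utils.is_nsx_version_2_0_0(self._nsx_version) and
        self._is_fw_excluded_port(port.get('device_owner'),
                                  port.get('port_security_enabled'))):
    fs = self.nsxlib.firewall_section
    fs.remove_member_from_fw_exclude_list(
        nsx_port_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)
```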
@@ -2267,9 +2280,20 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, name = self._get_port_name(context, updated_port) updated_ps = updated_port.get('port_security_enabled') - if not updated_ps: - tags_update.append({'scope': security.PORT_SG_SCOPE, - 'tag': nsxlib_consts.EXCLUDE_PORT}) + if utils.is_nsx_version_2_0_0(self._nsx_version): + if not updated_ps: + tags_update.append({'scope': security.PORT_SG_SCOPE, + 'tag': nsxlib_consts.EXCLUDE_PORT}) + else: + original_ps = original_port.get('port_security_enabled') + if updated_ps != original_ps: + fs = self.nsxlib.firewall_section + if not updated_ps: + fs.add_member_to_fw_exclude_list( + lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) + else: + fs.remove_member_from_fw_exclude_list( + lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT) if utils.is_nsx_version_1_1_0(self._nsx_version): tags_update += self.nsxlib.ns_group.get_lport_tags(
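Review bot: The pre-2.0.0 branch decides on an exclude-list add or remove from `updated_ps != original_ps` on raw `.get()` results, so if either dict lacks `port_security_enabled` the comparison is `None != False`, which is true and triggers a spurious backend call; whether both dicts always carry the key is not visible here, so normalize before comparing: `if bool(updated_ps) != bool(original_ps):`. Separately, this path keys exclusion solely on port security, while the create path also exempts router-interface ports and excludes DHCP ports based on `native_dhcp_metadata`; an update that turns port security on for such a DHCP port would remove it from the exclude list even though create would still have excluded it, and disabling port security on a router-interface port would add one that create never adds. Reusing the create-side predicate here (or a shared helper) keeps the DFW bypass set consistent across the port lifecycle. The enclosing update method starts before this hunk and continues after it.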