x/vmware-nsx
Code Issues Proposed changes

NSX|V3: fix issues with disabling port security

Browse Source 
A port that does not have port security will be added to the exclude
list via the NSGroup

Change-Id: Ied45e173982865a93a396fa735246d5156525065
This commit is contained in:
Gary Kotton 2016-12-04 00:16:00 -08:00 committed by garyk
parent 9ee4db829a
commit 37c2593d53
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
vmware_nsx/plugins/nsx_v3/plugin.py
View File

@ -1468,6 +1468,14 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
if resource_type: if resource_type:
tags = nsxlib_utils.add_v3_tag(tags, resource_type, device_id) tags = nsxlib_utils.add_v3_tag(tags, resource_type, device_id)
if device_owner != l3_db.DEVICE_OWNER_ROUTER_INTF:
if ((device_owner == const.DEVICE_OWNER_DHCP and
not cfg.CONF.nsx_v3.native_dhcp_metadata) or
(device_owner != const.DEVICE_OWNER_DHCP and
not psec_is_on)):
tags.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
if utils.is_nsx_version_1_1_0(self._nsx_version): if utils.is_nsx_version_1_1_0(self._nsx_version):
# If port has no security-groups then we don't need to add any # If port has no security-groups then we don't need to add any
# security criteria tag. # security criteria tag.
@ -1529,11 +1537,6 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
port_data.get(mac_ext.MAC_LEARNING) is True))): port_data.get(mac_ext.MAC_LEARNING) is True))):
profiles.append(self._mac_learning_profile) profiles.append(self._mac_learning_profile)
if not cfg.CONF.nsx_v3.native_dhcp_metadata:
if device_owner == const.DEVICE_OWNER_DHCP:
tags.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
name = self._get_port_name(context, port_data) name = self._get_port_name(context, port_data)
nsx_net_id = port_data[pbin.VIF_DETAILS]['nsx-logical-switch-id'] nsx_net_id = port_data[pbin.VIF_DETAILS]['nsx-logical-switch-id']
@ -2115,6 +2118,13 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
name = self._get_port_name(context, updated_port) name = self._get_port_name(context, updated_port)
original_ps = original_port.get('port_security_enabled')
updated_ps = updated_port.get('port_security_enabled')
if original_ps != updated_ps:
if not updated_ps:
tags_update.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
if utils.is_nsx_version_1_1_0(self._nsx_version): if utils.is_nsx_version_1_1_0(self._nsx_version):
tags_update += self.nsxlib.ns_group.get_lport_tags( tags_update += self.nsxlib.ns_group.get_lport_tags(
updated_port.get(ext_sg.SECURITYGROUPS, []) + updated_port.get(ext_sg.SECURITYGROUPS, []) +
@ -2143,10 +2153,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
if qos_profile_id is not None: if qos_profile_id is not None:
switch_profile_ids.append(qos_profile_id) switch_profile_ids.append(qos_profile_id)
psec_is_on = self._get_port_security_profile_id() in switch_profile_ids
address_pairs = updated_port.get(addr_pair.ADDRESS_PAIRS) address_pairs = updated_port.get(addr_pair.ADDRESS_PAIRS)
mac_learning_profile_set = ( mac_learning_profile_set = (
validators.is_attr_set(address_pairs) and address_pairs and validators.is_attr_set(address_pairs) and address_pairs and
self._get_port_security_profile_id() in switch_profile_ids) psec_is_on)
# Add mac_learning profile if it exists and is configured # Add mac_learning profile if it exists and is configured
if (self._mac_learning_profile and if (self._mac_learning_profile and
(mac_learning_profile_set or (mac_learning_profile_set or