Merge "NSX|V: prevent a floating IP being configure on a no snat router"

2017-06-24 07:44:26 +00:00 · 2017-06-24 07:44:26 +00:00 · 3f43c10bcf
commit 3f43c10bcf
parent 481290f8fd 5857ccbc61
3 changed files with 78 additions and 0 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -3255,6 +3255,17 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                network_id = info.get('network_id')
                router_db = self._get_router(context, router_id)

+                org_enable_snat = router_db.enable_snat
+                # Ensure that a router cannot have SNAT disabled if there are
+                # floating IP's assigned
+                if ('enable_snat' in info and
+                    org_enable_snat != info.get('enable_snat') and
+                    info.get('enable_snat') is False and
+                    self.router_gw_port_has_floating_ips(context, router_id)):
+                    msg = _("Unable to set SNAT disabled. Floating IPs "
+                            "assigned.")
+                    raise n_exc.InvalidInput(error_message=msg)
+
                # for multiple external subnets support, we need to set gw
                # port first on subnet which has gateway. If can't get one
                # subnet with gateway or allocate one available ip from
@ -3578,6 +3589,18 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        if router_id:
            self._update_edge_router(context, router_id)

+    def get_router_for_floatingip(self, context, internal_port,
+                                  internal_subnet, external_network_id):
+        router_id = super(NsxVPluginV2, self).get_router_for_floatingip(
+            context, internal_port, internal_subnet, external_network_id)
+        if router_id:
+            router = self._get_router(context.elevated(), router_id)
+            if not router.enable_snat:
+                msg = _("Unable to assign a floating IP to a router that "
+                        "has SNAT disabled")
+                raise n_exc.InvalidInput(error_message=msg)
+        return router_id
+
    def disassociate_floatingips(self, context, port_id):
        router_id = None
        try:
--- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py
@ -3002,6 +3002,49 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase,
        super(TestExclusiveRouterTestCase, self).test_floatingip_update(
            constants.FLOATINGIP_STATUS_DOWN)

+    def test_floating_ip_no_snat(self):
+        """Cannot add floating ips to a router with disabled snat"""
+        with self.router() as r1,\
+            self.subnet() as ext_subnet,\
+            self.subnet(cidr='11.0.0.0/24') as s1,\
+            self.port(subnet=s1) as private_port:
+            # Add interfaces to the router
+            self._router_interface_action(
+                'add', r1['router']['id'],
+                s1['subnet']['id'], None)
+            self._set_net_external(ext_subnet['subnet']['network_id'])
+            self._add_external_gateway_to_router(
+                r1['router']['id'],
+                ext_subnet['subnet']['network_id'])
+            # disable snat
+            self._update_router_enable_snat(
+                r1['router']['id'],
+                ext_subnet['subnet']['network_id'],
+                False)
+            # create a floating ip and associate it to the router should fail
+            self.assertRaises(
+                object,
+                self._make_floatingip,
+                self.fmt, ext_subnet['subnet']['network_id'],
+                private_port['port']['id'])
+
+            # now enable snat and try again
+            self._update_router_enable_snat(
+                r1['router']['id'],
+                ext_subnet['subnet']['network_id'],
+                True)
+            self._make_floatingip(
+                self.fmt, ext_subnet['subnet']['network_id'],
+                private_port['port']['id'])
+
+            # now shouldn't be able to disable snat
+            self.assertRaises(
+                object,
+                self._update_router_enable_snat,
+                r1['router']['id'],
+                ext_subnet['subnet']['network_id'],
+                False)
+
    def test_floatingip_disassociate(self):
        with self.port() as p:
            private_sub = {'subnet': {'id':
--- a/vmware_nsx/tests/unit/services/dynamic_routing/test_nsxv_bgp_driver.py
+++ b/vmware_nsx/tests/unit/services/dynamic_routing/test_nsxv_bgp_driver.py
@ -234,3 +234,15 @@ class TestNSXvBgpPlugin(test_plugin.NsxVPluginV2TestCase,

    def test_get_ipv6_tenant_subnet_routes_by_bgp_speaker_ipv6(self):
        pass
+
+    def test_get_routes_by_bgp_speaker_id_with_fip(self):
+        # base class tests uses no-snat router with floating ips
+        self.skipTest('No SNAT with floating ips not supported')
+
+    def test_get_routes_by_bgp_speaker_binding_with_fip(self):
+        # base class tests uses no-snat router with floating ips
+        self.skipTest('No SNAT with floating ips not supported')
+
+    def test__get_routes_by_router_with_fip(self):
+        # base class tests uses no-snat router with floating ips
+        self.skipTest('No SNAT with floating ips not supported')