NSXv: Cleanup redundant FW rules from VDR

Change-Id: Ida99b5793e9537b581e562fa329d0dc880fc3621

vmware_nsx/plugins/nsx_v/plugin.py

@@ -4246,6 +4246,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         the NSX (in case of distributed router it can be plr or tlr)
         """
         fw_rules = []
+        distributed = False
+        if router_db:
+            nsx_attr = router_db.get('nsx_attributes', {})
+            distributed = (
+                nsx_attr.get('distributed', False) if nsx_attr else False)
+
         edge_id = self._get_edge_id_by_rtr_id(context, router_id)
 
         # Add FW rule/s to open subnets firewall flows and static routes
@@ -4258,7 +4264,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
             fw_rules.extend(subnet_rules)
 
         # If metadata service is enabled, block access to inter-edge network
-        if self.metadata_proxy_handler:
+        if self.metadata_proxy_handler and not distributed:
             fw_rules += nsx_v_md_proxy.get_router_fw_rules()
 
         # Add FWaaS rules if FWaaS is enabled

vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py

@@ -28,6 +28,7 @@ from vmware_nsx.common import locking
 from vmware_nsx.db import nsxv_db
 from vmware_nsx.extensions import routersize
 from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az
+from vmware_nsx.plugins.nsx_v import md_proxy
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
 from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
 
@@ -192,6 +193,9 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
     context = n_context.get_admin_context()
     nsxv = utils.get_nsxv_client()
     with utils.NsxVPluginWrapper() as plugin:
+        nsxv_manager = vcns_driver.VcnsDriver(
+            edge_utils.NsxVCallbacks(plugin))
+        edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
         routers = plugin.get_routers(context)
         for router in routers:
             if router.get('distributed', False):
@@ -209,6 +213,30 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
 
                         nsxv.update_routes(edge_id, route_obj)
 
+                        _update_vdr_fw_config(nsxv, edge_id)
+                        plr_id = edge_manager.get_plr_by_tlr_id(context,
+                                                                router['id'])
+
+                        if plr_id:
+                            binding = nsxv_db.get_nsxv_router_binding(
+                                context.session, plr_id)
+                            if binding:
+                                _update_vdr_fw_config(nsxv, binding['edge_id'])
+
+
+def _update_vdr_fw_config(nsxv, edge_id):
+    fw_config = nsxv.get_firewall(edge_id)[1]
+
+    md_rule_names = [rule['name'] for rule in md_proxy.get_router_fw_rules()]
+
+    fw_rules = fw_config.get('firewallRules', {}).get('firewallRules', [])
+    if fw_rules:
+        fw_rules = [rule for rule in fw_rules
+                    if rule['name'] not in md_rule_names]
+
+        fw_config['firewallRules']['firewallRules'] = fw_rules
+        nsxv.update_firewall(edge_id, fw_config)
+
 
 def is_router_conflicting_on_edge(context, driver, router_id):
     edge_id = edge_utils.get_router_edge_id(context, router_id)

vmware_nsx/tests/unit/nsx_v/test_plugin.py

@@ -4187,6 +4187,9 @@ class TestVdrTestCase(L3NatTest, L3NatTestCaseBase,
         self._default_tenant_id = self._tenant_id
         self._router_tenant_id = 'test-router-tenant'
 
+    def _get_md_proxy_fw_rules(self):
+        return []
+
     @mock.patch.object(edge_utils.EdgeManager,
                        'update_interface_addr')
     def test_router_update_gateway_with_different_external_subnet(self, mock):