From cf604d580015d73e3d0bd3ef34aff62364dd8ca1 Mon Sep 17 00:00:00 2001
From: Aaron Rosen
Date: Fri, 18 Jul 2014 12:09:12 -0700
Subject: [PATCH] NSX: fix router ports port_security_enabled=False

Previously there was a bug that resulted in a security group being added to router ports which was not supported in NSX. Removing the security group didn't actually completely solve the problem as we never cleared the allowed_address_pairs on the router port. This patch fixes this issue by disabling port_security_enabled on the router port.

Change-Id: Ib61756e3bd5866318cbc3bb9856344571399d656
Closes-bug: 1344266
Related-bug: 1329043
---
 neutron/plugins/vmware/plugins/base.py | 5 +++--
 neutron/tests/unit/vmware/test_nsx_plugin.py | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/neutron/plugins/vmware/plugins/base.py b/neutron/plugins/vmware/plugins/base.py
index d437828083..e1d8a2d89c 100644
--- a/neutron/plugins/vmware/plugins/base.py
+++ b/neutron/plugins/vmware/plugins/base.py
@@ -1718,10 +1718,11 @@ class NsxPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 if port_id:
 port_data = self.get_port(context, port_id)
 # If security groups are present we need to remove them as
- # this is a router port.
+ # this is a router port and disable port security.
 if port_data['security_groups']:
 self.update_port(context, port_id,
- {'port': {'security_groups': []}})
+ {'port': {'security_groups': [],
+ psec.PORTSECURITY: False}})
 nsx_switch_id, nsx_port_id = nsx_utils.get_nsx_switch_and_port_id(
 context.session, self.cluster, port_id)
 # Unplug current attachment from lswitch port
diff --git a/neutron/tests/unit/vmware/test_nsx_plugin.py b/neutron/tests/unit/vmware/test_nsx_plugin.py
index 62f48842a8..d85c95baa4 100644
--- a/neutron/tests/unit/vmware/test_nsx_plugin.py
+++ b/neutron/tests/unit/vmware/test_nsx_plugin.py
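Review bot: The port-security disable in the first hunk is still gated on `if port_data['security_groups']:`, so a port that reaches this path with no security groups but with port security enabled (or with allowed address pairs, the leftover the commit message describes) skips the update and keeps its anti-spoofing settings. Consider widening the condition, e.g. `if port_data['security_groups'] or port_data.get(psec.PORTSECURITY):`, so the router port always ends up with `psec.PORTSECURITY: False`. Whether `update_port` also clears `allowed_address_pairs` when port security is turned off is not visible in this hunk and is worth confirming, since the updated comment only mentions security groups. The enclosing method starts and ends outside the hunk.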
@@ -1007,6 +1007,7 @@ class TestL3NatTestCase(L3NatTest,
 # fetch port and confirm no security-group on it.
 body = self._show('ports', p['port']['id'])
 self.assertEqual(body['port']['security_groups'], [])
+ self.assertFalse(body['port']['port_security_enabled'])
 # clean-up
 self._router_interface_action('remove',
 r['router']['id'],
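Review bot: `assertFalse` on `body['port']['port_security_enabled']` also passes for `None` or any other falsy value, so it would not distinguish an attribute left unset from one explicitly disabled; `self.assertIs(body['port']['port_security_enabled'], False)` pins the intended state. From the visible lines the test appears to cover only a port that carried a security group; a case for a port created with allowed address pairs would exercise the scenario named in the commit message. The test method starts and ends outside the hunk.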