NSX|V: ensure that no sec groups and port sec will discard traffic
Traffic to ports that have no security groups and port security enabled will by default be discarded. A configuration variable has been added with default False so that there is no regression from the current behaviour. The variable is use_default_block_all. Change-Id: I5569234de01c116d1ad3161cfaf54404467f6816
This commit is contained in:
parent
e9048e1712
commit
6362e710d9
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
prelude: >
|
||||||
|
Enable 'use_default_block_all' to ensure that traffic to a port that has
|
||||||
|
no security groups and has port security enabled will be discarded.
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Enable 'use_default_block_all' to ensure that traffic to a port that has
|
||||||
|
no security groups and has port security enabled will be discarded. This
|
||||||
|
will ensure the same behaviours as the upstream security groups.
|
@ -719,6 +719,10 @@ nsxv_opts = [
|
|||||||
cfg.BoolOpt('housekeeping_readonly',
|
cfg.BoolOpt('housekeeping_readonly',
|
||||||
default=True,
|
default=True,
|
||||||
help=_("Housekeeping will only warn about breakage.")),
|
help=_("Housekeeping will only warn about breakage.")),
|
||||||
|
cfg.BoolOpt('use_default_block_all',
|
||||||
|
default=False,
|
||||||
|
help=_("Use default block all rule when no security groups "
|
||||||
|
"are set on a port and port security is enabled")),
|
||||||
]
|
]
|
||||||
|
|
||||||
# define the configuration of each NSX-V availability zone.
|
# define the configuration of each NSX-V availability zone.
|
||||||
|
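Review bot: The help string of the added `use_default_block_all` BoolOpt does not say what happens at its default of False: per the release note in this commit, traffic to a port that has port security enabled but no security groups is then not discarded, which differs from upstream security-group semantics, and an operator reading only the option help cannot see that keeping the default leaves such ports reachable. Suggest extending it to `help=_("Use default block all rule when no security groups are set on a port and port security is enabled. When False (the default), traffic to such ports is not blocked, unlike upstream security group behaviour.")`. The nsxv_opts list begins before this hunk.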
@ -2175,6 +2175,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
original_port['fixed_ips'])
|
original_port['fixed_ips'])
|
||||||
self._update_vnic_assigned_addresses(
|
self._update_vnic_assigned_addresses(
|
||||||
context.session, original_port, vnic_id)
|
context.session, original_port, vnic_id)
|
||||||
|
if (cfg.CONF.nsxv.use_default_block_all and
|
||||||
|
not original_port[ext_sg.SECURITYGROUPS]):
|
||||||
|
self._add_member_to_security_group(
|
||||||
|
self.sg_container_id, vnic_id)
|
||||||
else:
|
else:
|
||||||
# Add vm to the exclusion list, since it has no port security
|
# Add vm to the exclusion list, since it has no port security
|
||||||
self._add_vm_to_exclude_list(context, device_id, id)
|
self._add_vm_to_exclude_list(context, device_id, id)
|
||||||
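Review bot: The branch added before `else:` repeats, without any comment, the same condition and action that the later hunk in this commit carries under a "default is 'Drop All'" comment; add the explanation here as well, e.g. `# No security groups on a port with port security: put the vnic in the block-all container so its traffic is dropped`, or factor both sites into one private helper taking the port and vnic_id. That this code runs only for ports with port security enabled is inferred from the `else` comment about the exclusion list, since the matching `if` is outside the hunk; if that is not the case the option's documented "port security is enabled" condition is not honoured here. The enclosing method starts and ends outside the hunk.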
@ -2405,6 +2409,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
ret_port[ext_sg.SECURITYGROUPS])
|
ret_port[ext_sg.SECURITYGROUPS])
|
||||||
self._update_security_groups_port_mapping(
|
self._update_security_groups_port_mapping(
|
||||||
context.session, id, vnic_id, curr_sgids, new_sgids)
|
context.session, id, vnic_id, curr_sgids, new_sgids)
|
||||||
|
if (cfg.CONF.nsxv.use_default_block_all and
|
||||||
|
not ret_port[ext_sg.SECURITYGROUPS]):
|
||||||
|
# If there are no security groups ensure that the
|
||||||
|
# default is 'Drop All'
|
||||||
|
self._add_member_to_security_group(
|
||||||
|
self.sg_container_id, vnic_id)
|
||||||
|
|
||||||
# update mac learning on NSX
|
# update mac learning on NSX
|
||||||
if self._vcm:
|
if self._vcm:
|
||||||
|
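Review bot: The added block only ever adds `vnic_id` to `self.sg_container_id`; there is no matching removal when an update assigns security groups to a port that previously had none, so unless `_update_security_groups_port_mapping` (called just above) already handles that, the vnic stays in the block-all container and keeps dropping traffic after groups are attached — the transition to no groups is covered, the reverse is not. A minimal fix is an `else` branch that, when `cfg.CONF.nsxv.use_default_block_all` is set and `ret_port[ext_sg.SECURITYGROUPS]` is non-empty, removes the vnic from the container with the corresponding remove call. The condition also does not consult the port's port-security flag, although the option help says the rule applies only when port security is enabled; if this part of the method is not already under such a check, one should be added. The enclosing method (presumably update_port, judging by `curr_sgids`/`new_sgids`) starts and ends outside the hunk.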