From 6b6e9c77217d6f27efc445e2eaf835259a45a766 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Sun, 7 May 2017 11:01:06 +0300
Subject: [PATCH] NSX-v| Fix FWAAS rules in DB

fwaas backend rules don't have to be in the DB, since they are never retrieved from there. Also the Tag of the allow-external rule should be the last one, as it originally was, before the FWaaS feature.

Change-Id: I6acfeef780ffd6d4aecb97e4b49e7907f7eee154
---
 vmware_nsx/db/nsxv_db.py | 3 +-
 .../nsx_v/vshield/edge_firewall_driver.py | 28 ++++++++-----------
 2 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/vmware_nsx/db/nsxv_db.py b/vmware_nsx/db/nsxv_db.py
index 8f782562fb..35e379977c 100644
--- a/vmware_nsx/db/nsxv_db.py
+++ b/vmware_nsx/db/nsxv_db.py
@@ -585,8 +585,7 @@ def get_nsxv_edge_firewallrule_binding_by_vseid(
         return (session.query(nsxv_models.NsxvEdgeFirewallRuleBinding).
                 filter_by(edge_id=edge_id, rule_vse_id=rule_vseid).one())
     except exc.NoResultFound:
-        msg = _("Rule Resource binding not found!")
-        raise nsx_exc.NsxPluginException(err_msg=msg)
+        return
 
 
 def cleanup_nsxv_edge_firewallrule_binding(session, edge_id):
diff --git a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
index 291632b2b0..fd4bbe13a1 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
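Review bot: The removed raise turns a missing binding into a bare `return` without documenting the new contract, so any other caller that still expects `NsxPluginException` and subscripts the result will now fail with a TypeError instead; the commit only adjusts `_restore_firewall_rule`. Add a docstring at the function head, `"""Return the rule binding for (edge_id, rule_vseid), or None if none exists."""`, and write the fall-through as `return None` so the intent is explicit. `.one()` can also raise `MultipleResultsFound`, which this except does not cover; that is pre-existing but worth noting now that the lookup is meant to be best-effort. The function's signature and the opening of its try block lie outside the hunk.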
@@ -154,14 +154,11 @@ class EdgeFirewallDriver(object):
 
     def _restore_firewall_rule(self, context, edge_id, rule):
         fw_rule = {}
-        try:
-            rule_binding = (
-                nsxv_db.get_nsxv_edge_firewallrule_binding_by_vseid(
-                    context.session, edge_id, rule['ruleId']))
-        except nsx_exc.NsxPluginException:
-            rule_binding = None
-        fw_rule['id'] = (rule_binding['rule_id']
-                         if rule_binding else rule['ruleId'])
+        rule_binding = nsxv_db.get_nsxv_edge_firewallrule_binding_by_vseid(
+            context.session, edge_id, rule['ruleId'])
+        if rule_binding:
+            fw_rule['id'] = rule_binding['rule_id']
+
         fw_rule['ruleId'] = rule['ruleId']
         if rule.get('source'):
             src = rule['source']
@@ -192,22 +189,21 @@ class EdgeFirewallDriver(object):
         return fw_rule
 
     def _convert_firewall(self, firewall, allow_external=False):
-        #bulk configuration on firewall and rescheduling the rule binding
         ruleTag = 1
         vcns_rules = []
-        if allow_external:
-            vcns_rules.append({'name': FWAAS_ALLOW_EXT_RULE_NAME,
-                               'action': "accept",
-                               'enabled': True,
-                               'destination': {'vnicGroupId': ["external"]},
-                               'ruleTag': ruleTag})
-            ruleTag += 1
         for rule in firewall['firewall_rule_list']:
             tag = rule.get('ruleTag', ruleTag)
             vcns_rule = self._convert_firewall_rule(rule, tag)
             vcns_rules.append(vcns_rule)
             if not rule.get('ruleTag'):
                 ruleTag += 1
+        if allow_external:
+            # Add the allow-external rule with the latest tag
+            vcns_rules.append({'name': FWAAS_ALLOW_EXT_RULE_NAME,
+                               'action': "accept",
+                               'enabled': True,
+                               'destination': {'vnicGroupId': ["external"]},
+                               'ruleTag': ruleTag})
         return {
             'featureType': "firewall_4.0",
             'globalConfig': {'tcpTimeoutEstablished': 7200},
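Review bot: In `_restore_firewall_rule`, a rule with no DB binding now leaves `fw_rule` without an `'id'` key, where it previously fell back to `rule['ruleId']`; any consumer that reads `fw_rule['id']` unconditionally will hit a KeyError for such rules. If that is intended (the commit message says backend rules are never stored), record it at the `if rule_binding:` line, e.g. `# No binding: a backend rule that was never stored, so it has no neutron id, only the edge ruleId`, and have consumers use `fw_rule.get('id')`. The remainder of the function lies outside the hunk.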
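Review bot: The appended allow-external rule takes `ruleTag` as its tag, but the counter only advances for rules that lack an explicit `'ruleTag'`, so when the input list carries its own tags the new rule can reuse a tag already present in `vcns_rules`. If `_convert_firewall_rule` carries the tag into the dict it returns, picking one past the highest tag in use avoids the collision: `ext_tag = max([ruleTag] + [r.get('ruleTag', 0) + 1 for r in vcns_rules])` with `'ruleTag': ext_tag`. The comment `# Add the allow-external rule with the latest tag` would then read more accurately as `# Add the allow-external rule with the next unused tag`. The returned dict continues outside the hunk.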