From 6be6f48309b49fc0e5e288f619755219a1c4a9c5 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Wed, 11 Jul 2018 09:29:19 +0300
Subject: [PATCH] NSX|V3 prevent router SNAT with VPN service
When updating the router gateway to SNAT enabled, it should be blocked if a VPN service is defined for this router. This patch check for all relevant statuses of the vpn services
Change-Id: Ia68f4fdec7359ddd2c7e97d6bcfcf987650fd47e
---
 vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py b/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py
index 109d2d58d0..da91e31e25 100644
--- a/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py
+++ b/vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py
@@ -437,8 +437,11 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
 """Upon router gw update - verify no-snat"""
 # check if this router has a vpn service
 admin_con = context.elevated()
+ # get all relevant services, except those waiting to be deleted or in
+ # ERROR state
 filters = {'router_id': [router_id],
- 'status': [constants.ACTIVE]}
+ 'status': [constants.ACTIVE, constants.PENDING_CREATE,
+ constants.INACTIVE, constants.PENDING_UPDATE]}
 services = self.vpn_plugin.get_vpnservices(admin_con, filters=filters)
 if services:
 # do not allow enable-snat
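Review bot: The `'status'` entry in the new `filters` dict is an allow-list, so a VPN service in any state not named there (for example DOWN or BUILD, if the VPN plugin can report them) is still skipped and enable-snat would pass this guard. The added comment states the intent as "everything except pending-delete or ERROR", so it is safer to query by `router_id` only and drop just those two states, e.g. `services = [s for s in services if s['status'] not in (constants.PENDING_DELETE, constants.ERROR)]`, assuming the `constants` module imported in this file defines both names. It is also worth confirming that a service in ERROR, or one whose delete fails, cannot return to ACTIVE on a router where SNAT has been enabled in the meantime. The enclosing method starts and ends outside the hunk.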