From ffaf285425cc3b13f712b0372e7058adaf7ee752 Mon Sep 17 00:00:00 2001
From: Tong Liu
Date: Tue, 1 Dec 2015 00:18:42 +0000
Subject: [PATCH] Add tag for os default dfw section

The OS default firewall section doesn't have tags. To be consistent with other resources created from our plugin, adding tags on this firewall section. Moreover, the cleanup util will clean up backend resources created by our plugin based on the tags. If the resource doesn't have tag, cleanup util cannot clean it up. Also changing the shared tenant-id to use predefined string in nsx_constants for dhcp and port switching profile.

Closes-bug: #1519091
Change-Id: Ib6db65b36030e863e1630c118910c168e9ab1a13
---
 vmware_nsx/common/nsx_constants.py | 3 +++
 vmware_nsx/nsxlib/v3/security.py | 8 +++++++-
 vmware_nsx/plugins/nsx_v3/plugin.py | 4 ++--
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/vmware_nsx/common/nsx_constants.py b/vmware_nsx/common/nsx_constants.py
index f84a8f744f..a3033ed83a 100644
--- a/vmware_nsx/common/nsx_constants.py
+++ b/vmware_nsx/common/nsx_constants.py
@@ -54,3 +54,6 @@ VIF_TYPE_DVS = 'dvs'
 # NSXv3 L2 Gateway constants
 BRIDGE_ENDPOINT = "BRIDGEENDPOINT"
+
+# NSXv3 tag constants
+SHARED_TAG_TENANT_ID = "neutron-nsx-plugin"
diff --git a/vmware_nsx/nsxlib/v3/security.py b/vmware_nsx/nsxlib/v3/security.py
index 54e7b5727d..d17a7f126e 100644
--- a/vmware_nsx/nsxlib/v3/security.py
+++ b/vmware_nsx/nsxlib/v3/security.py
@@ -20,12 +20,15 @@ NSX-V3 Plugin security integration module
 from neutron.db import securitygroups_db
+from vmware_nsx.common import nsx_constants
+from vmware_nsx.common import utils
 from vmware_nsx.db import nsx_models
 from vmware_nsx.nsxlib.v3 import dfw_api as firewall
 NSGROUP_CONTAINER = 'NSGroup Container'
 DEFAULT_SECTION = 'OS default section for security-groups'
+DEFAULT_SECTION_TAG_NAME = 'neutron_default_dfw_section'
 def _get_l4_protocol_name(protocol_number):
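Review bot: The comment above `SHARED_TAG_TENANT_ID` in nsx_constants.py does not say what the value is for, although it now drives both tagging and, per the commit message, what the cleanup util will delete. I would document it where it is defined, for example `# tenant_id tag for backend resources not owned by a single tenant; tag-based cleanup relies on it, so do not change the value once deployed`. The same applies to `DEFAULT_SECTION_TAG_NAME` in security.py, which also switches to underscores while the tenant-id string uses hyphens. If that difference is intentional, a brief comment would help.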
@@ -230,7 +233,10 @@ def _init_default_section(name, description, nsgroup_id):
 break
 else:
 section = firewall.create_empty_section(
- name, description, [nsgroup_id], [])
+ name, description, [nsgroup_id],
+ utils.build_v3_tags_payload({
+ 'id': DEFAULT_SECTION_TAG_NAME,
+ 'tenant_id': nsx_constants.SHARED_TAG_TENANT_ID}))
 block_rule = firewall.get_firewall_rule_dict(
 'Block All', action=firewall.DROP)
 # TODO(roeyc): Add additional rules to allow IPV6 NDP.
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 93096e1b10..65e99c6435 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -181,7 +181,7 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
 NSX_V3_DHCP_PROFILE_NAME, 'Neutron DHCP Security Profile',
 tags=utils.build_v3_tags_payload({
 'id': NSX_V3_DHCP_PROFILE_NAME,
- 'tenant_id': 'neutron-nsx-plugin'}))
+ 'tenant_id': nsx_constants.SHARED_TAG_TENANT_ID}))
 return self._get_dhcp_security_profile()
 def _get_dhcp_security_profile(self):
@@ -222,7 +222,7 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
 whitelist_ports=True, whitelist_switches=False,
 tags=utils.build_v3_tags_payload({
 'id': NSX_V3_PSEC_PROFILE_NAME,
- 'tenant_id': 'neutron-nsx-plugin'}))
+ 'tenant_id': nsx_constants.SHARED_TAG_TENANT_ID}))
 return self._get_port_security_profile()
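Review bot: The tags are attached only in the `else:` branch that calls `firewall.create_empty_section(...)`, so a default section already present on the backend (the `break` path) stays untagged. Going by the commit message, the cleanup util would then still skip it on deployments created before this change. Consider tagging the section found by the loop as well, or stating in a comment that existing sections need a one-off retag. The lookup loop is outside the hunk, so how the existing section is matched is not visible here. Because this section holds the 'Block All' drop rule, a short comment such as `# tagged so the cleanup util can remove it; this section carries the default-deny rule` would also tell maintainers what tag-based deletion takes with it.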