Attach psec profile only with IP addr

This patch updates the psec logic for the nsx v3 plugin such that our spoofguard profile is only associated with the port once the port gets an IP address. This allows us to remove the use of the 'dummy IP' we currently have in the code with a TODO for which was necessary as our spoofguard profile requires at least 1 address binding on its whitelist. Change-Id: I1068db097f7474468ee5a2754e06717bd327fabc
2015-10-12 09:18:17 -06:00 · 2015-10-12 09:18:17 -06:00 · 88f6ae6fdc
commit 88f6ae6fdc
parent 7c19b419bd
1 changed files with 9 additions and 7 deletions
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -468,9 +468,6 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
            address_bindings.append(nsx_resources.PacketAddressClassifier(
                pair['ip_address'], pair['mac_address'], None))

-        # TODO(boden): this default pair is not needed with nsxv3 for dhcp
-        address_bindings.append(nsx_resources.PacketAddressClassifier(
-            '0.0.0.0', port['mac_address'], None))
        return address_bindings

    def get_network(self, context, id, fields=None):
@ -554,7 +551,7 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
            attachment_type = port_data.get('device_owner')

        profiles = []
-        if psec_is_on:
+        if psec_is_on and address_bindings:
            profiles = [self._get_port_security_profile_id()]
        if port_data.get('device_owner') == const.DEVICE_OWNER_DHCP:
            if self._dhcp_profile:
@ -755,6 +752,7 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
        original_port = super(NsxV3Plugin, self).get_port(context, id)
        _, nsx_lport_id = nsx_db.get_nsx_switch_and_port_id(
            context.session, id)
+        switch_profile_ids = None

        with context.session.begin(subtransactions=True):
            updated_port = super(NsxV3Plugin, self).update_port(context,
@ -776,13 +774,17 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
                context, id, port, original_port, updated_port)
            (port_security, has_ip) = self._determine_port_security_and_has_ip(
                context, updated_port)
+
+        address_bindings = self._build_address_bindings(updated_port)
+        if port_security and address_bindings:
+            switch_profile_ids = [self._get_port_security_profile_id()]
+
        try:
            self._port_client.update(
                nsx_lport_id, name=updated_port.get('name'),
                admin_state=updated_port.get('admin_state_up'),
-                address_bindings=self._build_address_bindings(updated_port),
-                switch_profile_ids=[self._get_port_security_profile_id()]
-                if port_security else None)
+                address_bindings=address_bindings,
+                switch_profile_ids=switch_profile_ids)

            security.update_lport_with_security_groups(
                context, nsx_lport_id,