From 46259140855e45066491c971d8eb26742a18e01a Mon Sep 17 00:00:00 2001 From: Adit Sarfaty Date: Sun, 8 Jan 2017 10:10:49 +0200 Subject: [PATCH] NSX-V| Fix SG creation with nsx policy When using NSX policies, the new security groups should not have the default rules. Until now those rules were created on neutron and immediately deleted. Now they will not be created at all. Change-Id: Id052181329a7ca29d4e492ad883b774a9be5f858 --- vmware_nsx/db/extended_security_group.py | 34 +++++++++++++++++++++--- vmware_nsx/plugins/nsx_v/plugin.py | 17 ++++------- 2 files changed, 36 insertions(+), 15 deletions(-) diff --git a/vmware_nsx/db/extended_security_group.py b/vmware_nsx/db/extended_security_group.py index 33c0dcd311..fde0fbbe6b 100644 --- a/vmware_nsx/db/extended_security_group.py +++ b/vmware_nsx/db/extended_security_group.py @@ -21,10 +21,13 @@ from sqlalchemy.orm import exc from sqlalchemy import sql from neutron.api.v2 import attributes +from neutron.callbacks import events +from neutron.callbacks import registry +from neutron.callbacks import resources from neutron.common import utils as n_utils from neutron.db import api as db_api from neutron.db import db_base_plugin_v2 -from neutron.db.models import securitygroup as securitygroups_db # noqa +from neutron.db.models import securitygroup as securitygroups_db from neutron.extensions import securitygroup as ext_sg from neutron_lib.api import validators from neutron_lib import constants as n_constants 
@@ -69,14 +72,30 @@ class ExtendedSecurityGroupPropertiesMixin(object): "==SecurityGroupPortBinding.security_group_id")) def create_provider_security_group(self, context, security_group): - """Create a provider security group. + return self.create_security_group_without_rules( + context, security_group, False, True) + + def create_security_group_without_rules(self, context, security_group, + default_sg, is_provider): + """Create a neutron security group, without any default rules. This method creates a security group that does not by default enable egress traffic which normal neutron security groups do. """ s = security_group['security_group'] + kwargs = { + 'context': context, + 'security_group': s, + 'is_default': default_sg, + } + + self._registry_notify(resources.SECURITY_GROUP, events.BEFORE_CREATE, + exc_cls=ext_sg.SecurityGroupConflict, **kwargs) tenant_id = s['tenant_id'] + if not default_sg: + self._ensure_default_security_group(context, tenant_id) + with db_api.autonested_transaction(context.session): security_group_db = securitygroups_db.SecurityGroup( id=s.get('id') or (uuidutils.generate_uuid()), @@ -84,8 +103,17 @@ class ExtendedSecurityGroupPropertiesMixin(object): tenant_id=tenant_id, name=s.get('name', '')) context.session.add(security_group_db) + if default_sg: + context.session.add(securitygroups_db.DefaultSecurityGroup( + security_group=security_group_db, + tenant_id=tenant_id)) + secgroup_dict = self._make_security_group_dict(security_group_db) - secgroup_dict[provider_sg.PROVIDER] = True + secgroup_dict[sg_policy.POLICY] = s.get(sg_policy.POLICY) + secgroup_dict[provider_sg.PROVIDER] = is_provider + kwargs['security_group'] = secgroup_dict + registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, self, + **kwargs) return secgroup_dict def _process_security_group_properties_create(self, context, diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py index aedf646016..f431de8a7c 100644 
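Review bot: `create_provider_security_group` passes the two new boolean flags positionally as `False, True`, which is easy to transpose since `default_sg` and `is_provider` have the same type; `return self.create_security_group_without_rules(context, security_group, default_sg=False, is_provider=True)` makes the call self-describing, and the same applies to the new caller in plugin.py. The docstring of `create_security_group_without_rules` was carried over from the provider-only case and does not describe the new parameters; it should state that `default_sg` also writes the `DefaultSecurityGroup` binding row for the tenant and that `is_provider` only tags the returned dict, and add the caveat that a group created here has no neutron-side rules at all, so traffic filtering for ports in it rests entirely on the NSX policy or provider section attached elsewhere. Note also that `_ensure_default_security_group` is now invoked for provider groups too, which the replaced code did not do — presumably intended to mirror neutron's own `create_security_group`, but worth confirming.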
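Review bot: Whether the `registry.notify(resources.SECURITY_GROUP, events.AFTER_CREATE, ...)` call sits inside or after the `autonested_transaction` block cannot be recovered from this hunk's indentation; if it is inside, AFTER_CREATE subscribers run before the row is committed, so the notify and the `return` should follow the `with` block, as neutron's `create_security_group` does. The hunk also emits no `PRECOMMIT_CREATE` event between the `session.add` calls and the end of the transaction; if the neutron release this targets already emits it in `securitygroups_db`, subscribers that depend on it will not see groups created through this path — worth confirming before merging. `secgroup_dict[sg_policy.POLICY]` is only set on the returned dict here, and persisting the policy is presumably left to the `_process_security_group_properties_create` that follows; a short comment such as `# policy/provider flags are persisted by _process_security_group_properties_create` would make that hand-off explicit.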
--- a/vmware_nsx/plugins/nsx_v/plugin.py +++ b/vmware_nsx/plugins/nsx_v/plugin.py @@ -3177,15 +3177,6 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, # just add the security group to the policy on the backend. self._update_nsx_security_group_policies( policy, None, nsx_sg_id) - - # Delete the neutron default rules (do not exist on the backend) - if securitygroup.get(ext_sg.SECURITYGROUPRULES): - with context.session.begin(subtransactions=True): - for rule in securitygroup[ext_sg.SECURITYGROUPRULES]: - rule_db = self._get_security_group_rule(context, - rule['id']) - context.session.delete(rule_db) - securitygroup.pop(ext_sg.SECURITYGROUPRULES) else: try: self._create_fw_section_for_security_group( @@ -3274,9 +3265,11 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, self._validate_security_group(context, sg_data, default_sg) with context.session.begin(subtransactions=True): - if sg_data.get(provider_sg.PROVIDER): - new_sg = self.create_provider_security_group( - context, security_group) + is_provider = True if sg_data.get(provider_sg.PROVIDER) else False + is_policy = True if sg_data.get(sg_policy.POLICY) else False + if is_provider or is_policy: + new_sg = self.create_security_group_without_rules( + context, security_group, default_sg, is_provider) else: new_sg = super(NsxVPluginV2, self).create_security_group( context, security_group, default_sg)
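Review bot: `True if sg_data.get(provider_sg.PROVIDER) else False` is a long-hand spelling of a bool conversion; `is_provider = bool(sg_data.get(provider_sg.PROVIDER))` and `is_policy = bool(sg_data.get(sg_policy.POLICY))` read more directly. When both attributes are present in the request the group is created through the no-rules path with `is_provider=True` and the policy value carried along silently; if `_validate_security_group`, called just above the hunk, does not already reject that combination, it should, so that the provider-section and policy rule sources cannot be mixed on one group. The enclosing `create_security_group` starts and ends outside this hunk.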