From 8f39db15b8f349eed3d48e59283b1dc3ee9fac29 Mon Sep 17 00:00:00 2001
From: Michal Kelner Mishali <mkelnermishal@vmware.com>
Date: Sun, 2 Sep 2018 11:08:44 +0300
Subject: [PATCH] NSX|V3: restrict allowed-address-pairs on LB port

allowed-address-pairs is not supported on LB port

Change-Id: I7588a14b94886e25354a900c4fc0b77cf5e03154
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
---
 vmware_nsx/plugins/common/plugin.py         |  6 ++++++
 vmware_nsx/tests/unit/nsx_v3/test_plugin.py | 17 +++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/vmware_nsx/plugins/common/plugin.py b/vmware_nsx/plugins/common/plugin.py
index 9432423e8c..29ddaf9784 100644
--- a/vmware_nsx/plugins/common/plugin.py
+++ b/vmware_nsx/plugins/common/plugin.py
@@ -481,6 +481,12 @@ class NsxPluginBase(db_base_plugin_v2.NeutronDbPluginV2,
     def _assert_on_device_owner_change(self, port_data, orig_dev_own):
         """Prevent illegal device owner modifications
         """
+        if orig_dev_own == constants.DEVICE_OWNER_LOADBALANCERV2:
+            if port_data['allowed_address_pairs']:
+                msg = _('Loadbalancer port can not be updated '
+                        'with address pairs')
+                raise n_exc.InvalidInput(error_message=msg)
+
         if 'device_owner' not in port_data:
             return
         new_dev_own = port_data['device_owner']
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
index c23ca0b70b..4ce56b1aa2 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
@@ -980,6 +980,23 @@ class TestPortsV2(test_plugin.TestPortsV2, NsxV3PluginTestCaseMixin,
                     self.assertEqual(exc.HTTPBadRequest.code,
                                      res.status_int)
 
+    def test_fail_update_lb_port_with_allowed_address_pairs(self):
+        with self.network() as network:
+            data = {'port': {
+                        'network_id': network['network']['id'],
+                        'tenant_id': self._tenant_id,
+                        'name': 'pair_port',
+                        'admin_state_up': True,
+                        'device_id': 'fake_device',
+                        'device_owner': constants.DEVICE_OWNER_LOADBALANCERV2,
+                        'fixed_ips': []}
+                    }
+            port = self.plugin.create_port(self.ctx, data)
+            data['port']['allowed_address_pairs'] = '10.0.0.1'
+            self.assertRaises(
+                n_exc.InvalidInput,
+                self.plugin.update_port, self.ctx, port['id'], data)
+
     def test_create_port_with_qos(self):
         with self.network() as network:
             policy_id = uuidutils.generate_uuid()