From 9ee4db829a4c2443cdf8900b99cbd56af4f9229e Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Sun, 4 Dec 2016 03:05:06 -0800
Subject: [PATCH] Create NSGroup for port exclusion

This patch does the followings:
1. Create a NS Group for Excluded ports
2. Add this NS Group to NSX Exclude List

Change-Id: If33306c38790103f4d08c42a1be8bc1bb54a4a59
Co-Authored-By: Shih-Hao Li
Co-Authored-By: Roey Chen
Depends-On: I5d5f92cbe19ba94d390c6fecbff1ae2083231657
---
 vmware_nsx/plugins/nsx_v3/plugin.py         | 42 +++++++++++++++++++++
 vmware_nsx/tests/unit/nsx_v3/test_plugin.py |  4 ++
 2 files changed, 46 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 66d6f1a7be..05409e81eb 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -104,6 +104,7 @@ NSX_V3_NO_PSEC_PROFILE_NAME = 'nsx-default-spoof-guard-vif-profile'
 NSX_V3_DHCP_PROFILE_NAME = 'neutron_port_dhcp_profile'
 NSX_V3_MAC_LEARNING_PROFILE_NAME = 'neutron_port_mac_learning_profile'
 NSX_V3_FW_DEFAULT_SECTION = 'OS Default Section for Neutron Security-Groups'
+NSX_V3_EXCLUDED_PORT_NSGROUP_NAME = 'neutron_excluded_port_nsgroup'
 
 
 # NOTE(asarfaty): the order of inheritance here is important. in order for the
@@ -202,6 +203,15 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
         (self._psec_profile, self._no_psec_profile_id, self._dhcp_profile,
          self._mac_learning_profile) = self._init_nsx_profiles()
 
+        # Include exclude NSGroup
+        LOG.debug("Initializing NSX v3 Excluded Port NSGroup")
+        self._excluded_port_nsgroup = None
+        self._excluded_port_nsgroup = self._init_excluded_port_nsgroup()
+        if not self._excluded_port_nsgroup:
+            msg = _("Unable to initialize NSX v3 Excluded Port NSGroup %s"
+                    ) % NSX_V3_EXCLUDED_PORT_NSGROUP_NAME
+            raise nsx_exc.NsxPluginException(err_msg=msg)
+
         # Bind QoS notifications
         callbacks_registry.subscribe(qos_utils.handle_qos_notification,
                                     callbacks_resources.QOS_POLICY)
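Review bot: `_init_excluded_port_nsgroup` ends by re-reading the group with `_get_excluded_port_nsgroup()`, so if a display-name lookup on the backend lags the create it just issued, the value assigned here is None and the plugin aborts with NsxPluginException rather than retrying — the retry decorator fires only on exceptions, never on an empty result. Returning the dict that `ns_group.create` already produced, or treating an empty lookup after a create as retryable, would avoid that failure mode. The comment `# Include exclude NSGroup` does not say what the block does; suggest `# Ensure the NSGroup that collects firewall-excluded ports exists and is on the NSX exclusion list; the attribute is pre-set to None because _get_excluded_port_nsgroup reads it.` The enclosing method (presumably `__init__`) starts and ends outside the hunk.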
@@ -309,6 +319,33 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             'nsx-logical-switch-id':
             self._get_network_nsx_id(context, port_data['network_id'])}
 
+    @nsxlib_utils.retry_upon_exception(
+        Exception, max_attempts=cfg.CONF.nsx_v3.retries)
+    def _init_excluded_port_nsgroup(self):
+        with locking.LockManager.get_lock('nsxv3_excluded_port_nsgroup_init'):
+            nsgroup = self._get_excluded_port_nsgroup()
+            if not nsgroup:
+                # Create a new NSGroup for excluded ports.
+                membership_criteria = (
+                    self.nsxlib.ns_group.get_port_tag_expression(
+                        security.PORT_SG_SCOPE, nsxlib_consts.EXCLUDE_PORT))
+                nsgroup = self.nsxlib.ns_group.create(
+                    NSX_V3_EXCLUDED_PORT_NSGROUP_NAME,
+                    'Neutron Excluded Port NSGroup',
+                    tags=self.nsxlib.build_v3_api_version_tag(),
+                    membership_criteria=membership_criteria)
+                # Add this NSGroup to NSX Exclusion List.
+                self.nsxlib.add_member_to_fw_exclude_list(
+                    nsgroup['id'], nsxlib_consts.NSGROUP)
+            return self._get_excluded_port_nsgroup()
+
+    def _get_excluded_port_nsgroup(self):
+        if self._excluded_port_nsgroup:
+            return self._excluded_port_nsgroup
+        nsgroups = self.nsxlib.ns_group.find_by_display_name(
+            NSX_V3_EXCLUDED_PORT_NSGROUP_NAME)
+        return nsgroups[0] if nsgroups else None
+
     def _unsubscribe_callback_events(self):
         # l3_db explicitly subscribes to the port delete callback. This
         # callback is unsubscribed here since l3 APIs are handled by
@@ -1492,6 +1529,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                  port_data.get(mac_ext.MAC_LEARNING) is True))):
             profiles.append(self._mac_learning_profile)
 
+        if not cfg.CONF.nsx_v3.native_dhcp_metadata:
+            if device_owner == const.DEVICE_OWNER_DHCP:
+                tags.append({'scope': security.PORT_SG_SCOPE,
+                             'tag': nsxlib_consts.EXCLUDE_PORT})
+
         name = self._get_port_name(context, port_data)
         nsx_net_id = port_data[pbin.VIF_DETAILS]['nsx-logical-switch-id']
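Review bot: If `ns_group.create` succeeds but the following `add_member_to_fw_exclude_list` raises, the re-entry driven by `retry_upon_exception(Exception, ...)` finds the group by display name, skips the `if not nsgroup:` branch and returns it — the group then exists but is never placed on the exclusion list, and nothing afterwards detects that, so ports tagged EXCLUDE_PORT would still be subject to the distributed firewall. Moving the two lines `self.nsxlib.add_member_to_fw_exclude_list(nsgroup['id'], nsxlib_consts.NSGROUP)` out of the `if not nsgroup:` block so membership is asserted on every initialization (tolerating an already-a-member response if the backend rejects duplicates) closes that gap. Two further caveats: `find_by_display_name` can return several groups and `nsgroups[0]` picks one arbitrarily, and the `LockManager` lock only serializes creation across neutron-server instances if it is backed by a shared lock path, which is not visible here. Retrying on bare `Exception` also hides programming errors behind up to `retries` repeats; a narrower exception type would be preferable.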
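Review bot: The firewall exclusion in the last hunk is granted solely on `device_owner == const.DEVICE_OWNER_DHCP`, an attribute that arrives with the port request; under Neutron's default policy the owner of a network can set `network:`-prefixed device owners on ports in that network (not visible here — confirm against the deployed policy), which would let a tenant-created port carry EXCLUDE_PORT and sit outside its security groups. A stricter gate would additionally require that the port be created under the DHCP service's context, or apply the tag only to ports Neutron itself creates for its agents. Whether the port-update path re-applies or removes the tag when `device_owner` changes is not covered by this patch and should be checked. Stylistically the two nested `if`s collapse to one condition: `if (not cfg.CONF.nsx_v3.native_dhcp_metadata and device_owner == const.DEVICE_OWNER_DHCP):`. The enclosing function starts and ends outside the hunk.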
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
index d8551c1c02..eddc4b138b 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
@@ -114,6 +114,10 @@ def _mock_nsx_backend_calls():
         "vmware_nsxlib.v3.NsxLibBridgeEndpoint.create",
         side_effect=_return_id_key).start()
 
+    mock.patch(
+        "vmware_nsxlib.v3.security.NsxLibNsGroup.find_by_display_name",
+    ).start()
+
     mock.patch(
         "vmware_nsxlib.v3.NsxLibLogicalSwitch.create",
         side_effect=_return_id_key).start()
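Review bot: `find_by_display_name` is patched without a `return_value`, so it yields a truthy MagicMock and `_get_excluded_port_nsgroup` always reports the group as present; the creation branch of `_init_excluded_port_nsgroup` (`ns_group.create` followed by `add_member_to_fw_exclude_list`) is therefore never executed by the unit suite, and `nsgroups[0]['id']` only works because MagicMock supports indexing. Giving the patch an explicit `return_value=[{'id': '<fake nsgroup id>'}]` (constructed placeholder) documents the shape the plugin expects, and a second test that sets `return_value=[]` and asserts `add_member_to_fw_exclude_list` is called with `nsxlib_consts.NSGROUP` would cover the path this patch actually introduces. `_mock_nsx_backend_calls` continues outside the hunk.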