NSX: fix router ports port_security_enabled=False

Previously there was a bug that resulted in a security group being
added to router ports which was not supported in NSX. Removing the
security group didn't actually completely solve the problem as we
never cleared the allowed_address_pairs on the router port. This
patch fixes this issue by disabling port_security_enabled on the
router port.

Change-Id: Ib61756e3bd5866318cbc3bb9856344571399d656
Closes-bug: 1344266
Related-bug: 1329043

neutron/plugins/vmware/plugins/base.py

@@ -1718,10 +1718,11 @@ class NsxPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         if port_id:
             port_data = self.get_port(context, port_id)
             # If security groups are present we need to remove them as
-            # this is a router port.
+            # this is a router port and disable port security.
             if port_data['security_groups']:
                 self.update_port(context, port_id,
-                                 {'port': {'security_groups': []}})
+                                 {'port': {'security_groups': [],
+                                           psec.PORTSECURITY: False}})
             nsx_switch_id, nsx_port_id = nsx_utils.get_nsx_switch_and_port_id(
                 context.session, self.cluster, port_id)
             # Unplug current attachment from lswitch port

neutron/tests/unit/vmware/test_nsx_plugin.py

@@ -1007,6 +1007,7 @@ class TestL3NatTestCase(L3NatTest,
                 # fetch port and confirm no security-group on it.
                 body = self._show('ports', p['port']['id'])
                 self.assertEqual(body['port']['security_groups'], [])
+                self.assertFalse(body['port']['port_security_enabled'])
                 # clean-up
                 self._router_interface_action('remove',
                                               r['router']['id'],