From 1ac571ccafa8ff76bc14929437bc853e8b2032e0 Mon Sep 17 00:00:00 2001
From: Roey Chen
Date: Wed, 16 Sep 2015 05:44:35 -0700
Subject: [PATCH] NSXv3: Completing security-group implementation

This patch adds default dhcp allow rule to all security-group associated ports, plus few minor changes.

Change-Id: I32be9006aed619471136c5290bcd63688dfb4d6f
---
 vmware_nsx/nsxlib/v3/security.py | 38 ++++++++++++++++++++---------
 vmware_nsx/plugins/nsx_v3/plugin.py | 6 +----
 2 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/vmware_nsx/nsxlib/v3/security.py b/vmware_nsx/nsxlib/v3/security.py
index ff0c3bf9e1..ec4b201859 100644
--- a/vmware_nsx/nsxlib/v3/security.py
+++ b/vmware_nsx/nsxlib/v3/security.py
@@ -37,21 +37,32 @@ def _get_l4_protocol_name(proto_num):
     return firewall.ICMPV4
 
 
+def _get_direction(sg_rule):
+    return firewall.IN if sg_rule['direction'] == 'ingress' else firewall.OUT
+
+
 def _decide_service(sg_rule):
     ip_proto = securitygroups_db.IP_PROTOCOL_MAP.get(sg_rule['protocol'],
                                                      sg_rule['protocol'])
     l4_protocol = _get_l4_protocol_name(ip_proto)
+    direction = _get_direction(sg_rule)
 
     if l4_protocol in [firewall.TCP, firewall.UDP]:
         # If port_range_min is not specified then we assume all ports are
         # matched, relying on neutron to perform validation.
+        source_ports = []
         if sg_rule['port_range_min'] is None:
-            source_ports = []
+            destination_ports = []
         else:
-            source_ports = ['%(port_range_min)s-%(port_range_max)s' % sg_rule]
+            destination_ports = ['%(port_range_min)s-%(port_range_max)s'
+                                 % sg_rule]
+        if direction == firewall.OUT:
+            source_ports, destination_ports = destination_ports, []
+
         return firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
                                       l4_protocol=l4_protocol,
-                                      source_ports=source_ports)
+                                      source_ports=source_ports,
+                                      destination_ports=destination_ports)
     elif l4_protocol == firewall.ICMPV4:
         return firewall.get_nsservice(firewall.ICMP_TYPE_NSSERVICE,
                                       protocol=l4_protocol,
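Review bot: The egress swap `source_ports, destination_ports = destination_ports, []` in `_decide_service` deserves a second look: a Neutron egress rule's port range denotes the remote service port, which is the destination port of the outbound packet, and this same patch treats L4PortSet ports literally elsewhere (the DHCP rule added in the `_init_default_section` hunk pairs `source_ports=[67]` with `destination_ports=[68]` for an IN rule). Unless the backend interprets source/destination of an OUT rule relative to the protected port, this turns "allow egress TCP 443" into "allow packets whose source port is 443", which neither permits the intended traffic nor keeps the rule as narrow as the operator wrote it. If the swap is intentional, a comment stating the backend convention it relies on, e.g. `# NSX OUT rules: the remote port is expressed as source_ports (backend convention)`, would keep the next reader from reverting it; if not, drop the two swap lines and always pass the range as destination_ports. The tail of _decide_service (the ICMP branch) continues outside the hunk.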
@@ -65,8 +76,7 @@ def _decide_service(sg_rule):
 def _get_fw_rule_from_sg_rule(sg_rule, nsgroup_id, rmt_nsgroup_id):
     # IPV4 or IPV6
     ip_protocol = sg_rule['ethertype'].upper()
-    direction = (
-        firewall.IN if sg_rule['direction'] == 'ingress' else firewall.OUT)
+    direction = _get_direction(sg_rule)
     source = None
     local_group = firewall.get_nsgroup_reference(nsgroup_id)
 
@@ -105,9 +115,9 @@ def create_firewall_rules(context, section_id, nsgroup_id,
 
         fw_rule = _get_fw_rule_from_sg_rule(
             sg_rule, nsgroup_id, remote_nsgroup_id)
-        firewall_rules.append(
-            firewall.add_rule_in_section(fw_rule, section_id))
-    return {'rules': firewall_rules}
+        firewall_rules.append(fw_rule)
+
+    return firewall.add_rules_in_section(firewall_rules, section_id)
 
 
 def get_nsgroup_name(security_group):
@@ -195,8 +205,7 @@ def _init_nsgroup_container(name, description):
     nsgroups = firewall.list_nsgroups()
     for nsg in nsgroups:
         if nsg['display_name'] == name:
-            # NSGroup container exists and so should the OS default
-            # security-groups section.
+            # NSGroup container exists.
             break
     else:
         # Need to create the nsgroup container and the OS default
@@ -216,6 +225,13 @@ def _init_default_section(name, description, nsgroup_id):
     # TODO(roeyc): Add aditional rules to allow IPV6 NDP.
     block_rule = firewall.get_firewall_rule_dict(
         'Block All', action=firewall.DROP)
-    firewall.add_rule_in_section(block_rule, section['id'])
+    dhcp_client = firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
+                                         l4_protocol=firewall.TCP,
+                                         source_ports=[67],
+                                         destination_ports=[68])
+    dhcp_client_rule = firewall.get_firewall_rule_dict(
+        'DHCP-Client', direction=firewall.IN, service=dhcp_client)
+    firewall.add_rules_in_section([dhcp_client_rule, block_rule],
+                                  section['id'])
     return section['id']
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index a2e8bcbfbc..bb7c337e5e 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
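Review bot: The DHCP-Client service in `_init_default_section` is built with `l4_protocol=firewall.TCP`, but DHCP (RFC 2131) is carried over UDP from server port 67 to client port 68; as written the new rule matches no real DHCP reply, so the following 'Block All' rule still drops DHCPOFFER/DHCPACK for every port in the section, while an unrelated TCP 67→68 path is opened instead. Change it to `l4_protocol=firewall.UDP,`. The rule also carries no source restriction, so any host sending from UDP/67 reaches the client port; that is the usual trade-off for DHCP replies but should be stated, e.g. `# DHCP replies (UDP 67 -> 68) are allowed from any source; client requests are egress and not covered here.` The ports are passed as ints here while `_decide_service` passes range strings, so the representation the backend accepts is worth confirming once. _init_default_section starts outside the hunk.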
@@ -475,10 +475,6 @@ class NsxV3Plugin(db_base_plugin_v2.NeutronDbPluginV2,
             if sgids is not None:
                 self._process_port_create_security_group(
                     context, neutron_db, sgids)
-                #FIXME(abhiraut): Security group should not be processed for
-                # a port belonging to an external network.
-                # Below call will fail since there is no lport
-                # in the backend.
                 security.update_lport_with_security_groups(
                     context, lport['id'], [], sgids)
             return neutron_db
@@ -1084,7 +1080,7 @@ class NsxV3Plugin(db_base_plugin_v2.NeutronDbPluginV2,
             except nsx_exc.ManagerError:
                 with excutils.save_and_reraise_exception():
                     LOG.exception(_LE("Failed to create backend firewall rules "
-                                      " for security-group %(name)s (%(id)s), "
+                                      "for security-group %(name)s (%(id)s), "
                                       "rolling back changes."), secgroup_db)
             # default security group deletion requires admin context
             if default_sg:
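Review bot: Deleting the FIXME does not resolve what it documented: `security.update_lport_with_security_groups` is still invoked for every port with `sgids`, including ports on external networks which, per the removed note, have no backend lport, so that call can still fail unless a guard was added elsewhere in this series. If it was fixed elsewhere, replace the FIXME with a one-line pointer such as `# External-network ports never reach this call; filtered in [location placeholder]`; otherwise keep the FIXME, or skip the backend update for ports on external networks so a failed backend call cannot leave a port created in Neutron without its security-group bindings applied. The enclosing method (apparently the port-create path) begins and ends outside the hunk.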