From 48004c880624a92a3ec3a1185306cad08b4f7d7d Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Thu, 4 Oct 2018 12:02:41 +0300
Subject: [PATCH] NSX|V+V3: Prevent adding different projects routers to fwaas-V1
When a user tries to add a router from 1 project to a FW from another, the driver should through InternalDriverError for hte FW to be in ERROR state. This should not be done in case of a delete action, in order to allow the deletion of an ERROR FW as well. Commit Ia86ccc7906ff58b35dccb01f4c165822b9dbf2a9 removed the InternalDriverError in a wrong attempt to handle the deletion case.
Change-Id: I2c88c6ff773235876253a0b194d30d1d417e03c4
---
 vmware_nsx/services/fwaas/common/fwaas_callbacks_v1.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/vmware_nsx/services/fwaas/common/fwaas_callbacks_v1.py b/vmware_nsx/services/fwaas/common/fwaas_callbacks_v1.py
index 6c6f2c7498..7c756f04a4 100644
--- a/vmware_nsx/services/fwaas/common/fwaas_callbacks_v1.py
+++ b/vmware_nsx/services/fwaas/common/fwaas_callbacks_v1.py
@@ -20,6 +20,7 @@ from neutron.agent.l3 import router_info
 from neutron.common import config as neutron_config # noqa
 from neutron_lib import constants as nl_constants
 from neutron_lib import context as n_context
+from neutron_lib.exceptions import firewall_v1 as exceptions
 from neutron_lib.plugins import directory
 
 LOG = logging.getLogger(__name__)
@@ -72,7 +73,7 @@ class NsxFwaasCallbacks(firewall_l3_agent.L3WithFWaaS):
 else fw['add-router-ids'])
 project_ids = [router['id'] for router in routers_in_proj
 if router['id'] in ids]
- if len(project_ids) < len(ids):
+ if len(project_ids) < len(ids) and not to_delete:
 # This means that there is a router from another project.
 LOG.error("Failed to attach routers from a different project "
 "to firewall %(fw)s: %(routers)s",
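Review bot: With `and not to_delete` added to the condition, a delete request whose `ids` include routers missing from `routers_in_proj` now skips the error branch without any log entry and falls through to `return ids` in the next hunk, so the caller-supplied list is returned unfiltered instead of `project_ids`. What the caller does with those ids is not visible here, but the per-project filter computed just above is effectively discarded on the delete path. Consider `return project_ids if to_delete else ids`, together with a `LOG.warning` that names the foreign router ids; if the foreign ids are deliberately needed to clean up an ERROR firewall, a comment saying so would help. The enclosing method starts above this hunk and continues into the next one.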
@@ -82,6 +83,8 @@ class NsxFwaasCallbacks(firewall_l3_agent.L3WithFWaaS):
 context,
 fw['id'],
 nl_constants.ERROR)
+ raise exceptions.FirewallInternalDriverError(
+ driver=self.fwaas_driver.driver_name)
 return ids
 else:
 return [router['id'] for router in routers_in_proj]
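Review bot: The restored `raise exceptions.FirewallInternalDriverError(...)` and the delete exemption arrive without a test, since the diffstat lists only fwaas_callbacks_v1.py, even though the commit message says an earlier change already removed this raise by mistake. A unit test that passes a router id from another project in `add-router-ids` and expects `FirewallInternalDriverError`, plus one that passes the same ids with `to_delete=True` and expects no exception, would pin both behaviours against a repeat of that regression. The enclosing method begins outside this hunk.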