NSX|V: no spoofguard policy for portgroup provider network

The patch ensures that we do not create a spoofguard policy for provider network port groups. This makes sure that the network continues to behave as it did prior to attaching it to OpenStack Change-Id: I2466f3e3168afe68724d65f8a6463a0453bdf8db
2017-11-29 23:40:43 -08:00 · 2017-11-29 23:40:43 -08:00 · 51756e568a
commit 51756e568a
parent 78aae2093d
2 changed files with 16 additions and 5 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -1030,6 +1030,9 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                for ep in policy['enforcementPoints']:
                    if ep['id'] == net_morefs[0]:
                        return policy['policyId'], True
+            LOG.warning("No spoofguard policy will be created for %s",
+                        net_data['id'])
+            return None, False
        # Always use enabled spoofguard policy. ports with disabled port
        # security will be added to the exclude list
        sg_policy_id = self.nsx_v.vcns.create_spoofguard_policy(
@ -1284,7 +1287,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                            nsx_db.add_neutron_nsx_network_mapping(
                                context.session, new_net['id'],
                                net_moref)
-                    if cfg.CONF.nsxv.spoofguard_enabled and backend_network:
+                    if (cfg.CONF.nsxv.spoofguard_enabled and
+                        backend_network and sg_policy_id):
                        nsxv_db.map_spoofguard_policy_for_network(
                            context.session, new_net['id'], sg_policy_id)

@ -4356,6 +4360,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
    def _update_vnic_assigned_addresses(self, session, port, vnic_id):
        sg_policy_id = nsxv_db.get_spoofguard_policy_id(
            session, port['network_id'])
+        if not sg_policy_id:
+            LOG.warning("Spoofguard not defined for network %s",
+                        port['network_id'])
+            return
        mac_addr = port['mac_address']
        approved_addrs = [addr['ip_address'] for addr in port['fixed_ips']]
        # add in the address pair
--- a/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py
+++ b/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py
@ -1113,22 +1113,25 @@ class FakeVcns(object):
                  'operationMode': 'MANUAL' if enable else 'DISABLE'}
        policy_id = len(self._spoofguard_policies)
        self._spoofguard_policies.append(policy)
-        return None, policy_id
+        return None, 'spoofguardpolicy-%s' % policy_id
+
+    def _get_index(self, policy_id):
+        return int(policy_id.split('-')[-1])

    def update_spoofguard_policy(self, policy_id,
                                 enforcement_points, name, enable):
        policy = {'name': name,
                  'enforcementPoints': [{'id': enforcement_points[0]}],
                  'operationMode': 'MANUAL' if enable else 'DISABLE'}
-        self._spoofguard_policies[int(policy_id)] = policy
+        self._spoofguard_policies[self._get_index(policy_id)] = policy
        return None, ''

    def delete_spoofguard_policy(self, policy_id):
-        self._spoofguard_policies[int(policy_id)] = {}
+        self._spoofguard_policies[self._get_index(policy_id)] = {}

    def get_spoofguard_policy(self, policy_id):
        try:
-            return None, self._spoofguard_policies[int(policy_id)]
+            return None, self._spoofguard_policies[self._get_index(policy_id)]
        except IndexError:
            raise exceptions.VcnsGeneralException(
                _("Spoofguard policy not found"))