NSX|V: no spoofguard policy for portgroup provider network

The patch ensures that we do not create a spoofguard policy
for provider network port groups. This makes sure that the network
continues to behave as it did prior to attaching it to
OpenStack

Change-Id: I2466f3e3168afe68724d65f8a6463a0453bdf8db

vmware_nsx/plugins/nsx_v/plugin.py

@@ -1030,6 +1030,9 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                 for ep in policy['enforcementPoints']:
                     if ep['id'] == net_morefs[0]:
                         return policy['policyId'], True
+            LOG.warning("No spoofguard policy will be created for %s",
+                        net_data['id'])
+            return None, False
         # Always use enabled spoofguard policy. ports with disabled port
         # security will be added to the exclude list
         sg_policy_id = self.nsx_v.vcns.create_spoofguard_policy(
@@ -1284,7 +1287,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                             nsx_db.add_neutron_nsx_network_mapping(
                                 context.session, new_net['id'],
                                 net_moref)
-                    if cfg.CONF.nsxv.spoofguard_enabled and backend_network:
+                    if (cfg.CONF.nsxv.spoofguard_enabled and
+                        backend_network and sg_policy_id):
                         nsxv_db.map_spoofguard_policy_for_network(
                             context.session, new_net['id'], sg_policy_id)
 
@@ -4356,6 +4360,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
     def _update_vnic_assigned_addresses(self, session, port, vnic_id):
         sg_policy_id = nsxv_db.get_spoofguard_policy_id(
             session, port['network_id'])
+        if not sg_policy_id:
+            LOG.warning("Spoofguard not defined for network %s",
+                        port['network_id'])
+            return
         mac_addr = port['mac_address']
         approved_addrs = [addr['ip_address'] for addr in port['fixed_ips']]
         # add in the address pair

vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py

@@ -1113,22 +1113,25 @@ class FakeVcns(object):
                   'operationMode': 'MANUAL' if enable else 'DISABLE'}
         policy_id = len(self._spoofguard_policies)
         self._spoofguard_policies.append(policy)
-        return None, policy_id
+        return None, 'spoofguardpolicy-%s' % policy_id
+
+    def _get_index(self, policy_id):
+        return int(policy_id.split('-')[-1])
 
     def update_spoofguard_policy(self, policy_id,
                                  enforcement_points, name, enable):
         policy = {'name': name,
                   'enforcementPoints': [{'id': enforcement_points[0]}],
                   'operationMode': 'MANUAL' if enable else 'DISABLE'}
-        self._spoofguard_policies[int(policy_id)] = policy
+        self._spoofguard_policies[self._get_index(policy_id)] = policy
         return None, ''
 
     def delete_spoofguard_policy(self, policy_id):
-        self._spoofguard_policies[int(policy_id)] = {}
+        self._spoofguard_policies[self._get_index(policy_id)] = {}
 
     def get_spoofguard_policy(self, policy_id):
         try:
-            return None, self._spoofguard_policies[int(policy_id)]
+            return None, self._spoofguard_policies[self._get_index(policy_id)]
         except IndexError:
             raise exceptions.VcnsGeneralException(
                 _("Spoofguard policy not found"))