NSX: neutron router-interface-add should clear security-groups

NSX does not support security groups on router ports, so when someone
uses a port that has a security group on it as the router port, we need
to clear the security group off the port.

Change-Id: Ia0fb331516887dcd7e9a435094ce1eb082d72575
closes-bug: 1329043
Aaron Rosen 2014-07-09 10:02:09 -07:00
parent bcc0319e31
commit 44438e864c
2 changed files with 25 additions and 1 deletions


@ -1716,7 +1716,12 @@ class NsxPluginV2(addr_pair_db.AllowedAddressPairsMixin,
nsx_router_id = nsx_utils.get_nsx_router_id(
context.session, self.cluster, router_id)
if port_id:
port_data = self._get_port(context, port_id)
port_data = self.get_port(context, port_id)
# If security groups are present we need to remove them as
# this is a router port.
if port_data['security_groups']:
self.update_port(context, port_id,
{'port': {'security_groups': []}})
nsx_switch_id, nsx_port_id = nsx_utils.get_nsx_switch_and_port_id(
context.session, self.cluster, port_id)
# Unplug current attachment from lswitch port
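Review bot: The security groups are cleared as soon as the port is fetched, before the switch/port lookup and the unplug/attach steps that follow, so a failure later in the method could leave the port with no security groups even though it never became a router interface. The method continues outside this hunk, so whether anything restores them is not visible; consider keeping the original list and restoring it on failure, or moving the `update_port` call to after the attachment succeeds. Because this silently removes filtering policy from a caller-supplied port, a log line naming the port and the groups that were removed would help operators audit it. `if port_data.get('security_groups'):` would also avoid a KeyError if the key is missing from the returned dict.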


@ -993,6 +993,25 @@ class TestL3NatTestCase(L3NatTest,
self.assertEqual(webob.exc.HTTPServiceUnavailable.code,
res.status_int)
def test_router_add_interface_port_removes_security_group(self):
with self.router() as r:
with self.port(no_delete=True) as p:
body = self._router_interface_action('add',
r['router']['id'],
None,
p['port']['id'])
self.assertIn('port_id', body)
self.assertEqual(body['port_id'], p['port']['id'])
# fetch port and confirm no security-group on it.
body = self._show('ports', p['port']['id'])
self.assertEqual(body['port']['security_groups'], [])
# clean-up
self._router_interface_action('remove',
r['router']['id'],
None,
p['port']['id'])
class ExtGwModeTestCase(NsxPluginV2TestCase,
test_ext_gw_mode.ExtGwModeIntTestCase):
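Review bot: The new test never checks that the port carries a security group before the interface is added, so the final `assertEqual(body['port']['security_groups'], [])` would also pass if `self.port()` created the port without one. Whether the fixture assigns a default group is not visible here; adding `self.assertTrue(p['port']['security_groups'])` before the `'add'` action would make the test prove that the groups are actually removed. The `'remove'` clean-up also runs only if the assertions pass, which may leave the `no_delete=True` port attached after a failure.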