[OVN] Fix port disable security dead when run neutron-ovn-db-sync-util

A port with port security disabled should not be in the ACL
neutron_pg_drop, but when neutron-ovn-db-sync-util is run, such a port
is still added to the ACL neutron_pg_drop. This happens because a port
with port security disabled is not a trusted port.

Co-authored-by: archiephan <chungphan7819@gmail.com>

Closes-Bug: #1939723
Change-Id: Iebce0929e3e68ac5be0acaf5cdac4f5833cb9f2f
Nguyen Thanh Cong 2021-11-11 21:00:23 +07:00
parent 3ddc6dcbd9
commit 4511290b72
2 changed files with 9 additions and 3 deletions


@ -488,10 +488,10 @@ class OVNClient(object):
**kwargs))
sg_ids = utils.get_lsp_security_groups(port)
# If this is not a trusted port or port security is enabled,
# If this is not a trusted port and port security is enabled,
# add it to the default drop Port Group so that all traffic
# is dropped by default.
if not utils.is_lsp_trusted(port) or port_info.port_security:
if not utils.is_lsp_trusted(port) and port_info.port_security:
self._add_port_to_drop_port_group(port_cmd, txn)
# Just add the port to its Port Group.
for sg in sg_ids:
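Review bot: With `and`, the guard `if not utils.is_lsp_trusted(port) and port_info.port_security:` now skips `_add_port_to_drop_port_group` whenever `port_info.port_security` is falsy, so default-deny membership depends on how that field is populated. `port_info` is built outside this hunk; if the field is a list of allowed addresses rather than a boolean, it is worth confirming that it is empty only when port security is disabled, since otherwise a port could silently end up without the default drop. I would state that invariant next to the condition, e.g. `# port_info.port_security is empty only when port security is disabled; such ports are deliberately left out of the drop Port Group.` The enclosing method starts and ends outside the hunk.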


@ -3133,7 +3133,12 @@ class TestOVNMechanismDriverSecurityGroup(MechDriverSetupBase,
# test acl methods invoking. Content correctness of args of acl methods
# is mainly guaranteed by acl_test.py.
_extension_drivers = ['port_security']
def setUp(self):
cfg.CONF.set_override('extension_drivers',
self._extension_drivers,
group='ml2')
cfg.CONF.set_override('mechanism_drivers',
['logger', 'ovn'],
'ml2')
@ -3324,8 +3329,9 @@ class TestOVNMechanismDriverSecurityGroup(MechDriverSetupBase,
req = self.new_update_request('ports', data, p['id'])
req.get_response(self.api)
# Default neutron_pg_drop, 2 security group
self.assertEqual(
2, self.mech_driver.nb_ovn.pg_add_ports.call_count)
3, self.mech_driver.nb_ovn.pg_add_ports.call_count)
def test_update_sg_change_rule(self):
with self.network() as n, self.subnet(n):
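Review bot: The updated assertion in the second hunk checks only `pg_add_ports.call_count`, and neither visible hunk adds a case for the scenario the commit fixes, namely that a port with port security disabled is not added to neutron_pg_drop. A count of 3 would also pass if some other Port Group were added in place of the drop group, so checking the recorded call arguments for the drop Port Group would pin the behaviour more tightly. I would add a test that creates or updates a port with port security disabled and asserts that no `pg_add_ports` call targets the drop Port Group; such a test may exist outside the lines shown. The enclosing test method and the `setUp` body both continue outside the hunks.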