From 2913dae7a3108d1b2bc72e8d892da302f41ca8bc Mon Sep 17 00:00:00 2001
From: Anton Kurbatov
Date: Thu, 23 Feb 2023 15:07:11 +0000
Subject: [PATCH] Prevent router_ha_interface port from being removed via API

If someone removes the port with device owner router_ha_interface, then we can get unexpected router behavior like doubling arp response packets. This patch prohibits removing such a port.

Closes-Bug: #2008270
Change-Id: Ief031801c1a3e3dd64e6cbf65e27f04f2bef9cba
(cherry picked from commit e68e4162cebfa8e5d8f70d4220119d5ca54666bf)
---
 neutron/db/l3_hamode_db.py | 4 ++++
 neutron/tests/unit/db/test_l3_hamode_db.py | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/neutron/db/l3_hamode_db.py b/neutron/db/l3_hamode_db.py
index 0ec256c4a54..1df76221ba8 100644
--- a/neutron/db/l3_hamode_db.py
+++ b/neutron/db/l3_hamode_db.py
@@ -68,6 +68,10 @@ class L3_HA_NAT_db_mixin(l3_dvr_db.L3_NAT_with_dvr_db_mixin,
 router_az_db.RouterAvailabilityZoneMixin):
 """Mixin class to add high availability capability to routers."""
 
+ router_device_owners = (
+ l3_dvr_db.L3_NAT_with_dvr_db_mixin.router_device_owners +
+ (constants.DEVICE_OWNER_ROUTER_HA_INTF, ))
+
 def _verify_configuration(self):
 self.ha_cidr = cfg.CONF.l3_ha_net_cidr
 try:
diff --git a/neutron/tests/unit/db/test_l3_hamode_db.py b/neutron/tests/unit/db/test_l3_hamode_db.py
index d0f15d38822..277bfcb753f 100644
--- a/neutron/tests/unit/db/test_l3_hamode_db.py
+++ b/neutron/tests/unit/db/test_l3_hamode_db.py
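Review bot: In `neutron/db/l3_hamode_db.py`, the new `router_device_owners` override on `L3_HA_NAT_db_mixin` carries no comment saying that membership in this tuple is what makes an API port delete get refused, so its protective purpose is easy to lose in a later refactor. I would add above it `# HA interface ports are router-owned: listing the owner here makes API deletes fail with ServicePortInUse (bug #2008270).` The code that consults the tuple is outside this hunk, so it is worth confirming that internal paths which legitimately remove HA ports, such as router deletion, bypass that check rather than hit the new entry. The class body continues past the end of the hunk.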
@@ -669,6 +669,18 @@ class L3HATestCase(L3HATestFramework): self.admin_ctx, ports[0]['id'], port) + def test_delete_router_ha_interface_port(self): + router = self._create_router() + network = self.plugin.get_ha_network(self.admin_ctx, + router['tenant_id']) + binding = self.plugin.add_ha_port( + self.admin_ctx, router['id'], network.network_id, + router['tenant_id']) + + self.assertRaises(n_exc.ServicePortInUse, + self.core_plugin.delete_port, + self.admin_ctx, binding.port_id) + def test_create_ha_network_tenant_binding_raises_duplicate(self): router = self._create_router() network = self.plugin.get_ha_network(self.admin_ctx,
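Review bot: `test_delete_router_ha_interface_port` in `neutron/tests/unit/db/test_l3_hamode_db.py` only checks that `delete_port` raises; it never verifies that the port survived the rejected call. Adding `self.assertIsNotNone(self.core_plugin.get_port(self.admin_ctx, binding.port_id))` after the `assertRaises` would pin that the refusal happens before anything is removed. The test also covers only the admin context and only the refused path. A companion case that deletes the router itself and checks that the HA port is still cleaned up would guard against the new device-owner entry blocking legitimate internal deletion, assuming that path goes through the same check.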