From cb083bdbcfc15a2c5f1ed0e0273b607752d7194e Mon Sep 17 00:00:00 2001
From: Nguyen Thanh Cong
Date: Thu, 11 Nov 2021 21:00:23 +0700
Subject: [PATCH] [OVN] Fix port disable security dead when run neutron-ovn-db-sync-util
Port disable security should not have been in acl neutron_pg_drop, but when run neutron-ovn-db-sync-util, port disable security still added to ACL neutron_pg_drop. It because port disable security is not trusted port.
Co-authored-by: archiephan
Closes-Bug: #1939723
Change-Id: Iebce0929e3e68ac5be0acaf5cdac4f5833cb9f2f
(cherry picked from commit 4511290b726f605384285228a28ad7b32a4b8c43)
---
 .../ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py | 4 ++--
 .../ml2/drivers/ovn/mech_driver/test_mech_driver.py | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
index 336e9d473f7..100c15cf076 100644
--- a/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
+++ b/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py
@@ -412,10 +412,10 @@ class OVNClient(object):
 **kwargs))
 sg_ids = utils.get_lsp_security_groups(port)
- # If this is not a trusted port or port security is enabled,
+ # If this is not a trusted port and port security is enabled,
 # add it to the default drop Port Group so that all traffic
 # is dropped by default.
- if not utils.is_lsp_trusted(port) or port_info.port_security:
+ if not utils.is_lsp_trusted(port) and port_info.port_security:
 self._add_port_to_drop_port_group(port_cmd, txn)
 # Just add the port to its Port Group.
 for sg in sg_ids:
diff --git a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
index f118273987e..90227b8c0c9 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
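Review bot: The new guard in the ovn_client.py hunk, `if not utils.is_lsp_trusted(port) and port_info.port_security:`, decides default-drop membership from the truthiness of `port_info.port_security`, and the hunk does not show what that field holds. If it is a collection of allowed addresses rather than the port's port-security flag, a port that has port security enabled but an empty collection would also be left out of the drop Port Group, which fails open; this is worth confirming against the code that builds `port_info`, which is outside the hunk. The rewritten comment states the condition but not the reason, and something like `# Trusted ports and ports with port security disabled bypass ACLs, so only untrusted ports with port security enabled join the default drop Port Group.` would record the intent. The enclosing method starts and ends outside the hunk.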
+++ b/neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
@@ -2914,7 +2914,12 @@ class TestOVNMechanismDriverSecurityGroup(
 # test acl methods invoking. Content correctness of args of acl methods
 # is mainly guaranteed by acl_test.py.
+ _extension_drivers = ['port_security']
+
 def setUp(self):
+ cfg.CONF.set_override('extension_drivers',
+ self._extension_drivers,
+ group='ml2')
 cfg.CONF.set_override('mechanism_drivers', ['logger', 'ovn'], 'ml2')
@@ -3106,8 +3111,9 @@ class TestOVNMechanismDriverSecurityGroup(
 req = self.new_update_request('ports', data, p['id'])
 req.get_response(self.api)
+ # Default neutron_pg_drop, 2 security group
 self.assertEqual(
- 2, self.mech_driver._nb_ovn.pg_add_ports.call_count)
+ 3, self.mech_driver._nb_ovn.pg_add_ports.call_count)
 def test_update_sg_change_rule(self):
 with self.network() as n, self.subnet(n):
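Review bot: The changed assertion in the last test hunk, `3, self.mech_driver._nb_ovn.pg_add_ports.call_count`, checks only how many times `pg_add_ports` was called, so it would still pass if the extra call targeted a group other than `neutron_pg_drop`. None of the visible test changes covers the case the commit fixes, a port with port security disabled that must not be added to the drop group; a case that creates a port with `port_security_enabled` set to False and asserts the drop group never appears in the `pg_add_ports` calls would pin the fix. The added comment `# Default neutron_pg_drop, 2 security group` could read `# One call for the default neutron_pg_drop group plus one per security group (2).`. The test method containing this assertion starts outside the hunk, so the port setup it relies on is inferred.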