NSX|V remove vnic from spoofguard only if port-security is enabled
When detaching a port from a VM, we should remove the vnic from the spoofguard policy only if it was added there before, i.e. only when port security is enabled on the port.

Change-Id: If6d0c8623214a54825acbc3b1c4be9f9b7dd21d1
parent
69219cd132
commit
251e164216
|
@ -1471,8 +1471,11 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||
self._delete_security_groups_port_mapping(
|
||||
context.session, vnic_id, curr_sgids)
|
||||
if cfg.CONF.nsxv.spoofguard_enabled:
|
||||
self._remove_vnic_from_spoofguard_policy(
|
||||
context.session, original_port['network_id'], vnic_id)
|
||||
if original_port[psec.PORTSECURITY]:
|
||||
self._remove_vnic_from_spoofguard_policy(
|
||||
context.session,
|
||||
original_port['network_id'],
|
||||
vnic_id)
|
||||
# remove vm from the exclusion list when it is detached
|
||||
# from the device if it has no port security
|
||||
if not original_port[psec.PORTSECURITY]:
|
||||
|
|
|
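Review bot: The new guard `if original_port[psec.PORTSECURITY]:` has no comment saying why the spoofguard removal is skipped, while the exclusion-list branch just below it has one; I would add `# the vnic is in the spoofguard policy only if port security is enabled` above it. The two nested conditions can also be written as one, `if (cfg.CONF.nsxv.spoofguard_enabled and original_port[psec.PORTSECURITY]):`, which keeps the call at its previous indentation. The cleanup now trusts the stored port-security flag to match what was pushed to the backend; if the two can diverge (presumably after a failed port-security toggle), an approved-address entry would be left on the spoofguard policy after the detach, so it is worth confirming that the toggle path cleans up on its own. The enclosing method starts and ends outside the hunk.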
@ -3723,6 +3723,36 @@ class TestNSXPortSecurity(test_psec.TestPortSecurity,
|
|||
self._del_port_with_vnic(port2['port']['id'], False)
|
||||
self._del_port_with_vnic(port1['port']['id'], True)
|
||||
|
||||
def test_detach_port_no_sec(self):
|
||||
device_id = _uuid()
|
||||
# create a compute port without port security
|
||||
port = self._create_compute_port('net1', device_id, False)
|
||||
# add vnic to the port
|
||||
self._add_vnic_to_port(port['port']['id'], True, 3)
|
||||
|
||||
# detach the port
|
||||
with mock.patch.object(
|
||||
self.fc2,
|
||||
'inactivate_vnic_assigned_addresses') as mock_inactivte:
|
||||
self._del_vnic_from_port(port['port']['id'], True)
|
||||
# inactivate spoofguard should not be called
|
||||
self.assertFalse(mock_inactivte.called)
|
||||
|
||||
def test_detach_port_with_sec(self):
|
||||
device_id = _uuid()
|
||||
# create a compute port without port security
|
||||
port = self._create_compute_port('net1', device_id, True)
|
||||
# add vnic to the port
|
||||
self._add_vnic_to_port(port['port']['id'], False, 3)
|
||||
|
||||
# detach the port
|
||||
with mock.patch.object(
|
||||
self.fc2,
|
||||
'inactivate_vnic_assigned_addresses') as mock_inactivte:
|
||||
self._del_vnic_from_port(port['port']['id'], False)
|
||||
# inactivate spoofguard should be called
|
||||
self.assertTrue(mock_inactivte.called)
|
||||
|
||||
def _toggle_port_security(self, port_id, enable_port_security,
|
||||
update_exclude):
|
||||
"""Enable/disable port security on a port, and verify that the exclude
|
||||
|
|
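Review bot: In `test_detach_port_with_sec` the comment `# create a compute port without port security` was copied from the previous test, but the call passes `True`, which presumably enables port security; it should read `# create a compute port with port security`. The mock name `mock_inactivte` is misspelled in both new tests and should be `mock_inactivate`. Both tests only check whether `inactivate_vnic_assigned_addresses` was called, so a short docstring on each stating that this backend call stands in for "vnic removed from the spoofguard policy" would make the intent clear to the next reader.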