Merge "Set default rp_filter for NSXv 6.2"

vmware_nsx/neutron/plugins/vmware/plugins/nsx_v_drivers/distributed_router_driver.py

@@ -349,6 +349,10 @@ class RouterDistributedDriver(router_driver.RouterBaseDriver):
             # Detach network from VDR-dedicated DHCP Edge
             vdr_dhcp_binding = nsxv_db.get_vdr_dhcp_binding_by_vdr(
                 context.session, router_id)
+
+            self.edge_manager.reset_sysctl_rp_filter_for_vdr_dhcp(
+                context, vdr_dhcp_binding['dhcp_edge_id'], network_id)
+
             self.edge_manager.remove_network_from_dhcp_edge(
                 context, network_id, vdr_dhcp_binding['dhcp_edge_id'])
 

vmware_nsx/neutron/plugins/vmware/vshield/edge_utils.py

@@ -43,9 +43,9 @@ from vmware_nsx.neutron.plugins.vmware.vshield.tasks import tasks
 from vmware_nsx.neutron.plugins.vmware.vshield import vcns
 
 WORKER_POOL_SIZE = 8
-RP_FILTER_PROPERTY_OFF = 'sysctl.net.ipv4.conf.all.rp_filter=0'
-LOG = logging.getLogger(__name__)
+RP_FILTER_PROPERTY_OFF_TEMPLATE = 'sysctl.net.ipv4.conf.%s.rp_filter=%s'
 
+LOG = logging.getLogger(__name__)
 _uuid = uuidutils.generate_uuid
 
 
@@ -913,8 +913,6 @@ class EdgeManager(object):
             self.plugin.setup_dhcp_edge_fw_rules(
                 context, self.plugin, resource_id)
 
-            self.nsxv_manager.vcns.set_system_control(
-                dhcp_edge_id, RP_FILTER_PROPERTY_OFF)
             nsxv_db.add_vdr_dhcp_binding(context.session, vdr_router_id,
                                          str(resource_id), dhcp_edge_id)
 
@@ -923,6 +921,59 @@ class EdgeManager(object):
         self.update_dhcp_edge_service(
             context, network_id, address_groups=address_groups)
 
+        self.set_sysctl_rp_filter_for_vdr_dhcp(
+            context, dhcp_edge_id, network_id)
+
+    def _get_sub_interface_id(self, context, edge_id, network_id):
+        vnic_binding = nsxv_db.get_edge_vnic_binding(
+            context.session, edge_id, network_id)
+
+        if vnic_binding:
+            _, vnic_config = self.nsxv_manager.get_interface(
+                edge_id, vnic_binding.vnic_index)
+            sub_iface_dict = vnic_config.get('subInterfaces')
+            if sub_iface_dict:
+                sub_interfaces = sub_iface_dict.get('subInterfaces', [])
+
+                for sub_interface in sub_interfaces:
+                    if sub_interface['tunnelId'] == vnic_binding.tunnel_index:
+                        return sub_interface['index']
+
+    def set_sysctl_rp_filter_for_vdr_dhcp(self, context, edge_id, network_id):
+
+        vnic_index = self._get_sub_interface_id(context, edge_id, network_id)
+        if vnic_index:
+            vnic_id = 'vNic_%d' % vnic_index
+            with locking.LockManager.get_lock(
+                    str(edge_id), lock_file_prefix='nsxv-dhcp-config-',
+                    external=True):
+                sysctl_props = []
+                h, sysctl = self.nsxv_manager.vcns.get_system_control(edge_id)
+                if sysctl:
+                    sysctl_props = sysctl['property']
+                sysctl_props.append(
+                    RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, '0'))
+                self.nsxv_manager.vcns.set_system_control(
+                    edge_id, sysctl_props)
+
+    def reset_sysctl_rp_filter_for_vdr_dhcp(self, context, edge_id,
+                                            network_id):
+        vnic_index = self._get_sub_interface_id(context, edge_id, network_id)
+        if vnic_index:
+            vnic_id = 'vNic_%d' % vnic_index
+            with locking.LockManager.get_lock(
+                    str(edge_id), lock_file_prefix='nsxv-dhcp-config-',
+                    external=True):
+                h, sysctl = self.nsxv_manager.vcns.get_system_control(edge_id)
+                if sysctl:
+                    sysctl_props = sysctl['property']
+                    sysctl_props.remove(
+                        RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, '0'))
+                    sysctl_props.append(
+                        RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, '1'))
+                    self.nsxv_manager.vcns.set_system_control(
+                        edge_id, sysctl_props)
+
     def get_plr_by_tlr_id(self, context, router_id):
         lswitch_id = nsxv_db.get_nsxv_router_binding(
             context.session, router_id).lswitch_id

vmware_nsx/neutron/plugins/vmware/vshield/vcns.py

@@ -567,12 +567,15 @@ class Vcns(object):
 
         payload = {
             'featureType': 'systemcontrol',
-            'property': [
-                prop
-            ]
+            'property': prop
         }
         return self.do_request(HTTP_PUT, uri, payload, decode=True)
 
+    def get_system_control(self, edge_id):
+        uri = self._build_uri_path(edge_id, SYSCTL_SERVICE)
+
+        return self.do_request(HTTP_GET, uri)
+
     @retry_upon_exception(exceptions.RequestBad)
     def create_spoofguard_policy(self, enforcement_point, name, enable):
         uri = '%s/policies/' % SPOOFGUARD_PREFIX