Browse Source

NSX|V: no spoofguard policy for portgroup provider network

The patch ensures that we do not create a spoofguard policy
for provider network port groups. This makes sure that the network
continues to behave as it did prior to attaching it to
OpenStack

Change-Id: I2466f3e3168afe68724d65f8a6463a0453bdf8db
changes/90/524090/5
Gary Kotton 4 years ago
parent
commit
51756e568a
  1. 10
      vmware_nsx/plugins/nsx_v/plugin.py
  2. 11
      vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py

10
vmware_nsx/plugins/nsx_v/plugin.py

@ -1030,6 +1030,9 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
for ep in policy['enforcementPoints']:
if ep['id'] == net_morefs[0]:
return policy['policyId'], True
LOG.warning("No spoofguard policy will be created for %s",
net_data['id'])
return None, False
# Always use enabled spoofguard policy. ports with disabled port
# security will be added to the exclude list
sg_policy_id = self.nsx_v.vcns.create_spoofguard_policy(
@ -1284,7 +1287,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
nsx_db.add_neutron_nsx_network_mapping(
context.session, new_net['id'],
net_moref)
if cfg.CONF.nsxv.spoofguard_enabled and backend_network:
if (cfg.CONF.nsxv.spoofguard_enabled and
backend_network and sg_policy_id):
nsxv_db.map_spoofguard_policy_for_network(
context.session, new_net['id'], sg_policy_id)
@ -4356,6 +4360,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
def _update_vnic_assigned_addresses(self, session, port, vnic_id):
sg_policy_id = nsxv_db.get_spoofguard_policy_id(
session, port['network_id'])
if not sg_policy_id:
LOG.warning("Spoofguard not defined for network %s",
port['network_id'])
return
mac_addr = port['mac_address']
approved_addrs = [addr['ip_address'] for addr in port['fixed_ips']]
# add in the address pair

11
vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py

@ -1113,22 +1113,25 @@ class FakeVcns(object):
'operationMode': 'MANUAL' if enable else 'DISABLE'}
policy_id = len(self._spoofguard_policies)
self._spoofguard_policies.append(policy)
return None, policy_id
return None, 'spoofguardpolicy-%s' % policy_id
def _get_index(self, policy_id):
return int(policy_id.split('-')[-1])
def update_spoofguard_policy(self, policy_id,
enforcement_points, name, enable):
policy = {'name': name,
'enforcementPoints': [{'id': enforcement_points[0]}],
'operationMode': 'MANUAL' if enable else 'DISABLE'}
self._spoofguard_policies[int(policy_id)] = policy
self._spoofguard_policies[self._get_index(policy_id)] = policy
return None, ''
def delete_spoofguard_policy(self, policy_id):
self._spoofguard_policies[int(policy_id)] = {}
self._spoofguard_policies[self._get_index(policy_id)] = {}
def get_spoofguard_policy(self, policy_id):
try:
return None, self._spoofguard_policies[int(policy_id)]
return None, self._spoofguard_policies[self._get_index(policy_id)]
except IndexError:
raise exceptions.VcnsGeneralException(
_("Spoofguard policy not found"))

Loading…
Cancel
Save