NSX|V3: ensure that the DHCP switch profile is not too permissive

Ensures the following: - BPDU Filter: Enabled - BPDU Filter Allow List: None - DHCP Server Block: Disabled - DHCP Client Block: Enabled - Block Non-IP Traffic: Enabled Change-Id: Ie6212d9df918e77912814e8d332cb5ae404b234f Closes-bug: #1527141
2015-12-17 00:58:26 -08:00 · 2015-12-17 00:58:26 -08:00 · 54bea56e9f
commit 54bea56e9f
parent bcb424ac8d
2 changed files with 8 additions and 6 deletions
--- a/vmware_nsx/nsxlib/v3/resources.py
+++ b/vmware_nsx/nsxlib/v3/resources.py
@ -127,7 +127,7 @@ class SwitchingProfile(AbstractRESTResource):
    def create_dhcp_profile(self, display_name,
                            description, tags=None):
        dhcp_filter = {
-            'client_block_enabled': False,
+            'client_block_enabled': True,
            'server_block_enabled': False
        }
        rate_limits = {
@ -138,7 +138,7 @@ class SwitchingProfile(AbstractRESTResource):
            'tx_multicast': 0
        }
        bpdu_filter = {
-            'enabled': False,
+            'enabled': True,
            'white_list': []
        }
        return self.create(SwitchingProfileTypes.SWITCH_SECURITY,
@ -147,7 +147,8 @@ class SwitchingProfile(AbstractRESTResource):
                           tags=tags or [],
                           dhcp_filter=dhcp_filter,
                           rate_limits=rate_limits,
-                           bpdu_filter=bpdu_filter)
+                           bpdu_filter=bpdu_filter,
+                           block_non_ip_traffic=True)

    @classmethod
    def build_switch_profile_ids(cls, client, *profiles):
--- a/vmware_nsx/tests/unit/nsxlib/v3/test_resources.py
+++ b/vmware_nsx/tests/unit/nsxlib/v3/test_resources.py
@ -129,7 +129,7 @@ class TestSwitchingProfileTestCase(nsxlib_testcase.NsxClientTestCase):
            'https://1.2.3.4/api/v1/switching-profiles',
            data=jsonutils.dumps({
                'bpdu_filter': {
-                    'enabled': False,
+                    'enabled': True,
                    'white_list': []
                },
                'resource_type': profile_types.SWITCH_SECURITY,
@ -137,7 +137,7 @@ class TestSwitchingProfileTestCase(nsxlib_testcase.NsxClientTestCase):
                'description': 'dhcp-for-neutron',
                'tags': tags,
                'dhcp_filter': {
-                    'client_block_enabled': False,
+                    'client_block_enabled': True,
                    'server_block_enabled': False
                },
                'rate_limits': {
@ -146,7 +146,8 @@ class TestSwitchingProfileTestCase(nsxlib_testcase.NsxClientTestCase):
                    'tx_broadcast': 0,
                    'rx_multicast': 0,
                    'tx_multicast': 0
-                }
+                },
+                'block_non_ip_traffic': True
            }, sort_keys=True))

    def test_find_by_display_name(self):