Browse Source

NSX|V3: Do not enable port security on router interface

Router interface ports are created with port security disabled
as they are trusted ports.
The plugin should not allow to enable the port security on such ports.

Change-Id: I0271e225f9fdeed8493296ed81348ab4e73679f0
changes/50/500350/2
Adit Sarfaty 4 years ago
parent
commit
67fcf5b804
  1. 15
      vmware_nsx/plugins/nsx_v3/plugin.py

15
vmware_nsx/plugins/nsx_v3/plugin.py

@ -65,6 +65,7 @@ from neutron_lib import constants as const
from neutron_lib import context as q_context
from neutron_lib import exceptions as n_exc
from neutron_lib.utils import helpers
from neutron_lib.utils import net as nlib_net
from oslo_config import cfg
from oslo_db import exception as db_exc
from oslo_log import log
@ -1820,6 +1821,19 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
LOG.warning(err_msg)
raise n_exc.InvalidInput(error_message=err_msg)
def _assert_on_port_sec_change(self, port_data, device_owner):
"""Do not allow enabling port security of some ports
Trusted ports are created with port security disabled in neutron,
and it should not change.
"""
if nlib_net.is_port_trusted({'device_owner': device_owner}):
if port_data.get(psec.PORTSECURITY) is True:
err_msg = _("port_security_enabled=True is not supported for "
"trusted ports")
LOG.warning(err_msg)
raise n_exc.InvalidInput(error_message=err_msg)
def _filter_ipv4_dhcp_fixed_ips(self, context, fixed_ips):
ips = []
for fixed_ip in fixed_ips:
@ -2596,6 +2610,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
self._assert_on_router_port_with_qos(
port_data, device_owner)
self._assert_on_port_admin_state(port_data, device_owner)
self._assert_on_port_sec_change(port_data, device_owner)
self._validate_max_ips_per_port(
port_data.get('fixed_ips', []), device_owner)

Loading…
Cancel
Save