
[NSX-v] Improve handling of port security transition

- When network port security is set to True, ensure the same IP
  is not used for multiple ports
- Extend checks for network port security to all ports, not only
  ports with a nova compute device_id
- When creating or updating a port, perform checks if port security
  is enabled for the network or the flag for allowing multiple
  addresses is unset.

Change-Id: I5d81257b55730d4544537bb269030ec7f1a277c1
changes/76/668976/4
Salvatore Orlando 2 months ago
parent
commit
6bdba91a82
1 changed files with 28 additions and 11 deletions
  1. 28
    11
      vmware_nsx/plugins/nsx_v/plugin.py

+ 28
- 11
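--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -1706,23 +1706,39 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         # User requires port-security-enabled set to True and thus requires
         # spoofguard installed for this network
         else:
-            # Verifying that all ports are legal, i.e. not CIDR/subnet
+            # Verifying that all ports are legal, i.e. not CIDR/subnet, and
+            # that the same IP address is not used multiple times for a given
+            # neutron network
             filters = {'network_id': [id]}
             ports = self.get_ports(context, filters=filters)
             valid_ports = []
+            ip_addresses = set()
             if ports:
                 for port in ports:
-                    if self._is_compute_port(port):
-                        for ap in port[addr_apidef.ADDRESS_PAIRS]:
-                            if len(ap['ip_address'].split('/')) > 1:
-                                msg = _('Port %s contains CIDR/subnet, '
-                                        'which is not supported at the '
-                                        'backend ') % port['id']
+                    for ap in port[addr_apidef.ADDRESS_PAIRS]:
+                        if len(ap['ip_address'].split('/')) > 1:
+                            msg = _('Port %s contains CIDR/subnet, '
+                                    'which is not supported at the '
+                                    'backend ') % port['id']
+                            raise n_exc.BadRequest(
+                                    resource='networks',
+                                    msg=msg)
+                        else:
+                            set_len = len(ip_addresses)
+                            ip_addresses.add(ap['ip_address'])
+                            if len(ip_addresses) == set_len:
+                                msg = _('IP address %(ip)s is allowed '
+                                        'by more than 1 logical port. '
+                                        'This is not supported by the '
+                                        'backend. Port security cannot '
+                                        'be enabled for network '
+                                        '%(id)s') % {'ip': ap['ip_address'],
+                                                     'id': id}
+                                LOG.error(msg)
                                 raise n_exc.BadRequest(
-                                        resource='ports',
-                                        msg=msg)
-                            else:
-                                valid_ports.append(port)
+                                    resource='networks',
+                                    msg=msg)
+                            valid_ports.append(port)
             try:
                 sg_policy_id, predefined = (
                         self._prepare_spoofguard_policy(
@@ -1947,6 +1963,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
             self._validate_unique_address_pair_across_network(
                      context, db_port, attrs[addr_apidef.ADDRESS_PAIRS])
             self._verify_cidr_defined(attrs)
+
         # Check that the MAC address is the same as the port
         for ap in attrs[addr_apidef.ADDRESS_PAIRS]:
             if ('mac_address' in ap and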
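Review bot: The duplicate detection built on `set_len` in the first hunk is correct but harder to read than a plain membership test before the insert: `if ap['ip_address'] in ip_addresses:` guarding the `msg`/`raise`, followed by `ip_addresses.add(ap['ip_address'])` once the pair is accepted. The set holds only allowed-address-pair entries, so a pair on one port that equals another port's fixed IP passes this check unnoticed; if the backend constraint also covers fixed IPs (the commit message does not say, and `_validate_unique_address_pair_across_network` in the second hunk may already cover it per port), seed the set from each port's `fixed_ips` before the pair loop. The comparison is on the raw string, so two textual forms of the same IPv6 address would count as distinct unless the API layer canonicalises `ip_address` before it reaches here — worth confirming. `LOG.error(msg)` for a client-side BadRequest is also louder than the CIDR branch just above, which raises without logging; a warning is the usual level for rejected user input. The enclosing method starts before the hunk, and the `else:` at its top belongs to an `if` outside it.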
