From 6362e710d9a65cf9aff39033dd6885e1bfaeaae1 Mon Sep 17 00:00:00 2001
From: Gary Kotton <gkotton@vmware.com>
Date: Fri, 16 Feb 2018 21:57:54 +0200
Subject: [PATCH] NSX|V: ensure that no sec groups and port sec will discard
 traffic

Traffic to ports that have no security groups and port security enabled
will by default be discarded. A configuration variable has been added
with default False so that there is no change to the current
behaviour.

The variable is use_default_block_all.

Change-Id: I5569234de01c116d1ad3161cfaf54404467f6816
---
 .../block-all-no-security-groups-47af550349dbc85a.yaml |  9 +++++++++
 vmware_nsx/common/config.py                            |  4 ++++
 vmware_nsx/plugins/nsx_v/plugin.py                     | 10 ++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml

diff --git a/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml b/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
new file mode 100644
index 0000000000..3c5efe3229
--- /dev/null
+++ b/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
@@ -0,0 +1,9 @@
+---
+prelude: >
+    Enable 'use_default_block_all' to ensure that traffic to a port that has
+    no security groups and has port security enabled will be discarded.
+features:
+  - |
+    Enable 'use_default_block_all' to ensure that traffic to a port that has
+    no security groups and has port security enabled will be discarded. This
+    will ensure the same behaviours as the upstream security groups.
diff --git a/vmware_nsx/common/config.py b/vmware_nsx/common/config.py
index 0e2fa124a2..2c7a29e153 100644
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@@ -719,6 +719,10 @@ nsxv_opts = [
     cfg.BoolOpt('housekeeping_readonly',
                 default=True,
                 help=_("Housekeeping will only warn about breakage.")),
+    cfg.BoolOpt('use_default_block_all',
+                default=False,
+                help=_("Use default block all rule when no security groups "
+                       "are set on a port and port security is enabled")),
 ]
 
 # define the configuration of each NSX-V availability zone.
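Review bot: The help text for `use_default_block_all` describes only the enabled case; it does not say what the default leaves in place, which is the security-relevant part for an operator reading the option. With `default=False` a port that has port security enabled but no security groups is not added to the drop-all container, so its traffic is not discarded — the commit message describes this as the current behaviour. Suggested wording: `help=_("When a port has port security enabled but no security groups, add it to the default 'block all' container so its traffic is discarded, matching upstream security group semantics. With the default False such ports are left unblocked.")`.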
diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index 002de85d94..0be7f31b74 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -2175,6 +2175,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                           original_port['fixed_ips'])
                 self._update_vnic_assigned_addresses(
                     context.session, original_port, vnic_id)
+                if (cfg.CONF.nsxv.use_default_block_all and
+                    not original_port[ext_sg.SECURITYGROUPS]):
+                    self._add_member_to_security_group(
+                        self.sg_container_id, vnic_id)
             else:
                 # Add vm to the exclusion list, since it has no port security
                 self._add_vm_to_exclude_list(context, device_id, id)
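Review bot: The new branch adds the vnic to `self.sg_container_id` when the port has no security groups, but nothing in this change removes it again once a security group is later attached; unless `_add_member_to_security_group` or the existing mapping code already handles that, a port that moves from "no security groups" to "has security groups" stays in the drop-all container and its traffic keeps being discarded. The same gap applies to the second plugin.py hunk (`@@ -2405,6 +2409,12 @@`), where `curr_sgids` / `new_sgids` are available to detect that transition; a symmetrical `_remove_member_from_security_group`-style call (whatever the existing helper is named) should run when `new_sgids` becomes non-empty. It is also worth a comment that the flag only takes effect on this code path, so ports that already existed when the option was enabled are presumably not blocked until they are next updated — confirm against the binding flow. The enclosing method starts and ends outside this hunk.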
@@ -2405,6 +2409,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                         ret_port[ext_sg.SECURITYGROUPS])
                     self._update_security_groups_port_mapping(
                         context.session, id, vnic_id, curr_sgids, new_sgids)
+                    if (cfg.CONF.nsxv.use_default_block_all and
+                        not ret_port[ext_sg.SECURITYGROUPS]):
+                        # If there are no security groups ensure that the
+                        # default is 'Drop All'
+                        self._add_member_to_security_group(
+                            self.sg_container_id, vnic_id)
 
         # update mac learning on NSX
         if self._vcm:
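Review bot: The condition and container call added here duplicate the ones in the first plugin.py hunk (`@@ -2175,6 +2175,10 @@`) almost verbatim, differing only in the port dict name; a single private helper keeps the two paths from drifting, e.g. `def _ensure_default_block_all(self, port, vnic_id):` / `if cfg.CONF.nsxv.use_default_block_all and not port[ext_sg.SECURITYGROUPS]:` / `self._add_member_to_security_group(self.sg_container_id, vnic_id)`, called as `self._ensure_default_block_all(ret_port, vnic_id)` here. The inline comment `# If there are no security groups ensure that the default is 'Drop All'` would then move onto the helper as its docstring. The enclosing method continues past this hunk.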