From 0b7d97e0d94fec3342873f2d46317521cf5114ed Mon Sep 17 00:00:00 2001
From: Gary Kotton <gkotton@vmware.com>
Date: Tue, 6 Feb 2018 14:10:23 -0800
Subject: [PATCH] NSX|V: spoofguard_enabled disabled enhancement

If the global configuration flag is disabled then instances should be added to the global exclude list

Change-Id: Ibe618db490867d7639d5a7362fab2cb1c933f0cf
---
 vmware_nsx/plugins/nsx_v/plugin.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index c5f99c4592..731b9d2ffa 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -1242,6 +1242,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 netmoref, dvsmoref)
 try:
 net_data[psec.PORTSECURITY] = net_data.get(psec.PORTSECURITY, True)
+ if not cfg.CONF.nsxv.spoofguard_enabled:
+ LOG.info("Network %s will have port security disabled", net_data['id'])
+ net_data[psec.PORTSECURITY] = False
 # Create SpoofGuard policy for network anti-spoofing
 sg_policy_id = None
 if cfg.CONF.nsxv.spoofguard_enabled and backend_network:
@@ -2146,7 +2150,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 original_port['fixed_ips'])
 self._update_vnic_assigned_addresses(
 context.session, original_port, vnic_id)
- elif cfg.CONF.nsxv.spoofguard_enabled:
+ else:
 # Add vm to the exclusion list, since it has no port security
 self._add_vm_to_exclude_list(context, device_id, id)
 # if service insertion is enabled - add this vnic to the service
@@ -2465,8 +2469,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 LOG.error('Could not delete the spoofguard policy. '
 'Exception %s', e)
 
- if (cfg.CONF.nsxv.spoofguard_enabled and
- not neutron_db_port[psec.PORTSECURITY] and
+ if (not neutron_db_port[psec.PORTSECURITY] and
 self._is_compute_port(neutron_db_port)):
 device_id = neutron_db_port['device_id']
 # Note that we expect to find 1 relevant port in the DB still
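Review bot: The new `if not cfg.CONF.nsxv.spoofguard_enabled:` block in the first hunk silently overrides a caller who explicitly requested `port_security_enabled=True` on the network, and records the downgrade only at info level. Because the result is a network whose ports get no anti-spoofing protection, either reject an explicit True request when the flag is off (with the plugin's usual invalid-input exception, before the backend network is created) or at least make the event visible to an operator auditing logs, e.g. `LOG.warning("Network %s will have port security disabled because spoofguard_enabled is off", net_data['id'])`. It is also worth confirming that update_network applies the same rule, since otherwise port security could be re-enabled later on a network that never received a SpoofGuard policy; that code, and the rest of create_network, is outside this hunk.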
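Review bot: Replacing `elif cfg.CONF.nsxv.spoofguard_enabled:` with a bare `else:` in the update_port hunk makes the exclusion-list branch depend only on the port's port-security state, but the `if` it pairs with starts outside the hunk, so the reader cannot verify that every port reaching `else` really has port security disabled as the comment states. As far as I know the NSX-V exclusion list removes a VM from distributed-firewall enforcement altogether, not only from SpoofGuard; combined with the create_network change, setting `spoofguard_enabled = False` now places every compute instance on newly created networks outside DFW enforcement, and the option's help text and a release note should say so explicitly. The symmetric path that removes the VM from the list when port security is turned back on in update_port should have its flag check dropped as well, if it has one; it is not visible here.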
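Review bot: Dropping `cfg.CONF.nsxv.spoofguard_enabled` from the delete_port condition in the last hunk is consistent with the update_port change, but deployments already running with the flag off have port-security-disabled ports whose VMs were never added to the exclusion list under the old `elif`, so after upgrade this path will attempt a removal for VMs that are absent from the list while pre-existing instances remain unexcluded. Confirm that the removal helper called in the lines following this hunk tolerates a VM that is not on the list, and consider a release note or an admin-utility step that reconciles existing instances with the new behaviour; the rest of this method lies outside the hunk.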