From 0b7d97e0d94fec3342873f2d46317521cf5114ed Mon Sep 17 00:00:00 2001
From: Gary Kotton <gkotton@vmware.com>
Date: Tue, 6 Feb 2018 14:10:23 -0800
Subject: [PATCH] NSX|V: spoofguard_enabled disabled enhancement

If the global spoofguard_enabled configuration flag is disabled, then
instances should be added to the global exclude list

Change-Id: Ibe618db490867d7639d5a7362fab2cb1c933f0cf
---
 vmware_nsx/plugins/nsx_v/plugin.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index c5f99c4592..731b9d2ffa 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -1242,6 +1242,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                                         netmoref, dvsmoref)
         try:
             net_data[psec.PORTSECURITY] = net_data.get(psec.PORTSECURITY, True)
+            if not cfg.CONF.nsxv.spoofguard_enabled:
+                LOG.info("Network %s will have port security disabled",
+                         net_data['id'])
+                net_data[psec.PORTSECURITY] = False
             # Create SpoofGuard policy for network anti-spoofing
             sg_policy_id = None
             if cfg.CONF.nsxv.spoofguard_enabled and backend_network:
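Review bot: The new `if not cfg.CONF.nsxv.spoofguard_enabled` block silently overrides a caller's explicit `port_security_enabled=True` with False, so a tenant that asked for port security on this network gets none, and an info-level log plus the API reply are the only hints. Because this weakens the created network's posture relative to what was requested, the explicit case should at least be distinguished from the default, which means checking the value before the `net_data.get(psec.PORTSECURITY, True)` defaulting on the preceding line, e.g. `if net_data.get(psec.PORTSECURITY) is True: LOG.warning("Port security requested for network %s but spoofguard is disabled; forcing it off", net_data['id'])`, or rejecting the request outright if the plugin's usual input-validation exception is available here. The enclosing network-create function starts and ends outside this hunk, so I cannot see whether the request was already validated earlier.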
@@ -2146,7 +2150,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                           original_port['fixed_ips'])
                 self._update_vnic_assigned_addresses(
                     context.session, original_port, vnic_id)
-            elif cfg.CONF.nsxv.spoofguard_enabled:
+            else:
                 # Add vm to the exclusion list, since it has no port security
                 self._add_vm_to_exclude_list(context, device_id, id)
             # if service insertion is enabled - add this vnic to the service
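Review bot: Collapsing `elif cfg.CONF.nsxv.spoofguard_enabled:` to `else:` means every compute port without port security is now placed on the exclude list regardless of the spoofguard setting; if this is the NSX-V DFW exclusion list (the helper name suggests so, please confirm), those VMs are exempt from all distributed-firewall enforcement, including security-group rules, not only anti-spoofing. That is a broader effect than "added to the global exclude list" in the commit message conveys, and operators turning `spoofguard_enabled` off should be told about it in the option's help text. I would extend the existing comment accordingly: `# Add vm to the exclusion list, since it has no port security. NOTE: on NSX-V this exempts the VM from DFW enforcement entirely, not just SpoofGuard.` The enclosing port-update function starts outside this hunk, so the condition that leads into this branch is not visible.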
@@ -2465,8 +2469,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                     LOG.error('Could not delete the spoofguard policy. '
                               'Exception %s', e)
 
-            if (cfg.CONF.nsxv.spoofguard_enabled and
-                not neutron_db_port[psec.PORTSECURITY] and
+            if (not neutron_db_port[psec.PORTSECURITY] and
                 self._is_compute_port(neutron_db_port)):
                 device_id = neutron_db_port['device_id']
                 # Note that we expect to find 1 relevant port in the DB still
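Review bot: Dropping the `spoofguard_enabled` guard on the delete path means a port created while the flag was False under the previous code (when the update path only added the VM to the exclude list if spoofguard was enabled) will now go through exclude-list removal for a VM that was never added. Whether that is harmless depends on the removal call that presumably follows below this hunk tolerating a missing entry; if it raises, deleting such pre-upgrade ports could fail, leaving stale ports and VNICs behind. A short comment at the top of this branch would make the expectation explicit, e.g. `# Pre-upgrade ports may never have been excluded; removal must tolerate a missing entry.` The enclosing port-delete function continues past the end of the hunk.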