NSX|V: ensure that no sec groups and port sec will discard traffic

Traffic to ports that have port security and port security enabled will by default be discarded. A configuration variable has been added with default False so that there is not a degradation with the current behaviour. The variable is use_default_block_all. Change-Id: I5569234de01c116d1ad3161cfaf54404467f6816 (cherry picked from commit 6362e710d9)
2018-02-16 21:57:54 +02:00 · 2018-02-16 21:57:54 +02:00 · 8845df922c
commit 8845df922c
parent 9966812134
3 changed files with 23 additions and 0 deletions
--- a/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
+++ b/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
@ -0,0 +1,9 @@
+---
+prelude: >
+    Enable 'use_default_block_all' to ensure that traffic to a port that has
+    no security groups and has port security enabled will be discarded.
+features:
+  - |
+    Enable 'use_default_block_all' to ensure that traffic to a port that has
+    no security groups and has port security enabled will be discarded. This
+    will ensure the same behaviours as the upstream security groups.
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@ -719,6 +719,10 @@ nsxv_opts = [
    cfg.BoolOpt('housekeeping_readonly',
                default=True,
                help=_("Housekeeping will only warn about breakage.")),
+    cfg.BoolOpt('use_default_block_all',
+                default=False,
+                help=_("Use default block all rule when no security groups "
+                       "are set on a port and port security is enabled")),
 ]

 # define the configuration of each NSX-V availability zone.
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -2174,6 +2174,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                          original_port['fixed_ips'])
                self._update_vnic_assigned_addresses(
                    context.session, original_port, vnic_id)
+                if (cfg.CONF.nsxv.use_default_block_all and
+                    not original_port[ext_sg.SECURITYGROUPS]):
+                    self._add_member_to_security_group(
+                        self.sg_container_id, vnic_id)
            else:
                # Add vm to the exclusion list, since it has no port security
                self._add_vm_to_exclude_list(context, device_id, id)
@ -2404,6 +2408,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                        ret_port[ext_sg.SECURITYGROUPS])
                    self._update_security_groups_port_mapping(
                        context.session, id, vnic_id, curr_sgids, new_sgids)
+                    if (cfg.CONF.nsxv.use_default_block_all and
+                        not ret_port[ext_sg.SECURITYGROUPS]):
+                        # If there are no security groups ensure that the
+                        # default is 'Drop All'
+                        self._add_member_to_security_group(
+                            self.sg_container_id, vnic_id)

        # update mac learning on NSX
        if self._vcm: