From a9003e29a7a48015aba8ccf146f9259ec2f6023d Mon Sep 17 00:00:00 2001 From: Gary Kotton <gkotton@vmware.com> Date: Thu, 8 Feb 2018 14:26:55 -0800 Subject: [PATCH] Add logging to help detect port security conflicts Add logs that indicate if there are conflicting flags on a port for port security and security groups. Change-Id: I0eeadfcfaf2b90b7006b26ab59b61d9449ec37de --- vmware_nsx/plugins/nsx_v/plugin.py | 6 ++++++ vmware_nsx/plugins/nsx_v3/plugin.py | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py index eb1bca0771..033e93baa3 100644 --- a/vmware_nsx/plugins/nsx_v/plugin.py +++ b/vmware_nsx/plugins/nsx_v/plugin.py @@ -1895,6 +1895,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, (sgids, ssgids) = self._get_port_security_groups_lists( context, port) elif (has_security_groups or provider_sg_specified): + LOG.error("Port has conflicting port security status and " + "security groups") raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups() else: sgids = ssgids = [] @@ -2205,11 +2207,15 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, # then port has ip and port-security if not (has_ip and has_port_security): if has_security_groups or provider_sgs_specified: + LOG.error("Port has conflicting port security status and " + "security groups") raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups() if ((not delete_security_groups and original_port[ext_sg.SECURITYGROUPS]) or (not delete_provider_sg and original_port[provider_sg.PROVIDER_SECURITYGROUPS])): + LOG.error("Port has conflicting port security status and " + "security groups") raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups() if delete_security_groups or has_security_groups: diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index 0a32ef4ab3..ce7161a896 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py 
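Review bot: The `LOG.error` added to the `elif (has_security_groups or provider_sg_specified)` branch in nsx_v/plugin.py (@@ -1895) names no port, network or project, so an operator cannot tie the logged conflict to a request or tenant. The same bare string is added at the four other sites in this patch (nsx_v @@ -2205 twice, nsx_v3 @@ -2057 and @@ -2730). Consider passing the identifier as a lazy argument, e.g. `LOG.error("Port %s has conflicting port security status and security groups", <port id in scope>)`. The condition looks like a rejected client request rather than a service fault, so `LOG.warning` may be the better level; at ERROR, a request any API user can send will show up in monitoring as a plugin failure. The enclosing method starts and ends outside the hunk, so the variable that holds the port id is not visible here.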
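Review bot: In the nsx_v/plugin.py update path (@@ -2205) the two added `LOG.error` calls emit identical text, although they guard different conditions. The first branch tests `has_security_groups or provider_sgs_specified`, while the second tests groups still present on `original_port` that are not being deleted. A reader of the log cannot tell which one fired, yet that decides whether the request or the port's existing state needs correcting. Distinct wording would be enough, for example `"Update sets security groups on a port lacking IP or port security"` for the first and `"Port lacking IP or port security still has security groups attached"` for the second. The enclosing method begins before and continues after the hunk.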
@@ -2057,6 +2057,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 elif (self._check_update_has_security_groups({'port': port_data}) or
 self._provider_sgs_specified(port_data) or
 self._get_provider_security_groups_on_port(context, port)):
+ LOG.error("Port has conflicting port security status and "
+ "security groups")
 raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
 else:
 sgids = psgids = []
@@ -2730,6 +2732,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 if (validate_port_sec and
 not (has_ip and updated_port[psec.PORTSECURITY])):
 if has_security_groups or provider_sgs_specified:
+ LOG.error("Port has conflicting port security status and "
+ "security groups")
 raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
 # Update did not have security groups passed in. Check
 # that port does not have any security groups already on it.
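Review bot: In nsx_v3/plugin.py (@@ -2730) only the `has_security_groups or provider_sgs_specified` branch gets a log line, although the trailing comment announces a second check for security groups already on the port. The diffstat shows four insertions for this file, all accounted for by the two visible sites, so nothing is added after that comment. The nsx_v update path in this same patch logs both of its equivalent branches. If the code after the comment also raises `PortSecurityAndIPRequiredForSecurityGroups`, that rejection stays unlogged. That code is outside the hunk, so confirm against the full method and, if it does raise, add the same `LOG.error(...)` call before it.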