From a9003e29a7a48015aba8ccf146f9259ec2f6023d Mon Sep 17 00:00:00 2001
From: Gary Kotton <gkotton@vmware.com>
Date: Thu, 8 Feb 2018 14:26:55 -0800
Subject: [PATCH] Add logging to help detect port security conflicts

Add logs that indicate if there are conflicting flags on a port for
port security and security groups.

Change-Id: I0eeadfcfaf2b90b7006b26ab59b61d9449ec37de
---
 vmware_nsx/plugins/nsx_v/plugin.py  | 6 ++++++
 vmware_nsx/plugins/nsx_v3/plugin.py | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index eb1bca0771..033e93baa3 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -1895,6 +1895,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                 (sgids, ssgids) = self._get_port_security_groups_lists(
                     context, port)
             elif (has_security_groups or provider_sg_specified):
+                LOG.error("Port has conflicting port security status and "
+                          "security groups")
                 raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
             else:
                 sgids = ssgids = []
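Review bot: The LOG.error added under `elif (has_security_groups or provider_sg_specified):` names no port, network or project and does not say which flag tripped the check, so the record cannot be tied to a specific request in an aggregated log. Include the values already in scope, e.g. `LOG.error("Port has conflicting port security status and security groups (has_security_groups=%s, provider_sg_specified=%s)", has_security_groups, provider_sg_specified)`, plus a port or network identifier if one is available in the enclosing method, which starts outside the hunk. The same fixed string is added in the nsx_v update hunk and in both nsx_v3 hunks, and has the same gap there. The exception name suggests a request-validation failure rather than a server fault, so `LOG.warning` may be the better level; confirm against how the exception maps to the API response.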
@@ -2205,11 +2207,15 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
             # then port has ip and port-security
             if not (has_ip and has_port_security):
                 if has_security_groups or provider_sgs_specified:
+                    LOG.error("Port has conflicting port security status and "
+                              "security groups")
                     raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
                 if ((not delete_security_groups
                      and original_port[ext_sg.SECURITYGROUPS]) or
                         (not delete_provider_sg and
                          original_port[provider_sg.PROVIDER_SECURITYGROUPS])):
+                    LOG.error("Port has conflicting port security status and "
+                              "security groups")
                     raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
 
             if delete_security_groups or has_security_groups:
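Review bot: The two LOG.error calls added in this hunk emit the same string for two different conditions. The first fires when the update itself specifies security groups. The second fires when it specifies none but `original_port` still carries security groups or provider security groups that are not being deleted. A log reader cannot tell which case occurred, so give the second call its own text, for example `LOG.error("Port lacks IP or port security but existing security groups are not being removed")`. The enclosing update method starts and ends outside the hunk.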
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 0a32ef4ab3..ce7161a896 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -2057,6 +2057,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
         elif (self._check_update_has_security_groups({'port': port_data}) or
               self._provider_sgs_specified(port_data) or
               self._get_provider_security_groups_on_port(context, port)):
+            LOG.error("Port has conflicting port security status and "
+                      "security groups")
             raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
         else:
             sgids = psgids = []
@@ -2730,6 +2732,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
         if (validate_port_sec and
             not (has_ip and updated_port[psec.PORTSECURITY])):
             if has_security_groups or provider_sgs_specified:
+                LOG.error("Port has conflicting port security status and "
+                          "security groups")
                 raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
             # Update did not have security groups passed in. Check
             # that port does not have any security groups already on it.