NSXv3: Update existing default firewall section on init

When Neutron service starts, we want to make sure that the default firewall section is applied to the right nested-groups, in case that new groups were created at initialization and the default section exists, we'll have to update the list of nested-group which the section is applied to. Change-Id: I9d67b3385d691680e170c9a12b180c537404dfc7
2016-03-09 01:57:59 -08:00 · 2016-03-09 01:57:59 -08:00 · 0977b90e1d
commit 0977b90e1d
parent 57aa0ffd5e
2 changed files with 6 additions and 2 deletions
--- a/vmware_nsx/nsxlib/v3/dfw_api.py
+++ b/vmware_nsx/nsxlib/v3/dfw_api.py
@ -186,7 +186,8 @@ def update_section(section_id, display_name, description, applied_tos=None):
    section.update({'display_name': display_name,
                    'description': description})
    if applied_tos is not None:
-        section['applied_tos'] = applied_tos
+        section['applied_tos'] = [get_nsgroup_reference(nsg_id)
+                                  for nsg_id in applied_tos]
    return nsxclient.update_resource(resource, section)


--- a/vmware_nsx/nsxlib/v3/security.py
+++ b/vmware_nsx/nsxlib/v3/security.py
@ -227,7 +227,10 @@ def init_nsgroup_manager_and_default_section_rules():
 def _init_default_section(name, description, nested_groups):
    fw_sections = firewall.list_sections()
    for section in fw_sections:
-        if section.get('display_name') == name:
+        if section['display_name'] == name:
+            firewall.update_section(section['id'],
+                                    name, section['description'],
+                                    applied_tos=nested_groups)
            break
    else:
        tags = utils.build_v3_api_version_tag()