NSX|V3: fix issues with exclude list

From NSX 2.0.0 onwards the firewall exclude list can be driven by a tag on the
logical port. On earlier NSX versions the port has to be added to (and removed
from) the exclude list directly through the firewall-section API.

Co-Authored-By: Shih-Hao Li <shihli@vmware.com>

Change-Id: I31fec57ec7db7db5066c446251917720a043339e
Gary Kotton 2017-04-25 22:14:18 -07:00
parent 6bca0eeea0
commit 11d3da3ef5
2 changed files with 35 additions and 5 deletions


@ -34,6 +34,7 @@ MAX_DISPLAY_NAME_LEN = 40
NEUTRON_VERSION = n_version.version_info.release_string()
OS_NEUTRON_ID_SCOPE = 'os-neutron-id'
NSXV3_VERSION_1_1_0 = '1.1.0'
NSXV3_VERSION_2_0_0 = '2.0.0'
# Allowed network types for the NSX Plugin
@ -70,6 +71,11 @@ def is_nsx_version_1_1_0(nsx_version):
version.LooseVersion(NSXV3_VERSION_1_1_0))
def is_nsx_version_2_0_0(nsx_version):
return (version.LooseVersion(nsx_version) >=
version.LooseVersion(NSXV3_VERSION_2_0_0))
def is_nsxv_version_6_2(nsx_version):
return (version.LooseVersion(nsx_version) >=
version.LooseVersion('6.2'))
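Review bot: `is_nsx_version_2_0_0` returns True for 2.0.0 *or any later* release (`>=`), which the name does not convey, and it now gates a security-relevant decision elsewhere in this commit (whether a port with port-security off is taken out of the distributed firewall via a tag or via the exclude list), so it deserves a docstring such as `"""Return True if nsx_version is 2.0.0 or newer (tag-driven exclude list)."""`. The helper mirrors `is_nsx_version_1_1_0` directly above it, which is good for consistency, but both will presumably raise (an `AttributeError` from `LooseVersion` rather than a clear error) if `nsx_version` is `None` or empty, so the plugin should be certain the cached NSX version was populated before any port create/update path consults it; that caller is outside this file section. A short note on the expected `major.minor.patch` string format would also help the next maintainer reason about how pre-release strings compare.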


@ -1525,13 +1525,17 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
if resource_type:
tags = nsxlib_utils.add_v3_tag(tags, resource_type, device_id)
add_to_exclude_list = False
if device_owner != l3_db.DEVICE_OWNER_ROUTER_INTF:
if ((device_owner == const.DEVICE_OWNER_DHCP and
not cfg.CONF.nsx_v3.native_dhcp_metadata) or
(device_owner != const.DEVICE_OWNER_DHCP and
not psec_is_on)):
tags.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
if utils.is_nsx_version_2_0_0(self._nsx_version):
tags.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
else:
add_to_exclude_list = True
if utils.is_nsx_version_1_1_0(self._nsx_version):
# If port has no security-groups then we don't need to add any
@ -1623,6 +1627,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
qos_com_utils.update_port_policy_binding(context,
port_data['id'],
qos_policy_id)
# Add the port to the exclude list if necessary
if add_to_exclude_list:
self.nsxlib.firewall_section.add_member_to_fw_exclude_list(
result['id'], nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)
return result
def _validate_address_pairs(self, address_pairs):
@ -2141,6 +2149,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
self._update_lport_with_security_groups(
context, nsx_port_id,
port.get(ext_sg.SECURITYGROUPS, []), [])
if (not utils.is_nsx_version_2_0_0(self._nsx_version) and
not port.get('port_security_enabled')):
fs = self.nsxlib.firewall_section
fs.remove_member_from_fw_exclude_list(
nsx_port_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)
self.disassociate_floatingips(context, port_id)
# Remove Mac/IP binding from native DHCP server and neutron DB.
@ -2267,9 +2280,20 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
name = self._get_port_name(context, updated_port)
updated_ps = updated_port.get('port_security_enabled')
if not updated_ps:
tags_update.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
if utils.is_nsx_version_2_0_0(self._nsx_version):
if not updated_ps:
tags_update.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
else:
original_ps = original_port.get('port_security_enabled')
if updated_ps != original_ps:
fs = self.nsxlib.firewall_section
if not updated_ps:
fs.add_member_to_fw_exclude_list(
lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)
else:
fs.remove_member_from_fw_exclude_list(
lport_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)
if utils.is_nsx_version_1_1_0(self._nsx_version):
tags_update += self.nsxlib.ns_group.get_lport_tags(