From 6362e710d9a65cf9aff39033dd6885e1bfaeaae1 Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Fri, 16 Feb 2018 21:57:54 +0200
Subject: [PATCH] NSX|V: ensure that no sec groups and port sec will discard traffic
Traffic to ports that have port security and port security enabled will by default be discarded. A configuration variable has been added with default False so that there is not a degradation with the current behaviour. The variable is use_default_block_all.
Change-Id: I5569234de01c116d1ad3161cfaf54404467f6816
---
 .../block-all-no-security-groups-47af550349dbc85a.yaml | 9 +++++++++
 vmware_nsx/common/config.py | 4 ++++
 vmware_nsx/plugins/nsx_v/plugin.py | 10 ++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
diff --git a/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml b/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
new file mode 100644
index 0000000000..3c5efe3229
--- /dev/null
+++ b/releasenotes/notes/block-all-no-security-groups-47af550349dbc85a.yaml
@@ -0,0 +1,9 @@
+---
+prelude: >
+ Enable 'use_default_block_all' to ensure that traffic to a port that has
+ no security groups and has port security enabled will be discarded.
+features:
+ - |
+ Enable 'use_default_block_all' to ensure that traffic to a port that has
+ no security groups and has port security enabled will be discarded. This
+ will ensure the same behaviours as the upstream security groups.
diff --git a/vmware_nsx/common/config.py b/vmware_nsx/common/config.py
index 0e2fa124a2..2c7a29e153 100644
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@@ -719,6 +719,10 @@ nsxv_opts = [
 cfg.BoolOpt('housekeeping_readonly',
 default=True,
 help=_("Housekeeping will only warn about breakage.")),
+ cfg.BoolOpt('use_default_block_all',
+ default=False,
+ help=_("Use default block all rule when no security groups "
+ "are set on a port and port security is enabled")),
 ]
 # define the configuration of each NSX-V availability zone.
diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index 002de85d94..0be7f31b74 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -2175,6 +2175,10 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 original_port['fixed_ips'])
 self._update_vnic_assigned_addresses( context.session, original_port, vnic_id)
+ if (cfg.CONF.nsxv.use_default_block_all and
+ not original_port[ext_sg.SECURITYGROUPS]):
+ self._add_member_to_security_group(
+ self.sg_container_id, vnic_id)
 else:
 # Add vm to the exclusion list, since it has no port security
 self._add_vm_to_exclude_list(context, device_id, id)
@@ -2405,6 +2409,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 ret_port[ext_sg.SECURITYGROUPS])
 self._update_security_groups_port_mapping( context.session, id, vnic_id, curr_sgids, new_sgids)
+ if (cfg.CONF.nsxv.use_default_block_all and
+ not ret_port[ext_sg.SECURITYGROUPS]):
+ # If there are no security groups ensure that the
+ # default is 'Drop All'
+ self._add_member_to_security_group(
+ self.sg_container_id, vnic_id)
 # update mac learning on NSX
 if self._vcm:
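Review bot: The help text for the new `use_default_block_all` option describes what True does but not what the default False leaves in place, so an operator reading the option cannot tell that the pre-existing behaviour (per the commit message, traffic to a port-security-enabled port with no security groups is not discarded) diverges from the upstream security-group semantics the release note refers to. Since this is the security-relevant decision the option controls, the help string should spell out the default and its consequence, e.g. `help=_("Use default block all rule when no security groups are set on a port and port security is enabled. Defaults to False, which keeps the previous behaviour of not blocking such ports; set to True to match upstream security group semantics")`.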
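Review bot: The vnic is added to the `self.sg_container_id` container when the port has no security groups, but neither this hunk nor the update-path hunk at 2405 ever removes it again once security groups are attached to the port, so unless `_update_security_groups_port_mapping` (outside the hunk) already manages membership of that container, a port created without groups that later receives some would remain in the drop-all container and, depending on NSX-V rule precedence, its traffic could keep being dropped despite the newly attached allow rules. The update path should remove the vnic from `self.sg_container_id` in the branch where `new_sgids` is non-empty, using the plugin's counterpart to `_add_member_to_security_group`. This copy of the block also lacks the intent comment the update-path copy carries; add `# No security groups: fall back to the 'Drop All' default` above the `if`. The enclosing method starts and ends outside the hunk.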
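Review bot: The added `if` in the update path checks only that `ret_port[ext_sg.SECURITYGROUPS]` is empty, whereas the option's help text and release note condition the drop-all behaviour on port security being enabled; the create-path hunk at 2175 is visibly inside such a branch (its `else` handles the no-port-security case), but whether this block in the update path is guarded the same way cannot be seen from the hunk. If it is not, a port with port security disabled and no security groups would be placed in the drop-all container here, contradicting the documented semantics and the exclusion-list handling in the other hunk; the condition should then also test the port's port-security attribute the surrounding update code already evaluates, or the block should move under that branch. The enclosing method starts and ends outside the hunk.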