NSXv3: Fix allowed address pairs switching profile

For allowed address pairs to be functional on NSXv3 plugin, we need to enforce both Spoof Guard and MAC Learning switching profile. MAC Learning is used to learning the mac address and spoof guard is used for switch security to ensure only added allowed address pairs to be allowed on this port. Moreover, during fix bug #1631540, we removed the parameter "mac_change_allowed". After further discussion with NSX team, it doesn't have negative effect to add it back. The value it can bring is to support guest VM on ESX host to change MAC address ( the mac_address still needs to be in allowed address pairs) on the interface. Change-Id: I2c725df74835165587170f6136c06494d1bfcf7b Closes-Bug: #1631539
2016-10-07 22:01:24 +00:00 · 2016-10-07 22:01:24 +00:00 · c12d8f88cb
commit c12d8f88cb
parent 3b5bfbb26a
3 changed files with 15 additions and 7 deletions
--- a/vmware_nsx/nsxlib/v3/resources.py
+++ b/vmware_nsx/nsxlib/v3/resources.py
@ -160,7 +160,8 @@ class SwitchingProfile(AbstractRESTResource):
                           display_name=display_name,
                           description=description,
                           tags=tags or [],
-                           mac_learning=mac_learning)
+                           mac_learning=mac_learning,
+                           mac_change_allowed=True)

    def create_port_mirror_profile(self, display_name, description,
                                   direction, destinations, tags=None):
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -1363,8 +1363,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
            vif_uuid = port_data['id']

        profiles = []
+        mac_learning_profile_set = False
        if psec_is_on and address_bindings:
-            profiles = [self._get_port_security_profile_id()]
+            mac_learning_profile_set = True
+            profiles.append(self._get_port_security_profile_id())
        if device_owner == const.DEVICE_OWNER_DHCP:
            profiles.append(self._dhcp_profile)

@ -1381,9 +1383,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
            profiles.append(qos_profile_id)

        # Add mac_learning profile if it exists and is configured
-        if (self._mac_learning_profile and
-            validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and
-            port_data.get(mac_ext.MAC_LEARNING) is True):
+        if (mac_learning_profile_set or
+            (self._mac_learning_profile and
+             validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and
+             port_data.get(mac_ext.MAC_LEARNING) is True)):
            profiles.append(self._mac_learning_profile)

        name = self._get_port_name(context, port_data)
@ -1995,9 +1998,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
        if qos_profile_id is not None:
            switch_profile_ids.append(qos_profile_id)

+        mac_learning_profile_set = (
+            self._get_port_security_profile_id() in switch_profile_ids)
        # Add mac_learning profile if it exists and is configured
-        if (self._mac_learning_profile and
-            updated_port.get(mac_ext.MAC_LEARNING) is True):
+        if (mac_learning_profile_set or
+            (self._mac_learning_profile and
+             updated_port.get(mac_ext.MAC_LEARNING) is True)):
            switch_profile_ids.append(self._mac_learning_profile)

        try:
--- a/vmware_nsx/tests/unit/nsxlib/v3/test_resources.py
+++ b/vmware_nsx/tests/unit/nsxlib/v3/test_resources.py
@ -183,6 +183,7 @@ class TestSwitchingProfileTestCase(nsxlib_testcase.NsxClientTestCase):
                'display_name': 'plugin-mac-learning',
                'description': 'mac-learning-for-plugin',
                'tags': tags,
+                'mac_change_allowed': True,
            }, sort_keys=True))

    def test_find_by_display_name(self):