NSX-v3: Inform FWaaS when a router interface is removed

In FWaaS v2, the firewall group is attached to router interface ports. When the last interface is removed, the firewall status should be set to inactive until addign a new port. Change-Id: I20a7566d80fa011772066ecd076a303b0fb07f99
2018-01-07 14:08:41 +02:00 · 2018-01-07 14:08:41 +02:00 · f885408518
commit f885408518
parent 45ccd1eaa3
3 changed files with 19 additions and 0 deletions
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@ -3894,6 +3894,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                      "%(net_id)s not found at the backend",
                      {'router_id': router_id,
                       'net_id': subnet['network_id']})
+
+        # inform the FWaaS that interface port was removed
+        if self.fwaas_callbacks:
+            self.fwaas_callbacks.delete_port(context, port_id)
+
        info = super(NsxV3Plugin, self).remove_router_interface(
            context, router_id, interface_info)
        if not cfg.CONF.nsx_v3.native_dhcp_metadata:
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
@ -95,3 +95,7 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):

        # Also update the router tags
        self.internal_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id)
+
+    def delete_port(self, context, port_id):
+        # nothing to do in FWaaS v1
+        pass
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
@ -15,6 +15,8 @@

 from oslo_log import log as logging

+from neutron_lib import constants as nl_constants
+
 from vmware_nsx.db import db as nsx_db
 from vmware_nsx.extensions import projectpluginmap
 from vmware_nsx.services.fwaas.common import fwaas_callbacks_v2 as \
@ -98,3 +100,11 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):

        # update the backend router firewall
        nsxlib.firewall_section.update(section_id, rules=fw_rules)
+
+    def delete_port(self, context, port_id):
+        # Mark the FW group as inactive if this is the last port
+        fwg = self.get_port_fwg(context, port_id)
+        if (fwg and fwg.get('status') == nl_constants.ACTIVE and
+            len(fwg.get('ports', [])) <= 1):
+            self.fwplugin_rpc.set_firewall_group_status(
+                context, fwg['id'], nl_constants.INACTIVE)