NSXv3: Fix allowed address pairs switching profile
For allowed address pairs to be functional on the NSXv3 plugin, we
need to enforce both the Spoof Guard and MAC Learning switching
profiles. MAC Learning is used to learn the MAC address, and
Spoof Guard is used for switch security to ensure that only the added
allowed address pairs are allowed on this port.
Moreover, while fixing bug #1631540, we removed the parameter
"mac_change_allowed". After further discussion with the NSX team,
adding it back has no negative effect. The value it
brings is to support a guest VM on an ESX host changing its MAC address (
the mac_address still needs to be in the allowed address pairs) on the
interface.
Change-Id: I2c725df74835165587170f6136c06494d1bfcf7b
Closes-Bug: #1631539
(cherry picked from commit c12d8f88cb
)
parent
ee96b4a451
commit
4ccfdcc75e
|
@ -163,7 +163,8 @@ class SwitchingProfile(AbstractRESTResource):
|
|||
display_name=display_name,
|
||||
description=description,
|
||||
tags=tags or [],
|
||||
mac_learning=mac_learning)
|
||||
mac_learning=mac_learning,
|
||||
mac_change_allowed=True)
|
||||
|
||||
def create_port_mirror_profile(self, display_name, description,
|
||||
direction, destinations, tags=None):
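Review bot: `mac_change_allowed=True` is passed unconditionally, so every MAC-learning profile created through this method permits the guest to change its interface MAC, and nothing in the hunk records that the restriction to the port's allowed address pairs comes from the separate spoof-guard profile rather than from this one. A comment above the argument would make that dependency visible, e.g. `# MAC changes are permitted here; the spoof-guard profile applied alongside this one still limits the new MAC to the port's allowed address pairs`. If a caller ever needs the stricter setting, a `mac_change_allowed=True` keyword parameter on the method would keep today's default while making it overridable. The enclosing method starts outside the hunk.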
|
||||
|
|
|
@ -1340,8 +1340,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
|||
vif_uuid = port_data['id']
|
||||
|
||||
profiles = []
|
||||
mac_learning_profile_set = False
|
||||
if psec_is_on and address_bindings:
|
||||
profiles = [self._get_port_security_profile_id()]
|
||||
mac_learning_profile_set = True
|
||||
profiles.append(self._get_port_security_profile_id())
|
||||
if device_owner == const.DEVICE_OWNER_DHCP:
|
||||
profiles.append(self._dhcp_profile)
|
||||
|
||||
|
@ -1358,9 +1360,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
|||
profiles.append(qos_profile_id)
|
||||
|
||||
# Add mac_learning profile if it exists and is configured
|
||||
if (self._mac_learning_profile and
|
||||
validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and
|
||||
port_data.get(mac_ext.MAC_LEARNING) is True):
|
||||
if (mac_learning_profile_set or
|
||||
(self._mac_learning_profile and
|
||||
validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and
|
||||
port_data.get(mac_ext.MAC_LEARNING) is True)):
|
||||
profiles.append(self._mac_learning_profile)
|
||||
|
||||
name = self._get_port_name(context, port_data)
|
||||
|
@ -1960,9 +1963,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
|||
if qos_profile_id is not None:
|
||||
switch_profile_ids.append(qos_profile_id)
|
||||
|
||||
mac_learning_profile_set = (
|
||||
self._get_port_security_profile_id() in switch_profile_ids)
|
||||
# Add mac_learning profile if it exists and is configured
|
||||
if (self._mac_learning_profile and
|
||||
updated_port.get(mac_ext.MAC_LEARNING) is True):
|
||||
if (mac_learning_profile_set or
|
||||
(self._mac_learning_profile and
|
||||
updated_port.get(mac_ext.MAC_LEARNING) is True)):
|
||||
switch_profile_ids.append(self._mac_learning_profile)
|
||||
|
||||
try:
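Review bot: In the hunk at `@ -1358,9 +1360,10 @@`, the new condition `mac_learning_profile_set or (self._mac_learning_profile and ...)` no longer guards the append with `self._mac_learning_profile`, so if the backend profile can be unset (the comment above it says the profile is added "if it exists"), a port with port security and address bindings would reach `profiles.append(self._mac_learning_profile)` with a presumably empty id. The same shape appears in the `@ -1960,9 +1963,12 @@` hunk with `switch_profile_ids`. Hoisting the existence check keeps the intent: `if (self._mac_learning_profile and (mac_learning_profile_set or (validators.is_attr_set(port_data.get(mac_ext.MAC_LEARNING)) and port_data.get(mac_ext.MAC_LEARNING) is True))):`. Separately, `mac_learning_profile_set` is set in the `@ -1340,8 +1340,10 @@` hunk when the port-security profile is applied, not when MAC learning was requested; a name such as `spoofguard_profile_set` would describe the flag honestly. The enclosing methods start and end outside the hunks.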
|
||||
|
|
|
@ -182,6 +182,7 @@ class TestSwitchingProfileTestCase(nsxlib_testcase.NsxClientTestCase):
|
|||
'display_name': 'neutron-mac-learning',
|
||||
'description': 'mac-learning-for-neutron',
|
||||
'tags': tags,
|
||||
'mac_change_allowed': True,
|
||||
}, sort_keys=True))
|
||||
|
||||
def test_find_by_display_name(self):
|
||||
|
|