From 44438e864c4b3a19cbb1f7283783070fa209a5a2 Mon Sep 17 00:00:00 2001
From: Aaron Rosen
Date: Wed, 9 Jul 2014 10:02:09 -0700
Subject: [PATCH] NSX: neutron router-interface-add should clear security-groups

NSX does not support security groups on router ports so in the case where someone uses a port that has a security group on it as the router port we need to clear the security group off the port.

Change-Id: Ia0fb331516887dcd7e9a435094ce1eb082d72575
closes-bug: 1329043
---
 neutron/plugins/vmware/plugins/base.py | 7 ++++++-
 neutron/tests/unit/vmware/test_nsx_plugin.py | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/neutron/plugins/vmware/plugins/base.py b/neutron/plugins/vmware/plugins/base.py
index 058dd18cb..072fd20eb 100644
--- a/neutron/plugins/vmware/plugins/base.py
+++ b/neutron/plugins/vmware/plugins/base.py
@@ -1716,7 +1716,12 @@ class NsxPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 nsx_router_id = nsx_utils.get_nsx_router_id(
 context.session, self.cluster, router_id)
 if port_id:
- port_data = self._get_port(context, port_id)
+ port_data = self.get_port(context, port_id)
+ # If security groups are present we need to remove them as
+ # this is a router port.
+ if port_data['security_groups']:
+ self.update_port(context, port_id,
+ {'port': {'security_groups': []}})
 nsx_switch_id, nsx_port_id = nsx_utils.get_nsx_switch_and_port_id(
 context.session, self.cluster, port_id)
 # Unplug current attachment from lswitch port
diff --git a/neutron/tests/unit/vmware/test_nsx_plugin.py b/neutron/tests/unit/vmware/test_nsx_plugin.py
index 4f610802c..21b28513a 100644
--- a/neutron/tests/unit/vmware/test_nsx_plugin.py
+++ b/neutron/tests/unit/vmware/test_nsx_plugin.py
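Review bot: In the base.py hunk the security groups are cleared at the top of the `if port_id:` branch, before the step marked `# Unplug current attachment from lswitch port` and whatever follows it, so a failure in any later step would leave an ordinary port with its filtering removed. The rest of the method lies outside the hunk, so whether an error path restores the groups cannot be confirmed from here; if it does not, either move the `update_port` call after the attachment has succeeded or keep the original list and write it back in the failure handler. Silently stripping a port's security groups also deserves an audit trail, for example a log entry carrying the port id and the group ids removed. Separately, `port_data['security_groups']` raises KeyError if the key is missing from the returned dict; `if port_data.get('security_groups'):` is the safer form.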
@@ -993,6 +993,25 @@ class TestL3NatTestCase(L3NatTest,
 self.assertEqual(webob.exc.HTTPServiceUnavailable.code,
 res.status_int)
 
+ def test_router_add_interface_port_removes_security_group(self):
+ with self.router() as r:
+ with self.port(no_delete=True) as p:
+ body = self._router_interface_action('add',
+ r['router']['id'],
+ None,
+ p['port']['id'])
+ self.assertIn('port_id', body)
+ self.assertEqual(body['port_id'], p['port']['id'])
+
+ # fetch port and confirm no security-group on it.
+ body = self._show('ports', p['port']['id'])
+ self.assertEqual(body['port']['security_groups'], [])
+ # clean-up
+ self._router_interface_action('remove',
+ r['router']['id'],
+ None,
+ p['port']['id'])
+
 
 class ExtGwModeTestCase(NsxPluginV2TestCase,
 test_ext_gw_mode.ExtGwModeIntTestCase):
--
2.45.2
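Review bot: The test never establishes that the port carried a security group before the interface was added, so the final `self.assertEqual(body['port']['security_groups'], [])` would also pass if `self.port()` had created the port with none. Presumably the fixture assigns the default group, but that is not visible in the hunk; adding `self.assertTrue(p['port']['security_groups'])` before the `'add'` action would pin the precondition the fix depends on. The `'remove'` clean-up also runs only when every assertion passes, so wrapping the assertions in `try`/`finally` would keep a failure here from surfacing as a teardown error instead.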