Check SG members instead of ports to skip flow update
Security group can have a state of empty ports but non-empty members. So we need to skip the flow update only when the members dict is empty. Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f Closes-Bug: #1862703 Related-Bug: #1854131
This commit is contained in:
parent
6e80cb5aab
commit
6dbba8d5ce
neutron
agent/linux/openvswitch_firewall
tests/unit/agent/linux/openvswitch_firewall
releasenotes/notes
@ -336,7 +336,7 @@ class ConjIPFlowManager(object):
|
||||
addr_to_conj = collections.defaultdict(list)
|
||||
for remote_id, conj_id_set in sg_conj_id_map.items():
|
||||
remote_group = self.driver.sg_port_map.get_sg(remote_id)
|
||||
if not remote_group or not remote_group.ports:
|
||||
if not remote_group or not remote_group.members:
|
||||
LOG.debug('No member for SG %s', remote_id)
|
||||
continue
|
||||
for addr in remote_group.get_ethertype_filtered_addresses(
|
||||
|
@ -308,9 +308,9 @@ class TestConjIPFlowManager(base.BaseTestCase):
|
||||
self.vlan_tag = 100
|
||||
self.conj_id = 16
|
||||
|
||||
def test_update_flows_for_vlan_no_ports(self):
|
||||
def test_update_flows_for_vlan_no_members(self):
|
||||
remote_group = self.driver.sg_port_map.get_sg.return_value
|
||||
remote_group.ports = {}
|
||||
remote_group.members = {}
|
||||
with mock.patch.object(self.manager.conj_id_map,
|
||||
'get_conj_id') as get_conj_id_mock:
|
||||
get_conj_id_mock.return_value = self.conj_id
|
||||
@ -320,6 +320,21 @@ class TestConjIPFlowManager(base.BaseTestCase):
|
||||
self.assertFalse(remote_group.get_ethertype_filtered_addresses.called)
|
||||
self.assertFalse(self.driver._add_flow.called)
|
||||
|
||||
def test_update_flows_for_vlan_no_ports_but_members(self):
|
||||
remote_group = self.driver.sg_port_map.get_sg.return_value
|
||||
remote_group.ports = set()
|
||||
remote_group.members = {constants.IPv4: ['10.22.3.4']}
|
||||
remote_group.get_ethertype_filtered_addresses.return_value = [
|
||||
'10.22.3.4']
|
||||
with mock.patch.object(self.manager.conj_id_map,
|
||||
'get_conj_id') as get_conj_id_mock:
|
||||
get_conj_id_mock.return_value = self.conj_id
|
||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||
constants.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||
self.manager.update_flows_for_vlan(self.vlan_tag)
|
||||
self.assertTrue(remote_group.get_ethertype_filtered_addresses.called)
|
||||
self.assertTrue(self.driver._add_flow.called)
|
||||
|
||||
def test_update_flows_for_vlan(self):
|
||||
remote_group = self.driver.sg_port_map.get_sg.return_value
|
||||
remote_group.get_ethertype_filtered_addresses.return_value = [
|
||||
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixes an issue that the OVS firewall driver does not configure security
|
||||
group rules using remote group properly when a corresponding remote group
|
||||
has no port on a local hypervisor. For more information
|
||||
see bugs: `1862703 <https://bugs.launchpad.net/neutron/+bug/1862703>`_
|
||||
and `1854131 <https://bugs.launchpad.net/neutron/+bug/1854131>`__.
|