diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 69a841a206f..48686e79a11 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -630,6 +630,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
 {'port_id': port['device'],
 'err': not_found_error})
+ # If port doesn't exist in ovsdb, lets ensure that there are no
+ # leftovers
+ self.remove_port_filter(port)
 except exceptions.OVSFWTagNotFound as tag_not_found:
 LOG.info("Tag was not found for port %(port_id)s: %(err)s.",
 {'port_id': port['device'],
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
index 41db625dbe0..dc754b9272b 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -743,6 +743,16 @@ class TestOVSFirewallDriver(base.BaseTestCase):
 self.firewall.update_port_filter(port_dict)
 self.assertEqual(2, self.mock_bridge.apply_flows.call_count)
 
+ def test_update_port_filter_clean_when_port_not_found(self):
+ """Check flows are cleaned if port is not found in the bridge."""
+ port_dict = {'device': 'port-id',
+ 'security_groups': [1]}
+ self._prepare_security_group()
+ self.firewall.prepare_port_filter(port_dict)
+ self.mock_bridge.br.get_vif_port_by_id.return_value = None
+ self.firewall.update_port_filter(port_dict)
+ self.assertTrue(self.mock_bridge.br.delete_flows.called)
+
 def test_remove_port_filter(self):
 port_dict = {'device': 'port-id',
 'security_groups': [1]}
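Review bot: The added `self.remove_port_filter(port)` runs inside the handler that binds `not_found_error`, so anything it raises escapes the whole `try` statement; the sibling `except exceptions.OVSFWTagNotFound` clause below does not cover exceptions raised in another handler. The body of `remove_port_filter` is not in this hunk, so it is worth confirming that it works only from the driver's cached state and cannot hit the same not-found condition again, or else guarding the call so a failed cleanup is logged instead of aborting the update. The comment could also say why the leftovers matter, for example `# Port is gone from ovsdb: drop its flows so stale security-group rules cannot outlive it.` The enclosing method and its `try` both start outside the hunk.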
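Review bot: The final assertion `self.assertTrue(self.mock_bridge.br.delete_flows.called)` in `test_update_port_filter_clean_when_port_not_found` is true if `delete_flows` was called at any point since the mock was created, including during `prepare_port_filter` or fixture setup, so the test may pass even without the cleanup added in firewall.py. Resetting the mock right before the call under test makes the check specific: put `self.mock_bridge.br.delete_flows.reset_mock()` on the line before `self.firewall.update_port_filter(port_dict)`. Since the fix is meant to ensure no rules are left behind for a missing port, the test would be stronger if it also asserted on what was deleted (the call arguments) rather than only that some deletion happened.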