Update ipset members when corresponding sg member is empty
authorshihanzhang <shihanzhang@huawei.com>
Tue, 26 May 2015 08:42:44 +0000 (16:42 +0800)
committershihanzhang <shihanzhang@huawei.com>
Mon, 8 Jun 2015 06:20:59 +0000 (14:20 +0800)
If a security group has a rule with 'remote-group-id', the ports
in this security group should update their relevant ipset members
when the remote group has no members.

Change-Id: I980ebfd8f6537f803d9d5cbf21ca33f727fea3b3
Closes-bug: #1458786

neutron/agent/linux/iptables_firewall.py
neutron/tests/unit/agent/linux/test_iptables_firewall.py

index 4dd988fde8b8c6b3f435423307e83ab2da108599..1cae8f6429f3f790d106ee6299b28a55c6000f30 100644 (file)
@@ -458,8 +458,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         for ip_version, sg_ids in security_group_ids.items():
             for sg_id in sg_ids:
                 current_ips = self.sg_members[sg_id][ip_version]
-                if current_ips:
-                    self.ipset.set_members(sg_id, ip_version, current_ips)
+                self.ipset.set_members(sg_id, ip_version, current_ips)
 
     def _generate_ipset_rule_args(self, sg_rule, remote_gid):
         ethertype = sg_rule.get('ethertype')
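Review bot: The now-unconditional `self.ipset.set_members(sg_id, ip_version, current_ips)` call has no comment saying why an empty `current_ips` must still be pushed, and the removed `if current_ips:` guard looks like a harmless optimisation that a later cleanup could restore. As the commit message implies, skipping the call leaves the previous addresses in the ipset, so rules matching on the remote group would presumably keep admitting hosts that are no longer members. I would add above the call: `# Sync even when empty: a stale ipset keeps admitting addresses that left the remote group.` The enclosing method starts above the hunk, so whether `self.sg_members[sg_id][ip_version]` can raise for an unknown `sg_id` cannot be judged from here.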
index 53726f81c73188d38dfa4e986a1f458bd0e78a85..7491d5a8740b49ea7ff44f75994c393ac44ef380 100644 (file)
@@ -1695,3 +1695,11 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
         self.firewall._build_ipv4v6_mac_ip_list(mac_oth, ipv6,
                                                 mac_ipv4_pairs, mac_ipv6_pairs)
         self.assertEqual(fake_ipv6_pair, mac_ipv6_pairs)
+
+    def test_update_ipset_members(self):
+        self.firewall.sg_members[FAKE_SGID][_IPv4] = []
+        self.firewall.sg_members[FAKE_SGID][_IPv6] = []
+        sg_info = {constants.IPv4: [FAKE_SGID]}
+        self.firewall._update_ipset_members(sg_info)
+        calls = [mock.call.set_members(FAKE_SGID, constants.IPv4, [])]
+        self.firewall.ipset.assert_has_calls(calls)
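Review bot: `assert_has_calls` in `test_update_ipset_members` passes even when `set_members` is also called for other groups or IP versions, so the test does not pin that only the IPv4 set named in `sg_info` is touched. Since the test already seeds an empty `_IPv6` list, a stricter check such as `self.firewall.ipset.set_members.assert_called_once_with(FAKE_SGID, constants.IPv4, [])` would cover that; this assumes `self.firewall.ipset` is a mock, as the existing assertion suggests. The test also uses both `_IPv4` and `constants.IPv4`, presumably for the same key, and one spelling throughout would read more clearly. A second case that starts from a non-empty member list and then empties it would exercise the transition the bug report describes.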