del_ips = self._get_deleted_sg_member_ips(sg_id, ethertype)
cur_member_ips = self._get_cur_sg_member_ips(sg_id, ethertype)
chain_name = ethertype + sg_id[:IPSET_CHAIN_LEN]
- if chain_name not in self.ipset_chains:
+ if chain_name not in self.ipset_chains and cur_member_ips:
self.ipset_chains[chain_name] = []
self.ipset.create_ipset_chain(
chain_name, ethertype)
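Review bot: The new guard `if chain_name not in self.ipset_chains and cur_member_ips:` leaves an untracked, member-less group to fall through to whatever branch follows this `if`, which is outside the hunk. If that branch indexes `self.ipset_chains[chain_name]`, or if a generated iptables rule still references the set by name, the missing set would presumably raise or make the rule load fail, leaving the port's filtering in its previous state; please confirm both paths handle the absent set. A comment above the condition would record the intent, for example `# Do not create an empty set; a remote group with no members must not be referenced by any rule.` The enclosing method starts and ends outside the hunk, so this is inferred from the visible lines only.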
'IPv6fake_sgid', ['fe80::1'], 'IPv6')]
self.firewall.ipset.assert_has_calls(calls)
+
+ def test_prepare_port_filter_with_sg_no_member(self):
+ self.firewall.sg_rules = self._fake_sg_rule()
+ self.firewall.sg_rules['fake_sgid'].append(
+ {'direction': 'ingress', 'remote_group_id': 'fake_sgid2'})
+ self.firewall.sg_rules.update()
+ self.firewall.sg_members = {'fake_sgid': {
+ 'IPv4': ['10.0.0.1', '10.0.0.2'], 'IPv6': ['fe80::1']}}
+ self.firewall.pre_sg_members = {}
+ port = self._fake_port()
+ port['security_group_source_groups'].append('fake_sgid2')
+ self.firewall.prepare_port_filter(port)
+ calls = [mock.call.create_ipset_chain('IPv4fake_sgid', 'IPv4'),
+ mock.call.refresh_ipset_chain_by_name(
+ 'IPv4fake_sgid', ['10.0.0.1', '10.0.0.2'], 'IPv4'),
+ mock.call.create_ipset_chain('IPv6fake_sgid', 'IPv6'),
+ mock.call.refresh_ipset_chain_by_name(
+ 'IPv6fake_sgid', ['fe80::1'], 'IPv6')]
+
+ self.firewall.ipset.assert_has_calls(calls)
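Review bot: The test never asserts directly that no set is created for the member-less group `fake_sgid2`. `assert_has_calls` only checks that the listed calls occur in sequence and tolerates extra calls before or after them. Add a negative check after the final assertion, for example `self.assertNotIn(mock.call.create_ipset_chain('IPv4fake_sgid2', 'IPv4'), self.firewall.ipset.mock_calls)`, and the same for IPv6; the chain name assumes `IPSET_CHAIN_LEN` does not truncate `fake_sgid2`. Separately, `self.firewall.sg_rules.update()` is called with no arguments, which does nothing if `sg_rules` is a plain dict, so the line can be dropped.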