From: shihanzhang
Date: Tue, 26 May 2015 08:42:44 +0000 (+0800)
Subject: Update ipset members when corresponding sg member is empty
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=b239f75644bfdfec86f8a8efdabd6b11b766e822;p=openstack-build%2Fneutron-build.git

Update ipset members when corresponding sg member is empty

if a security group has a rule with 'remote-group-id', the ports in this security group should update its relevant ipset member when the remote-group members is empty.

Change-Id: I980ebfd8f6537f803d9d5cbf21ca33f727fea3b3
Closes-bug: #1458786
---
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 4dd988fde..1cae8f642 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -458,8 +458,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 for ip_version, sg_ids in security_group_ids.items():
 for sg_id in sg_ids:
 current_ips = self.sg_members[sg_id][ip_version]
- if current_ips:
- self.ipset.set_members(sg_id, ip_version, current_ips)
+ self.ipset.set_members(sg_id, ip_version, current_ips)
 
 def _generate_ipset_rule_args(self, sg_rule, remote_gid):
 ethertype = sg_rule.get('ethertype')
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 53726f81c..7491d5a87 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
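Review bot: The now-unconditional `set_members` call on the `+` line only delivers the fix if `ipset.set_members` treats an empty `current_ips` as "remove every current member", which this hunk does not show and which is worth confirming, because the failure mode behind the removed guard was a stale ipset that kept matching addresses of ports that had already left the remote group. Nothing in the hunk says that calling with an empty list is deliberate, so a later reader may reintroduce the guard as an apparent optimisation; add above the call `# Push an empty list too: a remote group whose last member left must have its ipset flushed, otherwise stale addresses keep matching.` `_update_ipset_members` starts before the hunk, so its signature and any docstring are outside this view.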
@@ -1695,3 +1695,11 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
 self.firewall._build_ipv4v6_mac_ip_list(mac_oth, ipv6, mac_ipv4_pairs, mac_ipv6_pairs)
 self.assertEqual(fake_ipv6_pair, mac_ipv6_pairs)
+
+ def test_update_ipset_members(self):
+ self.firewall.sg_members[FAKE_SGID][_IPv4] = []
+ self.firewall.sg_members[FAKE_SGID][_IPv6] = []
+ sg_info = {constants.IPv4: [FAKE_SGID]}
+ self.firewall._update_ipset_members(sg_info)
+ calls = [mock.call.set_members(FAKE_SGID, constants.IPv4, [])]
+ self.firewall.ipset.assert_has_calls(calls)
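Review bot: `test_update_ipset_members` empties both the `_IPv4` and `_IPv6` member lists of `FAKE_SGID`, but `sg_info` lists the group only under `constants.IPv4`, so the `_IPv6` setup line is never exercised and the test does not show that an emptied IPv6 set is flushed as well. Either drop the `_IPv6` line or extend the input and the expectation: `sg_info = {constants.IPv4: [FAKE_SGID], constants.IPv6: [FAKE_SGID]}` and `calls = [mock.call.set_members(FAKE_SGID, constants.IPv4, []), mock.call.set_members(FAKE_SGID, constants.IPv6, [])]`, passing `any_order=True` to `assert_has_calls` since the order in which `security_group_ids.items()` yields the two versions is not something the test should depend on. The mix of `_IPv4` and `constants.IPv4` in the same test presumably refers to the same value through a module alias; using one spelling throughout would make that obvious.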