From: shihanzhang
Date: Mon, 15 Sep 2014 06:46:31 +0000 (+0800)
Subject: Don't create unused ipset chain
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=bf4a0199a73374d786e3a5bda770fd8545ebc4e9;p=openstack-build%2Fneutron-build.git

Don't create unused ipset chain

when a security group don't have members, it should not create corresponding ipset chain.

Change-Id: Ia04ffb3ac539c9a89a882e6dd91f373cb67c6f8b
Closes-bug: #1369431
---

diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index f38800b55..5f050b91a 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -385,7 +385,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 del_ips = self._get_deleted_sg_member_ips(sg_id, ethertype)
 cur_member_ips = self._get_cur_sg_member_ips(sg_id, ethertype)
 chain_name = ethertype + sg_id[:IPSET_CHAIN_LEN]
- if chain_name not in self.ipset_chains:
+ if chain_name not in self.ipset_chains and cur_member_ips:
 self.ipset_chains[chain_name] = []
 self.ipset.create_ipset_chain(
 chain_name, ethertype)
diff --git a/neutron/tests/unit/test_iptables_firewall.py b/neutron/tests/unit/test_iptables_firewall.py
index f313df139..a342a5c56 100644
--- a/neutron/tests/unit/test_iptables_firewall.py
+++ b/neutron/tests/unit/test_iptables_firewall.py
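Review bot: The new guard only skips creating the set for a member-less group; whatever follows this `if` outside the hunk (the `del_ips`/`cur_member_ips` handling and any later read of `self.ipset_chains[chain_name]`) must now tolerate `chain_name` being absent, otherwise a remote group with no members raises a KeyError or refreshes a set that was never created. The iptables rule generation that emits a `--match-set` rule for a remote group presumably has to skip such groups as well, since a rule that references a missing set makes the whole restore fail and leaves the port's filter unapplied; that code is not visible here, so it is worth confirming. A short comment on the condition would make the intent explicit, e.g. `# a group with no members gets no ipset; nothing would ever be added to it`. The enclosing method starts and ends outside the hunk.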
@@ -1347,3 +1347,23 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
 'IPv6fake_sgid', ['fe80::1'], 'IPv6')]
 self.firewall.ipset.assert_has_calls(calls)
+
+ def test_prepare_port_filter_with_sg_no_member(self):
+ self.firewall.sg_rules = self._fake_sg_rule()
+ self.firewall.sg_rules['fake_sgid'].append(
+ {'direction': 'ingress', 'remote_group_id': 'fake_sgid2'})
+ self.firewall.sg_rules.update()
+ self.firewall.sg_members = {'fake_sgid': {
+ 'IPv4': ['10.0.0.1', '10.0.0.2'], 'IPv6': ['fe80::1']}}
+ self.firewall.pre_sg_members = {}
+ port = self._fake_port()
+ port['security_group_source_groups'].append('fake_sgid2')
+ self.firewall.prepare_port_filter(port)
+ calls = [mock.call.create_ipset_chain('IPv4fake_sgid', 'IPv4'),
+ mock.call.refresh_ipset_chain_by_name(
+ 'IPv4fake_sgid', ['10.0.0.1', '10.0.0.2'], 'IPv4'),
+ mock.call.create_ipset_chain('IPv6fake_sgid', 'IPv6'),
+ mock.call.refresh_ipset_chain_by_name(
+ 'IPv6fake_sgid', ['fe80::1'], 'IPv6')]
+
+ self.firewall.ipset.assert_has_calls(calls)
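Review bot: `assert_has_calls(calls)` only checks that the listed calls occur in that order somewhere in the recorded calls, so this test still passes if `create_ipset_chain('IPv4fake_sgid2', 'IPv4')` is issued for the member-less group as long as that call falls outside the asserted run; as written it does not pin the behaviour the commit introduces. Add a negative check such as `self.assertNotIn(mock.call.create_ipset_chain('IPv4fake_sgid2', 'IPv4'), self.firewall.ipset.mock_calls)` (and the IPv6 counterpart), or compare `self.firewall.ipset.mock_calls` against `calls` exactly. `self.firewall.sg_rules.update()` with no arguments is a no-op and can be dropped. The hunk header announces 23 new lines but only 22 are visible here, so one context line may have been lost in the paste.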