
Removes SG rules on port with SG disabled

The SecurityGroupsDriver relies on its cache when removing a port's
ACL rules if the port's port_security_enabled field is False.

If the port was updated while the agent was down, the cache will be
empty, and the driver will therefore skip removing the port's ACLs.

This patch addresses this issue by removing all of the port's ACLs if
the port's port_security_enabled is False.

Change-Id: Ibda80fbd17310e13ceb7fe4e6db7f68e6403e87b
Closes-Bug: #1747666
Claudiu Belu 1 year ago
parent
commit
13a1d75fe7

+ 2
- 3
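--- a/networking_hyperv/neutron/security_groups_driver.py
+++ b/networking_hyperv/neutron/security_groups_driver.py
@@ -220,9 +220,8 @@ class HyperVSecurityGroupsDriverMixin(object):
             LOG.info('Port %s does not have security enabled. '
                      'Removing existing rules if any.', port['id'])
             self._security_ports.pop(port.get('device'), None)
-            existing_rules = self._sec_group_rules.pop(port['id'], None)
-            if existing_rules:
-                self._utils.remove_all_security_rules(port['id'])
+            self._sec_group_rules.pop(port['id'], None)
+            self._utils.remove_all_security_rules(port['id'])
             return
         LOG.info('Updating port rules.')
 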
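Review bot: The now-unconditional `self._utils.remove_all_security_rules(port['id'])` has no comment saying why the `_sec_group_rules` cache is no longer consulted, so a later cleanup could reintroduce the `if existing_rules:` guard and leave stale ACLs on the port after an agent restart. I would add above the call: `# The cache may be empty after an agent restart; always clear the port's ACLs.` Because the call now runs on every update of a port with security disabled, it presumably has to tolerate a port that currently has no ACLs; that helper is not visible here, so confirm it does not raise in that case. The companion test file only deletes `test_update_port_filter_security_disabled`; a replacement that starts from an empty cache and checks `remove_all_security_rules.assert_called_once_with(mock_port['id'])` would pin the fix. The enclosing method begins above the hunk.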

+ 0
- 10
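--- a/networking_hyperv/tests/unit/neutron/test_security_groups_driver.py
+++ b/networking_hyperv/tests/unit/neutron/test_security_groups_driver.py
@@ -225,16 +225,6 @@ class TestHyperVSecurityGroupsDriver(SecurityGroupRuleTestHelper):
         self.assertNotIn(new_mock_port['device'], self._driver._security_ports)
         mock_method.assert_called_once_with(new_mock_port)
 
-    def test_update_port_filter_security_disabled(self):
-        mock_port = self._get_port()
-        mock_port['port_security_enabled'] = False
-
-        self._driver.update_port_filter(mock_port)
-
-        self.assertFalse(self._driver._utils.remove_all_security_rules.called)
-        self.assertNotIn(mock_port['device'], self._driver._security_ports)
-        self.assertNotIn(mock_port['id'], self._driver._sec_group_rules)
-
     def test_update_port_filter_security_disabled_existing_rules(self):
         mock_port = self._get_port()
         mock_port.pop('port_security_enabled')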
