Merge "Use '-p ip' instead of '-p 0' with conntrack"

neutron/agent/linux/ip_conntrack.py

@@ -117,7 +117,10 @@ class IpConntrackManager(object):
         protocol = rule.get('protocol')
         direction = rule.get('direction')
         cmd = ['conntrack', '-D']
-        if protocol:
+        if protocol is not None:
+            # 0 is IP in /etc/protocols, but conntrack will throw an error
+            if str(protocol) == '0':
+                protocol = 'ip'
             cmd.extend(['-p', str(protocol)])
         cmd.extend(['-f', str(ethertype).lower()])
         cmd.append('-d' if direction == 'ingress' else '-s')

neutron/tests/unit/agent/linux/test_iptables_firewall.py

@@ -1389,8 +1389,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
             while not self.firewall.ipconntrack._queue.empty():
                 self.firewall.ipconntrack._process_queue()
             cmd = ['conntrack', '-D']
-            if protocol:
-                cmd.extend(['-p', protocol])
+            if protocol is not None:
+                if str(protocol) == '0':
+                    protocol = 'ip'
+                cmd.extend(['-p', str(protocol)])
             if ethertype == 'IPv4':
                 cmd.extend(['-f', 'ipv4'])
                 if direction == 'ingress':
@@ -1412,7 +1414,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 
     def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
         for direction in ['ingress', 'egress']:
-            for pro in [None, 'tcp', 'icmp', 'udp']:
+            for pro in [None, 'ip', 'tcp', 'icmp', 'udp', '0']:
+                self._test_remove_conntrack_entries(
+                    'IPv4', pro, direction, ct_zone=10)
+
+    def test_remove_conntrack_entries_for_delete_rule_ipv4_by_num(self):
+        for direction in ['ingress', 'egress']:
+            for pro in [None, 0, 6, 1, 17]:
                 self._test_remove_conntrack_entries(
                     'IPv4', pro, direction, ct_zone=10)