diff --git a/neutron/agent/linux/ip_conntrack.py b/neutron/agent/linux/ip_conntrack.py
index 9040504149c..c3594b0ff1f 100644
--- a/neutron/agent/linux/ip_conntrack.py
+++ b/neutron/agent/linux/ip_conntrack.py
@@ -117,7 +117,10 @@ class IpConntrackManager(object):
 protocol = rule.get('protocol')
 direction = rule.get('direction')
 cmd = ['conntrack', '-D']
- if protocol:
+ if protocol is not None:
+ # 0 is IP in /etc/protocols, but conntrack will throw an error
+ if str(protocol) == '0':
+ protocol = 'ip'
 cmd.extend(['-p', str(protocol)])
 cmd.extend(['-f', str(ethertype).lower()])
 cmd.append('-d' if direction == 'ingress' else '-s')
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 2400c181400..92e5b3fd42b 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1389,8 +1389,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 while not self.firewall.ipconntrack._queue.empty():
 self.firewall.ipconntrack._process_queue()
 cmd = ['conntrack', '-D']
- if protocol:
- cmd.extend(['-p', protocol])
+ if protocol is not None:
+ if str(protocol) == '0':
+ protocol = 'ip'
+ cmd.extend(['-p', str(protocol)])
 if ethertype == 'IPv4':
 cmd.extend(['-f', 'ipv4'])
 if direction == 'ingress':
@@ -1412,7 +1414,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
 for direction in ['ingress', 'egress']:
- for pro in [None, 'tcp', 'icmp', 'udp']:
+ for pro in [None, 'ip', 'tcp', 'icmp', 'udp', '0']:
+ self._test_remove_conntrack_entries(
+ 'IPv4', pro, direction, ct_zone=10)
+
+ def test_remove_conntrack_entries_for_delete_rule_ipv4_by_num(self):
+ for direction in ['ingress', 'egress']:
+ for pro in [None, 0, 6, 1, 17]:
 self._test_remove_conntrack_entries(
 'IPv4', pro, direction, ct_zone=10)
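Review bot: The widened guard `if protocol is not None:` in ip_conntrack.py also admits an empty-string protocol, which the old truthiness check silently skipped, so a rule carrying `''` would now emit `-p ''` and the delete would presumably fail for the same reason as `-p 0`; whether rule['protocol'] can be empty is not visible here, but if it can, `if protocol not in (None, ''):` keeps the old behaviour for that case while still handling 0. The added comment would be more useful if it named the consequence rather than only the symptom, e.g. `# conntrack rejects '-p 0' (protocol 0 is 'ip' in /etc/protocols); a rejected delete would leave flows matched by the removed rule in the conntrack table, so pass the name instead`. The enclosing method starts and ends outside the hunk.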
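Review bot: The test helper `_test_remove_conntrack_entries` now re-implements the production mapping (`if str(protocol) == '0': protocol = 'ip'`) when building its expected command, so the assertion no longer pins which `-p` argument must be emitted for 0 — a wrong mapping applied consistently in both places would still pass. The same weakness carries over to the new `test_remove_conntrack_entries_for_delete_rule_ipv4_by_num` in the following hunk, which relies on this helper for its expectation. Consider passing the expected `-p` value to the helper explicitly alongside the input protocol (e.g. `(0, 'ip')`, `('0', 'ip')`, `(6, '6')`) so the test states the contract instead of deriving it. The enclosing helper starts outside the hunk.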