Delete conntrack entry with remote_ip on the other direction

Patch [1] is incomplete for deleting conntrack entries with
remote_ip set. This patch fixes the defect.
[1]: I44d6bd0c2465294b557fd01566b72e016d34bba3

Change-Id: I31c579dbe28e4e8e824912b695eaba9475cf0095
Closes-Bug: #1570171

neutron/agent/linux/ip_conntrack.py

@@ -58,7 +58,11 @@ class IpConntrackManager(object):
                 ip_cmd = [str(net.ip), '-w', zone_id]
                 if remote_ip and str(
                         netaddr.IPNetwork(remote_ip).version) in ethertype:
-                    ip_cmd.extend(['-s', str(remote_ip)])
+                    if rule.get('direction') == 'ingress':
+                        direction = '-s'
+                    else:
+                        direction = '-d'
+                    ip_cmd.extend([direction, str(remote_ip)])
                 conntrack_cmds.add(tuple(cmd + ip_cmd))
         return conntrack_cmds
 

neutron/tests/unit/agent/linux/test_iptables_firewall.py

@@ -1158,6 +1158,56 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                       extra_ok_codes=[1])]
         self.utils_exec.assert_has_calls(calls)
 
+    def test_remove_conntrack_entries_for_sg_member_changed_ipv4(self):
+        for direction in ['ingress', 'egress']:
+            for protocol in [None, 'tcp', 'icmp', 'udp']:
+                self._test_remove_conntrack_entries_sg_member_changed(
+                    'IPv4', protocol, direction)
+
+    def test_remove_conntrack_entries_for_sg_member_changed_ipv6(self):
+        for direction in ['ingress', 'egress']:
+            for protocol in [None, 'tcp', 'icmp', 'udp']:
+                self._test_remove_conntrack_entries_sg_member_changed(
+                    'IPv6', protocol, direction)
+
+    def _test_remove_conntrack_entries_sg_member_changed(self, ethertype,
+                                                         protocol, direction):
+        port = self._fake_port()
+        port['security_groups'] = ['fake_sg_id']
+        self.firewall.sg_rules.setdefault('fake_sg_id', [])
+        self.firewall.sg_rules['fake_sg_id'].append(
+            {'direction': direction, 'remote_group_id': 'fake_sg_id2',
+             'ethertype': ethertype})
+
+        self.firewall.filter_defer_apply_on()
+        self.firewall.devices_with_updated_sg_members['fake_sg_id2'] = [port]
+        if ethertype == "IPv4":
+            self.firewall.pre_sg_members = {'fake_sg_id2': {
+                                            'IPv4': ['10.0.0.2', '10.0.0.3']}}
+            self.firewall.sg_members = {'fake_sg_id2': {
+                                            'IPv4': ['10.0.0.3']}}
+            ethertype = "ipv4"
+        else:
+            self.firewall.pre_sg_members = {'fake_sg_id2': {
+                                            'IPv6': ['fe80::2', 'fe80::3']}}
+            self.firewall.sg_members = {'fake_sg_id2': {
+                                            'IPv6': ['fe80::3']}}
+            ethertype = "ipv6"
+        self.firewall.filter_defer_apply_off()
+        direction = '-d' if direction == 'ingress' else '-s'
+        remote_ip_direction = '-s' if direction == '-d' else '-d'
+        ips = {"ipv4": ['10.0.0.1', '10.0.0.2'],
+               "ipv6": ['fe80::1', 'fe80::2']}
+        calls = [
+                     # initial data has 1, 2, and 9 in use, CT zone will start
+                     # at 10.
+                     mock.call(['conntrack', '-D', '-f', ethertype, direction,
+                                ips[ethertype][0], '-w', 10,
+                                remote_ip_direction, ips[ethertype][1]],
+                               run_as_root=True, check_exit_code=True,
+                               extra_ok_codes=[1])]
+        self.utils_exec.assert_has_calls(calls)
+
     def test_user_sg_rules_deduped_before_call_to_iptables_manager(self):
         port = self._fake_port()
         port['security_group_rules'] = [{'ethertype': 'IPv4',