Browse Source

[OVS FW] Clean port rules if port not found in ovsdb

During e.g. migration or shelve of VM it may happend that
port update event will be send to the ovs agent and in the almost
the same time, port will be removed from br-int.
In such case during update_port_filter method openvswitch firewall
driver will not find port in br-int, and it will do nothing with it.
That will lead to leftover rules for this port in br-int.

So this patch adds calling remove_port_filter() method if port was
not found in br-int. Just to be sure that there is no any leftovers
from the port in br-int anymore.

Conflicts:
    neutron/agent/linux/openvswitch_firewall/firewall.py

Change-Id: I06036ce5fe15d91aa440dc340a70dd27ae078c53
Closes-Bug: #1850557
(cherry picked from commit b01e0c2aa9)
tags/13.0.6
Slawek Kaplonski 6 months ago
parent
commit
50a02ebc06
2 changed files with 13 additions and 0 deletions
  1. +3
    -0
      neutron/agent/linux/openvswitch_firewall/firewall.py
  2. +10
    -0
      neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

+ 3
- 0
neutron/agent/linux/openvswitch_firewall/firewall.py View File

@@ -601,6 +601,9 @@ class OVSFirewallDriver(firewall.FirewallDriver):
LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
{'port_id': port['device'],
'err': not_found_error})
# If port doesn't exist in ovsdb, lets ensure that there are no
# leftovers
self.remove_port_filter(port)

def _set_port_filters(self, of_port):
self.initialize_port_flows(of_port)


+ 10
- 0
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py View File

@@ -631,6 +631,16 @@ class TestOVSFirewallDriver(base.BaseTestCase):
self.firewall.update_port_filter(port_dict)
self.assertEqual(2, self.mock_bridge.apply_flows.call_count)

def test_update_port_filter_clean_when_port_not_found(self):
"""Check flows are cleaned if port is not found in the bridge."""
port_dict = {'device': 'port-id',
'security_groups': [1]}
self._prepare_security_group()
self.firewall.prepare_port_filter(port_dict)
self.mock_bridge.br.get_vif_port_by_id.return_value = None
self.firewall.update_port_filter(port_dict)
self.assertTrue(self.mock_bridge.br.delete_flows.called)

def test_remove_port_filter(self):
port_dict = {'device': 'port-id',
'security_groups': [1]}


Loading…
Cancel
Save