Merge "ovsfw: Don't create rules if updated port doesn't exist" into stable/pike

neutron/agent/linux/openvswitch_firewall/exceptions.py

@@ -26,3 +26,7 @@ class OVSFWTagNotFound(exceptions.NeutronException):
     message = _(
         "Cannot get tag for port %(port_name)s from its other_config: "
         "%(other_config)s")
+
+
+class OVSFWPortNotHandled(exceptions.NeutronException):
+    message = ("Port %(port_id)s is not handled by the firewall.")

neutron/agent/linux/openvswitch_firewall/firewall.py

@@ -500,8 +500,12 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             self._initialize_egress_no_port_security(port['device'])
             return
         elif not self.is_port_managed(port):
-            self._remove_egress_no_port_security(port['device'])
-            self.prepare_port_filter(port)
+            try:
+                self._remove_egress_no_port_security(port['device'])
+            except exceptions.OVSFWPortNotHandled as e:
+                LOG.debug(e)
+            else:
+                self.prepare_port_filter(port)
             return
         old_of_port = self.get_ofport(port)
         try:
@@ -569,7 +573,10 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 
     def remove_trusted_ports(self, port_ids):
         for port_id in port_ids:
-            self._remove_egress_no_port_security(port_id)
+            try:
+                self._remove_egress_no_port_security(port_id)
+            except exceptions.OVSFWPortNotHandled as e:
+                LOG.debug(e)
 
     def filter_defer_apply_on(self):
         self._deferred = True
@@ -677,8 +684,8 @@ class OVSFirewallDriver(firewall.FirewallDriver):
         try:
             ofport = self.sg_port_map.unfiltered[port_id]
         except KeyError:
-            LOG.debug("Port %s is not handled by the firewall.", port_id)
-            return
+            raise exceptions.OVSFWPortNotHandled(port_id=port_id)
+
         self._delete_flows(
             table=ovs_consts.TRANSIENT_TABLE,
             in_port=ofport

neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

@@ -582,7 +582,7 @@ class TestOVSFirewallDriver(base.BaseTestCase):
         with mock.patch.object(
                 self.firewall, 'prepare_port_filter') as prepare_mock:
             self.firewall.update_port_filter(port_dict)
-        self.assertTrue(prepare_mock.called)
+        self.assertFalse(prepare_mock.called)
 
     def test_update_port_filter_port_security_disabled(self):
         port_dict = {'device': 'port-id',
@@ -679,10 +679,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
         calls = self.mock_bridge.br.delete_flows.call_args_list
         self.assertIn(expected_call, calls)
 
-    def test__remove_egress_no_port_security_no_tag(self):
-        self.mock_bridge.br.db_get_val.return_value = {}
-        self.firewall._remove_egress_no_port_security('port_id')
-        self.assertFalse(self.mock_bridge.br.delete_flows.called)
+    def test__remove_egress_no_port_security_non_existing_port(self):
+        with testtools.ExpectedException(exceptions.OVSFWPortNotHandled):
+            self.firewall._remove_egress_no_port_security('foo')
 
     def test_process_trusted_ports_caches_port_id(self):
         self.firewall.process_trusted_ports(['port_id'])