Merge "ovsfw: Don't create rules if updated port doesn't exist" into stable/pike
commit
57c7be250c
|
@ -26,3 +26,7 @@ class OVSFWTagNotFound(exceptions.NeutronException):
|
|||
message = _(
|
||||
"Cannot get tag for port %(port_name)s from its other_config: "
|
||||
"%(other_config)s")
|
||||
|
||||
|
||||
class OVSFWPortNotHandled(exceptions.NeutronException):
|
||||
message = ("Port %(port_id)s is not handled by the firewall.")
|
||||
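Review bot: The `message` of the new `OVSFWPortNotHandled` class is a plain parenthesised string, while `OVSFWTagNotFound` directly above wraps its message in `_()`, so the new text is not marked for translation. For consistency it could read `message = _("Port %(port_id)s is not handled by the firewall.")`. The class also has no docstring; a one-line one saying it is raised when a port id is missing from `sg_port_map.unfiltered` would tell callers when they have to catch it.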
|
|
|
@ -500,8 +500,12 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
self._initialize_egress_no_port_security(port['device'])
|
||||
return
|
||||
elif not self.is_port_managed(port):
|
||||
self._remove_egress_no_port_security(port['device'])
|
||||
self.prepare_port_filter(port)
|
||||
try:
|
||||
self._remove_egress_no_port_security(port['device'])
|
||||
except exceptions.OVSFWPortNotHandled as e:
|
||||
LOG.debug(e)
|
||||
else:
|
||||
self.prepare_port_filter(port)
|
||||
return
|
||||
old_of_port = self.get_ofport(port)
|
||||
try:
|
||||
|
@ -569,7 +573,10 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
|
||||
def remove_trusted_ports(self, port_ids):
|
||||
for port_id in port_ids:
|
||||
self._remove_egress_no_port_security(port_id)
|
||||
try:
|
||||
self._remove_egress_no_port_security(port_id)
|
||||
except exceptions.OVSFWPortNotHandled as e:
|
||||
LOG.debug(e)
|
||||
|
||||
def filter_defer_apply_on(self):
|
||||
self._deferred = True
|
||||
|
@ -677,8 +684,8 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
try:
|
||||
ofport = self.sg_port_map.unfiltered[port_id]
|
||||
except KeyError:
|
||||
LOG.debug("Port %s is not handled by the firewall.", port_id)
|
||||
return
|
||||
raise exceptions.OVSFWPortNotHandled(port_id=port_id)
|
||||
|
||||
self._delete_flows(
|
||||
table=ovs_consts.TRANSIENT_TABLE,
|
||||
in_port=ofport
|
||||
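Review bot: In the `elif not self.is_port_managed(port)` branch, the new `except exceptions.OVSFWPortNotHandled` arm skips `prepare_port_filter(port)` and records that only with `LOG.debug(e)`, so a port left without firewall flows leaves no trace at default log levels. The exception is raised whenever the id is missing from `sg_port_map.unfiltered`, which the commit title equates with "port doesn't exist"; the visible lines do not show that the two are always the same, so a comment stating that assumption would help. Consider logging with context at a level operators see, e.g. `LOG.info("Port %s not handled by the firewall, skipping filter setup: %s", port['device'], e)`. Because `_remove_egress_no_port_security` now raises instead of returning, any caller outside the hunks shown here needs the same handling; the method enclosing the first hunk starts outside it.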
|
|
|
@ -582,7 +582,7 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||
with mock.patch.object(
|
||||
self.firewall, 'prepare_port_filter') as prepare_mock:
|
||||
self.firewall.update_port_filter(port_dict)
|
||||
self.assertTrue(prepare_mock.called)
|
||||
self.assertFalse(prepare_mock.called)
|
||||
|
||||
def test_update_port_filter_port_security_disabled(self):
|
||||
port_dict = {'device': 'port-id',
|
||||
|
@ -679,10 +679,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||
calls = self.mock_bridge.br.delete_flows.call_args_list
|
||||
self.assertIn(expected_call, calls)
|
||||
|
||||
def test__remove_egress_no_port_security_no_tag(self):
|
||||
self.mock_bridge.br.db_get_val.return_value = {}
|
||||
self.firewall._remove_egress_no_port_security('port_id')
|
||||
self.assertFalse(self.mock_bridge.br.delete_flows.called)
|
||||
def test__remove_egress_no_port_security_non_existing_port(self):
|
||||
with testtools.ExpectedException(exceptions.OVSFWPortNotHandled):
|
||||
self.firewall._remove_egress_no_port_security('foo')
|
||||
|
||||
def test_process_trusted_ports_caches_port_id(self):
|
||||
self.firewall.process_trusted_ports(['port_id'])
|
||||
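Review bot: No test in the visible hunks exercises the new `try`/`except` in `remove_trusted_ports`, nor the `else` arm of the update path where removal succeeds and `prepare_port_filter` must still be called. A short test calling `self.firewall.remove_trusted_ports(['foo'])` and checking that it returns without raising would pin the first. For the second, register the port in `sg_port_map.unfiltered` before `update_port_filter` and assert `prepare_mock.called`. Such tests may already exist outside these hunks. The test whose assertion is flipped to `assertFalse(prepare_mock.called)` starts outside its hunk, so its name and setup cannot be checked here.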
|
|