diff --git a/neutron/agent/linux/openvswitch_firewall/exceptions.py b/neutron/agent/linux/openvswitch_firewall/exceptions.py
index 7d0475f8265..d0c241d36a1 100644
--- a/neutron/agent/linux/openvswitch_firewall/exceptions.py
+++ b/neutron/agent/linux/openvswitch_firewall/exceptions.py
@@ -26,3 +26,7 @@ class OVSFWTagNotFound(exceptions.NeutronException):
 message = _(
 "Cannot get tag for port %(port_name)s from its other_config: "
 "%(other_config)s")
+
+
+class OVSFWPortNotHandled(exceptions.NeutronException):
+ message = ("Port %(port_id)s is not handled by the firewall.")
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 783d3048556..d1a79ca34a4 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -500,8 +500,12 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 self._initialize_egress_no_port_security(port['device'])
 return
 elif not self.is_port_managed(port):
- self._remove_egress_no_port_security(port['device'])
- self.prepare_port_filter(port)
+ try:
+ self._remove_egress_no_port_security(port['device'])
+ except exceptions.OVSFWPortNotHandled as e:
+ LOG.debug(e)
+ else:
+ self.prepare_port_filter(port)
 return
 old_of_port = self.get_ofport(port)
 try:
@@ -569,7 +573,10 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 def remove_trusted_ports(self, port_ids):
 for port_id in port_ids:
- self._remove_egress_no_port_security(port_id)
+ try:
+ self._remove_egress_no_port_security(port_id)
+ except exceptions.OVSFWPortNotHandled as e:
+ LOG.debug(e)
 def filter_defer_apply_on(self):
 self._deferred = True
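Review bot: The new `OVSFWPortNotHandled.message` in exceptions.py is a plain string, while the `OVSFWTagNotFound` message directly above it in the same hunk is wrapped in `_()` for translation. For consistency it should read `message = _("Port %(port_id)s is not handled by the firewall.")`, which also makes the extra parentheses unnecessary. A one-line docstring stating that the exception is raised when a port id is missing from the firewall's unfiltered-port map would help callers judge whether it is safe to ignore.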
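Review bot: In the `elif not self.is_port_managed(port)` branch of firewall.py, a port that raises `OVSFWPortNotHandled` now returns without any call to `prepare_port_filter`, and the only trace is `LOG.debug(e)`, which does not say which operation was skipped. Because no filtering rules are installed for that port on this update, the log line should name the decision, for example `LOG.debug("Not preparing filter for port %s: %s", port['device'], e)`, and it may deserve a level that operators normally collect. Whether a port that still exists can reach this path is not visible from the hunk, so that is worth confirming. The same bare `LOG.debug(e)` appears in `remove_trusted_ports` in the next hunk. The enclosing method (apparently `update_port_filter`, going by the updated test) starts and ends outside the hunk.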
@@ -677,8 +684,8 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 try:
 ofport = self.sg_port_map.unfiltered[port_id]
 except KeyError:
- LOG.debug("Port %s is not handled by the firewall.", port_id)
- return
+ raise exceptions.OVSFWPortNotHandled(port_id=port_id)
+
 self._delete_flows(
 table=ovs_consts.TRANSIENT_TABLE,
 in_port=ofport
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
index 07e7895a698..9cc8a6e0fed 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -582,7 +582,7 @@ class TestOVSFirewallDriver(base.BaseTestCase):
 with mock.patch.object(
 self.firewall, 'prepare_port_filter') as prepare_mock:
 self.firewall.update_port_filter(port_dict)
- self.assertTrue(prepare_mock.called)
+ self.assertFalse(prepare_mock.called)
 def test_update_port_filter_port_security_disabled(self):
 port_dict = {'device': 'port-id',
@@ -679,10 +679,9 @@ class TestOVSFirewallDriver(base.BaseTestCase):
 calls = self.mock_bridge.br.delete_flows.call_args_list
 self.assertIn(expected_call, calls)
- def test__remove_egress_no_port_security_no_tag(self):
- self.mock_bridge.br.db_get_val.return_value = {}
- self.firewall._remove_egress_no_port_security('port_id')
- self.assertFalse(self.mock_bridge.br.delete_flows.called)
+ def test__remove_egress_no_port_security_non_existing_port(self):
+ with testtools.ExpectedException(exceptions.OVSFWPortNotHandled):
+ self.firewall._remove_egress_no_port_security('foo')
 def test_process_trusted_ports_caches_port_id(self):
 self.firewall.process_trusted_ports(['port_id'])
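Review bot: The method that looks up `self.sg_port_map.unfiltered[port_id]` used to return quietly for an unknown port and now raises `OVSFWPortNotHandled`, but nothing on the method documents the new contract. The two callers touched by this commit catch the exception; any other caller not shown in this diff would now propagate it, which in an agent processing loop could interrupt handling of the remaining ports, so it is worth checking for further call sites. I would add a docstring along the lines of `"""Delete the no-port-security egress flows for port_id; raise OVSFWPortNotHandled if the port is not in the unfiltered map."""`. The method's signature and the rest of its body are outside the hunk.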
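Review bot: After the switch to `assertFalse(prepare_mock.called)` in test_firewall.py, nothing visible in this diff exercises the new `else:` branch, where a port found in the unfiltered map has its no-port-security egress flows removed and is then passed to `prepare_port_filter`. That is the path that places a previously trusted port under filtering, so a regression there would go unnoticed. A companion test that first registers the port (the last hunk suggests `process_trusted_ports(['port_id'])` does this) and then asserts `prepare_mock.called` would cover it. A test that `remove_trusted_ports` swallows `OVSFWPortNotHandled` for an unknown id would cover the other new handler. The test method edited here starts outside the hunk.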