From a5642453a8f50d112d9df39879fa27b1b70818e1 Mon Sep 17 00:00:00 2001
From: Yang Li
Date: Wed, 27 Nov 2019 14:48:05 +0800
Subject: [PATCH] Add more condition to check sg member exist

Only check sg object is not enough, we should also check sg'ports is {} or not. Otherwise the old conjunction will still exist.
Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
Closes-Bug: #1854131
(cherry picked from commit 5cb0ff418a0794d060001a7313561c4cfb584d0e)
---
 neutron/agent/linux/openvswitch_firewall/firewall.py | 2 +-
 .../linux/openvswitch_firewall/test_firewall.py | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index b7c01b98949..e023bb986d1 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -293,7 +293,7 @@ class ConjIPFlowManager(object):
 addr_to_conj = collections.defaultdict(list)
 for remote_id, conj_id_set in sg_conj_id_map.items():
 remote_group = self.driver.sg_port_map.get_sg(remote_id)
- if not remote_group:
+ if not remote_group or not remote_group.ports:
 LOG.debug('No member for SG %s', remote_id)
 continue
 for addr in remote_group.get_ethertype_filtered_addresses(
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
index 1048a72f3a2..df112fc3bba 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
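Review bot: In firewall.py the new guard `if not remote_group or not remote_group.ports:` decides membership from `ports`, while the addresses that feed the conjunction flows a few lines later come from `remote_group.get_ethertype_filtered_addresses(`, so the two sources can disagree. If `ports` only tracks ports bound on this agent (not visible in this hunk), a remote group whose members all live on other hosts would be skipped and its allow flows never installed; that fails closed, but it would break remote-group rules. Once the meaning of `ports` is confirmed, a comment above the guard such as `# empty ports means the SG has no members; skip it so stale conjunction flows are not kept` would record why both conditions are needed. The enclosing method starts and ends outside the hunk, so how a skipped group gets its old flows removed cannot be checked from here.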
@@ -303,6 +303,18 @@ class TestConjIPFlowManager(base.BaseTestCase):
 self.vlan_tag = 100
 self.conj_id = 16

+ def test_update_flows_for_vlan_no_ports(self):
+ remote_group = self.driver.sg_port_map.get_sg.return_value
+ remote_group.ports = {}
+ with mock.patch.object(self.manager.conj_id_map,
+ 'get_conj_id') as get_conj_id_mock:
+ get_conj_id_mock.return_value = self.conj_id
+ self.manager.add(self.vlan_tag, 'sg', 'remote_id',
+ constants.INGRESS_DIRECTION, constants.IPv4, 0)
+ self.manager.update_flows_for_vlan(self.vlan_tag)
+ self.assertFalse(remote_group.get_ethertype_filtered_addresses.called)
+ self.assertFalse(self.driver._add_flow.called)
+
 def test_update_flows_for_vlan(self):
 remote_group = self.driver.sg_port_map.get_sg.return_value
 remote_group.get_ethertype_filtered_addresses.return_value = [
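Review bot: `test_update_flows_for_vlan_no_ports` starts from a manager that has never installed a flow, so it shows only that nothing is added, not that the stale conjunction described in the commit message is removed. A stronger case would first run `update_flows_for_vlan` with a populated remote group, then set `remote_group.ports = {}`, run it again and assert on the driver's flow-deletion mock. The test also has no docstring; `"""A remote SG without ports must not yield conjunction flows."""` would state the intent.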