diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index fc504b7d3eb..e496887ba9d 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -994,7 +994,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 self._clean_deleted_remote_sg_members_conntrack_entries()
 def _get_sg_members(self, sg_info, sg_id, ethertype):
- return set(sg_info.get(sg_id, {}).get(ethertype, []))
+ ip_mac_addresses = sg_info.get(sg_id, {}).get(ethertype, [])
+ return set([ip_mac[0] for ip_mac in ip_mac_addresses])
 def filter_defer_apply_off(self):
 if self._defer_apply:
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index a5ce4da21d9..4af742980bd 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -2086,6 +2086,22 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 mock.call.add_rule('sg-chain', '-j ACCEPT')]
 self.v4filter_inst.assert_has_calls(calls)
+ def test__get_sg_members(self):
+ sg_info = {_uuid(): {constants.IPv4: [['ip1', None]],
+ constants.IPv6: []},
+ _uuid(): {constants.IPv4: [['ip2', None], ['ip3', None]],
+ constants.IPv6: [['ip4', None]]},
+ }
+ sg_ids = list(sg_info.keys())
+ self.assertEqual({'ip1'}, self.firewall._get_sg_members(
+ sg_info, sg_ids[0], constants.IPv4))
+ self.assertEqual(set([]), self.firewall._get_sg_members(
+ sg_info, sg_ids[0], constants.IPv6))
+ self.assertEqual({'ip2', 'ip3'}, self.firewall._get_sg_members(
+ sg_info, sg_ids[1], constants.IPv4))
+ self.assertEqual({'ip4'}, self.firewall._get_sg_members(
+ sg_info, sg_ids[1], constants.IPv6))
+
 class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
 def setUp(self):
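Review bot: In `_get_sg_members` (iptables_firewall.py), `ip_mac[0]` assumes every member entry is an indexable `[ip, mac]` pair, so a bare IP string would not raise but silently contribute only its first character to the returned set. The producer of `sg_info` is not visible in this hunk; if mixed formats can reach the agent (for example during a rolling upgrade, which is an assumption here), the member sets that presumably drive the conntrack cleanup seen in the context line above would compare wrong values, and stale entries for removed members could go unnoticed. I would either tolerate both shapes, `return {m[0] if isinstance(m, (list, tuple)) else m for m in members}`, or state the contract in a short comment such as `# members are (ip, mac) pairs; only the IP is compared`. As a style point, the set comprehension `{ip_mac[0] for ip_mac in ip_mac_addresses}` avoids the intermediate list built by `set([...])`.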
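Review bot: `test__get_sg_members` (test_iptables_firewall.py) exercises only security groups that are present in `sg_info` and only entries whose MAC is `None`, so the `.get(sg_id, {})` default path that the changed function relies on is untested. A case for an unknown group would pin that behaviour: `self.assertEqual(set(), self.firewall._get_sg_members(sg_info, _uuid(), constants.IPv4))`. One entry carrying a real MAC value would also show that the second element is ignored rather than accidentally required to be `None`. As a minor style point, `set()` reads better than `set([])` in the empty-set assertion.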