Add more condition to check sg member exist

Only check sg object is not enough, we should also
check sg'ports is {} or not. Otherwise the old conjunction
will still exist.

Change-Id: I10588e73a9da7fdd43677f9247c176811dd68c62
Closes-Bug: #1854131
(cherry picked from commit 5cb0ff418a)

neutron/agent/linux/openvswitch_firewall/firewall.py

@@ -293,7 +293,7 @@ class ConjIPFlowManager(object):
         addr_to_conj = collections.defaultdict(list)
         for remote_id, conj_id_set in sg_conj_id_map.items():
             remote_group = self.driver.sg_port_map.get_sg(remote_id)
-            if not remote_group:
+            if not remote_group or not remote_group.ports:
                 LOG.debug('No member for SG %s', remote_id)
                 continue
             for addr in remote_group.get_ethertype_filtered_addresses(

neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

@@ -302,6 +302,18 @@ class TestConjIPFlowManager(base.BaseTestCase):
         self.vlan_tag = 100
         self.conj_id = 16
 
+    def test_update_flows_for_vlan_no_ports(self):
+        remote_group = self.driver.sg_port_map.get_sg.return_value
+        remote_group.ports = {}
+        with mock.patch.object(self.manager.conj_id_map,
+                               'get_conj_id') as get_conj_id_mock:
+            get_conj_id_mock.return_value = self.conj_id
+            self.manager.add(self.vlan_tag, 'sg', 'remote_id',
+                             constants.INGRESS_DIRECTION, constants.IPv4, 0)
+            self.manager.update_flows_for_vlan(self.vlan_tag)
+        self.assertFalse(remote_group.get_ethertype_filtered_addresses.called)
+        self.assertFalse(self.driver._add_flow.called)
+
     def test_update_flows_for_vlan(self):
         remote_group = self.driver.sg_port_map.get_sg.return_value
         remote_group.get_ethertype_filtered_addresses.return_value = [