Merge "ovsfw: Update SG rules even if OVSFW Port is not found"
This commit is contained in:
commit
fcdca67908
|
@ -498,18 +498,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
if not firewall.port_sec_enabled(port):
|
||||
self._initialize_egress_no_port_security(port['device'])
|
||||
return
|
||||
old_of_port = self.get_ofport(port)
|
||||
# Make sure delete old allowed_address_pair MACs because
|
||||
# allowed_address_pair MACs will be updated in
|
||||
# self.get_or_create_ofport(port)
|
||||
if old_of_port:
|
||||
LOG.error("Initializing port %s that was already "
|
||||
"initialized.",
|
||||
port['device'])
|
||||
self.delete_all_port_flows(old_of_port)
|
||||
of_port = self.get_or_create_ofport(port)
|
||||
self.initialize_port_flows(of_port)
|
||||
self.add_flows_from_rules(of_port)
|
||||
self._set_port_filters(port, old_port_expected=False)
|
||||
|
||||
def update_port_filter(self, port):
|
||||
"""Update rules for given port
|
||||
|
@ -529,17 +518,26 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
LOG.debug(e)
|
||||
else:
|
||||
self.prepare_port_filter(port)
|
||||
return
|
||||
old_of_port = self.get_ofport(port)
|
||||
return
|
||||
try:
|
||||
of_port = self.get_or_create_ofport(port)
|
||||
self._set_port_filters(port, old_port_expected=True)
|
||||
except exceptions.OVSFWPortNotFound as not_found_error:
|
||||
LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
|
||||
{'port_id': port['device'],
|
||||
'err': not_found_error})
|
||||
return
|
||||
|
||||
def _set_port_filters(self, port, old_port_expected):
|
||||
old_of_port = self.get_ofport(port)
|
||||
# Make sure delete old allowed_address_pair MACs because
|
||||
# allowed_address_pair MACs will be updated in
|
||||
# self.get_or_create_ofport(port)
|
||||
if old_of_port:
|
||||
if not old_port_expected:
|
||||
LOG.info("Initializing port %s that was already "
|
||||
"initialized.", port['device'])
|
||||
self.delete_all_port_flows(old_of_port)
|
||||
# TODO(jlibosva): Handle firewall blink
|
||||
self.delete_all_port_flows(old_of_port)
|
||||
of_port = self.get_or_create_ofport(port)
|
||||
self.initialize_port_flows(of_port)
|
||||
self.add_flows_from_rules(of_port)
|
||||
|
||||
|
|
|
@ -583,10 +583,20 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||
port_dict = {'device': 'port-id',
|
||||
'security_groups': [1]}
|
||||
self._prepare_security_group()
|
||||
|
||||
with mock.patch.object(
|
||||
self.firewall, 'prepare_port_filter') as prepare_mock:
|
||||
self.firewall, 'prepare_port_filter'
|
||||
) as prepare_mock, mock.patch.object(
|
||||
self.firewall, 'initialize_port_flows'
|
||||
) as initialize_port_flows_mock, mock.patch.object(
|
||||
self.firewall, 'add_flows_from_rules'
|
||||
) as add_flows_from_rules_mock:
|
||||
self.firewall.update_port_filter(port_dict)
|
||||
|
||||
self.assertFalse(prepare_mock.called)
|
||||
self.assertFalse(self.mock_bridge.br.delete_flows.called)
|
||||
self.assertTrue(initialize_port_flows_mock.called)
|
||||
self.assertTrue(add_flows_from_rules_mock.called)
|
||||
|
||||
def test_update_port_filter_port_security_disabled(self):
|
||||
port_dict = {'device': 'port-id',
|
||||
|
|
Loading…
Reference in New Issue