author | Jenkins <jenkins@review.openstack.org> | 2017-02-02 00:06:55 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-02-02 00:06:55 +0000 |
commit | 0e712489557b9ebe0b6d90abf54260a53987891d (patch) | |
tree | 0777141cb110bbcfda0ee15554a25f309651a7e1 | |
parent | 525d1908be24815d103fe766025f2fa4ff5a1b5a (diff) | |
parent | a8b6a597b6aab7cd3b0a5d0c3baad75af395fe1d (diff) | |
download | neutron-0e712489557b9ebe0b6d90abf54260a53987891d.tar.gz |
Merge "Revert "Setup firewall filters only for required ports""
4 files changed, 8 insertions, 44 deletions
diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py index 49091e448d..ae1a2899e3 100644 --- a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py +++ b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py @@ -1481,7 +1481,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin, def treat_devices_added_or_updated(self, devices, ovs_restarted): skipped_devices = [] need_binding_devices = [] - security_disabled_devices = [] devices_details_list = ( self.plugin_rpc.get_devices_details_list_and_failed_devices( self.context, @@ -1519,11 +1518,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin, ovs_restarted) if need_binding: need_binding_devices.append(details) - - port_security = details['port_security_enabled'] - has_sgs = 'security_groups' in details - if not port_security or not has_sgs: - security_disabled_devices.append(device) self._update_port_network(details['port_id'], details['network_id']) self.ext_manager.handle_port(self.context, details) @@ -1534,7 +1528,7 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin, if (port and port.ofport != -1): self.port_dead(port) return (skipped_devices, need_binding_devices, - security_disabled_devices, failed_devices) + failed_devices) def _update_port_network(self, port_id, network_id): self._clean_network_ports(port_id) 
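Review bot: `treat_devices_added_or_updated` now ends in `return (skipped_devices, need_binding_devices, failed_devices)`, three values instead of four, and nothing on the method says what the tuple holds or in what order. The in-tree callers are updated in this commit, but a subclass or out-of-tree caller that still unpacks four values would presumably fail only at runtime. I would add a docstring under the `def` line, for example `"""Return (skipped_devices, need_binding_devices, failed_devices) for the given devices."""`. Most of the method body lies between the hunks shown here, so only its first lines and the return are visible.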
@@ -1614,12 +1608,11 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin, devices_added_updated = (port_info.get('added', set()) | port_info.get('updated', set())) need_binding_devices = [] - security_disabled_ports = [] skipped_devices = set() if devices_added_updated: start = time.time() (skipped_devices, need_binding_devices, - security_disabled_ports, failed_devices['added']) = ( + failed_devices['added']) = ( self.treat_devices_added_or_updated( devices_added_updated, ovs_restarted)) LOG.debug("process_network_ports - iteration:%(iter_num)d - " @@ -1640,8 +1633,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin, # unnecessarily, (eg: when there are no IP address changes) added_ports = port_info.get('added', set()) - skipped_devices self._add_port_tag_info(need_binding_devices) - if security_disabled_ports: - added_ports -= set(security_disabled_ports) self.sg_agent.setup_port_filters(added_ports, port_info.get('updated', set())) failed_devices['added'] |= self._bind_devices(need_binding_devices) diff --git a/neutron/plugins/ml2/rpc.py b/neutron/plugins/ml2/rpc.py index 702be2abd8..9ef7ab64d7 100644 --- a/neutron/plugins/ml2/rpc.py +++ b/neutron/plugins/ml2/rpc.py @@ -127,8 +127,6 @@ class RpcCallbacks(type_tunnel.TunnelRpcCallbackMixin): 'qos_policy_id': port.get(qos_consts.QOS_POLICY_ID), 'network_qos_policy_id': network_qos_policy_id, 'profile': port[portbindings.PROFILE]} - if 'security_groups' in port: - entry['security_groups'] = port['security_groups'] LOG.debug("Returning: %s", entry) return entry diff --git a/neutron/tests/functional/agent/l2/base.py b/neutron/tests/functional/agent/l2/base.py index 84b8418888..f5055391d2 100644 --- a/neutron/tests/functional/agent/l2/base.py +++ b/neutron/tests/functional/agent/l2/base.py 
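Review bot: With the `added_ports -= set(security_disabled_ports)` exclusion gone, `self.sg_agent.setup_port_filters(added_ports, ...)` in `process_network_ports` again receives every added port that was not skipped, including ports with port security disabled. The only test that pinned this path, `test_process_network_ports_with_insecure_ports`, is deleted rather than inverted. Whether the security group agent or the firewall driver skips such ports is not visible in this diff, so I would keep a test for the restored behaviour, along the lines of `setup_port_filters.assert_called_once_with(set(['eth1']), port_info.get('updated', set()))`, and put `# Includes ports with port security disabled; not filtered out at this level.` above the call. The `rpc.py` hunk on this line also stops sending `security_groups`: judging by the removed agent lines, an agent still running the pre-revert code treats a missing key as security-disabled and would leave every added port out of filter setup, so if that code was ever deployed the agents need this revert before or together with the server. `process_network_ports` starts and ends outside these hunks.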
@@ -212,8 +212,6 @@ class OVSAgentTestFramework(base.BaseOVSLinuxTestCase): 'segmentation_id': network.get('segmentation_id', 1), 'fixed_ips': port['fixed_ips'], 'device_owner': n_const.DEVICE_OWNER_COMPUTE_PREFIX, - 'port_security_enabled': True, - 'security_groups': ['default'], 'admin_state_up': True} return dev diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py index bf76558ea2..f08b205fd3 100644 --- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py +++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py @@ -768,7 +768,7 @@ class TestOvsNeutronAgent(object): 'get_port_tag_dict', return_value={}),\ mock.patch.object(self.agent, func_name) as func: - skip_devs, need_bound_devices, insecure_ports, _ = ( + skip_devs, need_bound_devices, _ = ( self.agent.treat_devices_added_or_updated([], False)) # The function should not raise self.assertFalse(skip_devs) @@ -842,7 +842,7 @@ class TestOvsNeutronAgent(object): skip_devs = self.agent.treat_devices_added_or_updated([], False) # The function should return False for resync and no device # processed - self.assertEqual((['the_skipped_one'], [], [], set()), skip_devs) + self.assertEqual((['the_skipped_one'], [], set()), skip_devs) self.assertFalse(treat_vif_port.called) def test_treat_devices_added_failed_devices(self): @@ -857,7 +857,7 @@ class TestOvsNeutronAgent(object): mock.patch.object(self.agent, 'treat_vif_port') as treat_vif_port: failed_devices = {'added': set(), 'removed': set()} - (_, _, _, failed_devices['added']) = ( + (_, _, failed_devices['added']) = ( self.agent.treat_devices_added_or_updated([], False)) # The function should return False for resync and no device # processed 
@@ -874,8 +874,7 @@ class TestOvsNeutronAgent(object): 'network_type': 'baz', 'fixed_ips': [{'subnet_id': 'my-subnet-uuid', 'ip_address': '1.1.1.1'}], - 'device_owner': DEVICE_OWNER_COMPUTE, - 'port_security_enabled': True + 'device_owner': DEVICE_OWNER_COMPUTE } with mock.patch.object(self.agent.plugin_rpc, @@ -889,7 +888,7 @@ class TestOvsNeutronAgent(object): return_value={}),\ mock.patch.object(self.agent, 'treat_vif_port') as treat_vif_port: - skip_devs, need_bound_devices, insecure_ports, _ = ( + skip_devs, need_bound_devices, _ = ( self.agent.treat_devices_added_or_updated([], False)) # The function should return False for resync self.assertFalse(skip_devs) @@ -956,7 +955,7 @@ class TestOvsNeutronAgent(object): mock.patch.object( self.agent, "treat_devices_added_or_updated", return_value=( - skipped_devices, [], [], + skipped_devices, [], failed_devices['added'])) as device_added_updated,\ mock.patch.object(self.agent.int_br, "get_ports_attributes", return_value=[]),\ @@ -1001,28 +1000,6 @@ class TestOvsNeutronAgent(object): def test_process_network_port_with_empty_port(self): self._test_process_network_ports({}) - def test_process_network_ports_with_insecure_ports(self): - port_info = {'current': set(['tap0', 'tap1']), - 'updated': set(['tap1']), - 'removed': set([]), - 'added': set(['eth1'])} - failed_dev = {'added': set(), 'removed': set()} - with mock.patch.object(self.agent.sg_agent, - "setup_port_filters") as setup_port_filters,\ - mock.patch.object( - self.agent, - "treat_devices_added_or_updated", - return_value=( - [], [], ['eth1'], - failed_dev['added'])) as device_added_updated: - self.assertEqual( - failed_dev, - self.agent.process_network_ports(port_info, False)) - device_added_updated.assert_called_once_with( - set(['eth1', 'tap1']), False) - setup_port_filters.assert_called_once_with( - set(), port_info.get('updated', set())) - def test_hybrid_plug_flag_based_on_firewall(self): cfg.CONF.set_default( 'firewall_driver', |