Fix: do not remove egress sg rule if port is associated with any sg
Change-Id: I564ff826d1cda9ecd7527c3503b28d2c61016323
diff --git a/apps/openstacknetworking/app/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java b/apps/openstacknetworking/app/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
index f42b073..8774154 100644
--- a/apps/openstacknetworking/app/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
+++ b/apps/openstacknetworking/app/src/main/java/org/onosproject/openstacknetworking/impl/OpenstackSecurityGroupHandler.java
@@ -86,6 +86,7 @@
import java.util.Dictionary;
import java.util.HashSet;
import java.util.LinkedHashMap;
+import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
@@ -379,6 +380,16 @@
return;
}
+ // in case a port is bound to multiple security groups, we do NOT remove
+ // egress rules unless all security groups bound to the port to be removed
+ Port osPort = osNetService.port(instPort.portId());
+ if (!install && osPort != null && sgRule.getDirection().equalsIgnoreCase(EGRESS)) {
+ List<String> sgIds = osPort.getSecurityGroups();
+ if (!sgIds.contains(sgRule.getSecurityGroupId()) && !sgIds.isEmpty()) {
+ return;
+ }
+ }
+
// XXX All egress traffic needs to go through connection tracking module,
// which might hurt its performance.
ExtensionTreatment ctTreatment =