authorSoren Hansen <soren@linux2go.dk>2011-07-22 22:49:16 +0200
committerSoren Hansen <soren@linux2go.dk>2011-07-22 22:49:16 +0200
commit00fcb54769fdbe8828d7bd52a6636ffc5ad6c862 (patch)
tree5df270e42eeb3fbf3128993b0abfa46368ce5dbe
parentc3cdcc1eb0c9fd37f49701d976c7ceae8df44caf (diff)
...and this is me snapping back into reality removing all trace of ipsets. Go me.
-rw-r--r--nova/network/linux_net.py30
-rw-r--r--nova/tests/test_iptables_network.py39
-rw-r--r--nova/virt/libvirt/firewall.py30
3 files changed, 12 insertions, 87 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 0e021a40f..283a5aca1 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -96,33 +96,6 @@ class IptablesRule(object):
chain = self.chain
return '-A %s %s' % (chain, self.rule)
-class IpSet(object):
- """A class for handling large collections of IPs efficiently"""
-
- def __init__(self, name, execute=None):
- self.name = name
- self._ips = set()
- if not execute:
- self.execute = _execute
- else:
- self.execute = execute
-
- def __contains__(self, addr):
- return addr in self._ips
-
- def _set_name(self):
- return '%s-%s' % (binary_name, self.name)
-
- def add_ip(self, addr):
- self._ips.add(addr)
- self.execute('ipset', '-A', self._set_name(), addr)
-
- def remove_ip(self, addr):
- self._ips.remove(addr)
- self.execute('ipset', '-D', self._set_name(), addr)
-
- def iptables_source_match(self):
- return ['-m set --match-set %s src' % (self._set_name(),)]
class IptablesTable(object):
"""An iptables table."""
@@ -308,9 +281,6 @@ class IptablesManager(object):
self.ipv4['nat'].add_chain('floating-snat')
self.ipv4['nat'].add_rule('snat', '-j $floating-snat')
- def ipset_supported(self):
- return False
-
@utils.synchronized('iptables', external=True)
def apply(self):
"""Apply the current in-memory set of iptables rules.
diff --git a/nova/tests/test_iptables_network.py b/nova/tests/test_iptables_network.py
index d0a8c052c..918034269 100644
--- a/nova/tests/test_iptables_network.py
+++ b/nova/tests/test_iptables_network.py
@@ -17,46 +17,11 @@
# under the License.
"""Unit Tests for network code."""
+import os
+
from nova import test
from nova.network import linux_net
-class IpSetTestCase(test.TestCase):
- def test_add(self):
- """Adding an address"""
- ipset = linux_net.IpSet('somename')
-
- ipset.add_ip('1.2.3.4')
- self.assertTrue('1.2.3.4' in ipset)
-
-
- def test_add_remove(self):
- """Adding and then removing an address"""
-
- self.verify_cmd_call_count = 0
- def verify_cmd(*args):
- self.assertEquals(args, self.expected_cmd)
- self.verify_cmd_call_count += 1
-
- self.expected_cmd = ('ipset', '-A', 'run_tests.py-somename', '1.2.3.4')
- ipset = linux_net.IpSet('somename',execute=verify_cmd)
- ipset.add_ip('1.2.3.4')
- self.assertTrue('1.2.3.4' in ipset)
-
- self.expected_cmd = ('ipset', '-D', 'run_tests.py-somename', '1.2.3.4')
- ipset.remove_ip('1.2.3.4')
- self.assertTrue('1.2.3.4' not in ipset)
- self.assertEquals(self.verify_cmd_call_count, 2)
-
-
- def test_two_adds_one_remove(self):
- """Adding the same address twice works. Removing it once removes it entirely."""
- ipset = linux_net.IpSet('somename')
-
- ipset.add_ip('1.2.3.4')
- ipset.add_ip('1.2.3.4')
- ipset.remove_ip('1.2.3.4')
- self.assertTrue('1.2.3.4' not in ipset)
-
class IptablesManagerTestCase(test.TestCase):
sample_filter = ['#Generated by iptables-save on Fri Feb 18 15:17:05 2011',
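Review bot: `import os` is added at the top of the test module on the new side, but nothing in this hunk uses it; the only other change here is removing the IpSet test cases, so unless a later part of the file (outside the hunk) references `os`, the import is dead and should be dropped, as pyflakes/ruff will flag it. If it is intended for a follow-up, a short comment or deferring the import to that change would avoid leaving an unexplained unused import in the test suite.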
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index aa36e4184..4d615058b 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -709,23 +709,14 @@ class IptablesFirewallDriver(FirewallDriver):
args += ['-s', rule.cidr]
fw_rules += [' '.join(args)]
else:
- LOG.info('Not using cidr %r', rule.cidr)
- if self.iptables.ipset_supported():
- LOG.info('ipset supported %r', rule.cidr)
- ipset = linux_net.IpSet('%s' % rule.group_id)
- args += ipset.iptables_source_match()
- fw_rules += [' '.join(args)]
- else:
- LOG.info('ipset unsupported %r', rule.cidr)
- LOG.info('rule.grantee_group.instances: %r', rule.grantee_group.instances)
- for instance in rule.grantee_group.instances:
- LOG.info('instance: %r', instance)
- ips = db.instance_get_fixed_addresses(ctxt,
- instance['id'])
- LOG.info('ips: %r', ips)
- for ip in ips:
- subrule = args + ['-s %s' % ip]
- fw_rules += [' '.join(subrule)]
+ for instance in rule.grantee_group.instances:
+ LOG.info('instance: %r', instance)
+ ips = db.instance_get_fixed_addresses(ctxt,
+ instance['id'])
+ LOG.info('ips: %r', ips)
+ for ip in ips:
+ subrule = args + ['-s %s' % ip]
+ fw_rules += [' '.join(subrule)]
LOG.info('Using fw_rules: %r', fw_rules)
ipv4_rules += ['-j $sg-fallback']
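Review bot: The surviving `LOG.info('instance: %r', instance)` and `LOG.info('ips: %r', ips)` lines on the new side log the full instance record and its fixed addresses at INFO level for every grantee instance on every rule refresh; these read as leftover tracing from the removed ipset path and should be downgraded to `LOG.debug(...)` or dropped, so routine refreshes do not spray instance records into the operator log. Separately, `subrule = args + ['-s %s' % ip]` splices whatever `db.instance_get_fixed_addresses` returns straight into an iptables rule string, whereas the cidr branch above appends `'-s', rule.cidr` as separate tokens; a brief comment noting the reliance on the DB returning bare, well-formed addresses (or a check that each entry has no whitespace before it is joined) would document the assumption that keeps an unexpected value from altering the generated rule set. Note also that when a grantee group has no instances the rule emits nothing, which fails closed but is worth a one-line comment. The enclosing method starts and ends outside the hunk.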
@@ -738,9 +729,8 @@ class IptablesFirewallDriver(FirewallDriver):
return self.nwfilter.instance_filter_exists(instance)
def refresh_security_group_members(self, security_group):
- if not self.iptables.ipset_supported():
- self.do_refresh_security_group_rules(security_group)
- self.iptables.apply()
+ self.do_refresh_security_group_rules(security_group)
+ self.iptables.apply()
def refresh_security_group_rules(self, security_group, network_info=None):
self.do_refresh_security_group_rules(security_group, network_info)