Unfilter instance correctly on termination.

2 files changed, 7 insertions, 5 deletions

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 1f96a4d55..1145bfa7a 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -101,6 +101,10 @@ class IptablesTable(object):
         self.chains.add(name)
 
     def remove_chain(self, name):
+        if name not in self.chain:
+            LOG.debug(_("Attempted to remove chain %s which doesn't exist"),
+                      name)
+            return
         self.chains.remove(name)
         self.rules = filter(lambda r: r.chain != name, self.rules)
 
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index daf8f0ed7..0c355e48e 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1219,9 +1219,11 @@ class IptablesFirewallDriver(FirewallDriver):
         """No-op. Everything is done in prepare_instance_filter"""
         pass
 
-    def remove_instance(self, instance):
+    def unfilter_instance(self, instance):
         if instance['id'] in self.instances:
             del self.instances[instance['id']]
+            self.remove_filters_for_instance(instance)
+            self.iptables.apply()
         else:
             LOG.info(_('Attempted to unfilter instance %s which is not '
                        'filtered'), instance['id'])
@@ -1257,10 +1259,6 @@ class IptablesFirewallDriver(FirewallDriver):
             for rule in ipv6_rules:
                 self.iptables.ipv6['filter'].add_rule(chain_name, rule)
 
-    def unfilter_instance(self, instance):
-        self.remove_filters_for_instance(instance)
-        self.iptables.apply()
-
     def remove_filters_for_instance(self, instance):
         chain_name = self._instance_chain_name(instance)