-rw-r--r--nova/compute/manager.py5
-rw-r--r--nova/endpoint/cloud.py20
-rw-r--r--nova/virt/libvirt_conn.py37
3 files changed, 46 insertions, 16 deletions
diff --git a/nova/compute/manager.py b/nova/compute/manager.py
index 5f7a94106..a00fd9baa 100644
--- a/nova/compute/manager.py
+++ b/nova/compute/manager.py
@@ -63,6 +63,11 @@ class ComputeManager(manager.Manager):
@defer.inlineCallbacks
@exception.wrap_exception
+ def refresh_security_group(self, context, security_group_id, **_kwargs):
+ self.driver.refresh_security_group(security_group_id)
+
+ @defer.inlineCallbacks
+ @exception.wrap_exception
def run_instance(self, context, instance_id, **_kwargs):
"""Launch a new instance with specified options."""
instance_ref = self.db.instance_get(context, instance_id)
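Review bot: `refresh_security_group` on L17-L18 is decorated with `@defer.inlineCallbacks` but contains no `yield`, so it is a plain function rather than a generator and Twisted's inlineCallbacks will fail when the RPC dispatcher invokes it (the exact exception depends on the Twisted version). The driver call should be yielded, `yield self.driver.refresh_security_group(security_group_id)`, which also lets a failure from the driver surface through `@exception.wrap_exception` once the libvirt driver returns the Deferred it currently drops. The `context` argument is accepted and ignored, consistent with the RPC caller sending `None`, but it means a filter refresh on a host carries no record of who triggered it. `run_instance` continues past the end of this hunk.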
diff --git a/nova/endpoint/cloud.py b/nova/endpoint/cloud.py
index 7408e02e9..1403a62f6 100644
--- a/nova/endpoint/cloud.py
+++ b/nova/endpoint/cloud.py
@@ -93,6 +93,14 @@ class CloudController(object):
result[instance['key_name']] = [line]
return result
+ def _refresh_security_group(self, security_group):
+ nodes = set([instance.host for instance in security_group.instances])
+ for node in nodes:
+ rpc.call('%s.%s' % (FLAGS.compute_topic, node),
+ { "method": "refresh_security_group",
+ "args": { "context": None,
+ "security_group_id": security_group.id}})
+
def get_metadata(self, address):
instance_ref = db.fixed_ip_get_instance(None, address)
if instance_ref is None:
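Review bot: The return value of `rpc.call` on L35 is discarded, so whatever it produces — a Deferred nobody waits on, or an error because a compute host did not answer — is lost, and the authorize/revoke callers in this commit go on to return True while that host may still enforce the old rule set. Since the reply is never read, `rpc.cast` with the same topic and message expresses the intent if the rpc module provides it; if the push is meant to be awaited, collect the results from the loop and return them so the callers can report a failed push instead of unconditional success. Sending `"context": None` matches the manager ignoring it, but forwarding the caller's context would at least let the compute side log which request caused the refresh.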
@@ -265,12 +273,12 @@ class CloudController(object):
if source_security_group_name:
source_project_id = self._get_source_project_id(context,
source_security_group_owner_id)
-
+
source_security_group = \
db.security_group_get_by_name(context,
source_project_id,
source_security_group_name)
-
+
criteria['group_id'] = source_security_group.id
elif cidr_ip:
criteria['cidr'] = cidr_ip
@@ -292,6 +300,9 @@ class CloudController(object):
break
# If we make it here, we have a match
db.security_group_rule_destroy(context, rule.id)
+
+ self._refresh_security_group(security_group)
+
return True
@rbac.allow('netadmin')
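Review bot: The refresh on L63 runs after `db.security_group_rule_destroy`, which is the right order for a revoke — the host rebuilds the filter from the group's current rules, presumably read back from the DB by `security_group_to_nwfilter_xml`, so refreshing before the destroy would re-apply the rule being removed — but nothing records that this ordering is deliberate. A comment above the call, `# Refresh only after the rule is gone from the DB: hosts regenerate the nwfilter from the stored rules`, would keep a later refactor from hoisting it. The enclosing revoke method starts before this hunk, so the no-match return path is not visible here.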
@@ -330,8 +341,11 @@ class CloudController(object):
return None
security_group_rule = db.security_group_rule_create(context, values)
+
+ self._refresh_security_group(security_group)
+
return True
-
+
def _get_source_project_id(self, context, source_security_group_owner_id):
if source_security_group_owner_id:
# Parse user:project for source group.
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 89ede1d1a..a343267dc 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -444,6 +444,12 @@ class LibvirtConnection(object):
domain = self._conn.lookupByName(instance_name)
return domain.interfaceStats(interface)
+
+ def refresh_security_group(self, security_group_id):
+ fw = self.NWFilterFirewall(self._conn)
+ fw.ensure_security_group_filter(security_group_id, override=True)
+
+
class NWFilterFirewall(object):
"""
This class implements a network filtering mechanism versatile
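Review bot: `refresh_security_group` on L87-L89 drops the Deferred that `ensure_security_group_filter` returns (it is `return self.define_filter(...)`, and `define_filter` ends with `return d` further down in this file), so a failed `nwfilterDefineXML` — the host keeping a revoked rule in force — is never reported back to the compute manager that requested the refresh. Returning it, `return fw.ensure_security_group_filter(security_group_id, override=True)`, lets the caller wait on or log the outcome. A fresh `NWFilterFirewall` is built on every refresh, which is harmless if the class only wraps the connection, but a one-line docstring stating that `override=True` unconditionally redefines the named filter would make the intent explicit.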
@@ -533,27 +539,32 @@ class NWFilterFirewall(object):
return 'nova-secgroup-%d' % (security_group_id,)
- def ensure_filter(self, name, xml_generator):
- def _already_exists_check(filterlist, filter):
- return filter in filterlist
- def _define_if_not_exists(exists, xml_generator):
- if not exists:
- xml = xml_generator()
- return threads.deferToThread(self._conn.nwfilterDefineXML, xml)
- d = threads.deferToThread(self._conn.listNWFilter)
- d.addCallback(_already_exists_check, name)
+ def define_filter(self, name, xml_generator, override=False):
+ if not override:
+ def _already_exists_check(filterlist, filter):
+ return filter in filterlist
+ def _define_if_not_exists(exists, xml_generator):
+ if not exists:
+ xml = xml_generator()
+ return threads.deferToThread(self._conn.nwfilterDefineXML, xml)
+ d = threads.deferToThread(self._conn.listNWFilter)
+ d.addCallback(_already_exists_check, name)
+ else:
+ # Pretend we looked it up and it wasn't defined
+ d = defer.succeed(False)
d.addCallback(_define_if_not_exists, xml_generator)
return d
def ensure_base_filter(self):
- return self.ensure_filter('nova-base-filter', self.nova_base_filter)
+ return self.define_filter('nova-base-filter', self.nova_base_filter)
- def ensure_security_group_filter(self, security_group_id):
- return self.ensure_filter(
+ def ensure_security_group_filter(self, security_group_id, override=False):
+ return self.define_filter(
self._nwfilter_name_for_security_group(security_group_id),
- lambda:self.security_group_to_nwfilter_xml(security_group_id))
+ lambda:self.security_group_to_nwfilter_xml(security_group_id),
+ override=override)
def security_group_to_nwfilter_xml(self, security_group_id):