Diffstat (limited to 'nova/virt')
-rw-r--r--nova/virt/baremetal/driver.py4
-rw-r--r--nova/virt/fake.py3
-rw-r--r--nova/virt/firewall.py17
-rw-r--r--nova/virt/libvirt/driver.py3
-rw-r--r--nova/virt/xenapi/driver.py7
-rw-r--r--nova/virt/xenapi/vmops.py4
6 files changed, 38 insertions, 0 deletions
diff --git a/nova/virt/baremetal/driver.py b/nova/virt/baremetal/driver.py
index 5bbb23995..3da59e929 100644
--- a/nova/virt/baremetal/driver.py
+++ b/nova/virt/baremetal/driver.py
@@ -655,6 +655,10 @@ class BareMetalDriver(driver.ComputeDriver):
# Bare metal doesn't currently support security groups
pass
+ def refresh_instance_security_rules(self, instance):
+ # Bare metal doesn't currently support security groups
+ pass
+
def update_available_resource(self, ctxt, host):
"""Updates compute manager resource info on ComputeNode table.
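Review bot: The new `refresh_instance_security_rules` in BareMetalDriver returns without doing or recording anything, so a security-group change for a bare-metal instance looks refreshed to the caller while no rule is enforced. The inline comment explains why, but it leaves no trace at runtime. Consider a docstring stating that rules are not applied on this driver, and a debug log such as `LOG.debug("security group refresh ignored: unsupported on bare metal")`, assuming the module already defines `LOG`, which this hunk does not show.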
diff --git a/nova/virt/fake.py b/nova/virt/fake.py
index f87e78af4..178bfb066 100644
--- a/nova/virt/fake.py
+++ b/nova/virt/fake.py
@@ -213,6 +213,9 @@ class FakeDriver(driver.ComputeDriver):
def refresh_security_group_members(self, security_group_id):
return True
+ def refresh_instance_security_rules(self, instance):
+ return True
+
def refresh_provider_fw_rules(self):
pass
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 2afb8b6cf..20f23906f 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -75,6 +75,14 @@ class FirewallDriver(object):
the security group."""
raise NotImplementedError()
+ def refresh_instance_security_rules(self, instance):
+ """Refresh security group rules from data store
+
+ Gets called when an instance gets added to or removed from
+ the security group the instance is a member of or if the
+ group gains or looses a rule."""
+ raise NotImplementedError()
+
def refresh_provider_fw_rules(self):
"""Refresh common rules for all hosts/instances from data store.
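Review bot: The docstring added to FirewallDriver.refresh_instance_security_rules has a typo, and its summary describes the group rather than the instance: `looses` should be `loses`, and the first line could read `Refresh the filter rules of a single instance from the data store.` It also does not say what `instance` must contain. Separately, the base method raises NotImplementedError, so any FirewallDriver subclass not touched by this commit would fail on the new call and keep its old rules in place. That is worth checking against the subclasses outside this diff.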
@@ -391,12 +399,21 @@ class IptablesFirewallDriver(FirewallDriver):
self.do_refresh_security_group_rules(security_group)
self.iptables.apply()
+ def refresh_instance_security_rules(self, instance):
+ self.do_refresh_instance_rules(instance)
+ self.iptables.apply()
+
@utils.synchronized('iptables', external=True)
def do_refresh_security_group_rules(self, security_group):
for instance in self.instances.values():
self.remove_filters_for_instance(instance)
self.add_filters_for_instance(instance)
+ @utils.synchronized('iptables', external=True)
+ def do_refresh_instance_rules(self, instance):
+ self.remove_filters_for_instance(instance)
+ self.add_filters_for_instance(instance)
+
def refresh_provider_fw_rules(self):
"""See :class:`FirewallDriver` docs."""
self._do_refresh_provider_fw_rules()
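Review bot: `do_refresh_instance_rules` removes and re-adds filters for whatever instance it is handed, while `do_refresh_security_group_rules` just above only touches entries in `self.instances`. Nothing in the hunk confirms that the instance is one this host already filters. If `remove_filters_for_instance` or `add_filters_for_instance` (both outside the hunk) assume a prepared instance, a refresh for an untracked one could raise or install chains for a VM this host does not run. A membership check against `self.instances` before the remove/add pair, logging and returning when the instance is absent, would keep the two paths consistent. `refresh_instance_security_rules` also lacks the `"""See :class:`FirewallDriver` docs."""` docstring that `refresh_provider_fw_rules` carries.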
diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
index 57459b0c0..ba04dd70d 100644
--- a/nova/virt/libvirt/driver.py
+++ b/nova/virt/libvirt/driver.py
@@ -2173,6 +2173,9 @@ class LibvirtDriver(driver.ComputeDriver):
def refresh_security_group_members(self, security_group_id):
self.firewall_driver.refresh_security_group_members(security_group_id)
+ def refresh_instance_security_rules(self, instance):
+ self.firewall_driver.refresh_instance_security_rules(instance)
+
def refresh_provider_fw_rules(self):
self.firewall_driver.refresh_provider_fw_rules()
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
index ac4547166..8891e9106 100644
--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -516,6 +516,13 @@ class XenAPIDriver(driver.ComputeDriver):
"""
return self._vmops.refresh_security_group_members(security_group_id)
+ def refresh_instance_security_rules(self, instance):
+ """ Updates security group rules for specified instance
+ Invoked when instances are added/removed to a security group
+ or when a rule is added/removed to a security group
+ """
+ return self._vmops.refresh_instance_security_rules(instance)
+
def refresh_provider_fw_rules(self):
return self._vmops.refresh_provider_fw_rules()
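Review bot: The return value of `refresh_instance_security_rules` is inconsistent across the drivers in this commit. XenAPIDriver returns the result of `self._vmops.refresh_instance_security_rules(instance)`, but the VMOps method added in nova/virt/xenapi/vmops.py has no `return`, so this is always None; FakeDriver in nova/virt/fake.py returns True, and the baremetal and libvirt versions return None. A caller cannot use the result to tell whether rules were actually re-applied, so either drop the `return` here or document the contract on the base driver. The new docstrings also start with a stray space (`""" Updates ...`, `""" recreates ...`) and lack a one-line summary ending in a period.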
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index 39c0f994e..9f00dc75e 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -1456,6 +1456,10 @@ class VMOps(object):
""" recreates security group rules for every instance """
self.firewall_driver.refresh_security_group_members(security_group_id)
+ def refresh_instance_security_rules(self, instance):
+ """ recreates security group rules for specified instance """
+ self.firewall_driver.refresh_instance_security_rules(instance)
+
def refresh_provider_fw_rules(self):
self.firewall_driver.refresh_provider_fw_rules()