1 files changed, 24 insertions, 11 deletions

diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 9ce57b6c9..16e5070c6 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -664,11 +664,10 @@ class IptablesFirewallDriver(FirewallDriver):
                 LOG.debug(_('Adding security group rule: %r'), rule)
 
                 if not rule.cidr:
-                    # Eventually, a mechanism to grant access for security
-                    # groups will turn up here. It'll use ipsets.
-                    continue
+                    version = 4
+                else:
+                    version = netutils.get_ip_version(rule.cidr)
 
-                version = netutils.get_ip_version(rule.cidr)
                 if version == 4:
                     fw_rules = ipv4_rules
                 else:
@@ -678,16 +677,16 @@ class IptablesFirewallDriver(FirewallDriver):
                 if version == 6 and rule.protocol == 'icmp':
                     protocol = 'icmpv6'
 
-                args = ['-p', protocol, '-s', rule.cidr]
+                args = ['-j ACCEPT', '-p', protocol]
 
-                if rule.protocol in ['udp', 'tcp']:
+                if protocol in ['udp', 'tcp']:
                     if rule.from_port == rule.to_port:
                         args += ['--dport', '%s' % (rule.from_port,)]
                     else:
                         args += ['-m', 'multiport',
                                  '--dports', '%s:%s' % (rule.from_port,
                                                         rule.to_port)]
-                elif rule.protocol == 'icmp':
+                elif protocol == 'icmp':
                     icmp_type = rule.from_port
                     icmp_code = rule.to_port
 
@@ -706,9 +705,22 @@ class IptablesFirewallDriver(FirewallDriver):
                             args += ['-m', 'icmp6', '--icmpv6-type',
                                      icmp_type_arg]
 
-                args += ['-j ACCEPT']
-                fw_rules += [' '.join(args)]
-
+                if rule.cidr:
+                    LOG.info('Using cidr %r', rule.cidr)
+                    args += ['-s', rule.cidr]
+                    fw_rules += [' '.join(args)]
+                else:
+                    if rule['grantee_group']:
+                        for instance in rule['grantee_group']['instances']:
+                            LOG.info('instance: %r', instance)
+                            ips = db.instance_get_fixed_addresses(ctxt,
+                                                                instance['id'])
+                            LOG.info('ips: %r', ips)
+                            for ip in ips:
+                                subrule = args + ['-s %s' % ip]
+                                fw_rules += [' '.join(subrule)]
+
+                LOG.info('Using fw_rules: %r', fw_rules)
         ipv4_rules += ['-j $sg-fallback']
         ipv6_rules += ['-j $sg-fallback']
 
@@ -719,7 +731,8 @@ class IptablesFirewallDriver(FirewallDriver):
         return self.nwfilter.instance_filter_exists(instance)
 
     def refresh_security_group_members(self, security_group):
-        pass
+        self.do_refresh_security_group_rules(security_group)
+        self.iptables.apply()
 
     def refresh_security_group_rules(self, security_group, network_info=None):
         self.do_refresh_security_group_rules(security_group, network_info)