Don't install iptables rules if neutron is filtering

Don't setup iptables rules in the Linux Bridge driver
if Neutron is providing security groups filtering.
When neutron is providing filtering, it handles everything
ranging from security-group enforcement to anti-spoofing
rules so Nova/os-vif shouldn't need to do anything on plug.

Change-Id: I19d62a8ac730aba2586b9f8eb08e153746ec2bcb

vif_plug_linux_bridge/linux_bridge.py

@@ -102,7 +102,10 @@ class LinuxBridgePlugin(plugin.PluginBase):
                                              bridge_name, iface, mtu=mtu)
             else:
                 iface = self.config.flat_interface or network.bridge_interface
-                linux_net.ensure_bridge(bridge_name, iface)
+                # only put in iptables rules if Neutron not filtering
+                install_filters = not vif.has_traffic_filtering
+                linux_net.ensure_bridge(bridge_name, iface,
+                                        filtering=install_filters)
 
     def unplug(self, vif, instance_info):
         # Nothing required to unplug a port for a VIF using standard

vif_plug_linux_bridge/tests/test_plugin.py

@@ -66,14 +66,20 @@ class PluginTest(testtools.TestCase):
             address='ca:fe:de:ad:be:ef',
             network=network,
             dev_name='tap-xxx-yyy-zzz',
+            has_traffic_filtering=True,
             bridge_name="br0")
 
         plugin = linux_bridge.LinuxBridgePlugin.load("linux_bridge")
         plugin.plug(vif, self.instance)
 
-        mock_ensure_bridge.assert_called_with("br0", "eth0")
+        mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=False)
         self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)
 
+        mock_ensure_bridge.reset_mock()
+        vif.has_traffic_filtering = False
+        plugin.plug(vif, self.instance)
+        mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=True)
+
     def test_plug_bridge_create_br_vlan_mtu_in_model(self):
         self._test_plug_bridge_create_br_vlan(mtu=1234)