Comment 0 for bug 1881157

When any port in the OVS agent is using a SG, is marked to be deleted. This deletion process is done in [1].

The SG deletion process consists on removing any reference of this SG from the firewall and the SG port map. The firewall removes this SG in [2].

The information of a SG is stored in:
- ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the conjunction IDS (conj_ids) in a dictionary using the following keys:
  ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype, conj_ids)] = conj_id_XXX

- ConjIPFlowManager.conj_ids is a nested dictionary, built in the following way:
  self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = set([conj_id_1, conj_id_2, ...])

When a SG is removed, this reference should be deleted both from "conj_id_map" and "conj_ids". From "conj_id_map" is correctly removed in [3]. But from "conj_ids" is not being deleted properly. Instead of the current logic, what we should do is to walk through the nested dictionary and remove any entry with "remote_sg_id" == "sg_id" (<-- SG ID to be removed).

The current implementation leaves some "remote_sg_id" in the nested dictionary "conj_ids". That could cause:
- A memory leak in the OVS agent, storing in memory those unneeded remote SG.
- A increase in the complexity of the OVS rules, adding those unused SG (actually the conj_ids related to those SG)
- A security breach between SGs if the conj_ids left in an unused SG is deleted and reused again (the FW stores the unused conj_ids to be recycled in later rules).

[1]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
[2]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399
[3]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L296