Comment 9 for bug 1945306

Hua Zhang (zhhuabj) wrote :

I also did some tests to confirm whether any manual intervention is required when the flag is toggled from true to false [1].

The flow [2] will not be deleted by the following tests.

1, update SG member

PROJECT_ID=$(openstack project show --domain admin_domain admin -f value -c id)
SECGRP_ID=$(openstack security group list --project ${PROJECT_ID} | awk '/default/ {print $2}')
openstack security group rule create ${SECGRP_ID} --protocol tcp --dst-port 2222 --ingress

2, update port SG

openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --no-security-group
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --disable-port-security
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --enable-port-security
openstack port set f9977d83-dade-4849-b0a5-b151c9812e94 --security-group $SECGRP_ID

3, update network SG

openstack network set private --disable-port-security
openstack network set private --enable-port-security

4, restart neutron-openvswitch-agent.service

That is, unless I restart the machine. However, rebooting the machine might not be acceptable in production, so removing the following flows by hand may be a workaround to get it up with the config change with minimal destruction; it can avoid restarting the machine.

# fa:16:3e:7a:11:7d is mac of sg-xxx interface
# ovs-ofctl dump-flows br-int |grep fa:16:3e:7a:11:7d |grep -E 'priority=12|priority=10'
 cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=12,reg6=0x2,dl_dst=fa:16:3e:7a:11:7d actions=output:5
 cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=10,reg6=0x2,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:2,output:2

[1] https://review.opendev.org/c/openstack/charm-neutron-openvswitch/+/813407
[2] https://bugs.launchpad.net/neutron/+bug/1945306/comments/3
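
An added example, not part of the original comment or of the Neutron or charm code: a dry-run helper for the manual workaround described above, which turns `ovs-ofctl dump-flows` output into `--strict del-flows` commands that can be reviewed before anything is removed. It assumes the leftover flows sit in table 94, as in the output shown; the name `gen_del_cmds` and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Reads `ovs-ofctl dump-flows <bridge>` output on stdin and PRINTS (never runs)
# one strict del-flows command per flow that mentions the given MAC, is in
# table 94 (assumption taken from the output in the comment) and has
# priority 10 or 12. OVS prints MACs in lowercase, so pass the MAC lowercase.
gen_del_cmds() {
    mac=$1
    bridge=${2:-br-int}
    awk -v mac="$mac" -v br="$bridge" '
    index($0, mac) == 0 { next }            # flow does not reference this MAC
    {
        table = ""; spec = ""
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            sub(/,$/, "", t)                # drop the separator after stats fields
            if (t ~ /^table=/)    table = t
            if (t ~ /^priority=/) spec = t  # priority plus the whole match
        }
        if (table != "table=94") next
        if (spec !~ /^priority=(10|12),/) next
        # --strict makes del-flows honour the priority and the exact match,
        # so only this one flow is removed, not every flow it would cover.
        printf "ovs-ofctl --strict del-flows %s \"%s,%s\"\n", br, table, spec
    }'
}

# Sample input: the first two lines are the flows quoted in the comment,
# the last two are constructed to show what the filter leaves alone.
SAMPLE=' cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=12,reg6=0x2,dl_dst=fa:16:3e:7a:11:7d actions=output:5
 cookie=0xf6202ec41ea7282d, duration=329.516s, table=94, n_packets=0, n_bytes=0, idle_age=333, priority=10,reg6=0x2,dl_src=fa:16:3e:7a:11:7d,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=mod_vlan_vid:2,output:2
 cookie=0x1, duration=1.0s, table=94, n_packets=0, n_bytes=0, idle_age=1, priority=12,reg6=0x2,dl_dst=fa:16:3e:00:00:01 actions=output:6
 cookie=0x1, duration=1.0s, table=60, n_packets=0, n_bytes=0, idle_age=1, priority=100,in_port=5,dl_src=fa:16:3e:7a:11:7d actions=drop'

printf '%s\n' "$SAMPLE" | gen_del_cmds fa:16:3e:7a:11:7d
```

On a live host the input would come from `ovs-ofctl dump-flows br-int` piped into `gen_del_cmds` with the MAC of the affected interface.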