
@vishvananda
Created June 25, 2012 21:13
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 42fb9cc..a30c767 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -136,6 +136,14 @@ class IptablesTable(object):
self.chains = set()
self.unwrapped_chains = set()
+ def __eq__(self, other):
+ return ((self.rules == other.rules) and
+ (self.chains == other.chains) and
+ (self.unwrapped_chains == other.unwrapped_chains))
+
+ def __ne__(self, other):
+ return not self == other
+
def add_chain(self, name, wrap=True):
"""Adds a named chain to the table.
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 89559a8..4a8f47b 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -148,10 +148,10 @@ class IptablesFirewallDriver(FirewallDriver):
self.instances[instance['id']] = instance
self.network_infos[instance['id']] = network_info
self.add_filters_for_instance(instance)
+ self.iptables.apply()
LOG.debug(_('Filters added to instance'), instance=instance)
self.refresh_provider_fw_rules()
LOG.debug(_('Provider Firewall Rules refreshed'), instance=instance)
- self.iptables.apply()
def _create_filter(self, ips, chain_name):
return ['-d %s -j $%s' % (ip, chain_name) for ip in ips]
@@ -384,29 +384,37 @@ class IptablesFirewallDriver(FirewallDriver):
pass
def refresh_security_group_members(self, security_group):
- self.do_refresh_security_group_rules(security_group)
- self.iptables.apply()
+ if self.do_refresh_security_group_rules(security_group):
+ self.iptables.apply()
def refresh_security_group_rules(self, security_group):
- self.do_refresh_security_group_rules(security_group)
- self.iptables.apply()
+ if self.do_refresh_security_group_rules(security_group):
+ self.iptables.apply()
@utils.synchronized('iptables', external=True)
def do_refresh_security_group_rules(self, security_group):
+ ipv4rules = self.iptables.ipv4['filter']
+ ipv6rules = self.iptables.ipv6['filter']
for instance in self.instances.values():
self.remove_filters_for_instance(instance)
self.add_filters_for_instance(instance)
+ return (self.iptables.ipv4['filter'] != ipv4rules or
+ self.iptables.ipv6['filter'] != ipv6rules)
def refresh_provider_fw_rules(self):
"""See :class:`FirewallDriver` docs."""
- self._do_refresh_provider_fw_rules()
- self.iptables.apply()
+ if self._do_refresh_provider_fw_rules():
+ self.iptables.apply()
@utils.synchronized('iptables', external=True)
def _do_refresh_provider_fw_rules(self):
"""Internal, synchronized version of refresh_provider_fw_rules."""
+ ipv4rules = self.iptables.ipv4['filter']
+ ipv6rules = self.iptables.ipv6['filter']
self._purge_provider_fw_rules()
self._build_provider_fw_rules()
+ return (self.iptables.ipv4['filter'] != ipv4rules or
+ self.iptables.ipv6['filter'] != ipv6rules)
def _purge_provider_fw_rules(self):
"""Remove all rules from the provider chains."""