← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #52263

[Bug 1592005] [NEW] [RFE] Security-groups that blocks matched traffic

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Neutron security-group allow the user to define security groups so that only traffic matched with security group rules are allowed.
Sometimes it’s simpler to define these rules as blocking rules which matched on traffic that should not be allowed (e.g - allow all traffic except ssh).

Supporting both ‘deny’ and ‘allow’ rules combined in one security-group may impair the simplicity of the security-group API, therefore, we'd like to consider the option of allowing a new type of security-group, one which all rules implicit action is 'deny'.
This group should be constructed as any other security-group (by creating rules and assigning to ports).
A Neutron port then could be associated with one or more of both security-group types.

For each port, ’deny’ rules (when port is associated with one or more
"deny" security group) will always be matched before ‘allow’ rules.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1592005

Title:
  [RFE] Security-groups that blocks matched traffic

Status in neutron:
  New

Bug description:
  Neutron security-group allow the user to define security groups so that only traffic matched with security group rules are allowed.
  Sometimes it’s simpler to define these rules as blocking rules which matched on traffic that should not be allowed (e.g - allow all traffic except ssh).

  Supporting both ‘deny’ and ‘allow’ rules combined in one security-group may impair the simplicity of the security-group API, therefore, we'd like to consider the option of allowing a new type of security-group, one which all rules implicit action is 'deny'.
  This group should be constructed as any other security-group (by creating rules and assigning to ports).
  A Neutron port then could be associated with one or more of both security-group types.

  For each port, ’deny’ rules (when port is associated with one or more
  "deny" security group) will always be matched before ‘allow’ rules.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1592005/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next