yahoo-eng-team team mailing list archive
Message #59721
[Bug 1649417] [NEW] RFE: Security group rule using address set
Public bug reported:
Today, if we want to create a rule in a security group to allow access
to/from a set of remote IPs, there are 2 ways:
1. If the set of remote IPs belongs to a group of Neutron ports, we can
attach those remote Neutron ports to a Neutron security group and use
the "remote group" field in the security group rule.
2. If the set of remote IPs can't be mapped to Neutron ports (they can
be IPs from an external or legacy networking system), we will have to
white-list each individual IP (if they cannot be summarized into CIDRs)
in each rule that references that set of IPs in the remote_ip_prefix
field.
For 2, if the number of remote IPs is huge, it will be inefficient in
the Neutron security group implementation and cause scaling issues. Now that
some back-end SDN systems (e.g. OVN) support the concept of an "address set",
it would be good to have the same model in Neutron security groups, so that
the "address set" capability can be used directly for external
IPs.
It can be a simple extension to Neutron's security group extension, to
support an "Address Set" object and reference it in Neutron security group
rules.
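As an added illustration (not Neutron code, and not from the bug reporter), the toy model below contrasts option 2 today, where each remote IP becomes its own remote_ip_prefix rule and its own backend match, with the proposed model, where one rule references an address set and the backend match names the set, in the style of an OVN ACL matching against an Address_Set. The field name remote_address_set, the set name and the sample IPs are assumptions; the page defines no API.

```python
"""Toy model of the RFE (not Neutron code): one rule per remote IP today
versus one rule referencing an address set. The field name
remote_address_set and the set name are assumptions; the page defines no API."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AddressSet:
    name: str
    addresses: set = field(default_factory=set)  # normalised IPs/CIDRs

    def add(self, addr):
        # ipaddress rejects anything that is not an IP or CIDR (ValueError),
        # so a malformed member cannot silently widen the set
        self.addresses.add(str(ipaddress.ip_network(addr, strict=False)))


@dataclass
class Rule:
    direction: str                  # "ingress" or "egress"
    port: int
    remote_ip_prefix: str = None    # today's per-IP/CIDR field
    remote_address_set: str = None  # proposed reference to an AddressSet


def compile_per_ip(ips, port):
    """Option 2 today: one rule and one backend match per remote IP."""
    rules = [Rule("ingress", port, remote_ip_prefix=ip) for ip in ips]
    matches = [f"ip4.src == {r.remote_ip_prefix} && tcp.dst == {port}" for r in rules]
    return rules, matches


def compile_address_set(aset, port):
    """Proposed: one rule; the backend match references the set by name,
    in the style of an OVN ACL match against an Address_Set ($name)."""
    rule = Rule("ingress", port, remote_address_set=aset.name)
    return [rule], [f"ip4.src == ${aset.name} && tcp.dst == {port}"]


# Constructed sample: 200 remote IPs from the TEST-NET-1 documentation range
SAMPLE_IPS = [f"192.0.2.{i}" for i in range(1, 201)]


def compare(ips=SAMPLE_IPS, port=443):
    """Return (per-IP rule count, address-set rule count, set size, set match)."""
    per_ip_rules, _ = compile_per_ip(ips, port)
    aset = AddressSet("legacy_monitoring")
    for ip in ips:
        aset.add(ip)
    set_rules, set_matches = compile_address_set(aset, port)
    return len(per_ip_rules), len(set_rules), len(aset.addresses), set_matches[0]


if __name__ == "__main__":
    print(compare())
```

Growing the set later changes only the set's membership; the single referencing rule and its match stay the same, which is the scaling property the report asks for.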
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1649417