
yahoo-eng-team team mailing list archive

[Bug 1983053] Re: [RFE] Add possibility to define default security group rules

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/884474
Committed: https://opendev.org/openstack/neutron/commit/a4c8392209f7935cc6699c1cf9dc36d483b2f864
Submitter: "Zuul (22348)"
Branch:    master

commit a4c8392209f7935cc6699c1cf9dc36d483b2f864
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Fri May 26 12:01:31 2023 +0200

    Default SG rules - use new rules templates to create rules for SGs
    
    Default SG rules created as template in the Neutron DB are now used to
    create security group rules for each new default and non-default SG
    created in Neutron.
    
    Closes-bug: #1983053
    Change-Id: Iaf27deb955c3844409fcd36239511478e9607a82


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1983053

Title:
  [RFE] Add possibility to define default security group rules

Status in neutron:
  Fix Released

Bug description:
  Currently, when the default security group is created for every new project, there are 4 hardcoded rules added to it. Those rules allow:
  1. IPv4 egress traffic from port,
  2. IPv6 egress traffic from port,
  3. IPv4 ingress traffic to port incoming from other ports which are using the same security group,
  4. IPv6 ingress traffic to port incoming from other ports which are using the same security group.

  There are a couple of issues with that:
  1. it is a known fact that SG rules with remote_group_id (rules 3 and 4 above) don't scale well, e.g. with neutron-openvswitch-agent,
  2. Some operators would like to define different rules to be created by default for each new project.

  So this RFE proposes to add the possibility for operators (maybe admin users) to define SG rules which will be added by default to the default security group of each project.
  To keep backward compatibility with what we have now, which has worked like that for many years, by default we may configure those 4 rules mentioned above as the default SG rules, but the operator (admin user) will have the possibility to change them.

  I mentioned that it can be defined by the operator or an admin user
  because we may implement it as a new API which will be available for
  admins only, or e.g. via some special config file (something similar to
  policy.yaml), which could then be modified by the cloud's operator.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1983053/+subscriptions
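The template mechanism the RFE asks for, and which the committed change applies to both default and non-default SGs, can be modelled stand-alone. The block below is an added illustration written for this archive page, not Neutron's code: rule templates are plain dicts, the `SELF_GROUP` sentinel and the `used_in_default_sg` / `used_in_non_default_sg` field names are this example's own modelling choices, and the "operator" policy and the 192.0.2.0/24 management prefix are constructed. It shows how the four legacy rules expand for a new group (the remote-group ingress rules bound to the group's own id), how an operator policy without remote_group_id rules expands instead, and the two consistency checks a template set should pass before it is stored.

```python
"""Model of Neutron's default security-group (SG) rule templates.

Added example written for this page; it is not Neutron's code. Neutron keeps
the templates in its database and expands them whenever a new SG is created.
This stand-alone version models that with plain dicts so the mechanism can be
run and inspected offline. The field names used_in_default_sg and
used_in_non_default_sg, and the SELF_GROUP sentinel, are modelling choices of
this example, not Neutron identifiers.
"""
import ipaddress

# Sentinel meaning "the SG the rule is being created in" (example's own name).
SELF_GROUP = "<self>"


def _tmpl(direction, ethertype, *, remote_group_id=None, remote_ip_prefix=None,
          protocol=None, port_range_min=None, port_range_max=None,
          used_in_default_sg=True, used_in_non_default_sg=True):
    """Build one rule template; None means 'any' as in Neutron SG rules."""
    return {
        "direction": direction, "ethertype": ethertype, "protocol": protocol,
        "port_range_min": port_range_min, "port_range_max": port_range_max,
        "remote_group_id": remote_group_id, "remote_ip_prefix": remote_ip_prefix,
        "used_in_default_sg": used_in_default_sg,
        "used_in_non_default_sg": used_in_non_default_sg,
    }


# The four rules the report describes as hardcoded for every new project's
# default SG. The two remote-group ingress rules applied only to the default
# SG; a non-default SG got just the two egress rules.
LEGACY_TEMPLATES = [
    _tmpl("egress", "IPv4"),
    _tmpl("egress", "IPv6"),
    _tmpl("ingress", "IPv4", remote_group_id=SELF_GROUP, used_in_non_default_sg=False),
    _tmpl("ingress", "IPv6", remote_group_id=SELF_GROUP, used_in_non_default_sg=False),
]

# Constructed operator policy: keep egress open, drop the remote-group ingress
# rules (the scaling concern), allow SSH only from a management prefix.
OPERATOR_TEMPLATES = [
    _tmpl("egress", "IPv4"),
    _tmpl("egress", "IPv6"),
    _tmpl("ingress", "IPv4", protocol="tcp", port_range_min=22, port_range_max=22,
          remote_ip_prefix="192.0.2.0/24", used_in_non_default_sg=False),
]


def validate_template(tmpl):
    """Reject templates that Neutron's SG rule constraints would reject anyway."""
    if tmpl["direction"] not in ("ingress", "egress"):
        raise ValueError("direction must be ingress or egress")
    if tmpl["remote_group_id"] is not None and tmpl["remote_ip_prefix"] is not None:
        raise ValueError("remote_group_id and remote_ip_prefix are mutually exclusive")
    if tmpl["remote_ip_prefix"] is not None:
        version = ipaddress.ip_network(tmpl["remote_ip_prefix"], strict=False).version
        if tmpl["ethertype"] != f"IPv{version}":
            raise ValueError("remote_ip_prefix address family does not match ethertype")
    lo, hi = tmpl["port_range_min"], tmpl["port_range_max"]
    if (lo is None) != (hi is None) or (lo is not None and lo > hi):
        raise ValueError("port range needs both bounds with min <= max")
    return tmpl


def rules_for_new_sg(templates, sg_id, is_default_sg):
    """Expand templates into concrete rules for a newly created SG.

    Only templates flagged for this kind of SG are used, and SELF_GROUP is
    bound to the new group's own id, which is what makes the legacy
    'allow from members of the same group' rules work.
    """
    flag = "used_in_default_sg" if is_default_sg else "used_in_non_default_sg"
    rules = []
    for tmpl in templates:
        validate_template(tmpl)
        if not tmpl[flag]:
            continue
        rule = {k: v for k, v in tmpl.items() if not k.startswith("used_in_")}
        rule["security_group_id"] = sg_id
        if rule["remote_group_id"] == SELF_GROUP:
            rule["remote_group_id"] = sg_id
        rules.append(rule)
    return rules


def remote_group_rule_count(rules):
    """Rules keyed on remote_group_id are the ones the report says scale
    poorly with neutron-openvswitch-agent; count how many a policy yields."""
    return sum(1 for r in rules if r["remote_group_id"] is not None)


if __name__ == "__main__":
    for name, templates in (("legacy", LEGACY_TEMPLATES), ("operator", OPERATOR_TEMPLATES)):
        default_rules = rules_for_new_sg(templates, "sg-default", True)
        other_rules = rules_for_new_sg(templates, "sg-web", False)
        print(f"{name}: default SG gets {len(default_rules)} rules "
              f"({remote_group_rule_count(default_rules)} remote-group), "
              f"non-default SG gets {len(other_rules)}")
```

Run as a script it reports that the legacy templates give a default SG four rules, two of them remote-group, and a non-default SG two, while the constructed operator policy gives a default SG three rules with no remote-group dependency at all.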