
yahoo-eng-team team mailing list archive

[Bug 1649417] Re: RFE: Security group rule using address set

 

Closing as this is very old and the Queens spec was never updated/moved
to a newer release. Please re-open if anyone intends to work on it
further. Thanks.

** Changed in: neutron
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1649417

Title:
  RFE: Security group rule using address set

Status in neutron:
  Won't Fix

Bug description:
  Today if we want to create a rule in security group to allow access
  to/from a set of remote IPs, there are 2 ways:

  1. If the set of remote IPs belongs to a group of Neutron ports, we
  can attach those remote Neutron ports to a Neutron security group and
  use the "remote group" field in security group rule.

  2. If the set of remote IPs can't be mapped to Neutron ports (they can
  be IPs from an external or legacy networking system), we will have to
  white-list each individual IP (if they cannot be summarized to CIDRs)
  in each rule that references that set of IPs in the
  remote_ip_prefix field.

  For 2, if the number of remote IPs is huge, it will be inefficient in
  the Neutron security group implementation and cause scaling issues. Now
  that some back-end SDN systems (e.g. OVN) support the concept of "address
  set", it will be good to have the same model in Neutron security group, so
  that the capability of "address set" can be utilized directly for
  external IPs.

  It can be a simple extension to Neutron's Security Group extension, to
  support "Address Set" object and reference it in Neutron security
  group rules.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1649417/+subscriptions
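
Added example (not part of the original bug report or of Neutron's code): a sketch of option 2 from the description, building one security-group-rule body per CIDR for every rule that must admit the same external IP set. The IPs, rule templates and the SG_ID_PLACEHOLDER id are constructed for illustration; summarization only helps where the addresses happen to be contiguous.

```python
import ipaddress

# Constructed sample data: documentation-range addresses standing in for
# external IPs that have no Neutron port behind them.
EXTERNAL_IPS = [
    "192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3",   # contiguous block
    "198.51.100.7", "198.51.100.9",                        # not adjacent
    "203.0.113.20", "203.0.113.77",
    "2001:db8::5",
]

# Two rules that should both admit the whole set (constructed).
RULE_TEMPLATES = [
    {"direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22},
    {"direction": "ingress", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443},
]


def summarize(ips):
    """Collapse IPs into the fewest CIDRs covering exactly those addresses."""
    by_version = {4: [], 6: []}
    for ip in ips:
        net = ipaddress.ip_network(ip)  # bare address becomes /32 or /128
        by_version[net.version].append(net)
    cidrs = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        cidrs.extend(ipaddress.collapse_addresses(by_version[version]))
    return cidrs


def expand_rules(security_group_id, templates, ips):
    """Return one security-group-rule body per (template, CIDR) pair."""
    bodies = []
    for template in templates:
        for cidr in summarize(ips):
            rule = dict(template)
            rule["security_group_id"] = security_group_id
            rule["ethertype"] = "IPv4" if cidr.version == 4 else "IPv6"
            rule["remote_ip_prefix"] = str(cidr)
            bodies.append({"security_group_rule": rule})
    return bodies


if __name__ == "__main__":
    bodies = expand_rules("SG_ID_PLACEHOLDER", RULE_TEMPLATES, EXTERNAL_IPS)
    print(f"{len(EXTERNAL_IPS)} IPs -> {len(summarize(EXTERNAL_IPS))} CIDRs "
          f"-> {len(bodies)} rules for {len(RULE_TEMPLATES)} templates")
```

With this sample, nine addresses shrink to six prefixes, and every additional rule that references the set adds another six rule bodies.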


