yahoo-eng-team team mailing list archive
Message #94108
[Bug 1649417] Re: RFE: Security group rule using address set
Closing as this is very old and the Queens spec was never updated/moved
to a newer release. Please re-open if anyone intends to work on it
further. Thanks.
** Changed in: neutron
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1649417
Title:
RFE: Security group rule using address set
Status in neutron:
Won't Fix
Bug description:
Today, if we want to create a rule in a security group to allow access
to/from a set of remote IPs, there are 2 ways:

1. If the set of remote IPs belongs to a group of Neutron ports, we
can attach those remote Neutron ports to a Neutron security group and
use the "remote group" field in the security group rule.

2. If the set of remote IPs can't be mapped to Neutron ports (they can
be IPs from an external or legacy networking system), we will have to
white-list each individual IP (if they cannot be summarized to CIDRs)
in each rule that references that set of IPs in the
remote_ip_prefix field.

For 2, if the number of remote IPs is huge, it will be inefficient in
the Neutron security group implementation and cause scaling issues. Now
that some back-end SDN systems (e.g. OVN) support the concept of an
"address set", it will be good to have the same model in Neutron
security groups, so that the capability of "address set" can be utilized
directly for external IPs.

It can be a simple extension to Neutron's Security Group extension, to
support an "Address Set" object and reference it in Neutron security
group rules.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1649417/+subscriptions
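
Added example (not part of the original bug report and not Neutron code): a sketch of option 2 from the description, summarizing a set of remote IPs to CIDRs where possible and expanding it into one remote_ip_prefix rule per prefix per referencing rule, which is where the rule count grows. The addresses, the security group id and the function names are constructed for illustration; the rule keys follow the Neutron security group rule fields.

```python
import ipaddress

# Constructed sample set of external IPs (documentation ranges).
SAMPLE_IPS = [
    "192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3",  # contiguous -> one /30
    "198.51.100.7", "203.0.113.9", "203.0.113.11",       # cannot be summarized
    "2001:db8::1",
]

# Constructed per-service templates; each one "references" the whole set.
TEMPLATES = [
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "tcp", "port_range_min": 443, "port_range_max": 443},
]


def summarize(remote_ips):
    """Collapse IPs into the fewest CIDRs that admit no extra address."""
    nets = [ipaddress.ip_network(ip) for ip in remote_ips]
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return out


def expand_rules(security_group_id, remote_ips, templates):
    """Build one rule body per (prefix, template) pair, as option 2 requires."""
    rules = []
    for prefix in summarize(remote_ips):
        for template in templates:
            rules.append({
                "security_group_id": security_group_id,
                "direction": "ingress",
                "ethertype": "IPv4" if prefix.version == 4 else "IPv6",
                "remote_ip_prefix": str(prefix),
                **template,
            })
    return rules


if __name__ == "__main__":
    rules = expand_rules("SG-ID-PLACEHOLDER", SAMPLE_IPS, TEMPLATES)
    print(len(SAMPLE_IPS), "IPs ->", len(summarize(SAMPLE_IPS)), "prefixes ->",
          len(rules), "rules")
```

Every change to the IP set means recomputing and re-pushing this whole product of prefixes and referencing rules, whereas an address set would be updated once and referenced by name.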