Comment 2 for bug 1611836

Han Zhou (zhouhan) wrote :

Richard, thanks for reporting. This sounds interesting. To solve the problem, I wonder whether we first need to clarify the requirement from the Neutron model's point of view.

In the Neutron model, ports can have overlapping IPs (they belong to different networks and don't talk to each other, so that's fine). But when they are attached to the same security group, it is tricky.

It is a valid use case to say that those ports just share the same security rules, as long as there is no reference to the security group as a "remote group".

Otherwise, if the shared security group is referred to as a "remote group" in a security rule of some security group (that security group could be the same group or a different group; it doesn't matter), I wonder what the real intent of the rule is. For example, the rule says to allow any IPv4 packets from a security group. Now we have 2 ports with the same IP address, one in the group, the other not. Shall we allow the packet from that IP address? In general, a security group implementation can't distinguish source ports if they have the same IP address. This sounds like a conflicting requirement.
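The ambiguity described in the comment above, modelled as an added example (this is not Neutron or OVN code, and the port names, networks, addresses and group names are constructed). A remote-group reference is rendered by the dataplane as a set of IP addresses, so a packet from an IP shared by a member and a non-member gets the same verdict regardless of which port sent it. The `ambiguous_sources` check flags exactly those addresses, and `remote_group_address_set_scoped` shows one possible disambiguation (scoping the match to a single network), which is an assumption here rather than a decision the project has made:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    network: str
    ip: str
    security_groups: frozenset


# Constructed sample ports (hypothetical names and addresses).  vm-a and vm-b
# carry the same IP on different networks; only vm-a is a member of sg-web.
PORTS = (
    Port("vm-a", "net-1", "10.0.0.5", frozenset({"sg-web"})),
    Port("vm-b", "net-2", "10.0.0.5", frozenset({"sg-other"})),
    Port("vm-c", "net-1", "10.0.0.6", frozenset({"sg-web"})),
)


def port_by_name(ports, name):
    return next(p for p in ports if p.name == name)


def remote_group_address_set(ports, group):
    """IPs a dataplane matches for a rule with remote_group_id=group.

    This is all the dataplane has to work with: port identity is lost once
    the group is rendered as a set of addresses.
    """
    return {p.ip for p in ports if group in p.security_groups}


def allowed_by_remote_group_rule(ports, group, src_ip):
    """Verdict of an 'allow ingress from remote group' rule for a source IP."""
    return src_ip in remote_group_address_set(ports, group)


def decision_for_source_port(ports, group, src_port_name):
    """What the rule decides for traffic sourced from a named port.

    Because the rule only sees the IP, a non-member sharing an address with a
    member is allowed too.
    """
    src = port_by_name(ports, src_port_name)
    return allowed_by_remote_group_rule(ports, group, src.ip)


def ambiguous_sources(ports, group):
    """IPs shared by a member and a non-member of `group`.

    For these addresses the rule cannot express its intent: the verdict is
    identical whichever port actually sent the packet.  A practitioner can run
    this over a port inventory to find the conflict before it bites.
    """
    members = {p.ip for p in ports if group in p.security_groups}
    non_members = {p.ip for p in ports if group not in p.security_groups}
    return members & non_members


def remote_group_address_set_scoped(ports, group, network):
    """One possible disambiguation (an assumption in this example, not
    Neutron or OVN behaviour): count only members on the network where the
    rule is evaluated, which is sound if overlapping networks never exchange
    traffic, as the comment above states.
    """
    return {
        p.ip
        for p in ports
        if group in p.security_groups and p.network == network
    }


if __name__ == "__main__":
    print("address set for sg-web:", remote_group_address_set(PORTS, "sg-web"))
    for name in ("vm-a", "vm-b", "vm-c"):
        print(name, "allowed:", decision_for_source_port(PORTS, "sg-web", name))
    print("ambiguous source IPs:", ambiguous_sources(PORTS, "sg-web"))
    print("sg-web scoped to net-2:", remote_group_address_set_scoped(PORTS, "sg-web", "net-2"))
```

Running it shows vm-b allowed by the sg-web rule even though it is not a member, and `ambiguous_sources` reporting 10.0.0.5 as the address the rule cannot reason about.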