Comment 6 for bug 1163569

I think there is no security group issue, but only based on my theoretical analysis (I haven't done this test).
Good picture: https://docs.google.com/presentation/d/15mpiFyilGvHFEEOw1Ytv2uSb80nW0KjEBRlHI4qOO8g/edit#slide=id.gb876186f_05

1) For the compute node the LB service is located in, it's just a common VM, so it should have the following firewall rules.
   -A nova-compute-local -d 10.0.0.8/32 -j nova-compute-haproxy-instance
   -A nova-compute-haproxy-instance -s 10.0.0.0/24 -j ACCEPT
   -A nova-compute-haproxy-instance -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
   -A nova-compute-haproxy-instance -j nova-compute-sg-fallback
   -A nova-compute-sg-fallback -j DROP
  At the same time, it also has a routing rule for the VIP to connect to its gateway in the l3-agent, although it has its own namespace default-sg:
   route add default gw 10.0.0.1

2) The VIP should be able to reach the other VMs of the LB pool, because the l3-agent has the following firewall rules:
   -A nova-network-POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -m conntrack ! --ctstate DNAT -j ACCEPT
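To check the reasoning in this comment without touching a live node, here is a small added example (not code from the bug, Nova or Neutron) that walks the quoted iptables chains the way the kernel does and reports which rule decides a packet. It only models the options that appear in the quoted rules (-s, -d, -p, --sport, --dport, --ctstate and "!" negation); tables, RETURN and base-chain policies are out of scope, and a chain that falls off its end is reported as None, meaning the caller's policy decides. The rule text is copied from the comment; the packets are constructed for illustration.

```python
"""Toy iptables chain walker for the security-group rules quoted in the comment.
Added illustration, not Nova/Neutron code. Rule text is taken from the comment;
packets below are constructed."""
import ipaddress
import shlex

# Security-group chains on the compute node hosting the haproxy instance (from the comment).
COMPUTE_RULES = """
-A nova-compute-local -d 10.0.0.8/32 -j nova-compute-haproxy-instance
-A nova-compute-haproxy-instance -s 10.0.0.0/24 -j ACCEPT
-A nova-compute-haproxy-instance -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-haproxy-instance -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""

# The l3-agent POSTROUTING rule (from the comment).
L3_RULES = """
-A nova-network-POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -m conntrack ! --ctstate DNAT -j ACCEPT
"""

# Match option -> key in the parsed rule; "-m <module>" is skipped, its options follow it.
OPTIONS = {"-s": "src", "-d": "dst", "-p": "proto",
           "--sport": "sport", "--dport": "dport", "--ctstate": "ctstate"}


def parse_rules(text):
    """Return {chain_name: [rule, ...]}, keeping the rule order within each chain."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule, chain, negate, i = {"negate": set()}, None, False, 0
        while i < len(toks):
            tok = toks[i]
            if tok == "!":              # "!" negates the next match option
                negate = True
                i += 1
                continue
            if tok == "-A":
                chain = toks[i + 1]
            elif tok == "-j":
                rule["target"] = toks[i + 1]
            elif tok == "-m":
                pass                    # match module name carries no value itself
            elif tok in OPTIONS:
                key, val = OPTIONS[tok], toks[i + 1]
                if key in ("src", "dst"):
                    val = ipaddress.ip_network(val, strict=False)
                elif key in ("sport", "dport"):
                    val = int(val)
                rule[key] = val
                if negate:
                    rule["negate"].add(key)
            else:
                raise ValueError("unsupported option %r" % tok)
            negate = False
            i += 2
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule, pkt):
    """True if every match option of the rule (honouring '!') accepts the packet."""
    for key in OPTIONS.values():
        if key not in rule:
            continue
        if key in ("src", "dst"):
            ok = ipaddress.ip_address(pkt[key]) in rule[key]
        else:
            ok = pkt.get(key) == rule[key]
        if key in rule["negate"]:
            ok = not ok
        if not ok:
            return False
    return True


def verdict(chains, chain, pkt, trace=None):
    """Walk a chain: the first terminating target wins; a user chain that falls
    through returns to its caller, which keeps scanning. Returns (verdict, trace),
    where trace lists the matched rules as chain#index."""
    trace = [] if trace is None else trace
    for n, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        trace.append("%s#%d" % (chain, n + 1))
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target, trace
        result, _ = verdict(chains, target, pkt, trace)
        if result is not None:
            return result, trace
    return None, trace  # fell off the end of the chain: the caller's policy decides


if __name__ == "__main__":
    compute = parse_rules(COMPUTE_RULES)
    # Constructed packets: a pool member reaching the VIP, an outside host, DHCP from the gateway.
    for pkt in ({"src": "10.0.0.5", "dst": "10.0.0.8", "proto": "tcp", "dport": 80},
                {"src": "192.168.1.9", "dst": "10.0.0.8", "proto": "tcp", "dport": 80},
                {"src": "10.0.0.1", "dst": "10.0.0.8", "proto": "udp", "sport": 67, "dport": 68}):
        print(pkt, verdict(compute, "nova-compute-local", pkt))
    l3 = parse_rules(L3_RULES)
    print(verdict(l3, "nova-network-POSTROUTING",
                  {"src": "10.0.0.8", "dst": "10.0.0.5", "ctstate": "ESTABLISHED"}))
```

Running it shows the point the comment makes: anything from 10.0.0.0/24 to the VIP 10.0.0.8 is accepted by the first rule of the instance chain, anything else addressed to the VIP falls into nova-compute-sg-fallback and is dropped, and traffic not addressed to the VIP is not decided by these chains at all. It also shows that the DHCP rule (-s 10.0.0.1/32 udp 67->68) is shadowed by the broader 10.0.0.0/24 rule above it, and that the POSTROUTING rule accepts only connections that were not DNATed.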