Comment 6 for bug 1163569

I think there doesn't seem to be a security group issue, based only on my theoretical analysis (I haven't done this test).
1) for the compute node the lb service is located in, it's just a common VM, so it should have the following firewall rules.
   -A nova-compute-local -d -j nova-compute-haproxy-instance
   -A nova-compute-haproxy-instance -s -j ACCEPT
   -A nova-compute-haproxy-instance -s -p udp -m udp --sport 67 --dport 68 -j ACCEPT
   -A nova-compute-haproxy-instance -j nova-compute-sg-fallback
   -A nova-compute-sg-fallback -j DROP
  at the same time, it also has a routing rule for the vip to connect to its gateway in the l3-agent, although it has its own namespace default-sg
   route add default gw

2) the vip should be able to visit other VMs of the lb pool, because the l3-agent has the following firewall rules
   -A nova-network-POSTROUTING -s -d -m conntrack ! --ctstate DNAT -j ACCEPT
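The chain walk that the comment above reasons through, modelled as an added example (this is not code from the bug report or from Nova/Neutron). The chains and rules are transcribed from the comment; the comment leaves the addresses blank, so the VIP, pool subnet, DHCP server and pool member addresses used here are assumptions, as is the catch-all SNAT rule placed after the `! --ctstate DNAT` rule in the POSTROUTING chain so that the walk shows which traffic escapes translation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed addresses: the comment leaves them blank, these are placeholders only.
VIP = "10.0.0.10"           # haproxy instance / vip address (assumed)
POOL_SUBNET = "10.0.0.0/24"  # subnet shared by the vip and the pool members (assumed)
DHCP_SERVER = "10.0.0.2"     # dnsmasq address for the subnet (assumed)
MEMBER = "10.0.0.20"         # one lb pool member (assumed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    ctstate: str = "NEW"  # simplified conntrack state label (NEW, ESTABLISHED, DNAT)


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP, SNAT, or the name of a chain to jump to
    src: Optional[str] = None      # address or CIDR, like -s
    dst: Optional[str] = None      # address or CIDR, like -d
    proto: Optional[str] = None    # like -p
    sport: Optional[int] = None    # like --sport
    dport: Optional[int] = None    # like --dport
    ctstate: Optional[str] = None  # like -m conntrack --ctstate
    ctstate_negated: bool = False  # models "! --ctstate X"

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # With negation, a state match means "no match" and vice versa.
        if self.ctstate is not None and (p.ctstate == self.ctstate) == self.ctstate_negated:
            return False
        return True


Chains = Dict[str, List[Rule]]
TERMINAL = {"ACCEPT", "DROP", "SNAT"}


def walk(chains: Chains, chain: str, p: Packet) -> Optional[str]:
    """First-match walk with iptables jump semantics: a user chain that ends
    without a terminal verdict returns to the caller, which keeps going."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(chains, rule.target, p)
        if verdict is not None:
            return verdict
    return None


# Security-group chains on the compute node, transcribed from the comment.
COMPUTE: Chains = {
    "nova-compute-local": [Rule("nova-compute-haproxy-instance", dst=VIP)],
    "nova-compute-haproxy-instance": [
        Rule("ACCEPT", src=POOL_SUBNET),                                   # -s <subnet> -j ACCEPT
        Rule("ACCEPT", src=DHCP_SERVER, proto="udp", sport=67, dport=68),  # DHCP offers
        Rule("nova-compute-sg-fallback"),
    ],
    "nova-compute-sg-fallback": [Rule("DROP")],
}

# l3-agent POSTROUTING: the "! --ctstate DNAT" rule from the comment, followed by
# an assumed catch-all SNAT so the walk shows which traffic is left untranslated.
L3_POSTROUTING: Chains = {
    "nova-network-POSTROUTING": [
        Rule("ACCEPT", src=POOL_SUBNET, dst=POOL_SUBNET, ctstate="DNAT", ctstate_negated=True),
        Rule("SNAT"),  # assumed, not in the comment
    ],
}


def compute_verdict(p: Packet) -> str:
    """Verdict for traffic reaching the haproxy instance; RETURN means the
    nova-compute-local chain did not apply to this destination."""
    return walk(COMPUTE, "nova-compute-local", p) or "RETURN"


def l3_verdict(p: Packet) -> str:
    """ACCEPT here means the packet leaves POSTROUTING without being SNATed."""
    return walk(L3_POSTROUTING, "nova-network-POSTROUTING", p) or "ACCEPT"


if __name__ == "__main__":
    print("member -> vip:", compute_verdict(Packet(src=MEMBER, dst=VIP, sport=80, dport=40000)))
    print("outside -> vip:", compute_verdict(Packet(src="192.168.1.5", dst=VIP, proto="udp", sport=67, dport=68)))
    print("vip -> member, no DNAT:", l3_verdict(Packet(src=VIP, dst=MEMBER)))
    print("vip -> member, DNAT:", l3_verdict(Packet(src=VIP, dst=MEMBER, ctstate="DNAT")))
```

The model only reproduces first-match and jump/return semantics; it does not model the implicit chain policy, so a packet the instance chain never sees comes back as RETURN rather than a verdict. Whether the `-s` rule in the instance chain really covers the pool subnet is exactly the detail the comment leaves blank, and it is what decides whether pool members can answer the vip.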