neutron

  1. Bug #1449344
  2. Comment #1

Comment 1 for bug 1449344

Revision history for this message
James Denton (james-denton) wrote : Re: When VM security group is not choose,the packets is still block by security group

When you remove a security group from a port, the chains remain but appear to limit traffic to DHCP requests/responses and established connections only. All other ingress/egress traffic through the port is dropped by the neutron-*-sg-fallback chain. Same goes for ports that are created without a security group that are later applied to instances.

You might be interested in the ML2 port security feature in Kilo, which allows you to disable filtering and anti-spoofing on the port altogether.

I don't know much about it, but there are some details here:
http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html

and here:
http://blog.otherwiseguy.com/trying-out-the-ml2-port-security-extension/