[RFE] Security-groups that blocks matched traffic

Bug #1592005 reported by Roey Chen
Affects: neutron
Status: Won't Fix
Importance: Wishlist
Assigned to: Roey Chen

Bug Description

Neutron security-groups allow the user to define security groups so that only traffic matching the security-group rules is allowed.
Sometimes it's simpler to define these rules as blocking rules which match traffic that should not be allowed (e.g. allow all traffic except ssh).

Supporting both 'deny' and 'allow' rules combined in one security-group may impair the simplicity of the security-group API; therefore, we'd like to consider the option of allowing a new type of security-group, one in which the implicit action of all rules is 'deny'.
This group would be constructed like any other security-group (by creating rules and assigning it to ports).
A Neutron port could then be associated with one or more security-groups of both types.

For each port, 'deny' rules (when the port is associated with one or more "deny" security-groups) will always be matched before 'allow' rules.
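The evaluation order the report proposes (every deny-type group checked before any allow-type group, with the existing default-deny when nothing matches) can be illustrated with a small model. The following is an added example written for this page; it is not part of the Launchpad report and not Neutron's own code. The class names, the `kind` field and the sample groups (`no-ssh`, `allow-all-tcp`) are assumptions made for the illustration, and the 5-tuple match is deliberately reduced to direction, protocol, port range and remote prefix.

```python
"""Toy model of the RFE's proposed semantics: a port carries both
'allow' security groups (today's Neutron behaviour) and 'deny' security
groups (the proposed type). Deny groups are evaluated first, then allow
groups, and unmatched traffic is dropped. Added example, not Neutron code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "ingress" or "egress" relative to the port
    protocol: str             # "tcp", "udp", "icmp", ...
    port: Optional[int]       # None for protocols without ports
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: Optional[str] = None   # None matches any protocol
    port_min: Optional[int] = None   # None matches any port
    port_max: Optional[int] = None   # defaults to port_min when omitted
    remote_prefix: str = "0.0.0.0/0"

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if pkt.port is None or not (self.port_min <= pkt.port <= hi):
                return False
        return ip_address(pkt.remote_ip) in ip_network(self.remote_prefix)


@dataclass
class SecurityGroup:
    name: str
    kind: str                        # "allow" (existing type) or "deny" (proposed type)
    rules: List[Rule] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.rules)


def evaluate(groups: List[SecurityGroup], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for one packet against a port's groups.

    Ordering is the one the RFE states: every deny-type group is consulted
    before any allow-type group, so a deny rule wins even when an allow rule
    is more specific. Anything left unmatched falls to the default deny."""
    for sg in groups:
        if sg.kind not in ("allow", "deny"):
            raise ValueError(f"unknown security-group kind: {sg.kind!r}")
    for sg in groups:
        if sg.kind == "deny" and sg.matches(pkt):
            return ("deny", sg.name)
    for sg in groups:
        if sg.kind == "allow" and sg.matches(pkt):
            return ("allow", sg.name)
    return ("deny", "default")


# Constructed sample policy: "allow all TCP except ssh", expressed as one
# allow-type group plus one deny-type group attached to the same port.
NO_SSH = SecurityGroup("no-ssh", "deny", [Rule("ingress", "tcp", 22)])
ALLOW_TCP = SecurityGroup("allow-all-tcp", "allow", [Rule("ingress", "tcp")])
# A narrower allow for ssh from a management range; under deny-first
# ordering it never wins against NO_SSH, which is the caveat to notice.
MGMT_SSH = SecurityGroup("mgmt-ssh", "allow",
                         [Rule("ingress", "tcp", 22, remote_prefix="10.0.0.0/8")])
PORT_GROUPS = [ALLOW_TCP, MGMT_SSH, NO_SSH]   # order of attachment is irrelevant


def demo() -> dict:
    """Evaluate a few constructed packets and return the decisions."""
    samples = {
        "ssh from internet": Packet("ingress", "tcp", 22, "203.0.113.10"),
        "ssh from mgmt": Packet("ingress", "tcp", 22, "10.1.2.3"),
        "https from internet": Packet("ingress", "tcp", 443, "203.0.113.10"),
        "dns udp": Packet("ingress", "udp", 53, "203.0.113.10"),
        "icmp": Packet("ingress", "icmp", None, "203.0.113.10"),
    }
    return {label: evaluate(PORT_GROUPS, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:20s} -> {decision}")
```

The `mgmt-ssh` group shows the consequence of the proposed ordering: because deny-type groups are always matched first, there is no "most specific rule wins" escape hatch, so an operator who wants ssh from a management range must simply not attach the deny group to that port rather than rely on a narrower allow.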

Tags: rfe sg-fw
tags: added: rfe sg-fw
Changed in neutron:
importance: Undecided → Wishlist
status: New → Confirmed
Roey Chen (roeyc)
Changed in neutron:
assignee: nobody → Roey Chen (roeyc)
Armando Migliaccio (armando-migliaccio) wrote :

This is called FWaaS v2.

Changed in neutron:
status: Confirmed → Won't Fix
Armando Migliaccio (armando-migliaccio) wrote :

My suggestion is to engage with the FWaaS team and see how to collaborate with them to deliver what you're after within the context of FWaaS.
