[RFE] Security-groups that blocks matched traffic
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Won't Fix
|
Wishlist
|
Roey Chen |
Bug Description
Neutron security-group allow the user to define security groups so that only traffic matched with security group rules are allowed.
Sometimes it’s simpler to define these rules as blocking rules which matched on traffic that should not be allowed (e.g - allow all traffic except ssh).
Supporting both ‘deny’ and ‘allow’ rules combined in one security-group may impair the simplicity of the security-group API, therefore, we'd like to consider the option of allowing a new type of security-group, one which all rules implicit action is 'deny'.
This group should be constructed as any other security-group (by creating rules and assigning to ports).
A Neutron port then could be associated with one or more of both security-group types.
For each port, ’deny’ rules (when port is associated with one or more "deny" security group) will always be matched before ‘allow’ rules.
tags: | added: rfe sg-fw |
Changed in neutron: | |
importance: | Undecided → Wishlist |
status: | New → Confirmed |
Changed in neutron: | |
assignee: | nobody → Roey Chen (roeyc) |
this is called FWaaS v2.