Comment 5 for bug 1978497

Jeremy Stanley (fungi) wrote :

As Brian points out, the described behavior is as designed (if
perhaps surprising to users). Per the linked specification:

> When there are multiple firewall groups associated with a specific
> Neutron port, there is no position or priority between the
> different firewall groups. Some deterministic behavior must be
> defined in order to resolve the action to be taken when some
> firewall groups determine an “allow” action while other firewall
> groups determine a “deny” action.
>
> This spec defines that packets will be allowed if any one of the
> firewall groups associated with that Neutron port allows the
> packet. This behavior is similar to the case of multiple Security
> Groups associated with the same VM port.

Given this, short of redesigning the API, we're presumably looking
at possible improvements to the documentation in order to make the
described pitfall more obvious to end users. If this is correct, I
propose we switch this to a normal public bug in order to continue
discussion with the broader community on ways to better describe
how this interface works.
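The "allowed if any one of the firewall groups allows the packet" rule quoted above is easy to misread, so here is an added worked example of that resolution logic. It is not part of this comment, nor code from Neutron or the FWaaS project: the Rule and Packet shapes, the first-match-wins evaluation inside a group, the default-deny when no rule in a group matches, and the sample groups (a web group that explicitly denies tcp/22 and an admin group that allows tcp/22 from 10.0.0.0/8) are all constructed assumptions for illustration. The stricter "all groups must agree" function is included only to contrast with the spec behaviour; it is not something the spec defines.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model (not Neutron's objects) of the FWaaS v2 resolution rule:
# a packet is allowed on a port when ANY firewall group bound to it allows it.


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # None matches any protocol
    dest_port: Optional[int] = None  # None matches any destination port
    source_cidr: str = "0.0.0.0/0"   # remote source network


@dataclass(frozen=True)
class Packet:
    protocol: str
    dest_port: int
    source_ip: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dest_port is not None and rule.dest_port != pkt.dest_port:
        return False
    return ip_address(pkt.source_ip) in ip_network(rule.source_cidr)


def group_allows(rules: List[Rule], pkt: Packet) -> bool:
    """Assumption: rules are ordered and the first match decides;
    a group with no matching rule denies the packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action == "allow"
    return False


def port_allows(groups: List[List[Rule]], pkt: Packet) -> bool:
    """Spec semantics: the port allows the packet if ANY group allows it.
    A deny in one group does not override an allow in another."""
    return any(group_allows(g, pkt) for g in groups)


def port_allows_if_all_agree(groups: List[List[Rule]], pkt: Packet) -> bool:
    """The stricter reading users often expect (NOT what the spec defines):
    every group must allow the packet."""
    return all(group_allows(g, pkt) for g in groups)


# Constructed sample groups attached to the same Neutron port.
WEB_GROUP = [Rule("allow", "tcp", 443), Rule("deny", "tcp", 22)]
ADMIN_GROUP = [Rule("allow", "tcp", 22, "10.0.0.0/8")]
GROUPS = [WEB_GROUP, ADMIN_GROUP]


def compare(pkt: Packet) -> dict:
    """Return the verdict under both readings so the difference is visible."""
    return {
        "spec_any_allow": port_allows(GROUPS, pkt),
        "all_must_allow": port_allows_if_all_agree(GROUPS, pkt),
    }


if __name__ == "__main__":
    samples = [
        Packet("tcp", 22, "10.1.2.3"),      # web denies, admin allows
        Packet("tcp", 22, "203.0.113.5"),   # web denies, admin no match
        Packet("tcp", 443, "203.0.113.5"),  # web allows, admin no match
    ]
    for pkt in samples:
        print(pkt, compare(pkt))
```

The first sample is the pitfall the bug describes: the web group's explicit deny of tcp/22 is rendered ineffective by the admin group's allow, because the spec takes the union of allows across groups. Anyone relying on a deny rule in one group should check whether another group on the same port allows the same traffic.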