Comment 6 for bug 1978497

Anthony (atimmins) wrote:

> This spec defines that packets will be allowed if any one of the
> firewall groups associated with that Neutron port allows the
> packet. This behavior is similar to the case of multiple Security
> Groups associated with the same VM port.

This works with security groups on VM ports because there are no "deny" actions. When we have "deny" actions in firewall policies, and there are multiple policies applied to a port, if one policy allows the traffic and another policy denies the traffic, there is a conflict. It now becomes random whether or not that traffic will be allowed or denied.

It is possible to assign multiple groups to ports during firewall group creation by not specifying a port in the group creation command.
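The conflict described in the comment above can be made concrete with a small model of how several firewall groups bound to one port combine. This is an added illustration, not code from the bug report, the spec or Neutron's FWaaS driver; the rule model (protocol plus destination port, first matching rule wins, no match means the group says nothing), the two constructed groups `web` and `harden`, and the two combination modes `any_allow` (the spec's wording) and `any_deny` are all assumptions made for the example.

```python
"""Model of how multiple FWaaS v2 firewall groups on one Neutron port combine.

Added illustration only; not Neutron code. Assumptions: a rule matches on
protocol and destination port, the first matching rule in a group wins, and a
group with no matching rule returns None (it has no opinion on the packet).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny" or "reject"
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, protocol: str, dst_port: int) -> bool:
        return (self.protocol in (None, protocol)
                and self.dst_port in (None, dst_port))


@dataclass
class FirewallGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, protocol: str, dst_port: int) -> Optional[str]:
        """Action of the first matching rule, or None if no rule matches."""
        for rule in self.rules:
            if rule.matches(protocol, dst_port):
                return rule.action
        return None


def combine(groups: List[FirewallGroup], protocol: str, dst_port: int) -> Dict[str, object]:
    """Combine per-group verdicts for one packet.

    any_allow: the spec's wording, allowed if any group allows.
    any_deny:  the opposite precedence, blocked if any group denies/rejects.
    conflict:  True when both an explicit allow and an explicit deny/reject
               match, i.e. the two modes disagree and the outcome depends on
               which group the driver happens to consult first.
    """
    verdicts = {g.name: g.verdict(protocol, dst_port) for g in groups}
    explicit_allow = "allow" in verdicts.values()
    explicit_block = any(v in ("deny", "reject") for v in verdicts.values())
    return {
        "per_group": verdicts,
        "any_allow": "allow" if explicit_allow else "deny",
        "any_deny": "deny" if explicit_block or not explicit_allow else "allow",
        "conflict": explicit_allow and explicit_block,
    }


# Constructed sample groups, both bound to the same port (assumption).
WEB = FirewallGroup("web", [Rule("allow", "tcp", 80), Rule("allow", "tcp", 443)])
HARDEN = FirewallGroup("harden", [Rule("deny", "tcp", 80), Rule("allow")])
PORT_GROUPS = [WEB, HARDEN]

# Security-group analogue: only allow rules, so a conflict can never arise.
SG_A = FirewallGroup("sg_a", [Rule("allow", "tcp", 22)])
SG_B = FirewallGroup("sg_b", [Rule("allow", "tcp", 80)])


def check(protocol: str, dst_port: int, groups: List[FirewallGroup] = PORT_GROUPS):
    return combine(groups, protocol, dst_port)


if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 443), ("tcp", 22)]:
        print(proto, port, check(proto, port))
    print("sg", check("tcp", 22, [SG_A, SG_B]))
```

Running it shows that tcp/80 is the ambiguous case (`web` allows, `harden` denies, so `any_allow` and `any_deny` disagree), while tcp/443 and tcp/22 are unambiguous, and the two allow-only groups never report a conflict for any packet, which is why the union semantics is safe for security groups but not for policies that contain deny rules.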