Comment 11 for bug 1793029

Akihiro Motoki (amotoki) wrote :

For problem 2 in #10, I don't have a good solution directly.
What I can suggest is not to use "remote group" in security group rules and "allowed-address-pair" (with a wider IP address range) together. It is recommended to use "IP address" rather than "remote group" in security group rules if you use "allowed-address-pair".

For problem 1 in #10, we can potentially use a separate ipset for each port. Each ipset contains a list of IP addresses of security group members, but it does not contain the port's own IP address.

However, if we go to the above route for problem 2, problem 1 will be minor because problem 1 also occurs only when using "remote group" and "allowed-address-pairs" together.

My current conclusion is to add warnings on this to various documents like neutron API reference, security notes and more if any.

Thoughts?
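The check this comment recommends, written as an added audit example (not code from the bug thread or from neutron itself): flag security group rules that use a remote group whose member ports carry allowed-address-pairs wider than a single host. The sample security groups and ports are constructed; field names follow the Neutron API.

```python
"""Audit for the risky combination discussed above: a security group rule
that references a *remote group* while ports in that remote group carry
*allowed-address-pairs* covering a wide IP range."""
import ipaddress

# Constructed sample data mimicking Neutron API fields (not from a live cloud).
SECURITY_GROUPS = [
    {"id": "sg-web", "security_group_rules": [
        # Remote-group rule: the form this comment advises against with wide pairs.
        {"direction": "ingress", "remote_group_id": "sg-db", "remote_ip_prefix": None},
        # IP-prefix rule: the recommended form.
        {"direction": "ingress", "remote_group_id": None, "remote_ip_prefix": "10.0.0.5/32"},
    ]},
    {"id": "sg-db", "security_group_rules": []},
]
PORTS = [
    {"id": "port-1", "security_groups": ["sg-db"],
     "allowed_address_pairs": [{"ip_address": "10.0.0.0/8"}]},   # wide range
    {"id": "port-2", "security_groups": ["sg-db"],
     "allowed_address_pairs": [{"ip_address": "10.0.0.7"}]},     # single host
]


def wide_pairs(port):
    """Return allowed-address-pair entries broader than a single host (v4 or v6)."""
    out = []
    for pair in port.get("allowed_address_pairs", []):
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.prefixlen < net.max_prefixlen:
            out.append(pair["ip_address"])
    return out


def audit(security_groups, ports):
    """Return (sg_id, remote_group_id, port_id, wide_pair) for every rule that
    uses a remote group containing a port with a wide allowed-address-pair."""
    findings = []
    for sg in security_groups:
        for rule in sg["security_group_rules"]:
            remote_group = rule.get("remote_group_id")
            if not remote_group:
                continue  # remote_ip_prefix rules do not trigger the problem
            for port in ports:
                if remote_group in port.get("security_groups", []):
                    for cidr in wide_pairs(port):
                        findings.append((sg["id"], remote_group, port["id"], cidr))
    return findings


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS, PORTS):
        print("rule in %s uses remote group %s; port %s has wide pair %s" % finding)
```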