Not arguing if it's suitable to implement this with security-group commands.

To solve the problem, I guess 20 rules are not necessary at all.

You can just add one rule like the following to allow all traffic going
out of the vm.

iptables -I neutron-openvswi-o9LETTERID -j RETURN
Where the id part is the first 9 letters of the vm attached port id.
This rule will bypass all security filtering for the outgoing traffic.

On Fri, Sep 5, 2014 at 11:27 PM, Monty Taylor wrote:

> Hi!
> I've decided that as I have problems with OpenStack while using it in the
> service of Infra, I'm going to just start spamming the list.
> Please make something like this:
> neutron security-group-create default --allow-every-damn-thing
> Right now, to make security groups get the hell out of our way because
> they do not provide us any value because we manage our own iptables, it
> takes adding something like 20 rules.
> 15:24:05          clarkb | one each for ingress and egress udp tcp over
> ipv4 then ipv6 and finally icmp
> That may be great for someone using my-first-server-pony, but for me, I
> know how the internet works, and when I ask for a server, I want it to just
> work.
> Now, I know, I know - the DEPLOYER can make decisions blah blah blah.
> BS
> If OpenStack is going to let my deployer make the absolutely asinine
> decision that all of my network traffic should be blocked by default, it
> should give me, the USER, a get out of jail free card.
> kthxbai
> _______________________________________________
> OpenStack-dev mailing list

Best wishes!