Not arguing if it's suitable to implement this with security-group commands.
To solve the problem, I guess no 20 rules are necessary at all. You can just add one rule like the following to allow all traffic going out of the vm.

    iptables -I neutron-openvswi-o9LETTERID -j RETURN

Where the id part is the first 9 letters of the vm attached port id. This rule will bypass all security filtering for the outgoing traffic.

On Fri, Sep 5, 2014 at 11:27 PM, Monty Taylor <mord...@inaugust.com> wrote:

> Hi!
>
> I've decided that as I have problems with OpenStack while using it in the
> service of Infra, I'm going to just start spamming the list.
>
> Please make something like this:
>
> neutron security-group-create default --allow-every-damn-thing
>
> Right now, to make security groups get the hell out of our way because
> they do not provide us any value because we manage our own iptables, it
> takes adding something like 20 rules.
>
> 15:24:05 clarkb | one each for ingress and egress udp tcp over
> ipv4 then ipv6 and finally icmp
>
> That may be great for someone using my-first-server-pony, but for me, I
> know how the internet works, and when I ask for a server, I want it to just
> work.
>
> Now, I know, I know - the DEPLOYER can make decisions blah blah blah.
>
> BS
>
> If OpenStack is going to let my deployer make the absolutely asinine
> decision that all of my network traffic should be blocked by default, it
> should give me, the USER, a get out of jail free card.
>
> kthxbai
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStackfirstname.lastname@example.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Best wishes!
Baohua
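An added example, not part of the original thread: seen from the operator's side, a rule like the one described above shows up in `iptables-save` output as a match-less RETURN or ACCEPT sitting ahead of the other rules in a per-port egress chain, so it can be audited for. The chain prefix is taken from the message; the sample rules, the port-id fragments and the function names are constructed for illustration.

```python
import shlex

EGRESS_PREFIX = "neutron-openvswi-o"   # per-port egress chain prefix, as given in the thread
BYPASS_TARGETS = {"RETURN", "ACCEPT"}  # targets that end filtering in this chain

# Constructed sample of `iptables-save` rule lines (not captured from a real host).
SAMPLE = """\
-A neutron-openvswi-o1a2b3c4d5 -j RETURN
-A neutron-openvswi-o1a2b3c4d5 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1a2b3c4d5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o9f8e7d6c5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o9f8e7d6c5 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i9f8e7d6c5 -j RETURN
"""

def _strip_comment(tokens):
    """Drop '-m comment --comment <text>' so annotated rules are still seen as match-less."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 3] == ["-m", "comment", "--comment"]:
            i += 4                      # skip the three option tokens and the comment text
        else:
            out.append(tokens[i])
            i += 1
    return out

def find_bypass_rules(iptables_save_text):
    """Return [(chain, rule_position, shadowed_rule_count)] for each per-port egress
    chain whose first match-less RETURN/ACCEPT rule precedes other rules."""
    chains = {}
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A "):
            continue                    # table headers, chain declarations, COMMIT
        tokens = shlex.split(line)
        chain, rest = tokens[1], _strip_comment(tokens[2:])
        if chain.startswith(EGRESS_PREFIX):
            chains.setdefault(chain, []).append(rest)
    findings = []
    for chain, rules in chains.items():
        for pos, rest in enumerate(rules, start=1):
            if len(rest) == 2 and rest[0] == "-j" and rest[1] in BYPASS_TARGETS:
                shadowed = len(rules) - pos   # rules that can no longer be reached
                if shadowed:
                    findings.append((chain, pos, shadowed))
                break
    return findings

if __name__ == "__main__":
    for chain, pos, shadowed in find_bypass_rules(SAMPLE):
        print(f"{chain}: rule {pos} is unconditional and shadows {shadowed} rule(s)")
```

Only the first chain in the sample is reported: its opening rule has no match criteria, so the security-group rules after it are never evaluated.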