Not arguing if it's suitable to implement this with security-group commands.

To solve the problem, I guess the 20 rules are not necessary at all.

You can just add one rule like the following to allow all traffic going
out of the VM.

iptables -I neutron-openvswi-o9LETTERID -j RETURN

Where the id part is the first 9 letters of the VM's attached port id.
This rule will bypass all security filtering for the outgoing traffic.

On Fri, Sep 5, 2014 at 11:27 PM, Monty Taylor <mord...@inaugust.com> wrote:

> Hi!
>
> I've decided that as I have problems with OpenStack while using it in the
> service of Infra, I'm going to just start spamming the list.
>
> Please make something like this:
>
> neutron security-group-create default --allow-every-damn-thing
>
> Right now, to make security groups get the hell out of our way because
> they do not provide us any value because we manage our own iptables, it
> takes adding something like 20 rules.
>
> 15:24:05          clarkb | one each for ingress and egress udp tcp over
> ipv4 then ipv6 and finally icmp
>
> That may be great for someone using my-first-server-pony, but for me, I
> know how the internet works, and when I ask for a server, I want it to just
> work.
>
> Now, I know, I know - the DEPLOYER can make decisions blah blah blah.
>
> BS
>
> If OpenStack is going to let my deployer make the absolutely asinine
> decision that all of my network traffic should be blocked by default, it
> should give me, the USER, a get out of jail free card.
>
> kthxbai
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Best wishes!
Baohua
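
An added example, not part of the original message: an audit sketch that reads `iptables-save` output and lists the `neutron-openvswi-o...` egress chains carrying an unconditional `-j RETURN`, the kind of rule the reply says bypasses all security filtering for outgoing traffic. The dump, the chain suffixes and the function names are constructed for illustration.

```python
import shlex

EGRESS_PREFIX = "neutron-openvswi-o"  # chain prefix as written in the message above

# Constructed sample in iptables-save format; the 9-character suffixes are made up.
SAMPLE = """\
*filter
:neutron-openvswi-oabc123def - [0:0]
:neutron-openvswi-o123456789 - [0:0]
-A neutron-openvswi-oabc123def -j RETURN
-A neutron-openvswi-oabc123def -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oabc123def -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o123456789 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o123456789 -m comment --comment "allow all" -j RETURN
-A neutron-openvswi-o123456789 -j neutron-openvswi-sg-fallback
COMMIT
"""

def strip_comment(tokens):
    """Drop '-m comment --comment TEXT'; a comment does not restrict the match."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] == ["-m", "comment"]:
            i += 2
        elif tokens[i] == "--comment":
            i += 2  # skip the flag and its text
        else:
            out.append(tokens[i])
            i += 1
    return out

def find_unfiltered_egress(dump):
    """Return (chain, position) for each unconditional RETURN in an egress chain."""
    findings, position, table = [], {}, None
    for line in dump.splitlines():
        if line.startswith("*"):  # table header such as '*filter'
            table, position = line[1:], {}
        if table != "filter" or not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain = tokens[1]
        position[chain] = position.get(chain, 0) + 1
        if chain.startswith(EGRESS_PREFIX) and strip_comment(tokens[2:]) == ["-j", "RETURN"]:
            findings.append((chain, position[chain]))
    return findings

if __name__ == "__main__":
    for chain, pos in find_unfiltered_egress(SAMPLE):
        print(f"{chain}: rule {pos} returns all egress traffic unfiltered")
```

A finding at position 1 is what an `-I` insert at the head of the chain produces; a finding further down means some other rule in the chain accepts all egress traffic.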