Public bug reported:

Neutron security-group allows the user to define security groups so that only 
traffic matched by security group rules is allowed.
Sometimes it’s simpler to define these rules as blocking rules which match on 
traffic that should not be allowed (e.g., allow all traffic except ssh).

Supporting both ‘deny’ and ‘allow’ rules combined in one security-group may 
impair the simplicity of the security-group API; therefore, we'd like to 
consider the option of allowing a new type of security-group, one in which all 
rules' implicit action is 'deny'.
This group should be constructed as any other security-group (by creating rules 
and assigning to ports).
A Neutron port then could be associated with one or more of both security-group 
types.

For each port, ‘deny’ rules (when the port is associated with one or more
"deny" security groups) will always be matched before ‘allow’ rules.

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1592005

Title:
  [RFE] Security-groups that blocks matched traffic

Status in neutron:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1592005/+subscriptions
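
The evaluation order proposed in the bug description above (rules of "deny" groups matched before rules of "allow" groups), modelled as an added example; it is not part of the original report and is not Neutron code. The `Rule`, `SecurityGroup` and `evaluate` names are hypothetical, matching is reduced to protocol and port, and the assumption that traffic matching no rule is still dropped follows from the description's "only traffic matched with security group rules are allowed".

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: Optional[str] = None   # None matches any protocol
    port_min: Optional[int] = None   # None matches any port
    port_max: Optional[int] = None

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is None:
            return True
        return port is not None and self.port_min <= port <= self.port_max


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    action: str                # "allow" (existing type) or "deny" (proposed type)
    rules: Tuple[Rule, ...]


def evaluate(groups, protocol, port=None):
    """Return (verdict, matching group name) for one packet on a port."""
    # Deny groups are consulted first, whatever order the port lists them in.
    for action in ("deny", "allow"):
        for group in groups:
            if group.action != action:
                continue
            if any(rule.matches(protocol, port) for rule in group.rules):
                return action, group.name
    # Assumption: unmatched traffic keeps today's behaviour and is dropped.
    return "default-drop", None


# Constructed sample groups for "allow all traffic except ssh".
ALLOW_ALL = SecurityGroup("allow-all", "allow", (Rule(),))
NO_SSH = SecurityGroup("no-ssh", "deny", (Rule("tcp", 22, 22),))

if __name__ == "__main__":
    port_groups = [ALLOW_ALL, NO_SSH]
    for proto, dport in (("tcp", 22), ("tcp", 443), ("icmp", None)):
        print(proto, dport, evaluate(port_groups, proto, dport))
    # A port with only a deny group still passes nothing under this model.
    print("deny-only:", evaluate([NO_SSH], "tcp", 443))
```

Under this model a "deny" group only narrows what the port's "allow" groups admit, so a port associated solely with deny groups admits no traffic.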
