<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><style>body { line-height: 1.5; }blockquote { margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em; }div.foxdiv20150717100415243809 { }body { font-size: 10.5pt; font-family: 'Microsoft YaHei UI'; color: rgb(0, 0, 0); line-height: 1.5; }</style></head><body>
<div><span style="font-size: 14px;">For example, in the use case where the VM is an LVS (Linux Virtual Server), </span></div><div><span style="font-size: 14px;">to make any client's IP outgoing, we need to configure allowed_address_pairs to 0.0.0.0/0, or disable security-group on the port by setting "port-security-enable" to false.<br>After that, mac-level rules are needed to protect other VMs. <br><br></span></div><div><span style="font-size: 14px;">Does anyone else have other use cases?</span></div><div><br></div><hr style="width: 210px; height: 1px;" color="#b5c4df" size="1" align="left">
<div><span><div style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>Yan Xing'an</div></div></span></div>
<blockquote style="margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em;"><div> </div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-SIZE: 12px;FONT-FAMILY:tahoma;COLOR:#000000; BACKGROUND: #efefef; PADDING-BOTTOM: 8px; PADDING-TOP: 8px"><div><b>From:</b> <a href="mailto:comnea.dani@gmail.com">Daniel Comnea</a></div><div><b>Date:</b> 2015-07-15 14:14</div><div><b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org">OpenStack Development Mailing List (not for usage questions)</a></div><div><b>Subject:</b> Re: [openstack-dev] [neutron][security-group] rules for filter mac-addresses</div></div></div><div><div class="FoxDiv20150717100415243809"><div dir="ltr"><div>Can I understand the use case for that?<br><br></div>What I don't get is how will you know the MAC for a newly created instance via HEAT so you can set at the same time the SG based on MAC?<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 14, 2015 at 12:29 PM, <a href="mailto:yan_xing_an@163.com">yan_xing_an@163.com</a> <span dir="ltr"><<a href="mailto:yan_xing_an@163.com" target="_blank">yan_xing_an@163.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div>
<div><span>Thank you, Kevin. <br>I searched for a blueprint about this point on <a href="http://launchpad.net" target="_blank">launchpad.net</a> and got nothing, then registered one at:<br></span><a href="https://blueprints.launchpad.net/neutron/+spec/security-group-mac-rule" target="_blank">https://blueprints.launchpad.net/neutron/+spec/security-group-mac-rule</a></div><div><br></div><hr style="width:210px;min-height:1px" align="left" color="#b5c4df" size="1">
<div><span><div style="MARGIN:10px;FONT-FAMILY:verdana;FONT-SIZE:10pt">Yan Xing'an</div></span></div>
<blockquote style="margin-top: 0px; margin-bottom: 0px; margin-left: 0.5em;"><div> </div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div style="PADDING-RIGHT:8px;PADDING-LEFT:8px;FONT-SIZE:12px;FONT-FAMILY:tahoma;COLOR:#000000;BACKGROUND:#efefef;PADDING-BOTTOM:8px;PADDING-TOP:8px"><div><b>From:</b> <a href="mailto:blak111@gmail.com" target="_blank">Kevin Benton</a></div><div><b>Date:</b> 2015-07-14 18:31</div><div><b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">OpenStack Development Mailing List (not for usage questions)</a></div><div><b>Subject:</b> Re: [openstack-dev] [neutron][security-group] rules for filter mac-addresses</div></div></div><div><div class="h5"><div><div><div dir="ltr">Unfortunately the security groups API does not have mac-level rules right now.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 14, 2015 at 2:17 AM, <a href="mailto:yan_xing_an@163.com" target="_blank">yan_xing_an@163.com</a> <span dir="ltr"><<a href="mailto:yan_xing_an@163.com" target="_blank">yan_xing_an@163.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;"><div>
<div><span></span><div style="font-family:'lucida Grande',Verdana,'Microsoft YaHei';line-height:23.799999237060547px"><div>Hi, all:</div><div><br></div><div>Here is a requirement: deny/permit incoming packets on a VM by MAC addresses.</div><div>I have tried to find a better method than modifying neutron code, but failed.</div><div>Any suggestion is appreciated. Thank you.</div></div><div style="font-family:'lucida Grande',Verdana,'Microsoft YaHei';line-height:23.799999237060547px"><br></div><div style="font-family:'lucida Grande',Verdana,'Microsoft YaHei';line-height:23.799999237060547px">Yan.</div></div>
<div><br></div><hr style="width:210px;min-height:1px" align="left" color="#b5c4df" size="1"><span><font color="#888888">
<div><span><div style="MARGIN:10px;FONT-FAMILY:verdana;FONT-SIZE:10pt"><div><a href="mailto:yan_xing_an@163.com" target="_blank">yan_xing_an@163.com</a></div></div></span></div>
</font></span></div><br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div>Kevin Benton</div></div>
</div>
</div></div></div></div></blockquote>
</div><br>
<br></blockquote></div><br></div>
</div></div></blockquote>
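<div>The top message describes two port settings that remove source-address filtering (allowed_address_pairs set to 0.0.0.0/0, or port security disabled). The following is an added example, not part of the original thread or of Neutron's code: an audit over port records that flags ports in either state so an operator knows where compensating controls are needed. It assumes port records are dicts using the Neutron port field names <code>port_security_enabled</code> and <code>allowed_address_pairs</code>; the sample ports, the function names and the <code>MIN_PREFIX</code> threshold are constructed for illustration.</div>

```python
import ipaddress

# Constructed sample port records (Neutron port field names, made-up values).
SAMPLE_PORTS = [
    {"id": "port-lvs", "mac_address": "fa:16:3e:00:00:01",
     "port_security_enabled": True, "security_groups": ["sg-web"],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"id": "port-nosec", "mac_address": "fa:16:3e:00:00:02",
     "port_security_enabled": False, "security_groups": [],
     "allowed_address_pairs": []},
    {"id": "port-vip", "mac_address": "fa:16:3e:00:00:03",
     "port_security_enabled": True, "security_groups": ["sg-web"],
     "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]},
    {"id": "port-wide", "mac_address": "fa:16:3e:00:00:04",
     "port_security_enabled": True, "security_groups": ["sg-web"],
     "allowed_address_pairs": [{"ip_address": "10.0.0.0/16"}]},
]

# Assumed local policy: address pairs wider than these prefixes are flagged.
MIN_PREFIX = {4: 24, 6: 64}


def audit_port(port):
    """Return the reasons why source-address filtering is weakened on a port."""
    reasons = []
    if not port.get("port_security_enabled", True):
        reasons.append("port security disabled: no anti-spoofing or security groups")
    for pair in port.get("allowed_address_pairs") or []:
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.prefixlen == 0:
            reasons.append(f"allowed_address_pairs {net} permits any source IP")
        elif net.prefixlen < MIN_PREFIX[net.version]:
            limit = MIN_PREFIX[net.version]
            reasons.append(f"allowed_address_pairs {net} is wider than /{limit}")
    return reasons


def audit_ports(ports):
    """Map port id to its list of reasons, for ports with at least one finding."""
    findings = {}
    for port in ports:
        reasons = audit_port(port)
        if reasons:
            findings[port["id"]] = reasons
    return findings


if __name__ == "__main__":
    for port_id, reasons in audit_ports(SAMPLE_PORTS).items():
        for reason in reasons:
            print(f"{port_id}: {reason}")
```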
</body></html>