<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="SFNS Display">Hi colleagues,<br>
<br>
      After the upgrade from Ocata to Pike I noticed a change in security
      group behaviour.<br>
<br>
      In Ocata, I was using a combination of the default security group +
      a custom group (which matches ingress ethertype both IPv4 and IPv6)
      on a port, and this was allowing ingress traffic to the VM.<br>
<br>
      In Pike this doesn't work anymore, i.e. having two security groups
      in the project<br>
<br>
$ openstack security group list</font><tt><br>
</tt><tt>[ ... ]<br>
| 53ede63e-b08f-4c95-b5fe-29cd21ed442a | default | Default
security group | d8051a3ff3ad4c4bb380f828992b8178 |</tt><tt><br>
</tt><tt>| cd0bd222-78e1-42b2-b8a5-51d655c49a8f | jex-esg
| | d8051a3ff3ad4c4bb380f828992b8178 |</tt><tt><br>
</tt><tt><br>
    </tt><font face="SFNS Display">and using both on a port disables any
      traffic from outside (e.g. ping):<br>
<br>
</font><tt>$ openstack port show jex-n1-wan</tt><tt><br>
</tt><tt>[ ... ]</tt><tt><br>
</tt><tt>| fixed_ips | ip_address='x.x.x.246',
subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |</tt><tt><br>
</tt><tt>| security_group_ids |
53ede63e-b08f-4c95-b5fe-29cd21ed442a,
cd0bd222-78e1-42b2-b8a5-51d655c49a8f |</tt><tt><br>
</tt><font face="SFNS Display"><br>
      while keeping only the custom group allows traffic from outside:<br>
<br>
</font><tt>$ openstack port show jex-n1-wan</tt><tt><br>
</tt><tt>| fixed_ips | ip_address='x.x.x.246',
subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |</tt><tt><br>
</tt><tt>| security_group_ids |
cd0bd222-78e1-42b2-b8a5-51d655c49a8f
|</tt><font face="SFNS Display"><br>
<br>
      <b>I didn't find any notices on this in the Pike release notes. Can
        anybody point me to the place where I can find
        information on this and, possibly, other implicit changes?</b><br>
<br>
      For additional information, the rules of jex-esg are these:<br>
<br>
</font><tt>$ openstack security group show jex-esg</tt><tt><br>
</tt><tt>+-----------------+-----------------------------------------------------------------------------------------+</tt><tt><br>
</tt><tt>| Field |
Value
|</tt><tt><br>
</tt><tt>+-----------------+-----------------------------------------------------------------------------------------+</tt><tt><br>
</tt><tt>| created_at |
2017-09-21T13:25:53Z
|</tt><tt><br>
</tt><tt>| description
|
|</tt><tt><br>
</tt><tt>| id |
cd0bd222-78e1-42b2-b8a5-51d655c49a8f
|</tt><tt><br>
</tt><tt>| name |
jex-esg
|</tt><tt><br>
</tt><tt>| project_id |
d8051a3ff3ad4c4bb380f828992b8178
|</tt><tt><br>
</tt><tt>| revision_number |
4
|</tt><tt><br>
</tt><tt>| rules | created_at='2017-09-21T13:25:53Z',
direction='ingress', ethertype='IPv4', id='1b979cd7- |</tt><tt><br>
</tt><tt>| | created_at='2017-09-21T13:25:53Z',
direction='ingress', ethertype='IPv6', id='906ac4e2- |</tt><tt><br>
</tt><tt>| | created_at='2017-09-21T13:25:53Z',
direction='egress', ethertype='IPv6', id='c8cc2114- |</tt><tt><br>
</tt><tt>| | created_at='2017-09-21T13:25:53Z',
direction='egress', ethertype='IPv4', id='ebb060f5- |</tt><tt><br>
</tt><tt>| updated_at |
2017-09-21T13:25:53Z
|</tt><tt><br>
</tt><tt>+-----------------+-----------------------------------------------------------------------------------------+</tt><font
face="SFNS Display"><br>
<br>
Thank you.<br>
<br>
</font>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
</pre>
</body>
</html>