[openstack-dev] [neutron][security-group] rules for filter mac-addresses

Yan Xing'an yan_xing_an at 163.com
Fri Jul 17 02:17:30 UTC 2015


For example, in the use case where the VM is an LVS (Linux Virtual Server), 
to allow any client's IP outgoing, we need to configure allowed_address_pairs to 0.0.0.0/0, or disable security groups on the port by setting "port-security-enable" to false.
After that, MAC-level rules are needed to protect other VMs. 

Does anyone else have other use cases?



Yan Xing'an
 
From: Daniel Comnea
Date: 2015-07-15 14:14
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [neutron][security-group] rules for filter mac-addresses
Can I understand the use case for that?

What I don't get is how you will know the MAC for a newly created instance via HEAT so you can set the SG based on MAC at the same time?



On Tue, Jul 14, 2015 at 12:29 PM, yan_xing_an at 163.com <yan_xing_an at 163.com> wrote:
Thank you, Kevin. 
I searched for a blueprint about this point on launchpad.net and found nothing, so I registered one at:
https://blueprints.launchpad.net/neutron/+spec/security-group-mac-rule 




Yan Xing'an
 
From: Kevin Benton
Date: 2015-07-14 18:31
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [neutron][security-group] rules for filter mac-addresses
Unfortunately the security groups API does not have mac-level rules right now.

On Tue, Jul 14, 2015 at 2:17 AM, yan_xing_an at 163.com <yan_xing_an at 163.com> wrote:
Hi, all:

Here is a requirement: deny/permit incoming packets on a VM by MAC address.
I have tried to find a better method than modifying neutron code, but failed.
Any suggestion is appreciated. Thank you.

Yan.



yan_xing_an at 163.com

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




-- 
Kevin Benton
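
Added example (not part of the original thread and not Neutron code): an audit over port records for the two relaxations described in the first message, allowed_address_pairs set to 0.0.0.0/0 and port security disabled, so that such ports can be listed and reviewed. The port dicts are constructed samples shaped like Neutron port API output, and the MIN_PREFIX review threshold is an assumption.

```python
import ipaddress

# Constructed sample records shaped like Neutron port API output (not real data).
SAMPLE_PORTS = [
    {"id": "port-lvs", "port_security_enabled": True,
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"id": "port-nosec", "port_security_enabled": False,
     "allowed_address_pairs": []},
    {"id": "port-vip", "port_security_enabled": True,
     "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]},
    {"id": "port-wide", "port_security_enabled": True,
     "allowed_address_pairs": [{"ip_address": "10.0.0.0/8"}]},
    {"id": "port-bad", "port_security_enabled": True,
     "allowed_address_pairs": [{"ip_address": "not-an-ip"}]},
]

# Assumption: pairs broader than these prefix lengths deserve a manual review.
MIN_PREFIX = {4: 24, 6: 64}


def audit_port(port):
    """Return findings for one port; an empty list means nothing was relaxed."""
    findings = []
    if port.get("port_security_enabled") is False:
        findings.append("port_security_enabled is false")
    for pair in port.get("allowed_address_pairs") or []:
        try:
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
        except (KeyError, TypeError, ValueError):
            findings.append(f"unparseable address pair: {pair!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"address pair {net} allows any source IP")
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"address pair {net} is broader than /{MIN_PREFIX[net.version]}")
    return findings


def audit(ports):
    """Map port id -> findings, keeping only ports that have at least one."""
    report = {}
    for port in ports:
        findings = audit_port(port)
        if findings:
            report[port["id"]] = findings
    return report


if __name__ == "__main__":
    for port_id, findings in audit(SAMPLE_PORTS).items():
        print(port_id, "->", "; ".join(findings))
```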