Neutron security groups are stateful. A response should be able to come back without ingress rules regardless of the use of iptables.

On Fri, Sep 11, 2015 at 12:25 AM, Tikkanen, Viktor (Nokia - FI/Espoo) <viktor.tikkanen at nokia.com> wrote:

> Hi!
>
> We have a scenario tempest test case (test_cross_tenant_traffic) which
> assumes that an instance should be able to receive icmp echo responses
> even when no ingress security rules are defined for that instance.
>
> I don't take a stand on iptables-based security group implementation
> details (this was discussed e.g. here:
> http://lists.openstack.org/pipermail/openstack-dev/2015-April/060989.html
> ) but rather on tempest logic.
>
> Do we have some requirement(s) that incoming packets with ESTABLISHED
> state should be accepted regardless of security rules? If so, does it
> really concern also ICMP packets?
>
> And if there are no such requirements, should we e.g. parameterize the
> test case so that it will be skipped when no iptables-based firewall
> drivers are used?
>
> -Viktor

--
Kevin Benton
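The stateful behaviour discussed in this thread, as an added example that is not part of the original messages and is not Neutron's or tempest's code: a simplified model of a security group with an ICMP egress rule and no ingress rules, showing which echo packets are accepted. The class names, addresses and identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Simplified model of stateful filtering; not Neutron's implementation.
REPLY_KIND = {"echo-request": "echo-reply"}  # ICMP kind that answers an opener

@dataclass(frozen=True)
class Packet:
    direction: str   # "egress" (leaving the instance) or "ingress"
    proto: str
    local: str       # instance address
    remote: str      # peer address
    kind: str = ""   # ICMP message kind; empty for other protocols
    ident: int = 0   # ICMP echo identifier

@dataclass
class StatefulGroup:
    egress_rules: set = field(default_factory=set)   # protocols allowed out
    ingress_rules: set = field(default_factory=set)  # protocols allowed in
    flows: dict = field(default_factory=dict)        # flow key -> opening packet

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.local, p.remote, p.ident)
        opener = self.flows.get(key)
        if opener is not None:
            same_way = p.direction == opener.direction and p.kind == opener.kind
            reply = (p.direction != opener.direction
                     and p.kind == REPLY_KIND.get(opener.kind, opener.kind))
            if same_way or reply:
                return "ACCEPT (established)"   # rules are not consulted
        rules = self.egress_rules if p.direction == "egress" else self.ingress_rules
        if p.proto in rules:
            self.flows.setdefault(key, p)       # start tracking a new flow
            return "ACCEPT (new)"
        return "DROP"

def demo():
    # Constructed sample traffic; addresses and identifiers are made up.
    sg = StatefulGroup(egress_rules={"icmp"})   # no ingress rules at all
    a, b = "10.0.0.5", "10.0.1.7"
    packets = [
        Packet("ingress", "icmp", a, b, "echo-reply", 42),    # reply with no request
        Packet("egress", "icmp", a, b, "echo-request", 42),   # instance pings peer
        Packet("ingress", "icmp", a, b, "echo-reply", 42),    # matching reply
        Packet("ingress", "icmp", a, b, "echo-request", 42),  # peer pings instance
        Packet("ingress", "icmp", a, b, "echo-reply", 99),    # wrong identifier
    ]
    return [sg.decide(p) for p in packets]

if __name__ == "__main__":
    print(demo())
```

Only the reply that matches a tracked outbound echo request is accepted; the unsolicited request and the mismatched replies still need an ingress rule.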