[openstack-dev] [neutron] - Changing the Neutron default security group rules

Sean M. Collins sean at coreitpro.com
Wed Mar 2 21:33:26 UTC 2016


Clark Boylan wrote:
> On Wed, Mar 2, 2016, at 09:38 AM, Sean M. Collins wrote:
> > Kevin Benton wrote:
> > > * Neutron cannot be trusted to do what it says it's doing with the security
> > > groups API so users want to orchestrate firewalls directly on their
> > > instances.
> > 
> > This one really rubs me the wrong way. Can we please get a better
> > description of the bug - instead of someone just saying that Neutron
> > doesn't work, therefore we don't want any filtering or security for our
> > instances using an API?
> 
> Sure. There are two ways this manifests. The first is that there have
> been bugs in security groups where traffic is passed despite being told
> not to pass that traffic. This has been treated as a bug in the past and
> corrected which is great so this particular instance of the issue is
> less worrisome.

So as Kevin stated, there do not appear to be any known bugs where
traffic is passed despite being disallowed. If this were the case, I
assure you, this would be treated as a serious issue and fixed quickly.
If you are experiencing this issue, please open a bug and help us
address it.

We can't make serious policy decisions based on rumors and hearsay about
how Neutron doesn't work correctly.

> The second is that I will explicitly tell neutron to
> pass traffic but for whatever reason that traffic ends up being blocked
> anyways. One concrete example of this is the infra team has had to stop
> using GRE because at least two of our clouds do not pass GRE traffic
> despite having explicit "pass all ipv4 and all ipv6 between all possible
> addresses rules".

Are we certain that Neutron is the culprit? If so, please, open a bug
and help us track this down.

-- 
Sean M. Collins
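The thread's concrete case is a group with "pass all IPv4 and all IPv6 between all addresses" rules that still appeared to drop GRE. Before filing the bug Sean asks for, it is worth confirming on paper that the rule set actually permits protocol 47, since a group that only opens tcp/udp/icmp will drop GRE by design. The evaluator below is an added example written for this page, not Neutron's code: the rule dicts reuse the Neutron security-group-rule field names (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix), the two rule sets and the packets are constructed, and remote_group_id and conntrack state are deliberately not modelled.

```python
"""Evaluate constructed packets against Neutron-style security group rules.

Added example, not Neutron's own implementation. Rules use the field names
of the Neutron security-group-rule API; the packet model and both rule sets
below are constructed for illustration.
"""
import ipaddress

# IANA protocol numbers for the names Neutron accepts in the 'protocol' field.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "ipv6-icmp": 58}


def proto_number(value):
    """Normalise a rule's 'protocol' (None, a name, or a number) to an int or None."""
    if value is None:
        return None
    text = str(value).lower()
    if text in PROTO_NUMBERS:
        return PROTO_NUMBERS[text]
    return int(text)


def rule_matches(rule, pkt):
    """Return True if this single rule permits the packet.

    Security group rules are an allow-list: a rule can only permit traffic,
    so a packet passes if any rule matches and is dropped otherwise.
    """
    if rule["direction"] != pkt["direction"]:
        return False
    remote = ipaddress.ip_address(pkt["remote_ip"])
    if rule["ethertype"] != ("IPv6" if remote.version == 6 else "IPv4"):
        return False
    rule_proto = proto_number(rule.get("protocol"))
    if rule_proto is not None and rule_proto != pkt["protocol"]:
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None or hi is not None:
        port = pkt.get("port")
        if port is None:
            # GRE (protocol 47) carries no ports, so a port-scoped rule such
            # as "tcp 22-22" can never be the rule that lets it through.
            return False
        if (lo is not None and port < lo) or (hi is not None and port > hi):
            return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is not None and remote not in ipaddress.ip_network(prefix, strict=False):
        return False
    return True


def matching_rules(rules, pkt):
    """All rules that would permit the packet; an empty list means it is dropped."""
    return [r for r in rules if rule_matches(r, pkt)]


def permitted(rules, pkt):
    return bool(matching_rules(rules, pkt))


def _rule(direction, ethertype, protocol=None, port=None, remote=None):
    """Helper for the constructed data: a rule dict with Neutron's field names."""
    return {
        "direction": direction,
        "ethertype": ethertype,
        "protocol": protocol,
        "port_range_min": port,
        "port_range_max": port,
        "remote_ip_prefix": remote,
    }


# Constructed rule set 1: the "pass all IPv4 and all IPv6 between all addresses"
# configuration described in the thread (both directions, no protocol limit).
ALLOW_ALL_RULES = [
    _rule("ingress", "IPv4", remote="0.0.0.0/0"),
    _rule("egress", "IPv4", remote="0.0.0.0/0"),
    _rule("ingress", "IPv6", remote="::/0"),
    _rule("egress", "IPv6", remote="::/0"),
]

# Constructed rule set 2: a typical "ssh, ping and DNS" group. It has no rule
# without a protocol, so anything that is not tcp/udp/icmp is dropped.
SERVICE_RULES = [
    _rule("ingress", "IPv4", protocol="tcp", port=22, remote="0.0.0.0/0"),
    _rule("ingress", "IPv4", protocol="icmp", remote="0.0.0.0/0"),
    _rule("ingress", "IPv4", protocol="udp", port=53, remote="10.0.0.0/24"),
    _rule("egress", "IPv4", remote="0.0.0.0/0"),
]

# Constructed packets: an inbound GRE packet from a tunnel peer, its IPv6
# counterpart, and an inbound ssh connection for comparison.
GRE_V4_IN = {"direction": "ingress", "remote_ip": "10.0.0.5", "protocol": 47, "port": None}
GRE_V6_IN = {"direction": "ingress", "remote_ip": "2001:db8::5", "protocol": 47, "port": None}
SSH_IN = {"direction": "ingress", "remote_ip": "198.51.100.7", "protocol": 6, "port": 22}


if __name__ == "__main__":
    for name, rules in (("allow-all", ALLOW_ALL_RULES), ("service", SERVICE_RULES)):
        for label, pkt in (("GRE/IPv4", GRE_V4_IN), ("GRE/IPv6", GRE_V6_IN), ("ssh", SSH_IN)):
            verdict = "pass" if permitted(rules, pkt) else "drop"
            print(f"{name:9} {label:9} -> {verdict}")
```

If the allow-all set passes GRE here but the instance still sees nothing, the rules are not the explanation and the problem sits elsewhere (the hypervisor's firewall driver, the provider network, or the cloud's own fabric), which is the kind of narrowing a useful bug report needs.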
