[Ussuri][neutron] How to accomplish what allow_same_net_traffic did

Eugen Block eblock at nde.ag
Tue May 4 08:29:46 UTC 2021


Hi,

> I don't know about this option TBH but from the quick search it looks to me
> that it's Nova's option. So you are probably using nova-network
> still. Is that correct?

I should have mentioned that we did switch from nova-network to  
neutron a couple of releases ago. We just noticed recently that the  
cross-project traffic was not filtered anymore.

> If yes, I think You need to migrate to Neutron in newer versions and
> in Neutron each "default" SG has got a rule to allow ingress traffic from all
> other ports which use the same SG.
> If that will not help You, I think that You will need to add Your own
> rules to Your SGs to achieve that.

That is my impression at the moment, too. If there's no easier way  
we'll have to adjust our SGs.

Thanks!
Eugen


Zitat von Slawek Kaplonski <skaplons at redhat.com>:

> Hi,
>
> Dnia wtorek, 4 maja 2021 09:40:31 CEST Eugen Block pisze:
>> Hi *,
>>
>> I was wondering how other operators deal with this. Our cloud started
>> somewhere in Kilo or Liberty version and in older versions the option
>> allow_same_net_traffic allowed to control whether instances in our
>> shared network could connect to each other between different projects.
>> That option worked for us but is now deprecated and the Pike release
>> notes [1] state:
>> > Given that there are other better documented and better tested ways
>> > to approach this, such as through use of neutron’s native port
>> > filtering or security groups, this functionality has been removed.
>> >
>> > Users should instead rely on one of these alternatives.
>>
>> Does that mean all security groups need to be changed in a way that
>> this specific shared network is not reachable? That would be a lot of
>> work if you have many projects. Is there any easier way?
>>
>> Regards,
>> Eugen
>>
>> [1] https://docs.openstack.org/releasenotes/nova/pike.html
>
> I don't know about this option TBH but from the quick search it looks to me
> that it's Nova's option. So you are probably using nova-network
> still. Is that
> correct? If yes, I think You need to migrate to Neutron in newer versions and
> in Neutron each "default" SG has got a rule to allow ingress traffic from all
> other ports which use the same SG.
> If that will not help You, I think that You will need to add Your own
> rules to Your
> SGs to achieve that.
>
> --
> Slawek Kaplonski
> Principal Software Engineer
> Red Hat
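The change Slawek suggests (rely on Neutron's remote-group semantics instead of the old Nova flag) is mechanical once you know which rules to touch: cross-project reachability on a shared network comes from ingress rules that name 0.0.0.0/0 (or no remote at all), not from the default remote-group rule, which already admits only ports in the same per-project SG. The script below, an added example that is not code from this thread or from OpenStack, finds such wide-open ingress rules in a security group and replaces them with same-group rules for the ports you pass. It assumes python-openstackclient (the `openstack security group rule` commands), jq on PATH, an authenticated OS_* environment, and the JSON column names "IP Range" and "Remote Security Group" that the client prints; the group name "web" and the ports are hypothetical, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenStack. Assumes
# python-openstackclient, jq, and OS_* credentials in the environment.
# Names such as "web" and the ports are hypothetical placeholders.
set -eu

# Print the command that allows ingress <proto>/<port> only from ports that are
# members of the same security group (Neutron's --remote-group semantics).
sg_same_group_rule_cmd() {
    sg=$1 proto=$2 port=$3
    printf 'openstack security group rule create --ingress --ethertype IPv4 --protocol %s --dst-port %s --remote-group %s %s' \
        "$proto" "$port" "$sg" "$sg"
}

# Print the command that allows ingress <proto>/<port> from one CIDR only,
# e.g. a project's own subnet, rather than from 0.0.0.0/0.
sg_cidr_rule_cmd() {
    sg=$1 proto=$2 port=$3 cidr=$4
    printf 'openstack security group rule create --ingress --ethertype IPv4 --protocol %s --dst-port %s --remote-ip %s %s' \
        "$proto" "$port" "$cidr" "$sg"
}

# A rule admits any source (other projects on the shared network included) when
# its remote prefix is 0.0.0.0/0 or ::/0, or when it names neither a remote
# prefix nor a remote security group. Returns 0 if wide open, 1 otherwise.
rule_is_wide_open() {
    ip_range=$1 remote_group=$2
    case "$ip_range" in
        0.0.0.0/0|::/0) return 0 ;;
    esac
    if [ -z "$ip_range" ] && [ -z "$remote_group" ]; then
        return 0
    fi
    return 1
}

# Print the IDs of the wide-open ingress rules of <sg>. The column names
# ("IP Range", "Remote Security Group") are the client's JSON keys (assumed).
list_wide_open_rules() {
    sg=$1
    openstack security group rule list "$sg" --ingress -f json \
    | jq -r '.[] | [.ID, (."IP Range" // ""), (."Remote Security Group" // "")] | @tsv' \
    | while IFS="$(printf '\t')" read -r id ip_range remote_group; do
          if rule_is_wide_open "$ip_range" "$remote_group"; then
              printf '%s\n' "$id"
          fi
      done
}

# Run a command line, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# Replace the wide-open ingress rules of <sg> with same-group rules for the
# given TCP ports, so instances only reach each other within the same SG.
restrict_sg() {
    sg=$1; shift
    for id in $(list_wide_open_rules "$sg"); do
        run "openstack security group rule delete $id"
    done
    for port in "$@"; do
        run "$(sg_same_group_rule_cmd "$sg" tcp "$port")"
    done
}

# Usage: DRY_RUN=1 sh restrict_sg.sh web 22 443
if [ $# -gt 0 ]; then
    restrict_sg "$@"
fi
```

Run it once per project with DRY_RUN=1 first and read the delete list: any rule that deliberately exposes a service to the world (a public SSH bastion, say) should be re-added afterwards with `sg_cidr_rule_cmd` scoped to the networks that need it instead of 0.0.0.0/0.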
