Bug 1109414

Summary: Doesn't seem possible to configure direction as part of security rule creation
Product: Red Hat OpenStack
Reporter: Matt Reid <mreid>
Component: openstack-nova
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED NOTABUG
QA Contact: Ami Jeain <ajeain>
Severity: high
Priority: unspecified
Version: 4.0
CC: ndipanov, sgordon, yeylon
Target Release: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-07-09 15:35:35 UTC
Type: Bug
Bug Blocks: 1099570

Description Matt Reid 2014-06-13 19:45:07 UTC
Description of problem:
Maybe I'm missing something, but when I was trying to set up some security rules through Horizon, had issues, and tried to switch to CLI, I couldn't figure out how to make an egress rule through nova secgroup-add-rule, everything was ingress, with no option to specify egress.

From the docs:
http://docs.openstack.org/cli-reference/content/novaclient_commands.html

nova secgroup-add-rule command

usage: nova secgroup-add-rule <secgroup> <ip-proto> <from-port> <to-port>
                              <cidr>

Add a rule to a security group.

Positional arguments

<secgroup>
    ID or name of security group.

<ip-proto>
    IP protocol (icmp, tcp, udp).

<from-port>
    Port at start of range.

<to-port>
    Port at end of range.

<cidr>
    CIDR for address range.

Shouldn't it be possible to specify an egress rule through the CLI? As part of the creation in Horizon, you pick EGRESS/INGRESS along with the other fields that the add-rule command lets you configure.

Comment 2 Russell Bryant 2014-07-09 15:35:35 UTC
If you were able to specify egress/ingress in Horizon, it means that your deployment was using Neutron instead of nova-network for networking.  Egress rules are only supported by Neutron.  The CLI command you were using intentionally only supports ingress.  To define egress rules from the CLI, you'll have to use the neutron CLI command, which talks directly to the Neutron API, instead of through Nova's API.
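
An added example, not part of the original bug report or of either client: a small shell helper that takes a rule in the `nova secgroup-add-rule` argument order plus a direction and prints the equivalent `neutron security-group-rule-create` call. The helper name `neutron_rule_cmd`, the security group name `web` and the sample CIDR are constructed for illustration; the helper only prints the command and never contacts an API.

```shell
# Added example: print (do not run) the neutron CLI call for a rule given in
# nova secgroup-add-rule argument order, with an explicit direction.
# neutron_rule_cmd is a hypothetical helper name, not part of either client.
neutron_rule_cmd() {
    if [ "$#" -ne 6 ]; then
        echo "usage: neutron_rule_cmd <ingress|egress> <secgroup> <ip-proto> <from-port> <to-port> <cidr>" >&2
        return 2
    fi
    direction=$1; secgroup=$2; proto=$3; from=$4; to=$5; cidr=$6

    case $direction in
        ingress|egress) ;;
        *) echo "direction must be ingress or egress" >&2; return 2 ;;
    esac
    case $proto in
        icmp|tcp|udp) ;;
        *) echo "ip-proto must be icmp, tcp or udp" >&2; return 2 ;;
    esac
    for p in "$from" "$to"; do
        case $p in
            -1) ;;
            ''|*[!0-9]*) echo "ports must be integers" >&2; return 2 ;;
        esac
    done

    ports=""
    if [ "$from" -eq -1 ] && [ "$to" -eq -1 ]; then
        # Helper convention: "-1 -1" (as used with nova for all ICMP) emits no port flags.
        :
    elif [ "$from" -eq -1 ] || [ "$to" -eq -1 ]; then
        echo "-1 must be given for both ports or neither" >&2; return 2
    else
        if [ "$proto" != icmp ]; then
            if [ "$from" -lt 1 ] || [ "$to" -gt 65535 ] || [ "$from" -gt "$to" ]; then
                echo "port range must satisfy 1 <= from <= to <= 65535" >&2; return 2
            fi
        fi
        # For icmp, neutron reads port-range-min/max as ICMP type/code.
        ports=" --port-range-min $from --port-range-max $to"
    fi

    printf 'neutron security-group-rule-create --direction %s --protocol %s%s --remote-ip-prefix %s %s\n' \
        "$direction" "$proto" "$ports" "$cidr" "$secgroup"
}

# Constructed sample: allow outbound HTTPS from members of group "web".
neutron_rule_cmd egress web tcp 443 443 0.0.0.0/0
```

For an egress rule, `--remote-ip-prefix` is the destination range the instances may reach; for ingress it is the permitted source range.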