Bug 1378459

Summary: [RFE] Allow deny rules on security groups
Product: Red Hat OpenStack
Reporter: Petr Barta <pbarta>
Component: openstack-neutron
Assignee: Assaf Muller <amuller>
Status: CLOSED WONTFIX
QA Contact: Toni Freger <tfreger>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0 (Kilo)
CC: amuller, chrisw, dhill, Egarciad, nyechiel, pablo.iranzo, pbarta, srevivo
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-06 08:54:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1381612

Description Petr Barta 2016-09-22 13:09:09 UTC
Description of problem:

Allow deny rules on security groups.

Use case:
If the customer creates, for example, a rule to allow incoming traffic to port 80, it's not possible to explicitly deny traffic from a specific network, and therefore the customer has to know all networks from which he wants to allow traffic, and modify the security group rules every time a new network is created.

The client wants to allow traffic by default to all networks, and create deny rules to explicitly deny traffic from some networks.

Useful as well when there is a network attack (hacking attempt, DoS) and the customer wants to block only the attacking IP.


The customer is aware of the FWaaS possibility, which allows creation of deny/reject rules, but as it is technology preview only, does not want to use it in a production environment; therefore this request for enhancement.

We have discussed as well the possibility to filter traffic on the instance's side (using, for example, iptables/firewalld at the OS level), but this is feasible as the security team can be separate from the instances' administrator team, and therefore the security team does not have access to the OS on the instances.


Actual results:

Not possible to create "deny" security group rules.

Expected results:

Ability to create "allow" and/or "deny" security group rules, to block unwanted traffic, rather than having to list all traffic which is allowed to come in.

Additional info:

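As an added illustration of the allow-list-only limitation described above (this is not code from the bug report or from the OpenStack project): with no deny rule available, "allow port 80 from everywhere except these networks" has to be expressed as the set of CIDRs covering the complement of the excluded networks. The helper below computes that complement with the standard `ipaddress` module and renders one `openstack security group rule create` command per surviving CIDR; the group name `web-sg` and the blocked prefixes are constructed sample values.

```python
import ipaddress

# Added example, not part of the bug report. OpenStack security groups are
# allow-list only, so the complement of the denied networks must be enumerated.

def complement_cidrs(allowed, denied):
    """Return disjoint networks covering `allowed` minus every network in `denied`.

    Denied entries of a different IP version than `allowed` are ignored.
    """
    remaining = [ipaddress.ip_network(allowed, strict=False)]
    for entry in denied:
        deny = ipaddress.ip_network(entry, strict=False)
        kept = []
        for net in remaining:
            if net.version != deny.version:
                kept.append(net)            # IPv4 and IPv6 never overlap
            elif net.subnet_of(deny):
                continue                    # whole block is denied, drop it
            elif deny.subnet_of(net):
                kept.extend(net.address_exclude(deny))  # carve the hole out
            else:
                kept.append(net)            # no overlap, keep unchanged
        remaining = kept
    return sorted(remaining, key=lambda n: (n.version, int(n.network_address)))

def allow_rule_commands(group, port, denied, allowed="0.0.0.0/0"):
    """Build one ingress TCP allow rule per surviving CIDR (returned, not executed)."""
    return [
        f"openstack security group rule create --ingress --protocol tcp "
        f"--dst-port {port} --remote-ip {net} {group}"
        for net in complement_cidrs(allowed, denied)
    ]

def is_allowed(cidrs, address):
    """True if `address` would match at least one of the computed allow rules."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in cidrs if net.version == ip.version)

if __name__ == "__main__":
    # Constructed sample: web traffic from anywhere except two blocked prefixes.
    blocked = ["10.5.0.0/16", "203.0.113.0/24"]
    for cmd in allow_rule_commands("web-sg", 80, blocked):
        print(cmd)
```

Every newly blocked network changes the whole rule set, which is exactly the maintenance burden the report describes; a single deny rule would replace the entire list.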
Comment 9 RHEL Program Management 2016-10-06 08:54:58 UTC
Product Management has reviewed and declined this request.
You may appeal this decision by reopening this request.