Bug 1258455 - [RFE][neutron]: Enable setting default rules for default security group
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 7.0 (Kilo)
Priority: low
Severity: unspecified
Assigned To: Assaf Muller
QA Contact: Toni Freger
Whiteboard: upstream_milestone_none upstream_defi...
Keywords: FutureFeature
Duplicates: 886303
Reported: 2015-08-31 08:25 EDT by Pablo Iranzo Gómez
Modified: 2018-03-17 19:41 EDT

Doc Type: Enhancement
Last Closed: 2018-03-17 19:41:28 EDT
Type: Bug


External Tracker: Launchpad 1592000 (priority, status and summary not set; last updated 2016-06-14 07:32 EDT)

Description Pablo Iranzo Gómez 2015-08-31 08:25:52 EDT
Request to include https://blueprints.launchpad.net/neutron/+spec/default-rules-for-default-security-group.


We already have this feature in nova when using nova as the security driver implementation, providing a hook mechanism to add customized rules when creating default security groups, so that we don't have to remind users to modify the default security group the first time they create instances.

But this feature has been lost when neutron is used. It is worthwhile for this useful feature to be reimplemented in neutron.

The customer wants to be able to define the default SG set when creating new tenants.
Comment 4 Nir Yechiel 2015-09-24 06:57:52 EDT
Can you please clarify the use-case for this request?

Note that the ML2 port-security extension was added in RHEL OpenStack Platform 7. This allows disabling the security-group feature (including the anti-spoofing rules) on a per-port basis, so that customers should be able to deploy VNF applications inside VMs without interruption from Neutron. I am not sure if this helps here or not.
Comment 5 Pablo Iranzo Gómez 2015-10-14 04:02:20 EDT
Hi Nir,

As discussed with Sadique, this is for allowing the modification of the rules that are in place when a new security group is created.

The customer is interested in OSP reseller functionality and wants to be able to define the default rules to be created on each new SG defined.

Comment 6 Assaf Muller 2016-04-11 20:19:30 EDT
*** Bug 886303 has been marked as a duplicate of this bug. ***
Comment 13 Ihar Hrachyshka 2017-08-11 14:57:20 EDT
To give context here, the feature was extensively discussed in the upstream community for a long time, and the decision there is that it's impossible to implement the feature in a backwards-compatible way for security groups, which are an established API for which existing users have behavioral assumptions (including the fact that the default behavior allows outgoing connections). The suggestion from the upstream drivers (design) team is to explore an alternative API for that matter, e.g. building it on top of the fwaas-v2 API, which is still experimental.

Realistically, to get the feature implemented and supported in OSP, a significant amount of engineering work is expected, including first helping the fwaas community to build fwaas-v2 as a viable alternative to fwaas-v1 (v2 is still experimental and incomplete, and there is no clear ETA as to when it will mature).
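With the RFE closed, an operator who still needs per-tenant default rules has to apply them to each new project's "default" group after the project is created. The following is an added example for this page, not code from the bug report, from Neutron or from the linked blueprint: it plans the rule deletions and additions that bring a project's default group to a desired rule set, and flags any plan that removes the allow-all egress rules, since comment 13 points out that existing users assume the default group permits outbound traffic. Rule fields follow the Neutron security-group-rule resource; the sample desired policy and the group id placeholder are constructed, and the rendered commands assume the options of python-openstackclient's `openstack security group rule create`.

```python
"""Plan edits to a project's default security group and flag changes that
alter Neutron's default egress behaviour.

Added example, not Neutron code. Rules are modelled after the Neutron
security-group-rule resource fields (direction, ethertype, protocol,
port range, remote_ip_prefix, remote_group_id). No API calls are made:
the rule sets below are constructed sample data, and the rendered CLI
lines assume python-openstackclient's option names.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

SELF = "self"  # stands in for remote_group_id == the group's own id


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str                      # "IPv4" or "IPv6"
    protocol: Optional[str] = None      # None: any protocol
    port_min: Optional[int] = None      # None: any port
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None
    remote_group: Optional[str] = None  # SELF or another group id

    def is_allow_all_egress(self) -> bool:
        return (self.direction == "egress" and self.protocol is None
                and self.remote_ip_prefix is None and self.remote_group is None)


def neutron_default_rules() -> FrozenSet[Rule]:
    """The rules Neutron creates in every new project's 'default' group:
    allow all egress, and allow ingress only from members of the group."""
    return frozenset({
        Rule("egress", "IPv4"),
        Rule("egress", "IPv6"),
        Rule("ingress", "IPv4", remote_group=SELF),
        Rule("ingress", "IPv6", remote_group=SELF),
    })


def plan_changes(current: Iterable[Rule], desired: Iterable[Rule]
                 ) -> Tuple[FrozenSet[Rule], FrozenSet[Rule]]:
    """Return (to_delete, to_add): the minimal edits turning current into desired."""
    cur, want = frozenset(current), frozenset(desired)
    return cur - want, want - cur


def egress_regressions(current: Iterable[Rule], desired: Iterable[Rule]) -> List[str]:
    """Ethertypes whose allow-all egress rule the plan removes without replacement.
    Comment 13 notes users assume the default group lets outbound traffic through,
    so a tenant bootstrap that silently drops that rule breaks that assumption."""
    cur_all = {r.ethertype for r in current if r.is_allow_all_egress()}
    want_all = {r.ethertype for r in desired if r.is_allow_all_egress()}
    return sorted(cur_all - want_all)


def render_create(rule: Rule, group_id: str) -> str:
    """Render one rule as an `openstack security group rule create` command.
    The group is referenced by id because every project has a group named 'default'."""
    parts = ["openstack security group rule create",
             f"--{rule.direction}", f"--ethertype {rule.ethertype}"]
    if rule.protocol:
        parts.append(f"--protocol {rule.protocol}")
    if rule.port_min is not None:
        parts.append(f"--dst-port {rule.port_min}:{rule.port_max or rule.port_min}")
    if rule.remote_ip_prefix:
        parts.append(f"--remote-ip {rule.remote_ip_prefix}")
    if rule.remote_group:
        remote = group_id if rule.remote_group == SELF else rule.remote_group
        parts.append(f"--remote-group {remote}")
    parts.append(group_id)
    return " ".join(parts)


# Constructed sample policy: keep Neutron's defaults, add SSH and ICMP from a
# management prefix, and (deliberately) drop IPv6 egress so the check fires.
SAMPLE_DESIRED = frozenset({
    Rule("egress", "IPv4"),
    Rule("ingress", "IPv4", remote_group=SELF),
    Rule("ingress", "IPv6", remote_group=SELF),
    Rule("ingress", "IPv4", "tcp", 22, 22, remote_ip_prefix="10.0.0.0/24"),
    Rule("ingress", "IPv4", "icmp", remote_ip_prefix="10.0.0.0/24"),
})


def main() -> None:
    current = neutron_default_rules()
    to_delete, to_add = plan_changes(current, SAMPLE_DESIRED)
    for ethertype in egress_regressions(current, SAMPLE_DESIRED):
        print(f"WARNING: plan removes allow-all {ethertype} egress")
    for r in sorted(to_delete, key=repr):
        print(f"delete: {r}")  # deletion needs the rule id from `rule list`
    for r in sorted(to_add, key=repr):
        print(render_create(r, "<default-sg-id>"))


if __name__ == "__main__":
    main()
```

Run against the sample policy, the planner reports one deletion (IPv6 egress), two additions, and a warning that the IPv6 allow-all egress rule is being removed; the operator can then decide whether that is intended before touching the tenant's group.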
Comment 16 Nir Yechiel 2018-03-17 19:41:28 EDT
Closing this RFE based on comment #13 above.
