Clark Boylan wrote:
> On Wed, Mar 2, 2016, at 09:38 AM, Sean M. Collins wrote:
> > Kevin Benton wrote:
> > > * Neutron cannot be trusted to do what it says it's doing with the
> > >   security groups API so users want to orchestrate firewalls directly
> > >   on their instances.
> >
> > This one really rubs me the wrong way. Can we please get a better
> > description of the bug - instead of someone just saying that Neutron
> > doesn't work, therefore we don't want any filtering or security for our
> > instances using an API?
>
> Sure. There are two ways this manifests. The first is that there have
> been bugs in security groups where traffic is passed despite being told
> not to pass that traffic. This has been treated as a bug in the past and
> corrected which is great so this particular instance of the issue is
> less worrisome.

So as Kevin stated, there do not appear to be any known bugs where
traffic is passed despite being disallowed. If this were the case, I
assure you, this would be treated as a serious issue and fixed quickly.
If you are experiencing this issue, please open a bug and help us
address it. We can't make serious policy decisions based on rumors and
hearsay about how Neutron doesn't work correctly.

> The second is that I will explicitly tell neutron to
> pass traffic but for whatever reason that traffic ends up being blocked
> anyways. One concrete example of this is the infra team has had to stop
> using GRE because at least two of our clouds do not pass GRE traffic
> despite having explicit "pass all ipv4 and all ipv6 between all possible
> addresses rules".

Are we certain that Neutron is the culprit? If so, please, open a bug
and help us track this down.

-- 
Sean M. Collins
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
