Merge "Default SG rules template - Update related docs and add release note"
commit 1bb9fe1b21
@ -234,12 +234,17 @@ or more security groups in an additive fashion. The firewall driver
translates security group rules to a configuration for the underlying packet
filtering technology such as ``iptables``.

Each project contains a ``default`` security group that allows all egress
traffic and denies all ingress traffic. You can change the rules in the
``default`` security group. If you launch an instance without specifying a
security group, the ``default`` security group automatically applies to it.
Similarly, if you create a port without specifying a security group, the
``default`` security group automatically applies to it.
Each project contains a ``default`` security group that by default allows all
egress traffic and denies all ingress traffic. You can change the rules in the
``default`` security group. Admin user can also define own set of security group
rules which will be added by default to each new ``default`` and each new non
default (custom) security group created for every project in the cloud. There is
``security-group-default-rules`` API extension which allows to define such own
set of the default security group rules.
If you launch an instance without specifying a security group, the ``default``
security group automatically applies to it. Similarly, if you create a port
without specifying a security group, the ``default`` security group
automatically applies to it.

.. note::

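Review bot: the new sentence "by default allows all egress traffic and denies all ingress traffic" contradicts the release note added in this same change, which says the upgrade seeds a rule allowing all ingress IPv4 and IPv6 traffic from the same security group for every project's ``default`` group; the paragraph should state that members of the ``default`` group can reach each other, otherwise operators reading only this page will assume a stricter baseline than they actually get. The added admin text also needs a grammar pass: "Admin user can also define own set of security group rules which will be added by default to each new ``default`` and each new non default (custom) security group" reads better as "An administrator can also define a custom set of security group rules that is added automatically to every new ``default`` and every new non-default (custom) security group", and "There is ``security-group-default-rules`` API extension which allows to define such own set" should be "The ``security-group-default-rules`` API extension lets an administrator define that set". Since these template rules land in every project's groups, consider adding one sentence warning that a permissive template rule (for example, allowing all ingress) lowers the security baseline cloud-wide, and that the template only affects groups created after it is defined.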
@ -278,6 +283,10 @@ anti-spoofing rules that perform the following actions:
instance and any additional MAC addresses in ``allowed-address-pairs`` on
the port for the instance.

Those rules mentioned above are added automatically by neutron and cannot be
changed using ``default security group rules`` API provided by the
``security-group-default-rules`` extensions.

Although non-IP traffic, security groups do not implicitly allow all ARP
traffic. Separate ARP filtering rules prevent instances from using ARP
to intercept traffic for another instance. You cannot disable or remove
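Review bot: the inline literal ``default security group rules`` in the added paragraph is not an identifier (it contains spaces), and "extensions" should be singular; rewrite as "The rules listed above are added automatically by Neutron and cannot be changed through the default security group rules API provided by the ``security-group-default-rules`` extension." This is the security-relevant guarantee of the whole feature, so it is worth being explicit that the anti-spoofing and ARP filtering rules are enforced on every port regardless of what the administrator puts in, or removes from, the default rules template.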
@ -0,0 +1,23 @@
---
features:
- |
New API which allows to define own set of the security group rules used
automatically in every new ``default`` and/or custom security group created
for projects.
upgrade:
- |
During upgrade process set of 4 default security group rules will be created
in the Neutron database. Those rules are the same as default rules added to
every new security group up to now:

* rule to allow all egress IPv4 traffic (for all default and custom
Security groups),
* rule to allow all egress IPv6 traffic (for all default and custom
Security groups),
* rule to allow all ingress IPv4 traffic from the same security group
(for default security group in each project),
* rule to allow all ingress IPv6 traffic from the same security group
(for default security group in each project).

Those rules can now be modified by cloud administrator using
``default-security-group-rules`` API.
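Review bot: the release note names the API ``default-security-group-rules`` while both documentation hunks call the extension ``security-group-default-rules``; pick one name, or state which is the extension alias and which is the API resource, so that an operator can find the endpoint from either page. The wording also needs tightening: "New API which allows to define own set of the security group rules" should be "New API that allows an administrator to define a custom set of security group rules", and "During upgrade process set of 4 default security group rules will be created" should be "During the upgrade, a set of four default security group rules is created"; "Security groups" is capitalised inconsistently with the rest of the list. Since the feature text says the template applies to every *new* group, the upgrade section should also say explicitly that existing security groups are not modified by the migration, which is the question every operator will ask before upgrading.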