| Jon Perritt | af5e28c | 2015-03-06 13:09:49 -0700 | [diff] [blame^] | 1 | // Package security contains functionality to work with security group and |
| 2 | // security group rules Neutron resources. |
| 3 | // |
| 4 | // Security groups and security group rules allows administrators and tenants |
| 5 | // the ability to specify the type of traffic and direction (ingress/egress) |
| 6 | // that is allowed to pass through a port. A security group is a container for |
| 7 | // security group rules. |
| 8 | // |
| 9 | // When a port is created in Networking it is associated with a security group. |
| 10 | // If a security group is not specified the port is associated with a 'default' |
| 11 | // security group. By default, this group drops all ingress traffic and allows |
| 12 | // all egress. Rules can be added to this group in order to change the behaviour. |
| 13 | // |
| 14 | // The basic characteristics of Neutron Security Groups are: |
| 15 | // |
| 16 | // For ingress traffic (to an instance) |
| 17 | // - Only traffic matched with security group rules are allowed. |
| 18 | // - When there is no rule defined, all traffic are dropped. |
| 19 | // |
| 20 | // For egress traffic (from an instance) |
| 21 | // - Only traffic matched with security group rules are allowed. |
| 22 | // - When there is no rule defined, all egress traffic are dropped. |
| 23 | // - When a new security group is created, rules to allow all egress traffic |
| 24 | // are automatically added. |
| 25 | // |
| 26 | // "default security group" is defined for each tenant. |
| 27 | // - For the default security group a rule which allows intercommunication |
| 28 | // among hosts associated with the default security group is defined by default. |
| 29 | // - As a result, all egress traffic and intercommunication in the default |
| 30 | // group are allowed and all ingress from outside of the default group is |
| 31 | // dropped by default (in the default security group). |
| 32 | package security |