api-ref: describe which protocols are enabled for stateless SG

This behavior matches what ML2/OVS implementation does and what we intend to implement for ML2/OVN. More than that, a decision was made during vPTG to make the behavior part of api-ref to facilitate cross-backend consistency. Related-Bug: #2006949 Related-Bug: #2009053 Change-Id: Ic633eedd9f0d320d9ad0c27a72f07b1b016d7ba3
2023-03-29 16:22:36 -04:00 · 2023-03-29 16:22:36 -04:00 · 8337580561
commit 8337580561
parent eeec3633b9
1 changed files with 8 additions and 0 deletions
--- a/api-ref/source/v2/security-groups.inc
+++ b/api-ref/source/v2/security-groups.inc
@ -39,6 +39,14 @@ The existing security groups will all be considered as stateful. Update of the
 ``stateful`` attribute is allowed when there is no port associated with the
 security group.

+Regardless of rules defined for a stateless security group, the following
+protocols are expected to work: ARP, DHCP, IPv6 SLAAC / DHCPv6 stateless
+address configuration, IPv6 Router and Neighbour Discovery.
+
+Note: metadata service is not enabled by default. If your workload requires
+metadata for configuration, make sure to create a security group rule that
+would allow HTTP replies from the metadata service IP address / port pair.
+
 Shared filtering extension
 ==========================