969e6abd20
When adding a security group rule, if no IP address is given we will use '0.0.0.0/0', but if the ethertype is IPv6 we will leave it as None. Change this to be '::/0' to match what we do for IPv4 - use the "any" address. The neutron server treats them both the same when checking for duplicates. Because there are most likely entries in the DB using None for the IP, print them as '0.0.0.0/0' or '::/0' so it is more obvious what address they are actually referring to. Also change to display the Ethertype column by default instead of with --long, since easily knowing IPv4 or IPv6 is useful. Change-Id: Ic396fc23caa66b6b0034c5d30b27c6ed499de5a6 Closes-bug: #1735575
201 lines
4.4 KiB
ReStructuredText
201 lines
4.4 KiB
ReStructuredText
===================
|
|
security group rule
|
|
===================
|
|
|
|
A **security group rule** specifies the network access rules for servers
|
|
and other resources on the network.
|
|
|
|
Compute v2, Network v2
|
|
|
|
security group rule create
|
|
--------------------------
|
|
|
|
Create a new security group rule
|
|
|
|
.. program:: security group rule create
|
|
.. code:: bash
|
|
|
|
openstack security group rule create
|
|
[--remote-ip <ip-address> | --remote-group <group>]
|
|
[--dst-port <port-range> | [--icmp-type <icmp-type> [--icmp-code <icmp-code>]]]
|
|
[--protocol <protocol>]
|
|
[--ingress | --egress]
|
|
[--ethertype <ethertype>]
|
|
[--project <project> [--project-domain <project-domain>]]
|
|
[--description <description>]
|
|
<group>
|
|
|
|
.. option:: --remote-ip <ip-address>
|
|
|
|
Remote IP address block (may use CIDR notation;
|
|
default for IPv4 rule: 0.0.0.0/0,
|
|
default for IPv6 rule: ::/0)
|
|
|
|
.. option:: --remote-group <group>
|
|
|
|
Remote security group (name or ID)
|
|
|
|
.. option:: --dst-port <port-range>
|
|
|
|
Destination port, may be a single port or a starting and
|
|
ending port range: 137:139. Required for IP protocols TCP
|
|
and UDP. Ignored for ICMP IP protocols.
|
|
|
|
.. option:: --icmp-type <icmp-type>
|
|
|
|
ICMP type for ICMP IP protocols
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --icmp-code <icmp-code>
|
|
|
|
ICMP code for ICMP IP protocols
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --protocol <protocol>
|
|
|
|
IP protocol (icmp, tcp, udp; default: tcp)
|
|
|
|
*Compute version 2*
|
|
|
|
IP protocol (ah, dccp, egp, esp, gre, icmp, igmp,
|
|
ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,
|
|
ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp,
|
|
udp, udplite, vrrp and integer representations [0-255]
|
|
or any; default: any (all protocols))
|
|
|
|
*Network version 2*
|
|
|
|
.. option:: --ingress
|
|
|
|
Rule applies to incoming network traffic (default)
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --egress
|
|
|
|
Rule applies to outgoing network traffic
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --ethertype <ethertype>
|
|
|
|
Ethertype of network traffic
|
|
(IPv4, IPv6; default: based on IP protocol)
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --project <project>
|
|
|
|
Owner's project (name or ID)
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --project-domain <project-domain>
|
|
|
|
Domain the project belongs to (name or ID).
|
|
This can be used in case collisions between project names exist.
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --description <description>
|
|
|
|
Set security group rule description
|
|
|
|
*Network version 2 only*
|
|
|
|
.. describe:: <group>
|
|
|
|
Create rule in this security group (name or ID)
|
|
|
|
security group rule delete
|
|
--------------------------
|
|
|
|
Delete security group rule(s)
|
|
|
|
.. program:: security group rule delete
|
|
.. code:: bash
|
|
|
|
openstack security group rule delete
|
|
<rule> [<rule> ...]
|
|
|
|
.. describe:: <rule>
|
|
|
|
Security group rule(s) to delete (ID only)
|
|
|
|
security group rule list
|
|
------------------------
|
|
|
|
List security group rules
|
|
|
|
.. program:: security group rule list
|
|
.. code:: bash
|
|
|
|
openstack security group rule list
|
|
[--all-projects]
|
|
[--protocol <protocol>]
|
|
[--ethertype <ethertype>]
|
|
[--ingress | --egress]
|
|
[--long]
|
|
[<group>]
|
|
|
|
.. option:: --all-projects
|
|
|
|
Display information from all projects (admin only)
|
|
|
|
*Network version 2 ignores this option and will always display information*
|
|
*for all projects (admin only).*
|
|
|
|
.. option:: --long
|
|
|
|
List additional fields in output
|
|
|
|
*Compute version 2 does not have additional fields to display.*
|
|
|
|
.. option:: --protocol
|
|
|
|
List rules by the IP protocol (ah, dhcp, egp, esp, gre, icmp, igmp,
|
|
ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt,ipv6-opts, ipv6-route,
|
|
ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer
|
|
representations [0-255] or any; default: any (all protocols))
|
|
|
|
*Network version 2*
|
|
|
|
.. option:: --ethertype
|
|
|
|
List rules by the Ethertype (IPv4 or IPv6)
|
|
|
|
*Network version 2*
|
|
|
|
.. option:: --ingress
|
|
|
|
List rules applied to incoming network traffic
|
|
|
|
*Network version 2 only*
|
|
|
|
.. option:: --egress
|
|
|
|
List rules applied to outgoing network traffic
|
|
|
|
*Network version 2 only*
|
|
|
|
.. describe:: <group>
|
|
|
|
List all rules in this security group (name or ID)
|
|
|
|
security group rule show
|
|
------------------------
|
|
|
|
Display security group rule details
|
|
|
|
.. program:: security group rule show
|
|
.. code:: bash
|
|
|
|
openstack security group rule show
|
|
<rule>
|
|
|
|
.. describe:: <rule>
|
|
|
|
Security group rule to display (ID only)
|