A security group rule specifies the network access rules for servers and other resources on the network.
Compute v2, Network v2
Create a new security group rule
openstack security group rule create
[--remote-ip <ip-address> | --remote-group <group>]
[--dst-port <port-range>]
[--protocol <protocol>]
[--description <description>]
[--icmp-type <icmp-type>]
[--icmp-code <icmp-code>]
[--ingress | --egress]
[--ethertype <ethertype>]
[--project <project>]
[--project-domain <project-domain>]
<group>
--remote-ip
<ip-address>
¶Remote IP address block (may use CIDR notation; default for IPv4 rule: 0.0.0.0/0, default for IPv6 rule: ::/0)
--remote-group
<group>
¶Remote security group (name or ID)
--dst-port
<port-range>
¶Destination port, may be a single port or a starting and ending port range: 137:139. Required for IP protocols TCP and UDP. Ignored for ICMP IP protocols.
--protocol
<protocol>
¶IP protocol (ah, dccp, egp, esp, gre, icmp, igmp, ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer representations [0-255] or any; default: any (all protocols))
IP protocol (icmp, tcp, udp; default: tcp)
--description
<description>
¶Set security group rule description
Network version 2 only
--icmp-type
<icmp-type>
¶ICMP type for ICMP IP protocols
Network version 2 only
--icmp-code
<icmp-code>
¶ICMP code for ICMP IP protocols
Network version 2 only
--ingress
¶Rule applies to incoming network traffic (default)
Network version 2 only
--egress
¶Rule applies to outgoing network traffic
Network version 2 only
--ethertype
<ethertype>
¶Ethertype of network traffic (IPv4, IPv6; default: based on IP protocol)
Network version 2 only
--project
<project>
¶Owner’s project (name or ID)
Network version 2 only
--project-domain
<project-domain>
¶Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
Network version 2 only
group
¶Create rule in this security group (name or ID)
This command is provided by the python-openstackclient plugin.
Delete security group rule(s)
openstack security group rule delete <rule> [<rule> ...]
rule
¶Security group rule(s) to delete (ID only)
This command is provided by the python-openstackclient plugin.
List security group rules
openstack security group rule list
[--format-config-file FORMAT_CONFIG]
[--sort-column SORT_COLUMN]
[--protocol <protocol>]
[--ethertype <ethertype>]
[--ingress | --egress]
[--long]
[--all-projects]
[<group>]
--format-config-file
<FORMAT_CONFIG>
¶Config file for the dict-to-csv formatter
--sort-column
SORT_COLUMN
¶specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
--protocol
<protocol>
¶List rules by the IP protocol (ah, dhcp, egp, esp, gre, icmp, igmp, ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer representations [0-255] or any; default: any (all protocols))
Network version 2 only
--ethertype
<ethertype>
¶List rules by the Ethertype (IPv4 or IPv6)
Network version 2 only
--ingress
¶List rules applied to incoming network traffic
Network version 2 only
--egress
¶List rules applied to outgoing network traffic
Network version 2 only
--long
¶List additional fields in output
Network version 2 only
--all-projects
¶Display information from all projects (admin only)
Compute version 2 only
group
¶List all rules in this security group (name or ID)
This command is provided by the python-openstackclient plugin.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.