Security Group rules are enforced by Linux iptables rules at the compute host level.
I'm using DVR (distributed virtual routing) on Kilo; here are some rules dumped out
on a compute host:
sudo iptables -L
Chain neutron-openvswi-i76b78cbd-2 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- 192.168.51.2 anywhere udp spt:bootps dpt:bootpc
RETURN tcp -- anywhere anywhere tcp
RETURN udp -- anywhere anywhere udp
RETURN icmp -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */
Yes, you can create security group rules in a Heat orchestration template. Here is a brief example:
mysecurity_group:
  type: OS::Neutron::SecurityGroup
  properties:
    description: Neutron security group rules
    name: mysecurity_group
    rules:
      - remote_ip_prefix: 0.0.0.0/0
        protocol: tcp
        port_range_min: 0
        port_range_max: 65535
        direction: ingress
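The Heat rule above opens every TCP port to 0.0.0.0/0, and the `RETURN tcp -- anywhere anywhere tcp` line in the chain dump is what such a rule looks like once Neutron has rendered it on the compute host. The following added example (not OpenStack's or Heat's own code) audits both representations for that kind of exposure: it flags Heat ingress rules with a /0 source and a full port range, and parses an `iptables -L` dump to find RETURN rules in a per-port ingress chain that match a whole protocol with no port or conntrack-state qualifier. Both inputs are constructed samples taken from the text above.

```python
import ipaddress
import re

# Constructed sample: the ingress rule from the Heat template above plus a narrow one.
HEAT_RULES = [
    {"remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp",
     "port_range_min": 0, "port_range_max": 65535, "direction": "ingress"},
    {"remote_ip_prefix": "10.0.0.0/24", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "direction": "ingress"},
]

# Constructed sample: the per-port ingress chain dumped on the compute host above.
IPTABLES_DUMP = """\
Chain neutron-openvswi-i76b78cbd-2 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN udp -- 192.168.51.2 anywhere udp spt:bootps dpt:bootpc
RETURN tcp -- anywhere anywhere tcp
RETURN udp -- anywhere anywhere udp
RETURN icmp -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
neutron-openvswi-sg-fallback all -- anywhere anywhere
"""

def overly_broad_heat_rules(rules):
    """Ingress rules that open a protocol's full port range to every source address."""
    hits = []
    for r in rules:
        if r.get("direction", "ingress") != "ingress":
            continue
        net = ipaddress.ip_network(r.get("remote_ip_prefix") or "0.0.0.0/0")
        full_range = (r.get("port_range_min") in (None, 0, 1)
                      and r.get("port_range_max") in (None, 65535))
        if net.prefixlen == 0 and full_range:
            hits.append(r)
    return hits

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)(.*)$")

def unrestricted_iptables_rules(dump):
    """(chain, proto) for RETURN rules in a neutron-*-i<port> ingress chain that
    accept all of tcp or udp: no dpt:/spt: match and no conntrack state match."""
    hits, chain = [], None
    for line in dump.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # remember which chain we are in
            continue
        m = RULE_RE.match(line)
        if not m or chain is None or not re.match(r"neutron-[a-z]+-i", chain):
            continue                         # header line, or not an ingress chain
        target, proto, src, _dst, rest = m.groups()
        if (target == "RETURN" and proto in ("tcp", "udp") and src == "anywhere"
                and not re.search(r"dpt:|spt:|state ", rest)):
            hits.append((chain, proto))
    return hits
```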