It's kinda ugly, if a user through API/Horizon thinks they've isolated a host, it should be isolated…
I smell an OSSN here...

On 26/06/2014 17:57, "Miguel Angel Ajo Pelayo" <mangel...@redhat.com> wrote:

>Yes, once a connection has passed the nat tables,
>and it's on the kernel connection tracker, it
>will keep working even if you remove the nat rule.
>
>Doing that would require manipulating the kernel
>connection tracking to kill that connection,
>I'm not familiar with that part of the linux network
>stack, not sure if it's possible, but that would be
>the perfect way. (kill nat connection on ext ip=float ip int_ip =
>internal ip)...
>
>----- Original Message -----
>> Hi folks,
>>
>> After we create an SSH connection to a VM via its floating ip, even though we
>> have removed the floating ip association, we can still access the VM via
>> that connection. Namely, SSH is not disconnected when the floating ip is not
>> valid. Any good solution about this security issue?
>>
>> Thanks
>> Xurong Yang
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
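
The connection-tracking behaviour discussed in this thread, as an added example that is not part of the original messages or of any OpenStack code: it parses `conntrack -L` output, picks the flows translated between a floating IP and an internal IP, and builds the `conntrack -D` command that removes each one. The listing and all addresses are constructed, and it assumes the conntrack-tools CLI is available on the host performing the NAT.

```python
import re
import shlex

# Constructed sample of `conntrack -L` output (documentation-range addresses).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=203.0.113.7 dst=198.51.100.20 sport=51514 dport=22 src=10.0.0.5 dst=203.0.113.7 sport=22 dport=51514 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=10.0.0.5 dst=192.0.2.80 sport=40000 dport=443 src=192.0.2.80 dst=198.51.100.20 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 86 TIME_WAIT src=203.0.113.9 dst=198.51.100.21 sport=50000 dport=80 src=10.0.0.6 dst=203.0.113.9 sport=80 dport=50000 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.6 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=198.51.100.21 sport=53 dport=5353 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Split one conntrack line into protocol, original tuple and reply tuple."""
    fields = FIELD.findall(line)
    if len(fields) < 8:  # e.g. ICMP entries carry no ports; skipped here
        return None
    return {"proto": line.split()[0],
            "orig": dict(fields[:4]), "reply": dict(fields[4:8])}

def stale_flows(listing, floating_ip, internal_ip):
    """Entries whose NAT mapping pairs floating_ip with internal_ip."""
    hits = []
    for line in listing.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        # DNAT (inbound): original dst is the floating IP, reply comes from the VM.
        inbound = e["orig"]["dst"] == floating_ip and e["reply"]["src"] == internal_ip
        # SNAT (outbound): VM is the original src, replies go to the floating IP.
        outbound = e["orig"]["src"] == internal_ip and e["reply"]["dst"] == floating_ip
        if inbound or outbound:
            hits.append(e)
    return hits

def delete_command(e):
    """conntrack -D invocation that removes exactly this flow."""
    o = e["orig"]
    return ["conntrack", "-D", "-p", e["proto"], "--orig-src", o["src"],
            "--orig-dst", o["dst"], "--sport", o["sport"], "--dport", o["dport"]]

if __name__ == "__main__":
    for entry in stale_flows(SAMPLE, "198.51.100.20", "10.0.0.5"):
        print(shlex.join(delete_command(entry)))
```

Matching on the reply tuple as well as the original one catches flows the VM opened outbound through the floating IP, which a filter on destination alone would miss.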