There is a bit more to it. The floating ip was dissociated, which means it should have been removed from the gateway device.

How long did the connection stay up? Was this a matter of the l3 agent getting a little behind and not processing the update for a while? Can you confirm that the floating ip was removed from the router's gateway device?

This isn't to say that we shouldn't explicitly cut connections in the connection tracker regardless of the answer to these questions.

Carl

On Jun 26, 2014 11:01 AM, "Miguel Angel Ajo Pelayo" <mangel...@redhat.com> wrote:
> Yes, once a connection has passed the nat tables,
> and it's on the kernel connection tracker, it
> will keep working even if you remove the nat rule.
>
> Doing that would require manipulating the kernel
> connection tracking to kill that connection.
> I'm not familiar with that part of the linux network
> stack, not sure if it's possible, but that would be
> the perfect way (kill nat connection on ext ip=float ip, int_ip = internal ip)...
>
> ----- Original Message -----
> > Hi folks,
> >
> > After we create an SSH connection to a VM via its floating ip, even though we
> > have removed the floating ip association, we can still access the VM via
> > that connection. Namely, SSH is not disconnected when the floating ip is not
> > valid. Any good solution about this security issue?
> >
> > Thanks
> > Xurong Yang
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
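The thread above describes the problem (a flow that passed the NAT rules survives in the kernel connection tracker after the rule is removed) and the fix Carl and Miguel are circling (explicitly killing those entries). The script below, written for this page as an illustration and not code from the thread or from Neutron, shows how that cut would look in practice: it parses `conntrack -L` output from a router namespace, picks out every flow whose NAT-facing side is the disassociated floating IP (original destination for inbound DNAT flows, reply destination for outbound SNAT flows), and builds the matching `conntrack -D` invocations. The conntrack lines are constructed sample data, the namespace name `qrouter-EXAMPLE` is a placeholder for the router's real namespace, and the script assumes the `conntrack` command from conntrack-tools is available on the network node.

```python
"""Flush conntrack state for a disassociated floating IP.

Added example, not Neutron's own code. Assumptions: the router lives in a
network namespace (placeholder name qrouter-EXAMPLE below) and the
`conntrack` CLI from conntrack-tools is installed on the host.
"""
import re
import subprocess

# Constructed sample of `conntrack -L` output inside a router namespace.
# Line 1: inbound SSH via DNAT, floating 203.0.113.50 -> fixed 10.0.0.5.
# Line 2: outbound HTTPS from the same VM via SNAT; the floating IP is the reply dst.
# Line 3: inbound SSH to a different floating IP; must be left alone.
# Line 4: VM-to-DNS traffic that never crossed the NAT at all.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.50 sport=51234 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=198.51.100.9 sport=40000 dport=443 src=198.51.100.9 dst=203.0.113.50 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.51 sport=51300 dport=22 src=10.0.0.6 dst=198.51.100.7 sport=22 dport=51300 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.2 sport=5353 dport=53 src=10.0.0.2 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack(output):
    """Split each conntrack line into protocol, original tuple and reply tuple.

    conntrack prints the original-direction tuple first and the reply tuple
    second, so the first src/dst/sport/dport go to 'orig', the repeats to 'reply'.
    """
    flows = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        orig, reply = {}, {}
        for key, value in re.findall(r"(\w+)=(\S+)", line):
            if key in TUPLE_KEYS:
                (reply if key in orig else orig)[key] = value
        flows.append({"proto": fields[0], "orig": orig, "reply": reply})
    return flows


def flows_for_floating_ip(flows, floating_ip):
    """A flow belongs to the floating IP if it is the original dst (inbound DNAT)
    or the reply dst (outbound SNAT); the fixed IP never appears on the NAT-facing side."""
    return [f for f in flows
            if f["orig"].get("dst") == floating_ip or f["reply"].get("dst") == floating_ip]


def delete_commands(flows, floating_ip, namespace):
    """Build one precise `conntrack -D` per surviving flow, keyed on its original tuple."""
    cmds = []
    for f in flows_for_floating_ip(flows, floating_ip):
        cmd = ["ip", "netns", "exec", namespace, "conntrack", "-D", "-p", f["proto"],
               "-s", f["orig"]["src"], "-d", f["orig"]["dst"]]
        if "sport" in f["orig"]:
            cmd += ["--sport", f["orig"]["sport"], "--dport", f["orig"]["dport"]]
        cmds.append(cmd)
    return cmds


def bulk_delete_commands(floating_ip, namespace):
    """Coarser alternative that needs no listing: drop every entry whose original
    dst (-d) or reply dst (-q) is the floating IP."""
    base = ["ip", "netns", "exec", namespace, "conntrack", "-D", "-f", "ipv4"]
    return [base + ["-d", floating_ip], base + ["-q", floating_ip]]


def flush_floating_ip(floating_ip, namespace, run=subprocess.run):
    """List live state in the namespace, then delete the flows tied to floating_ip.

    Needs root. `run` is injectable so the logic can be exercised without conntrack.
    A flow may expire between listing and deletion, so a failed delete is not fatal.
    """
    listing = run(["ip", "netns", "exec", namespace, "conntrack", "-L", "-f", "ipv4"],
                  capture_output=True, text=True, check=True).stdout
    cmds = delete_commands(parse_conntrack(listing), floating_ip, namespace)
    for cmd in cmds:
        run(cmd, check=False)
    return len(cmds)


if __name__ == "__main__":
    # Dry run on the constructed sample: print what would be executed.
    for c in delete_commands(parse_conntrack(SAMPLE_CONNTRACK), "203.0.113.50", "qrouter-EXAMPLE"):
        print(" ".join(c))
```

Before flushing, it is worth doing the check Carl asks for: `ip netns exec qrouter-<id> ip addr show` should no longer list the floating IP on the gateway interface, and `ip netns exec qrouter-<id> iptables -t nat -S` should no longer show its DNAT/SNAT rules. If both are gone and the SSH session still works, the connection tracker is the only thing keeping it alive, and it will keep doing so until the entry times out (the default `nf_conntrack_tcp_timeout_established` is 5 days, which is why the sample entry shows 431999 seconds remaining). The bulk `-d`/`-q` form is what you would run from an agent since it needs no listing step; the per-flow form is useful when you want to log exactly which sessions were cut.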