I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the floating IP goes away (search for clean_conntrack); Neutron doesn't when it removes the floating IP. Seems like it's possible to close most of that gap in the l3-agent - when it removes the IP from its qg- interface it can do a similar operation.

-Brian

On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:
> I believe this will affect nova-network as well. We probably should use
> something like the linux cutter utility to kill any ongoing connections
> after we remove the nat rule.
>
> Vish
>
> On Jun 25, 2014, at 8:18 PM, Xurong Yang <ido...@gmail.com> wrote:
>
>> Hi folks,
>>
>> After we create an SSH connection to a VM via its floating ip, even
>> though we have removed the floating ip association, we can still access
>> the VM via that connection. Namely, SSH is not disconnected when the
>> floating ip is not valid. Any good solution about this security issue?
>>
>> Thanks
>> Xurong Yang
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
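Brian's suggestion above, worked through as an added example that is not part of this thread and not Neutron's or nova-network's own code: a POSIX shell routine that an l3-agent hook or an operator could run in the router namespace right after the floating IP is unbound from the qg- interface. It assumes conntrack-tools is installed and root privileges; the extra `-D -s` deletion goes beyond the thread's `-D -r` and also drops connections the VM itself opened outbound through the SNAT rule.

```shell
#!/bin/sh
# Added example: flush NAT conntrack state for a VM's fixed IP once its
# floating IP association is gone, so established sessions that entered
# through the old floating IP stop being forwarded.
# Assumes conntrack-tools is installed and this runs as root inside the
# router namespace (e.g. via "ip netns exec qrouter-<id> ...").
set -eu

# Accept only a plain dotted-quad so the value is safe to hand to conntrack.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the conntrack deletions for the fixed IP in $1.
# -r matches the reply-source: inbound flows that were DNATed from the
#    floating IP to the VM (the stale SSH session from the thread).
# -s matches the original-source: flows the VM opened outbound that were
#    SNATed to the floating IP (extension beyond the thread's -r only).
conntrack_cleanup_cmds() {
    is_ipv4 "$1" || { echo "invalid fixed ip: $1" >&2; return 1; }
    printf 'conntrack -D -r %s\n' "$1"
    printf 'conntrack -D -s %s\n' "$1"
}

# Execute the cleanup (DRY_RUN=1 only prints the commands), then report how
# many entries still reference the fixed IP; a clean result is 0.
flush_fixed_ip_state() {
    fixed_ip=$1
    conntrack_cleanup_cmds "$fixed_ip" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            # conntrack may exit non-zero when nothing matched; tolerate that.
            $cmd >/dev/null 2>&1 || true
        fi
    done
    if [ "${DRY_RUN:-0}" != 1 ]; then
        conntrack -L -r "$fixed_ip" 2>/dev/null | wc -l
    fi
}
```

Run it as `flush_fixed_ip_state 10.0.0.5` (constructed fixed IP) after the DNAT/SNAT rules for the floating IP have been removed; the trailing count lets a periodic check confirm no stale state survives.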