I missed that going in, but it appears that clean_conntrack is not done on disassociate, just during migration. It sounds like we should remove the explicit call in migrate, and just always call it from remove_floating_ip.
Vish

On Jun 26, 2014, at 1:48 PM, Brian Haley <brian.ha...@hp.com> wrote:

> I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the
> floating IP goes away (search for clean_conntrack), Neutron doesn't when it
> removes the floating IP. Seems like it's possible to close most of that gap
> in the l3-agent - when it removes the IP from its qg- interface it can do a
> similar operation.
>
> -Brian
>
> On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:
> > I believe this will affect nova-network as well. We probably should use
> > something like the linux cutter utility to kill any ongoing connections
> > after we remove the nat rule.
> >
> > Vish
> >
> > On Jun 25, 2014, at 8:18 PM, Xurong Yang <ido...@gmail.com> wrote:
> >
> > > Hi folks,
> > >
> > > After we create an SSH connection to a VM via its floating ip, even
> > > though we have removed the floating ip association, we can still access
> > > the VM via that connection. Namely, SSH is not disconnected when the
> > > floating ip is not valid. Any good solution about this security issue?
> > >
> > > Thanks
> > > Xurong Yang
> > >
> > > _______________________________________________
> > > OpenStack-dev mailing list
> > > OpenStack-dev@lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
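The gap discussed in this thread, worked through as an added example (this is not Nova's clean_conntrack or any Neutron l3-agent code): removing the iptables NAT rule only stops new connections, because the established SSH session is still carried by its conntrack entry, which holds the floating-to-fixed mapping. The script parses a constructed `conntrack -L` table, picks out exactly the entries that carry the NAT mapping for one floating IP (inbound DNAT and outbound SNAT), and builds the `conntrack -D` commands to purge them, alongside the coarser `conntrack -D -r $fixed_ip` form Brian mentions. All addresses, the `qrouter-EXAMPLE` namespace name and the function names are invented for the example; it also assumes conntrack(8) exits with status 1 when no entry matched the filter.

```python
"""Added example, not Nova or Neutron code: purge the conntrack entries that
keep a NAT'd session alive after a floating IP is disassociated.

Assumptions: the floating IP is NAT'd to the VM's fixed IP inside a Neutron
router namespace (here qrouter-EXAMPLE; nova-network would run the same
commands without the `ip netns exec` prefix), and `conntrack -D` exits 1 when
nothing matched, which is treated as "nothing to do".
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed `conntrack -L` output (not captured from a real host).
# Flow 1: SSH from an external client to floating IP 198.51.100.5, DNAT'd to 10.0.0.4.
# Flow 2: outbound HTTPS from 10.0.0.4, SNAT'd to 198.51.100.5.
# Flow 3: SSH to a different floating IP / VM behind the same router; must survive.
SAMPLE_CONNTRACK_TABLE = """\
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51234 dport=22 src=10.0.0.4 dst=203.0.113.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.4 dst=203.0.113.20 sport=40000 dport=443 src=203.0.113.20 dst=198.51.100.5 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.6 sport=51235 dport=22 src=10.0.0.7 dst=203.0.113.10 sport=22 dport=51235 [ASSURED] mark=0 use=1
"""

# Each conntrack line carries two tuples: original direction, then reply direction.
_TUPLE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str
    reply_dst: str


def parse_conntrack_table(text: str) -> List[Flow]:
    """Extract the original and reply tuples from each `conntrack -L` line."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        tuples = _TUPLE_RE.findall(line)
        if len(tuples) != 2:  # e.g. ICMP entries have no ports; skipped here
            continue
        (osrc, odst, osport, odport), (rsrc, rdst, _, _) = tuples
        flows.append(Flow(proto, osrc, odst, int(osport), int(odport), rsrc, rdst))
    return flows


def nat_flows_for_floating_ip(flows: List[Flow], floating_ip: str, fixed_ip: str) -> List[Flow]:
    """Entries that carry the floating<->fixed NAT mapping.

    Inbound (DNAT): original dst is the floating IP, reply comes from the fixed IP.
    Outbound (SNAT): original src is the fixed IP, reply is addressed to the floating IP.
    Selecting only these avoids killing flows of other VMs behind the same router.
    """
    selected = []
    for f in flows:
        inbound = f.orig_dst == floating_ip and f.reply_src == fixed_ip
        outbound = f.orig_src == fixed_ip and f.reply_dst == floating_ip
        if inbound or outbound:
            selected.append(f)
    return selected


def delete_commands(flows: List[Flow], netns: Optional[str] = None) -> List[List[str]]:
    """One exact `conntrack -D` per flow, keyed on the original 5-tuple."""
    prefix = ["ip", "netns", "exec", netns] if netns else []
    return [
        prefix + ["conntrack", "-D", "-p", f.proto,
                  "--orig-src", f.orig_src, "--orig-dst", f.orig_dst,
                  "--sport", str(f.orig_sport), "--dport", str(f.orig_dport)]
        for f in flows
    ]


def clean_conntrack_command(fixed_ip: str, netns: Optional[str] = None) -> List[str]:
    """The coarse form from the thread: drop every entry whose reply source is
    the fixed IP (`conntrack -D -r $fixed_ip`). Kills inbound DNAT'd sessions
    only; outbound SNAT'd flows have the fixed IP as original source instead."""
    prefix = ["ip", "netns", "exec", netns] if netns else []
    return prefix + ["conntrack", "-D", "-r", fixed_ip]


def run_commands(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Execute the commands; needs CAP_NET_ADMIN in the namespace when not a dry run."""
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
            continue
        rc = subprocess.call(cmd)
        if rc not in (0, 1):  # 1 == no matching entry (assumed); anything else is a real failure
            raise RuntimeError(f"{' '.join(cmd)} failed with status {rc}")


if __name__ == "__main__":
    flows = parse_conntrack_table(SAMPLE_CONNTRACK_TABLE)
    doomed = nat_flows_for_floating_ip(flows, "198.51.100.5", "10.0.0.4")
    run_commands(delete_commands(doomed, netns="qrouter-EXAMPLE"))
```

Run as-is it only prints the two delete commands for the disassociated floating IP (the SSH session to 198.51.100.6 is left untouched); the order matters in practice, since the NAT rule should be gone before the entries are flushed so the client cannot re-establish through a still-present mapping.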