I have filed this bug on nova https://bugs.launchpad.net/nova/+bug/1334938
On Fri, Jun 27, 2014 at 10:19 AM, Yongsheng Gong <gong...@unitedstack.com> wrote:

> I have reported it on neutron project
> https://bugs.launchpad.net/neutron/+bug/1334926
>
> On Fri, Jun 27, 2014 at 5:07 AM, Vishvananda Ishaya <vishvana...@gmail.com> wrote:
>
>> I missed that going in, but it appears that clean_conntrack is not done on
>> disassociate, just during migration. It sounds like we should remove the
>> explicit call in migrate, and just always call it from remove_floating_ip.
>>
>> Vish
>>
>> On Jun 26, 2014, at 1:48 PM, Brian Haley <brian.ha...@hp.com> wrote:
>>
>> > I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the
>> > floating IP goes away (search for clean_conntrack), Neutron doesn't when it
>> > removes the floating IP. Seems like it's possible to close most of that gap
>> > in the l3-agent - when it removes the IP from its qg- interface it can do a
>> > similar operation.
>> >
>> > -Brian
>> >
>> > On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:
>> > > I believe this will affect nova-network as well. We probably should use
>> > > something like the linux cutter utility to kill any ongoing connections
>> > > after we remove the nat rule.
>> > >
>> > > Vish
>> > >
>> > > On Jun 25, 2014, at 8:18 PM, Xurong Yang <ido...@gmail.com> wrote:
>> > >
>> > >> Hi folks,
>> > >>
>> > >> After we create an SSH connection to a VM via its floating ip, even
>> > >> though we have removed the floating ip association, we can still access
>> > >> the VM via that connection. Namely, SSH is not disconnected when the
>> > >> floating ip is not valid. Any good solution about this security issue?
>> > >>
>> > >> Thanks
>> > >> Xurong Yang
>> > >> _______________________________________________
>> > >> OpenStack-dev mailing list OpenStack-dev@lists.openstack.org
>> > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Best Regards,
Gengyuan Zhang
NetEase Inc.
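
An added illustration of the gap discussed in this thread (not code from nova, Neutron or any participant): it scans `conntrack -L` output for flows still translated to a fixed IP through a floating IP that is no longer associated, and builds the `conntrack -D -r` cleanup quoted above. The sample table, the addresses and the function names are constructed for the example.

```python
import re

# Constructed sample of `conntrack -L` output (documentation addresses only).
SAMPLE_CONNTRACK = """\
tcp      6 431990 ESTABLISHED src=203.0.113.7 dst=198.51.100.20 sport=51514 dport=22 src=10.0.0.5 dst=203.0.113.7 sport=22 dport=51514 [ASSURED] mark=0 use=1
tcp      6 431812 ESTABLISHED src=203.0.113.9 dst=198.51.100.21 sport=40022 dport=443 src=10.0.0.6 dst=203.0.113.9 sport=443 dport=40022 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.6 dst=192.0.2.53 sport=53211 dport=53 src=192.0.2.53 dst=10.0.0.6 sport=53 dport=53211 mark=0 use=1
"""

_ADDR = re.compile(r"\b(src|dst)=(\S+)")


def parse_flow(line):
    """Return (orig_src, orig_dst, reply_src, reply_dst), or None if malformed."""
    addrs = [value for _, value in _ADDR.findall(line)]
    return tuple(addrs[:4]) if len(addrs) >= 4 else None


def stale_flows(conntrack_output, fixed_ips, active_floating_ips):
    """Flows still DNAT-ed to a fixed IP through a floating IP that is gone.

    fixed_ips: fixed addresses of instances behind this router/host.
    active_floating_ips: floating IPs that are currently associated.
    """
    stale = []
    for line in conntrack_output.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        orig_src, orig_dst, reply_src, _ = flow
        # DNAT signature: the reply comes from a fixed IP that differs from
        # the address the client originally targeted.
        if (reply_src in fixed_ips and orig_dst != reply_src
                and orig_dst not in active_floating_ips):
            stale.append((orig_src, orig_dst, reply_src))
    return stale


def cleanup_commands(stale):
    """One `conntrack -D -r <fixed_ip>` per affected fixed IP (run as root)."""
    return [["conntrack", "-D", "-r", ip] for ip in sorted({f[2] for f in stale})]


if __name__ == "__main__":
    # 198.51.100.20 was just disassociated; 198.51.100.21 is still associated.
    found = stale_flows(SAMPLE_CONNTRACK, {"10.0.0.5", "10.0.0.6"}, {"198.51.100.21"})
    print(found, cleanup_commands(found))
```

`conntrack -D -r <fixed_ip>` removes every tracked flow whose reply source is that fixed IP, not only the flows reported as stale.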