On 10/23/14 6:22 AM, Elena Ezhova wrote:
> Hi!
>
> I am working on a bug "ping still working once connected even after
> related security group rule is deleted"
> (https://bugs.launchpad.net/neutron/+bug/1335375). The gist of
> the problem is the following: when we delete a security group rule the
> corresponding rule in iptables is also deleted, but the connection that
> was allowed by that rule is not being destroyed.
> The reason for such behavior is that in iptables we have the following
> structure of a chain that filters input packets for an interface of an
> instance:
<snip>
Like Miguel said, there's no easy way to identify this on the compute node since neither the MAC nor the interface are going to be in the conntrack command output. And you don't want to drop the wrong tenant's connections.

Just wondering, if you remove the conntrack entries using the IP/port from the router namespace, does it drop the connection? Or will it just start working again on the next packet? Doesn't work for VM-to-VM packets, but those packets are probably less interesting. It's just my first guess.

-Brian

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
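Brian's suggestion of selecting conntrack entries by IP/port in the router namespace, worked through as an added example (this is not code from the thread or from Neutron). It parses `conntrack -L` output, keeps only the entries that the deleted security-group rule would have allowed, and builds a `conntrack -D` command per entry that pins down both original-direction addresses (and ports) so that another tenant's flow sharing one address cannot be hit. Assumptions: the router namespace follows Neutron's qrouter-<router_id> naming; the rule is a plain dict rather than a Neutron object; the VM's fixed and floating addresses are passed in by hand; and the `conntrack -L` text below is a constructed sample, not captured output.

```python
"""Find the conntrack entries in a Neutron router namespace that a deleted
security-group rule used to allow, and build the `conntrack -D` commands
that remove exactly those entries.

Added example, not Neutron code. Assumes the qrouter-<router_id> namespace
naming, a plain-dict rule and hand-supplied VM addresses.
"""
import ipaddress
import re
import subprocess

# Constructed sample: what `ip netns exec qrouter-... conntrack -L` might print
# for VM 10.0.0.5 reachable through floating IP 172.24.4.3, plus one flow
# belonging to another tenant's VM (10.0.0.9 behind 172.24.4.9).
SAMPLE_CONNTRACK = """\
icmp     1 29 src=10.0.0.5 dst=8.8.8.8 type=8 code=0 id=1234 src=8.8.8.8 dst=172.24.4.3 type=0 code=0 id=1234 mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=172.24.4.3 type=8 code=0 id=77 src=10.0.0.5 dst=192.168.1.10 type=0 code=0 id=77 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=172.24.4.3 sport=43210 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=43210 [ASSURED] mark=0 use=1
tcp      6 120 TIME_WAIT src=10.0.0.7 dst=172.24.4.9 sport=5000 dport=80 src=10.0.0.9 dst=10.0.0.7 sport=80 dport=5000 [ASSURED] mark=0 use=1
"""

_KV = re.compile(r'(\w+)=(\S+)')
_TUPLE_KEYS = {'src', 'dst', 'sport', 'dport', 'type', 'code', 'id'}


def parse_conntrack_line(line):
    """Split one `conntrack -L` line into protocol, original and reply tuple.

    The first src=/dst= group is the direction the flow was created in, the
    second is the reply direction; state words, [ASSURED], mark= and use=
    are ignored. Note there is no MAC or interface in the line at all.
    """
    tuples, cur = [], None
    for key, value in _KV.findall(line):
        if key == 'src':          # a new src= starts the next tuple
            cur = {}
            tuples.append(cur)
        if cur is not None and key in _TUPLE_KEYS:
            cur[key] = value
    if len(tuples) != 2:
        raise ValueError('unexpected conntrack line: %r' % line)
    return {'proto': line.split()[0], 'orig': tuples[0], 'reply': tuples[1]}


def parse_conntrack(output):
    return [parse_conntrack_line(l) for l in output.splitlines() if l.strip()]


def entry_matches_rule(entry, rule, vm_addrs):
    """True if the entry carries traffic the (now deleted) rule allowed.

    vm_addrs must hold every address the VM has in the router namespace:
    ingress through a floating IP shows the floating IP as original dst,
    while egress shows the fixed IP as original src (SNAT only changes the
    reply tuple). Ports are always the original-direction dport, which is
    what a security-group port range refers to for both directions.
    """
    if entry['proto'] != rule['protocol']:
        return False
    orig = entry['orig']
    if rule['direction'] == 'ingress':
        vm_side, remote_side = orig['dst'], orig['src']
    else:
        vm_side, remote_side = orig['src'], orig['dst']
    if vm_side not in vm_addrs:
        return False
    if ipaddress.ip_address(remote_side) not in ipaddress.ip_network(rule['remote_cidr']):
        return False
    if rule['protocol'] in ('tcp', 'udp') and rule['port_min'] is not None:
        if not rule['port_min'] <= int(orig['dport']) <= rule['port_max']:
            return False
    return True


def delete_command(entry, router_id):
    """Build the `conntrack -D` argv that removes exactly this entry.

    Both original addresses (and, for tcp/udp, both original ports) are
    given so a shared address cannot make the delete hit another tenant.
    """
    orig = entry['orig']
    cmd = ['ip', 'netns', 'exec', 'qrouter-%s' % router_id,   # assumed naming
           'conntrack', '-D', '-p', entry['proto'],
           '--orig-src', orig['src'], '--orig-dst', orig['dst']]
    if entry['proto'] in ('tcp', 'udp'):
        cmd += ['--orig-port-src', orig['sport'], '--orig-port-dst', orig['dport']]
    return cmd


def commands_for_deleted_rule(conntrack_output, rule, vm_addrs, router_id):
    """All delete commands for entries the given rule allowed."""
    return [delete_command(e, router_id)
            for e in parse_conntrack(conntrack_output)
            if entry_matches_rule(e, rule, vm_addrs)]


def list_conntrack(router_id):
    """Read the live table from the router namespace (root + conntrack-tools)."""
    out = subprocess.run(['ip', 'netns', 'exec', 'qrouter-%s' % router_id, 'conntrack', '-L'],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == '__main__':
    # Dry run on the constructed sample: the deleted rule is "ingress icmp from anywhere".
    rule = {'direction': 'ingress', 'protocol': 'icmp',
            'port_min': None, 'port_max': None, 'remote_cidr': '0.0.0.0/0'}
    for cmd in commands_for_deleted_rule(SAMPLE_CONNTRACK, rule,
                                         {'10.0.0.5', '172.24.4.3'}, 'ROUTER_ID'):
        print(' '.join(cmd))   # replace with subprocess.run(cmd, check=True) to actually delete
```

Only the ingress ping entry is selected for the sample above; the other tenant's flow and the VM's own outbound ping are left alone. As Brian notes, this only covers flows that traverse the router namespace: VM-to-VM traffic on the same network never creates an entry there.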