On 10/23/2014 08:57 PM, Brian Haley wrote:
On 10/23/14 6:22 AM, Elena Ezhova wrote:
Hi!
I am working on a bug "ping still working once connected even after
related security group rule is
deleted" (https://bugs.launchpad.net/neutron/+bug/1335375). The gist of
the problem is the following: when we delete a security group rule the
corresponding rule in iptables is also deleted, but the connection that
was allowed by that rule is not being destroyed.
The reason for such behavior is that in iptables we have the following
structure of a chain that filters input packets for an interface of an
instance:
<snip>
Like Miguel said, there's no easy way to identify this on the compute
node since neither the MAC nor the interface are going to be in the
conntrack command output. And you don't want to drop the wrong tenant's
connections.
Just wondering, if you remove the conntrack entries using the IP/port
from the router namespace does it drop the connection? Or will it just
start working again on the next packet? Doesn't work for VM to VM
packets, but those packets are probably less interesting. It's just my
first guess.
Presumably this issue affects other conntrack users, no? What does
upstream conntrack have to say about the matter?
I tend to avoid such things where I can, but what do "real" firewalls do
with such matters? If one removes a rule which allowed a given
connection through, do they actually go ahead and nuke existing connections?
rick jones
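The selection step Brian sketches above (find the conntrack entries that the deleted rule used to admit, then delete them by IP/port, optionally from the router namespace), written out as an added example. This is not code from the thread or from Neutron; the `conntrack -L` sample is constructed, the `qrouter-...` namespace name is a placeholder, and the rule dictionary only mirrors the security-group-rule fields the thread mentions (direction, protocol, port range, remote prefix). It matches on the original-direction tuple only, which is exactly the limitation Brian raises: nothing in the conntrack output ties an entry to an interface or MAC, so on a compute node with overlapping tenant addressing this can select another tenant's flows.

```python
import ipaddress
import shlex

# Constructed sample of `conntrack -L` output, not captured from a real host.
# Each line carries the original-direction tuple first, then the reply tuple.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=172.24.4.3 dst=10.0.0.5 sport=43210 dport=22 src=10.0.0.5 dst=172.24.4.3 sport=22 dport=43210 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=172.24.4.3 dst=10.0.0.5 sport=43211 dport=80 src=10.0.0.5 dst=172.24.4.3 sport=80 dport=43211 [ASSURED] mark=0 use=1
icmp     1 29 src=172.24.4.3 dst=10.0.0.5 type=8 code=0 id=1234 src=10.0.0.5 dst=172.24.4.3 type=0 code=0 id=1234 mark=0 use=1
icmp     1 29 src=192.168.1.9 dst=10.0.0.5 type=8 code=0 id=77 src=10.0.0.5 dst=192.168.1.9 type=0 code=0 id=77 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.2 sport=53333 dport=53 src=10.0.0.2 dst=10.0.0.5 sport=53 dport=53333 mark=0 use=1
"""


def parse_conntrack_line(line):
    """Return the protocol and the original-direction tuple of one -L line.

    The original tuple is the first run of key=value tokens; the reply tuple
    begins when a key (src) repeats, so we stop there.
    """
    tokens = line.split()
    proto = tokens[0]
    orig = {}
    for tok in tokens[1:]:
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if key in orig:
            break
        orig[key] = value
    return {"proto": proto, "orig": orig}


def entry_matches_rule(entry, rule, instance_ip):
    """True if this entry's original direction was admitted by `rule`.

    `rule` is a plain dict with the security-group-rule fields discussed in
    the thread: direction, protocol, port_range_min/max, remote_ip_prefix.
    For ICMP, port_range_min is interpreted as the ICMP type (Neutron's
    convention); a rule without port_range_min matches every port/type.
    """
    orig = entry["orig"]
    ingress = rule["direction"] == "ingress"
    remote, local = (orig["src"], orig["dst"]) if ingress else (orig["dst"], orig["src"])
    if local != instance_ip:
        return False
    if rule.get("protocol") and rule["protocol"] != entry["proto"]:
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix and ipaddress.ip_address(remote) not in ipaddress.ip_network(prefix):
        return False
    lo = rule.get("port_range_min")
    if lo is not None:
        if entry["proto"] in ("tcp", "udp"):
            # The instance-side port: dport for ingress, sport for egress.
            port = int(orig["dport"] if ingress else orig["sport"])
            hi = rule.get("port_range_max") or lo
            if not lo <= port <= hi:
                return False
        elif entry["proto"] == "icmp" and int(orig["type"]) != lo:
            return False
    return True


def conntrack_delete_cmd(entry, netns=None):
    """Build the conntrack -D argv for one entry (hypothetical netns prefix)."""
    orig = entry["orig"]
    cmd = ["conntrack", "-D", "-p", entry["proto"],
           "--orig-src", orig["src"], "--orig-dst", orig["dst"]]
    if entry["proto"] in ("tcp", "udp"):
        cmd += ["--orig-port-src", orig["sport"], "--orig-port-dst", orig["dport"]]
    elif entry["proto"] == "icmp":
        cmd += ["--icmp-type", orig["type"], "--icmp-code", orig["code"], "--icmp-id", orig["id"]]
    if netns:
        # Brian's suggestion: run the deletion from the router namespace.
        cmd = ["ip", "netns", "exec", netns] + cmd
    return cmd


def plan_deletions(conntrack_output, rule, instance_ip, netns=None):
    """Return the delete commands for every entry the removed rule admitted."""
    entries = (parse_conntrack_line(l) for l in conntrack_output.splitlines() if l.strip())
    return [conntrack_delete_cmd(e, netns) for e in entries
            if entry_matches_rule(e, rule, instance_ip)]


if __name__ == "__main__":
    # Deleting "allow ICMP from anywhere" on 10.0.0.5 selects both echo flows.
    deleted_rule = {"direction": "ingress", "protocol": "icmp", "remote_ip_prefix": "0.0.0.0/0"}
    for argv in plan_deletions(SAMPLE_CONNTRACK, deleted_rule, "10.0.0.5", netns="qrouter-PLACEHOLDER"):
        print(shlex.join(argv))
```

The commands are only printed, not executed; a real agent would run them with root privileges and would still need to cope with the case Brian leaves open, which is that the next packet of a still-alive TCP session simply recreates the entry if the peer keeps sending.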
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev