[openstack-dev] [Neutron]One security issue about floating ip

stanzgy stan.zgy at gmail.com
Fri Jun 27 03:20:31 UTC 2014


I have filed this bug on nova
https://bugs.launchpad.net/nova/+bug/1334938


On Fri, Jun 27, 2014 at 10:19 AM, Yongsheng Gong <gongysh at unitedstack.com> wrote:

> I have reported it on neutron project
> https://bugs.launchpad.net/neutron/+bug/1334926
>
>
> On Fri, Jun 27, 2014 at 5:07 AM, Vishvananda Ishaya <vishvananda at gmail.com> wrote:
>
>> I missed that going in, but it appears that clean_conntrack is not done on
>> disassociate, just during migration. It sounds like we should remove the
>> explicit call in migrate, and just always call it from remove_floating_ip.
>>
>> Vish
>>
>> On Jun 26, 2014, at 1:48 PM, Brian Haley <brian.haley at hp.com> wrote:
>>
>> > I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the
>> > floating IP goes away (search for clean_conntrack), Neutron doesn't when it
>> > removes the floating IP.  Seems like it's possible to close most of that gap
>> > in the l3-agent - when it removes the IP from its qg- interface it can do a
>> > similar operation.
>> >
>> > -Brian
>> >
>> > On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:
>> > > I believe this will affect nova-network as well. We probably should use
>> > > something like the linux cutter utility to kill any ongoing connections
>> > > after we remove the nat rule.
>> > >
>> > > Vish
>> > >
>> > > On Jun 25, 2014, at 8:18 PM, Xurong Yang <idopra at gmail.com> wrote:
>> > >
>> > >> Hi folks,
>> > >>
>> > >> After we create an SSH connection to a VM via its floating ip, even
>> > >> though we have removed the floating ip association, we can still access
>> > >> the VM via that connection. Namely, SSH is not disconnected when the
>> > >> floating ip is not valid. Any good solution about this security issue?
>> > >>
>> > >> Thanks
>> > >> Xurong Yang
>> > >> _______________________________________________
>> > >> OpenStack-dev mailing list
>> > >> OpenStack-dev at lists.openstack.org
>> > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


-- 
Best Regards,

Gengyuan Zhang
NetEase Inc.
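The conntrack cleanup Brian and Vish describe in the quoted thread, as an added example that is not code from the thread or from Nova/Neutron: it parses a constructed `conntrack -L` dump to show which entries `conntrack -D -r $fixed_ip` removes (those whose reply-direction source is the VM's fixed IP, i.e. inbound flows that were DNAT'd through the floating IP), validates the address before building the command, and takes an injectable runner so the path can be exercised without root. The sample addresses and the function names are assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `conntrack -L` output, not captured from a real node.
# Line 1: SSH session that arrived via floating IP 198.51.100.5 and was DNAT'd
#         to the VM's fixed IP 10.0.0.7, so the reply tuple's source is 10.0.0.7.
# Line 2: the same shape for a second VM; line 3: a DNS query the first VM sent.
SAMPLE_CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=51234 dport=22 src=10.0.0.7 dst=203.0.113.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=203.0.113.11 dst=198.51.100.6 sport=40000 dport=22 src=10.0.0.8 dst=203.0.113.11 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp 17 29 src=10.0.0.7 dst=10.0.0.2 sport=53000 dport=53 src=10.0.0.2 dst=10.0.0.7 sport=53 dport=53000 mark=0 use=1
"""

_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")

def parse_conntrack(text):
    """Split `conntrack -L` lines into their original and reply address tuples."""
    flows = []
    for line in text.splitlines():
        tuples = _TUPLE_RE.findall(line)
        if len(tuples) != 2:  # every entry carries exactly one original and one reply tuple
            continue
        (osrc, odst), (rsrc, rdst) = tuples
        flows.append({"proto": line.split()[0], "orig_src": osrc, "orig_dst": odst,
                      "reply_src": rsrc, "reply_dst": rdst})
    return flows

def flows_to_fixed_ip(text, fixed_ip):
    """Entries that `conntrack -D -r fixed_ip` would delete: reply source is the
    fixed IP, i.e. inbound connections DNAT'd to the VM through its floating IP."""
    return [f for f in parse_conntrack(text) if f["reply_src"] == fixed_ip]

def clean_conntrack_cmd(fixed_ip):
    """Build the nova-network style cleanup command, refusing non-IP input."""
    ipaddress.ip_address(fixed_ip)  # ValueError on anything that is not an address
    return ["conntrack", "-D", "-r", fixed_ip]

def clean_conntrack(fixed_ip, run=subprocess.call):
    """Run the cleanup (needs root and the conntrack tool). `run` is injectable so
    the path can be exercised without touching the kernel table."""
    return run(clean_conntrack_cmd(fixed_ip))

if __name__ == "__main__":
    for flow in flows_to_fixed_ip(SAMPLE_CONNTRACK, "10.0.0.7"):
        print("would drop", flow["proto"], flow["orig_src"], "->", flow["orig_dst"])
    clean_conntrack("10.0.0.7", run=lambda cmd: print("dry run:", " ".join(cmd)))
```

Note that the VM's own outbound flows (line 3 in the sample) have the remote host as reply source, so `-r $fixed_ip` leaves them alone and only the inbound sessions that rode the floating IP are dropped.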