[openstack-dev] [Neutron] Killing connection after security group rule deletion

Carl Baldwin carl at ecbaldwin.net
Fri Oct 24 15:20:31 UTC 2014


Miguel Ángel,

On Thu, Oct 23, 2014 at 5:56 AM, Miguel Angel Ajo Pelayo
<mangelajo at redhat.com> wrote:
> Temporarily removing this entry doesn't seem like a good solution
> to me as we can't really know how long we need to remove this rule to
> induce the connection to close at both ends (it will only close if any
> new activity happens, and timeout is exhausted afterwards).

I think you're right here.  I think any activity will keep the
connection alive in conntrack.  So, we are at the mercy of the
timeouts at both ends.  Assuming an attacker has control over at least
the external endpoint, it could be kept "open" indefinitely generating
"activity".

Carl
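To make the timeout behaviour discussed above concrete, here is an added Python model of a conntrack table (constructed for this thread, not Neutron code and not from either poster): a flow admitted before the rule was deleted stays accepted as long as the peer sends traffic within the established-TCP timeout, and only explicit eviction of the matching entries (what the conntrack utility's delete operation provides) actually closes it. Addresses, ports and the timeout constant are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed value: Linux default nf_conntrack_tcp_timeout_established (5 days).
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str    # remote endpoint
    dst: str    # instance address
    dport: int


class ConntrackTable:
    """Maps a tracked flow to the time (seconds) at which its entry expires."""

    def __init__(self):
        self.expires = {}

    def admit(self, flow, now):
        # First packet was allowed by a security-group rule; the flow is now tracked.
        self.expires[flow] = now + TCP_ESTABLISHED_TIMEOUT

    def packet(self, flow, now):
        """True if the packet is accepted via the ESTABLISHED match.
        Any packet on a live entry refreshes its timer, so an active peer
        keeps the entry alive no matter what happened to the rule."""
        self.expires = {f: t for f, t in self.expires.items() if t > now}
        if flow not in self.expires:
            return False
        self.expires[flow] = now + TCP_ESTABLISHED_TIMEOUT
        return True

    def delete_matching(self, proto, dport, remote_cidr):
        """Evict entries the deleted rule had admitted (the conntrack -D idea)."""
        net = ipaddress.ip_network(remote_cidr)
        victims = [f for f in self.expires
                   if f.proto == proto and f.dport == dport
                   and ipaddress.ip_address(f.src) in net]
        for f in victims:
            del self.expires[f]
        return len(victims)


def still_accepted_after_rule_removal(evict_entries, days=30, keepalive=3600):
    """Rule deleted at t=0; the remote peer sends one packet every `keepalive`
    seconds. Returns whether the last packet is still accepted after `days`."""
    table = ConntrackTable()
    flow = Flow("tcp", "203.0.113.7", "10.0.0.5", 22)  # constructed addresses
    table.admit(flow, now=0)
    if evict_entries:
        table.delete_matching("tcp", 22, "0.0.0.0/0")
    accepted = False
    for t in range(keepalive, days * 24 * 3600 + 1, keepalive):
        accepted = table.packet(flow, t)
    return accepted
```

Without eviction the hourly keepalive never lets the entry reach its timeout, which is the "kept open indefinitely" case; with a silent peer the entry does expire on its own after the timeout.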


