<div dir="ltr">I have reported it to the neutron project:<div><a href="https://bugs.launchpad.net/neutron/+bug/1334926">https://bugs.launchpad.net/neutron/+bug/1334926</a><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Jun 27, 2014 at 5:07 AM, Vishvananda Ishaya <span dir="ltr"><<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I missed that going in, but it appears that clean_conntrack is not done on<br>
disassociate, just during migration. It sounds like we should remove the<br>
explicit call in migrate, and just always call it from remove_floating_ip.<br>
<br>
Vish<br>
<br>
On Jun 26, 2014, at 1:48 PM, Brian Haley <<a href="mailto:brian.haley@hp.com">brian.haley@hp.com</a>> wrote:<br>
<br>
<div class="im HOEnZb">> I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the<br>
> floating IP goes away (search for clean_conntrack), Neutron doesn't when it<br>
> removes the floating IP.  Seems like it's possible to close most of that gap<br>
> in the l3-agent - when it removes the IP from its qg- interface it can do a<br>
> similar operation.<br>
><br>
</div><div class="HOEnZb"><div class="h5">> -Brian<br>
><br>
> On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:<br>
> > I believe this will affect nova-network as well. We probably should use<br>
> > something like the linux cutter utility to kill any ongoing connections<br>
> > after we remove the nat rule.<br>
> ><br>
> > Vish<br>
> ><br>
> > On Jun 25, 2014, at 8:18 PM, Xurong Yang <<a href="mailto:idopra@gmail.com">idopra@gmail.com</a>> wrote:<br>
> ><br>
> >> Hi folks,<br>
> >><br>
> >> After we create an SSH connection to a VM via its floating ip, even<br>
> >> though we have removed the floating ip association, we can still access<br>
> >> the VM via that connection. Namely, SSH is not disconnected when the<br>
> >> floating ip is no longer valid. Any good solution for this security issue?<br>
> >><br>
> >> Thanks, Xurong Yang<br>
> >> _______________________________________________<br>
> >> OpenStack-dev mailing list <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> >> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div></div><br>
<br></blockquote></div><br></div>
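The cleanup step Brian and Vish describe (flush conntrack state when the floating IP association is removed, so an established SSH session dies instead of surviving the NAT rule removal), as an added Python example that is not nova or neutron code. It assumes conntrack-tools is installed, the caller is root, and the Neutron-style router namespace name (qrouter-&lt;id&gt;) is passed in; the second command (`-q floating_ip`) goes beyond the thread's `conntrack -D -r $fixed_ip` to also drop outbound SNAT flows.

```python
"""Flush conntrack state for a floating IP after its NAT rules are removed.

Added example, not nova-network's clean_conntrack nor the neutron l3-agent.
Run it right after the DNAT/SNAT rules for the floating IP are deleted.
Assumptions: conntrack-tools present, root privileges, optional netns name.
"""
import ipaddress
import subprocess
from typing import List, Optional


def conntrack_flush_cmds(fixed_ip: str, floating_ip: str,
                         namespace: Optional[str] = None) -> List[List[str]]:
    """Build the conntrack delete commands for one floating/fixed IP pair.

    Both addresses are validated with ipaddress first: they come from the
    data model and must never reach a shell unvalidated (no shell=True).
    """
    fixed = str(ipaddress.ip_address(fixed_ip))        # raises ValueError on junk
    floating = str(ipaddress.ip_address(floating_ip))
    prefix = ["ip", "netns", "exec", namespace] if namespace else []
    return [
        # Inbound (DNAT) flows: client -> floating IP; the reply tuple's
        # source is the fixed IP. This is the form quoted in the thread.
        prefix + ["conntrack", "-D", "-r", fixed],
        # Outbound (SNAT) flows: fixed IP -> outside; the reply tuple's
        # destination is the floating IP.
        prefix + ["conntrack", "-D", "-q", floating],
    ]


def flush_floating_ip_conntrack(fixed_ip: str, floating_ip: str,
                                namespace: Optional[str] = None,
                                dry_run: bool = False) -> List[List[str]]:
    """Execute the flush; returns the commands so callers can log/audit them.

    conntrack exits non-zero when no entry matched, which is not a failure
    here, so check=False and the output is swallowed.
    """
    cmds = conntrack_flush_cmds(fixed_ip, floating_ip, namespace)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False, capture_output=True)
    return cmds


if __name__ == "__main__":
    # Constructed sample values; dry run prints the commands it would issue.
    for c in flush_floating_ip_conntrack("10.0.0.5", "172.24.4.3",
                                         "qrouter-example", dry_run=True):
        print(" ".join(c))
```

Note that `-r fixed_ip` also matches flows routed to the VM from other subnets behind the same router, not only floating-IP traffic; key on `-d floating_ip` instead if that collateral matters in your deployment.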