<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">I think this problem also exists in security group!<br><br><br><br><br><div></div><div id="divNeteaseMailCard"></div><br>At 2014-06-27 11:20:31, "stanzgy" <stan.zgy@gmail.com> wrote:<br> <blockquote id="isReplyContent" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><div dir="ltr">I have filed this bug on nova<br><a href="https://bugs.launchpad.net/nova/+bug/1334938">https://bugs.launchpad.net/nova/+bug/1334938</a><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 27, 2014 at 10:19 AM, Yongsheng Gong <span dir="ltr"><<a href="mailto:gongysh@unitedstack.com" target="_blank">gongysh@unitedstack.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have reported it on neutron project<div><a href="https://bugs.launchpad.net/neutron/+bug/1334926" target="_blank">https://bugs.launchpad.net/neutron/+bug/1334926</a><br>

</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Jun 27, 2014 at 5:07 AM, Vishvananda Ishaya <span dir="ltr"><<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


I missed that going in, but it appears that clean_conntrack is not done on<br>
disassociate, just during migration. It sounds like we should remove the<br>
explicit call in migrate, and just always call it from remove_floating_ip.<br>
<br>
Vish<br>
<br>
On Jun 26, 2014, at 1:48 PM, Brian Haley <<a href="mailto:brian.haley@hp.com" target="_blank">brian.haley@hp.com</a>> wrote:<br>
<br>
<div>> I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the<br>
> floating IP goes away (search for clean_conntrack), Neutron doesn't when it<br>
> removes the floating IP.  Seems like it's possible to close most of that gap<br>
> in the l3-agent - when it removes the IP from its qg- interface it can do a<br>
> similar operation.<br>
><br>
</div><div><div>> -Brian<br>
><br>
> On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:<br>
> > I believe this will affect nova-network as well. We probably should use<br>
> > something like the linux cutter utility to kill any ongoing connections<br>
> > after we remove the nat rule.<br>
> ><br>
> > Vish<br>
> ><br>
> > On Jun 25, 2014, at 8:18 PM, Xurong Yang <<a href="mailto:idopra@gmail.com" target="_blank">idopra@gmail.com</a>> wrote:<br>
> ><br>
> >> Hi folks,<br>
> >><br>
> >> After we create an SSH connection to a VM via its floating ip, even<br>
> >> though we have removed the floating ip association, we can still access<br>
> >> the VM via that connection. Namely, SSH is not disconnected when the<br>
> >> floating ip is not valid. Any good solution about this security issue?<br>
> >><br>
> >> Thanks Xurong Yang _______________________________________________<br>
> >> OpenStack-dev mailing list <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> >> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div></div><br>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Best Regards,<br><br>Gengyuan Zhang<br>NetEase Inc.
</div>
</blockquote></div><br><br><span title="neteasefooter"><span id="netease_mail_footer"></span></span>
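Added example, not part of the original thread and not nova or neutron code: a check for the conntrack entries that keep an SSH session alive after its floating IP is disassociated, paired with the 'conntrack -D -r $fixed_ip' cleanup quoted above. The addresses, the sample table and the function names are constructed for illustration.

```python
# Constructed `conntrack -L` output using documentation address ranges.
# Line 1: inbound SSH DNATed from floating IP 198.51.100.10 to fixed IP 10.0.0.5.
# Line 2: inbound HTTPS for a different floating/fixed pair.
# Line 3: outbound DNS from 10.0.0.5 (reply source is the remote server).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=198.51.100.10 sport=51514 dport=22 src=10.0.0.5 dst=203.0.113.7 sport=22 dport=51514 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=203.0.113.9 dst=198.51.100.11 sport=40000 dport=443 src=10.0.0.6 dst=203.0.113.9 sport=443 dport=40000 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.5 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=198.51.100.10 sport=53 dport=5353 mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Split one conntrack line into protocol, original tuple and reply tuple."""
    tokens = line.split()
    orig, reply = {}, {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep or key not in TUPLE_KEYS:
            continue
        # The first src/dst/sport/dport group is the original direction,
        # the second group is the reply direction.
        (orig if key not in orig else reply)[key] = value
    return {"proto": tokens[0], "orig": orig, "reply": reply}


def stale_flows(table, floating_ip, fixed_ip):
    """Return tracked flows that still map floating_ip to fixed_ip.

    Run after the NAT rule is removed: any hit is a connection that
    survives the disassociation because its conntrack entry remains.
    """
    entries = (parse_entry(l) for l in table.splitlines() if l.strip())
    return [e for e in entries
            if e["orig"].get("dst") == floating_ip
            and e["reply"].get("src") == fixed_ip]


def cleanup_command(fixed_ip):
    """argv for the cleanup quoted in the thread: conntrack -D -r $fixed_ip."""
    return ["conntrack", "-D", "-r", fixed_ip]


if __name__ == "__main__":
    for flow in stale_flows(SAMPLE, "198.51.100.10", "10.0.0.5"):
        print("stale:", flow["proto"], flow["orig"])
    print(" ".join(cleanup_command("10.0.0.5")))
```

The outbound flow on the third sample line has the remote server as its reply source, so neither this inbound check nor a delete keyed on the fixed IP as reply source matches it.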