[openstack-dev] [Neutron]One security issue about floating ip

shihanzhang ayshihanzhang at 126.com
Sat Jun 28 03:57:56 UTC 2014


I think this problem also exists in security groups!

At 2014-06-27 11:20:31, "stanzgy" <stan.zgy at gmail.com> wrote:

I have filed this bug on nova
https://bugs.launchpad.net/nova/+bug/1334938

On Fri, Jun 27, 2014 at 10:19 AM, Yongsheng Gong <gongysh at unitedstack.com> wrote:

I have reported it on neutron project
https://bugs.launchpad.net/neutron/+bug/1334926

On Fri, Jun 27, 2014 at 5:07 AM, Vishvananda Ishaya <vishvananda at gmail.com> wrote:
I missed that going in, but it appears that clean_conntrack is not done on
disassociate, just during migration. It sounds like we should remove the
explicit call in migrate, and just always call it from remove_floating_ip.

Vish

On Jun 26, 2014, at 1:48 PM, Brian Haley <brian.haley at hp.com> wrote:

> I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the
> floating IP goes away (search for clean_conntrack), Neutron doesn't when it
> removes the floating IP. Seems like it's possible to close most of that gap
> in the l3-agent - when it removes the IP from its qg- interface it can do a
> similar operation.
>

> -Brian
>
> On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:
> > I believe this will affect nova-network as well. We probably should use
> > something like the linux cutter utility to kill any ongoing connections
> > after we remove the nat rule.
> >
> > Vish
> >
> > On Jun 25, 2014, at 8:18 PM, Xurong Yang <idopra at gmail.com> wrote:
> >
> >> Hi folks,
> >>
> >> After we create an SSH connection to a VM via its floating ip, even
> >> though we have removed the floating ip association, we can still access
> >> the VM via that connection. Namely, SSH is not disconnected when the
> >> floating ip is not valid. Any good solution about this security issue?
> >>
> >> Thanks
> >> Xurong Yang
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Best Regards,

Gengyuan Zhang
NetEase Inc.
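The following is an added illustration, not code from nova, Neutron, or anyone in this thread, of the fix Brian and Vish describe above: removing a floating IP deletes the NAT rules and then flushes the conntrack entries for the instance's fixed IP, and migration reuses that same routine instead of carrying its own clean_conntrack call, so no disassociation path can skip the flush. Everything in it is hypothetical: the iptables rules use the plain PREROUTING/POSTROUTING chains rather than the agent's wrapper chains, qrouter-<router_id> is a placeholder for the l3-agent's per-router namespace, the second conntrack deletion (by original source, -s, to cover flows the VM opened itself through SNAT) is my extension of the -r form the thread cites, and the assumption that conntrack exits 1 when nothing matched is mine. The dry-run runner lets it execute offline; with run_real it would issue the commands on the host.

```python
"""Added example (not nova or Neutron code): floating-IP disassociation that
always flushes conntrack after the NAT rules are gone."""
import ipaddress
import subprocess
from typing import Callable, List, Optional

Command = List[str]
Runner = Callable[[Command], None]


def run_real(cmd: Command) -> None:
    """Execute a command on the host. conntrack is assumed (my assumption) to
    exit 1 when no entry matched, so that code is tolerated for it only."""
    allowed = {0, 1} if "conntrack" in cmd else {0}
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode not in allowed:
        raise RuntimeError(f"{' '.join(cmd)} failed ({proc.returncode}): "
                           f"{proc.stderr.strip()}")


def nat_rule_cmds(floating_ip: str, fixed_ip: str, action: str) -> List[Command]:
    """DNAT/SNAT rules of the shape a floating IP needs. Plain netfilter chain
    names are used here; a real agent installs these in its own wrapper chains."""
    return [
        ["iptables", "-t", "nat", action, "PREROUTING", "-d", floating_ip,
         "-j", "DNAT", "--to-destination", fixed_ip],
        ["iptables", "-t", "nat", action, "POSTROUTING", "-s", fixed_ip,
         "-j", "SNAT", "--to-source", floating_ip],
    ]


def conntrack_flush_cmds(fixed_ip: str) -> List[Command]:
    return [
        # reply-source == fixed IP: flows that came in through the DNAT rule
        # (the 'conntrack -D -r $fixed_ip' form the thread cites from nova-network)
        ["conntrack", "-D", "-r", fixed_ip],
        # orig-source == fixed IP: flows the VM itself opened through SNAT
        # (my extension; the thread only mentions the -r form)
        ["conntrack", "-D", "-s", fixed_ip],
    ]


def _in_netns(cmd: Command, netns: Optional[str]) -> Command:
    """Inside the l3-agent each router lives in its own network namespace, so
    both iptables and conntrack have to run there to see that router's table."""
    return ["ip", "netns", "exec", netns] + cmd if netns else cmd


def remove_floating_ip(floating_ip: str, fixed_ip: str, run: Runner = run_real,
                       netns: Optional[str] = None) -> List[Command]:
    """Delete the NAT rules, then flush conntrack. Order matters: flushing first
    would let the next packet re-create the entry through the still-present
    rule. Returns the commands issued, in order."""
    ipaddress.ip_address(floating_ip)  # ValueError on junk before anything runs
    ipaddress.ip_address(fixed_ip)
    executed: List[Command] = []
    for cmd in nat_rule_cmds(floating_ip, fixed_ip, "-D") + conntrack_flush_cmds(fixed_ip):
        full = _in_netns(cmd, netns)
        run(full)
        executed.append(full)
    return executed


def migrate_floating_ip(floating_ip: str, old_fixed_ip: str, new_fixed_ip: str,
                        run: Runner = run_real, netns: Optional[str] = None) -> List[Command]:
    """Migration has no conntrack call of its own: it goes through
    remove_floating_ip, as suggested in the thread, so the flush cannot be forgotten."""
    executed = remove_floating_ip(floating_ip, old_fixed_ip, run, netns)
    for cmd in nat_rule_cmds(floating_ip, new_fixed_ip, "-A"):
        full = _in_netns(cmd, netns)
        run(full)
        executed.append(full)
    return executed


def dry_run(log: List[Command]) -> Runner:
    """Runner that records commands instead of executing them."""
    return log.append


if __name__ == "__main__":
    # constructed sample: floating 203.0.113.10 mapped to fixed 10.0.0.5
    log: List[Command] = []
    for c in remove_floating_ip("203.0.113.10", "10.0.0.5", run=dry_run(log),
                                netns="qrouter-<router_id>"):
        print(" ".join(c))
```

Printing the dry run shows the two iptables deletions followed by the two conntrack deletions, every one wrapped in the router's namespace; that ordering, and the fact that migrate_floating_ip cannot reach the new rules without going through the flush, is the whole point of the change.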