[openstack-dev] [Neutron] Killing connection after security group rule deletion

Brian Haley brian.haley at hp.com
Fri Oct 24 03:57:41 UTC 2014


On 10/23/14 6:22 AM, Elena Ezhova wrote:
> Hi!
> 
> I am working on a bug "ping still working once connected even after
> related security group rule is
> deleted" (https://bugs.launchpad.net/neutron/+bug/1335375). The gist of
> the problem is the following: when we delete a security group rule the
> corresponding rule in iptables is also deleted, but the connection, that
> was allowed by that rule, is not being destroyed.
> The reason for such behavior is that in iptables we have the following
> structure of a chain that filters input packets for an interface of an
> instance:
<snip>

Like Miguel said, there's no easy way to identify this on the compute
node since neither the MAC nor the interface are going to be in the
conntrack command output.  And you don't want to drop the wrong tenant's
connections.

Just wondering, if you remove the conntrack entries using the IP/port
from the router namespace does it drop the connection?  Or will it just
start working again on the next packet?  Doesn't work for VM to VM
packets, but those packets are probably less interesting.  It's just my
first guess.

-Brian
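As an added illustration of the approach Brian floats above (this is not code from the thread or from Neutron itself), the following Python script parses a `conntrack -L` dump taken inside a router namespace and builds the `conntrack -D` commands that would remove the entries a just-deleted ingress security group rule used to permit. The conntrack dump, the `DeletedRule` shape and the router id `r1` are all constructed for the example; the `--orig-src`/`--orig-dst`/`--reply-src`/`--orig-port-*` selectors are the ones documented for conntrack-tools. Because the router DNATs the floating IP to the instance's fixed IP, the fixed IP shows up as the reply source, which is how the script ties an entry back to the instance without needing a MAC or interface name. It only prints the commands; nothing is executed, and, as Brian notes, VM-to-VM traffic never passes through the qrouter namespace, so this covers north-south flows only.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `conntrack -L` output as seen inside a Neutron
# qrouter namespace.  The router DNATs floating IP 172.24.4.3 to the
# instance's fixed IP 10.0.0.5, so the fixed IP appears as the *reply*
# source.  Addresses are documentation ranges, not a real deployment.
SAMPLE_CONNTRACK_DUMP = """\
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=172.24.4.3 sport=52214 dport=22 src=10.0.0.5 dst=203.0.113.10 sport=22 dport=52214 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=203.0.113.10 dst=172.24.4.3 sport=52300 dport=80 src=10.0.0.5 dst=203.0.113.10 sport=80 dport=52300 [ASSURED] mark=0 use=1
icmp     1 29 src=203.0.113.10 dst=172.24.4.3 type=8 code=0 id=1234 src=10.0.0.5 dst=203.0.113.10 type=0 code=0 id=1234 mark=0 use=1
tcp      6 431000 ESTABLISHED src=198.51.100.7 dst=172.24.4.9 sport=40000 dport=22 src=10.0.1.8 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] mark=0 use=1
"""


@dataclass
class Flow:
    proto: str
    orig: Dict[str, str]   # original-direction tuple (first src=/dst= pair)
    reply: Dict[str, str]  # reply-direction tuple (second src=/dst= pair)


@dataclass(frozen=True)
class DeletedRule:
    """Hypothetical shape of the ingress security group rule that was removed."""
    vm_ip: str                     # fixed IP of the instance the rule applied to
    protocol: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None     # None for ICMP or an all-ports rule
    remote_prefix: str = "0.0.0.0/0"


def parse_conntrack_dump(dump: str) -> List[Flow]:
    """Parse `conntrack -L` text into Flow records."""
    flows = []
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        orig: Dict[str, str] = {}
        reply: Dict[str, str] = {}
        # tokens[0..2] are protocol name, protocol number and timeout; the
        # TCP state word and "[ASSURED]" carry no "=" and are skipped.
        for tok in tokens[3:]:
            if "=" not in tok:
                continue
            key, val = tok.split("=", 1)
            # First occurrence of a key is the original direction, the
            # second is the reply direction.
            (reply if key in orig else orig)[key] = val
        flows.append(Flow(tokens[0], orig, reply))
    return flows


def matches(flow: Flow, rule: DeletedRule) -> bool:
    """True if this entry falls under the deleted rule's selector."""
    if flow.proto != rule.protocol:
        return False
    # Ingress to the VM: after DNAT the VM's fixed IP is the reply source
    # and the remote peer is the original source.
    if flow.reply.get("src") != rule.vm_ip:
        return False
    if rule.port is not None and flow.orig.get("dport") != str(rule.port):
        return False
    remote = ipaddress.ip_address(flow.orig["src"])
    return remote in ipaddress.ip_network(rule.remote_prefix, strict=False)


def delete_command(flow: Flow, router_id: str) -> List[str]:
    """Build a `conntrack -D` invocation scoped to the router namespace.

    Matching the full original tuple plus the reply source removes exactly
    this flow and nothing else in the namespace's table.
    """
    cmd = ["ip", "netns", "exec", f"qrouter-{router_id}",
           "conntrack", "-D", "--proto", flow.proto,
           "--orig-src", flow.orig["src"], "--orig-dst", flow.orig["dst"],
           "--reply-src", flow.reply["src"]]
    if flow.proto in ("tcp", "udp"):
        cmd += ["--orig-port-src", flow.orig["sport"],
                "--orig-port-dst", flow.orig["dport"]]
    return cmd


def plan_conntrack_deletions(dump: str, rule: DeletedRule,
                             router_id: str) -> List[List[str]]:
    """Return delete commands for every entry the deleted rule used to allow."""
    return [delete_command(f, router_id)
            for f in parse_conntrack_dump(dump) if matches(f, rule)]


if __name__ == "__main__":
    rule = DeletedRule(vm_ip="10.0.0.5", protocol="tcp", port=22)
    for cmd in plan_conntrack_deletions(SAMPLE_CONNTRACK_DUMP, rule, "r1"):
        print(shlex.join(cmd))
```

Run as-is, it prints one delete command for the SSH flow to 10.0.0.5 and leaves the port-80 flow, the ICMP flow and the other instance's flow alone; narrowing `remote_prefix` to a range the peer is not in yields nothing, which is the behaviour you want before pointing this at a live table.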