[openstack-dev] [Neutron] Killing connection after security group rule deletion
Rick Jones
rick.jones2 at hp.com
Fri Oct 24 15:36:10 UTC 2014
On 10/23/2014 08:57 PM, Brian Haley wrote:
> On 10/23/14 6:22 AM, Elena Ezhova wrote:
>> Hi!
>>
>> I am working on a bug "ping still working once connected even after
>> related security group rule is
>> deleted" (https://bugs.launchpad.net/neutron/+bug/1335375). The gist of
>> the problem is the following: when we delete a security group rule the
>> corresponding rule in iptables is also deleted, but the connection, that
>> was allowed by that rule, is not being destroyed.
>> The reason for such behavior is that in iptables we have the following
>> structure of a chain that filters input packets for an interface of an
>> instance:
> <snip>
>
> Like Miguel said, there's no easy way to identify this on the compute
> node since neither the MAC nor the interface are going to be in the
> conntrack command output. And you don't want to drop the wrong tenant's
> connections.
>
> Just wondering, if you remove the conntrack entries using the IP/port
> from the router namespace does it drop the connection? Or will it just
> start working again on the next packet? Doesn't work for VM to VM
> packets, but those packets are probably less interesting. It's just my
> first guess.
Presumably this issue affects other conntrack users, no? What does
upstream conntrack have to say about the matter?
I tend to avoid such things where I can, but what do "real" firewalls do
with such matters? If one removes a rule which allowed a given
connection through, do they actually go ahead and nuke existing connections?
rick jones
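To make the mechanism under discussion concrete, here is a small Python model of a per-port ingress chain plus the host's shared conntrack table. It is an added illustration for this thread, not Neutron code and not anything the posters wrote. The chain layout (a RELATED,ESTABLISHED shortcut ahead of one ACCEPT per security-group rule, then a DROP fallback) is a simplification of what Neutron's iptables firewall driver installs and is an assumption here, as are the addresses and the two overlapping-IP tenants used in the walkthrough. It shows the bug (a tracked flow stays accepted after its rule is gone) and the side effect Brian raises (an IP-based conntrack delete also removes the other tenant's entry, because nothing in the table ties an entry to a port or MAC).

```python
"""Toy model of a Neutron per-port iptables chain plus the host's conntrack
table (added illustration, not Neutron code). It reproduces the behaviour in
bug 1335375: the RELATED,ESTABLISHED rule sits before the security-group
rules, so deleting a rule leaves already-tracked flows accepted until their
conntrack entries are removed. Chain layout is an assumption here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp", "tcp", "udp"
    dport: int = 0  # 0 for icmp


# Conntrack keys a flow by protocol and the (unordered) endpoint pair, so the
# reply direction matches the same entry. There is no port/MAC in the key.
FlowKey = Tuple[str, frozenset, int]


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.proto, frozenset((pkt.src, pkt.dst)), pkt.dport)


class Conntrack:
    """One table per network namespace: every port's chain shares it."""

    def __init__(self) -> None:
        self.entries: Set[FlowKey] = set()

    def is_established(self, pkt: Packet) -> bool:
        return flow_key(pkt) in self.entries

    def track(self, pkt: Packet) -> None:
        self.entries.add(flow_key(pkt))

    def delete(self, ip: str, proto: Optional[str] = None) -> int:
        """Models an IP-based delete (conntrack -D with -s/-d): drops every
        entry involving `ip`, whichever VM port or tenant owns it."""
        victims = {k for k in self.entries
                   if ip in k[1] and (proto is None or k[0] == proto)}
        self.entries -= victims
        return len(victims)


@dataclass
class PortChain:
    """Model of the per-port ingress chain for one VM interface."""
    ct: Conntrack
    rules: List[Tuple[str, int]] = field(default_factory=list)  # (proto, dport)

    def add_rule(self, proto: str, dport: int = 0) -> None:
        self.rules.append((proto, dport))

    def delete_rule(self, proto: str, dport: int = 0) -> None:
        self.rules.remove((proto, dport))

    def filter(self, pkt: Packet) -> str:
        # 1. "-m state --state RELATED,ESTABLISHED" shortcut: tracked flows
        #    never reach the security-group rules at all.
        if self.ct.is_established(pkt):
            return "ACCEPT"
        # 2. One ACCEPT per security-group rule; the first accepted packet
        #    creates the conntrack entry.
        for proto, dport in self.rules:
            if pkt.proto == proto and pkt.dport == dport:
                self.ct.track(pkt)
                return "ACCEPT"
        # 3. Fallback chain: DROP.
        return "DROP"


def demo() -> Dict[str, str]:
    """Walk through the bug and the blunt conntrack cleanup (constructed data)."""
    ct = Conntrack()
    vm_a = PortChain(ct)  # tenant A's VM, 10.0.0.5
    vm_b = PortChain(ct)  # tenant B's VM, also 10.0.0.5 on its own network
    vm_a.add_rule("icmp")
    vm_b.add_rule("icmp")
    ping_a = Packet("10.0.0.9", "10.0.0.5", "icmp")
    ping_b = Packet("192.168.1.7", "10.0.0.5", "icmp")
    out: Dict[str, str] = {}
    out["first ping A"] = vm_a.filter(ping_a)  # ACCEPT, entry created
    out["first ping B"] = vm_b.filter(ping_b)  # ACCEPT, entry created
    vm_a.delete_rule("icmp")                   # tenant A removes its rule
    out["ping A after rule delete"] = vm_a.filter(ping_a)       # ACCEPT: the bug
    new_peer = Packet("10.0.0.10", "10.0.0.5", "icmp")
    out["new flow A after rule delete"] = vm_a.filter(new_peer)  # DROP, as expected
    removed = ct.delete("10.0.0.5", "icmp")    # IP-based cleanup on the compute node
    out["entries removed"] = str(removed)      # 2: tenant B's entry went too
    out["ping A after conntrack delete"] = vm_a.filter(ping_a)  # DROP: fixed
    out["ping B after conntrack delete"] = vm_b.filter(ping_b)  # re-tracked via B's rule
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {verdict}")
```

The "entries removed" count is the point of Brian's caution: with overlapping tenant addresses the table offers nothing to pick the right entry by, so a delete keyed on IP/port takes out both flows, and in real conntrack a mid-stream TCP flow whose entry vanished would then be re-evaluated against the rules rather than silently continuing.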