Miguel Ángel,

On Thu, Oct 23, 2014 at 5:56 AM, Miguel Angel Ajo Pelayo
<mangel...@redhat.com> wrote:
> Temporarily removing this entry doesn't seem like a good solution
> to me as we can't really know how long do we need to remove this rule to
> induce the connection to close at both ends (it will only close if any
> new activity happens, and timeout is exhausted afterwards).

I think you're right here.  I think any activity will keep the
connection alive in conntrack.  So, we are at the mercy of the
timeouts at both ends.  Assuming an attacker has control over at least
the external endpoint, it could be kept "open" indefinitely generating


OpenStack-dev mailing list

Reply via email to