-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix(secgroups): ICMP Echo Request being blocked #269
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This is dumbest mapping ever. We can either also a.) leave it completely out possibly
OR
b.) set it to -1
this should allow all ICMP types and codes
Wasn't that setting intentional that way to mitigate icmp based attacks
like ping floods? (
https://www.cloudflare.com/learning/ddos/ping-icmp-flood-ddos-attack/)
tcptraceroute to the open ports of the load balancer can still be useful.
I would at least make it optional, so icmp floods can be quickly mitigated.
Niclas Schad ***@***.***> schrieb am Fr., 8. Dez. 2023, 16:44:
… ***@***.**** approved this pull request.
—
Reply to this email directly, view it on GitHub
<#269 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AANPNTXFHCZDKHRUJHAINJDYIMYXDAVCNFSM6AAAAABAMY35HKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTONZSGY3DQOBVGU>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
I'm very certain that this wasn't intentional, as the old values were entirely wrong. Even the comment a few lines above indicates that: yawol/internal/helper/loadbalancer.go Line 204 in f949e16
If you need to mitigate this, just add a security group that blocks ICMP. |
I would also say it is not intentional but also see the point that it can be problematic. Just create a secgroup rule is not that easy because they get reconciled. Maybe we should add it with an setting in wdyt @Kumm-Kai |
This fixes a thing that never worked before 😄
Currently ICMP echo requests are blocked by the ingress security group rules for ICMP, which looks like this:
type=1:code=8
(ICMP type 1 is not used for anything in the ICMP protocol).After this PR the ingress security group rules will look like this:
type=8
(code
seems to be omitted by openstack if it is0
) and allows ICMP echo requests to reach the VM.Egress isn't a problem because the egress security group rule doesn't block anything.