Issues with Security Groups and ICMP #815
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/144905401 The labels on this GitHub issue will be updated when the story is started.
Hi @youngm, it looks like you can set
Thanks @zrob, I'll give -1 a try.
@youngm did this resolve the issue for you?
Yup, sorry I forgot to close. @zrob
Issue
It appears the CC API documentation doesn't match the current security group API docs: https://apidocs.cloudfoundry.org/258/security_groups/creating_a_security_group.html
That doc says:
This documentation fragment seems to imply that I can specify protocol `all` with a port. However, if I try this against CF release 257 I get the error: `Server error, status code: 400, error code: 300001, message: The security group is invalid: rules rule number 1 contains the invalid field 'ports'`.

The question is: is the Cloud Controller wrong, or is the documentation wrong? To help answer that, let me give you my use case.
Context
I have an existing security group rule with a protocol of `all`. Because of a change I now need to block a single TCP/UDP port from that rule. To do this it might seem trivial enough to simply make a security group that excludes that port range (2 rules). But, because I cannot specify `ports` with the protocol `all`, that means I need to break out `tcp` and `udp` into different rules (4 rules). Not a big deal, but now how do I make `icmp` work the way it did when protocol was `all`? `icmp` requires a type and a code. In order to replicate the icmp behavior I had before, do I need to make a rule for every icmp type and code? All I want to do is block people from connecting to a certain port on a given CIDR.
Thoughts?
Steps to Reproduce
Try to craft a security group that supports all protocols but excludes a port.
Expected result
Not too difficult
Current result
You get a huge rule with all the icmp opt-ins required once protocol is not `all`.
Possible Fix
Support protocol `all` with `ports` that assumes you want to keep the functionality of icmp in the `all` protocol without port state that works today.
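The rule expansion the issue walks through, as an added example that is not code from the issue or from Cloud Foundry: starting from one `all` rule, it generates the per-range `tcp`/`udp` rules plus a single `icmp` rule using the `-1` type/code wildcard the thread settled on, then checks the result with a small local stand-in for the Cloud Controller validation (so the `all` + `ports` combination is rejected the way the issue reports) and with an any-match check that the excluded port is the only thing no longer allowed. The rule field names (`protocol`, `destination`, `ports`, `type`, `code`) and the meaning of `-1` as "any" are assumptions of this example; security groups being allow-lists, so that "blocking" a port means leaving it out, is how ASGs work.

```python
"""Expand a Cloud Foundry security-group rule of protocol "all" into the
per-protocol rule set the issue describes, and check it against the
Cloud Controller constraint that 'ports' is rejected for protocol "all".

Assumptions of this example (not taken from the issue): the rule shape
protocol / destination / ports / type / code, and icmp type -1 / code -1
meaning "any type / any code".
"""
from __future__ import annotations

import json

MIN_PORT, MAX_PORT = 1, 65535


def validate_rule(rule: dict) -> list[str]:
    """Local stand-in for the CC checks the issue ran into."""
    errors: list[str] = []
    proto = rule.get("protocol")
    if proto not in ("tcp", "udp", "icmp", "all"):
        errors.append(f"invalid protocol {proto!r}")
    if "ports" in rule and proto not in ("tcp", "udp"):
        errors.append("contains the invalid field 'ports'")
    if proto == "icmp" and ("type" not in rule or "code" not in rule):
        errors.append("icmp rule requires 'type' and 'code'")
    if "destination" not in rule:
        errors.append("missing 'destination'")
    return errors


def ranges_excluding(lo: int, hi: int) -> list[str]:
    """Port-range strings that cover 1-65535 except lo..hi inclusive."""
    if not (MIN_PORT <= lo <= hi <= MAX_PORT):
        raise ValueError(f"bad port range {lo}-{hi}")
    keep: list[str] = []
    if lo > MIN_PORT:
        keep.append(str(MIN_PORT) if lo - 1 == MIN_PORT else f"{MIN_PORT}-{lo - 1}")
    if hi < MAX_PORT:
        keep.append(str(MAX_PORT) if hi + 1 == MAX_PORT else f"{hi + 1}-{MAX_PORT}")
    return keep


def expand_all_excluding(destination: str, lo: int, hi: int | None = None) -> list[dict]:
    """Replacement for {"protocol": "all", "destination": destination}
    that allows everything except tcp/udp ports lo..hi.

    ASGs are allow-lists, so the port is "blocked" by leaving it out:
    one tcp and one udp rule per surviving range (the issue's 4 rules),
    plus one icmp rule with the -1/-1 wildcard instead of a rule per
    type/code pair.
    """
    hi = lo if hi is None else hi
    rules: list[dict] = []
    for proto in ("tcp", "udp"):
        for ports in ranges_excluding(lo, hi):
            rules.append({"protocol": proto, "destination": destination, "ports": ports})
    rules.append({"protocol": "icmp", "destination": destination, "type": -1, "code": -1})
    bad = [(r, validate_rule(r)) for r in rules if validate_rule(r)]
    if bad:
        raise ValueError(f"generated invalid rules: {bad}")
    return rules


def _port_in(ports: str, port: int) -> bool:
    """True if port falls inside a "p", "a-b" or comma-separated ports string."""
    for part in ports.split(","):
        first, _, last = part.strip().partition("-")
        lo_i, hi_i = int(first), (int(last) if last else int(first))
        if lo_i <= port <= hi_i:
            return True
    return False


def allows(rules: list[dict], protocol: str, port: int | None = None,
           icmp_type: int = -1, icmp_code: int = -1) -> bool:
    """Any-match check: does some rule permit this egress?
    Destination matching is omitted because every rule here shares one CIDR."""
    for r in rules:
        p = r["protocol"]
        if p == "all":
            return True
        if p == protocol and p in ("tcp", "udp"):
            if "ports" not in r or (port is not None and _port_in(r["ports"], port)):
                return True
        if p == protocol == "icmp":
            type_ok = r["type"] == -1 or r["type"] == icmp_type
            code_ok = r["code"] == -1 or r["code"] == icmp_code
            if type_ok and code_ok:
                return True
    return False


if __name__ == "__main__":
    # Constructed input: the issue's scenario, blocking one port on one CIDR.
    rules = expand_all_excluding("10.0.0.0/24", 53)
    print(json.dumps(rules, indent=2))
    for proto, port in (("tcp", 53), ("udp", 53), ("tcp", 52), ("udp", 54)):
        print(proto, port, "allowed" if allows(rules, proto, port) else "blocked")
    print("icmp", "allowed" if allows(rules, "icmp") else "blocked")
```

Excluding port 53 yields the five-rule set (two `tcp`, two `udp`, one `icmp`); excluding port 1 or 65535 yields only three, since one side of the range is empty, and excluding the whole range leaves just the `icmp` rule.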