
Issues with Security Groups and ICMP #815

Closed
youngm opened this issue May 4, 2017 · 5 comments
@youngm
Contributor

youngm commented May 4, 2017

Issue

It appears the CC api documentation doesn't match the current security group api docs: https://apidocs.cloudfoundry.org/258/security_groups/creating_a_security_group.html

That doc says:

The egress rules for apps that belong to this security group. A rule consists of a protocol 
(tcp,icmp,udp,all), destination CIDR or destination range, port or port range (tcp,udp,all)

This documentation fragment seems to imply that I can specify protocol all with a port. However, if I try this against CF release 257 I get the error: Server error, status code: 400, error code: 300001, message: The security group is invalid: rules rule number 1 contains the invalid field 'ports'.

The question is, is the Cloud Controller wrong or is the documentation wrong? To help answer that let me give you my use case.

Context

I have an existing security group rule with a protocol of all. Because of a change I now need to block a single TCP/UDP port from that rule. To do this it might seem trivial enough to simply make a security group that excludes that port range (2 rules). But, because I cannot specify ports with the protocol all, that means I need to break out tcp and udp into different rules (4 rules). Not a big deal, but now how do I make icmp work the way it did when protocol was all? icmp requires a type and a code. In order to replicate the icmp behavior I had before, do I need to make a rule for every icmp type and code?

All I want to do is block people from connecting to a certain port on a given cidr.

Thoughts?

Steps to Reproduce

Try to craft a security group that supports all protocols but excludes a port.

Expected result

Not too difficult

Current result

You get a huge rule with all the icmp opt ins required once protocol is not all

Possible Fix

Support protocol all with ports that assumes you want to keep the functionality of icmp in the all protocol without port state that works today.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/144905401

The labels on this github issue will be updated when the story is started.

@zrob
Contributor

zrob commented May 9, 2017

Hi @youngm

It looks like you can set type and code to -1 to get the allow all behavior for icmp rules. Docs are definitely sparse, so we'll take a look at updating that.
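Putting the two halves of this thread together (the 400 on protocol all with ports from the issue description, and the -1 type/code wildcard from the reply above), here is an added example, not code from the cloud_controller_ng project, that builds the ASG rule set youngm was after: allow everything to a CIDR except one TCP/UDP port. Because ASGs only express allow rules, "block one port" has to be written as tcp and udp rules whose port ranges skip that port, plus an icmp rule with type -1 and code -1. The field names (protocol, destination, ports, type, code) are the ASG rule JSON fields; the local pre-check is modelled on the error message quoted in the issue and is an assumption about what the API rejects, not a copy of the Cloud Controller's validator.

```python
import json

# Constructed example: generate a Cloud Foundry ASG rule list that allows all
# traffic to `destination` except a single TCP/UDP port. The -1 wildcard for
# icmp type/code is the behaviour described in the thread above.

def port_ranges_excluding(port, lo=1, hi=65535):
    """Return the ASG 'ports' string covering lo..hi with `port` removed.

    Single-port spans are written as a bare number, multi-port spans as a-b,
    joined with commas (e.g. '1-3305,3307-65535').
    """
    if not lo <= port <= hi:
        raise ValueError(f"port {port} is outside {lo}-{hi}")
    spans = []
    if port > lo:
        spans.append(f"{lo}-{port - 1}" if port - 1 > lo else str(lo))
    if port < hi:
        spans.append(f"{port + 1}-{hi}" if port + 1 < hi else str(hi))
    return ",".join(spans)


def validate_rule(rule):
    """Local pre-check (assumption) mirroring the 400 reported in the issue:
    protocol 'all' may not carry 'ports', and icmp needs type and code."""
    if rule["protocol"] == "all" and "ports" in rule:
        raise ValueError("protocol 'all' does not accept the 'ports' field")
    if rule["protocol"] == "icmp" and not {"type", "code"} <= rule.keys():
        raise ValueError("icmp rules need 'type' and 'code' (-1 means any)")
    return True


def all_but_port(destination, port):
    """Rules equivalent to 'protocol all' to `destination`, minus one port."""
    ports = port_ranges_excluding(port)
    rules = [
        {"protocol": "tcp", "destination": destination, "ports": ports},
        {"protocol": "udp", "destination": destination, "ports": ports},
        # -1/-1 keeps the allow-all icmp behaviour that 'all' gave implicitly
        {"protocol": "icmp", "destination": destination, "type": -1, "code": -1},
    ]
    for rule in rules:
        validate_rule(rule)
    return rules


if __name__ == "__main__":
    # Write the rules out in the shape `cf create-security-group NAME FILE` expects
    print(json.dumps(all_but_port("10.0.0.0/24", 3306), indent=2))
```

Three rules instead of a rule per icmp type/code pair; the same generator covers any port, including the edge cases at 1 and 65535 where one side of the split collapses to a single port.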

@youngm
Contributor Author

youngm commented May 9, 2017

Thanks @zrob I'll give -1 a try.

@zrob
Contributor

zrob commented May 24, 2017

@youngm did this resolve the issue for you?

@youngm
Contributor Author

youngm commented May 24, 2017

Yup, sorry, I forgot to close. @zrob
