Skip to content
Intercepts and filters requests to the EC2 Instance Metadata Service
C Makefile Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
freebsd-conf Make sure that the gateway is in the ARP cache Jan 26, 2020
libcperciva Add initial version Jan 24, 2020
Makefile.prog Mention that this is FreeBSD-only (for now) Jan 24, 2020
STYLE Add initial version Jan 24, 2020


imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which work together to intercept and filter requests to the EC2 Instance Metadata Service -- or theoretically any other service at

It validates requests against a configured ruleset which specifies whether given users and groups should be allowed or denied access to certain prefixes in the Instance Metadata Service. For example, "root" could be granted access to everything; most unprivileged users granted access to everything except IAM role credentials; but the www user denied access to the entire Instance Metadata Service in order to guard against SSRF and similar attacks.

At present this code only works on FreeBSD; we hope to support other platforms (e.g., Linux) in the future. (Send patches!)

Code layout

imds-filterd/*  -- Privileged code
  main.c        -- Initialization and event loop
  netconfig.c   -- Gathers information about the network configuration (e.g.
                   where and how to access the IMDS).
  tunsetup.c    -- Creates a virtualized environment and creates tunnels used
                   to redirect packets in and out of it.
  packets.c     -- Pushes packets in and out of the virtualized environment.
  conns.c       -- Provides a mechanism for imds-proxy to connect to the IMDS.
  ident.c       -- Provides an "ident" service used by imds-proxy.
imds-proxy/*    -- Unprivileged filtering HTTP proxy
  main.c        -- Command line parsing, initialization, and connection
  conf.c        -- Reads the configuration and performs queries against it.
  http.c        -- Handles an HTTP connection (possibly forwarding it).
  ident.c       -- Uses imds-filterd to determine the source of a request.
  request.c     -- Parses an HTTP request.
  uri2path.c    -- Extracts and normalizes the path from a Request-URI.
You can’t perform that action at this time.