farrellit / ec2metadata-role-assumption

a simple role assumption service that exports resultant credentials the same way the ec2metadata service does, and provides endpoints for arbitrary metadata like in EC2 land.

(linux) 169.265.169.254 on loopback is shared outside of loopback interface #30

Open jagibson opened 6 years ago

jagibson commented 6 years ago

Only the 127.0.0.0/8 IP address range stays on the loopback interface in Linux. Any other address space will be presented to the network as just another address. Consequently 169.265.169.254 will be shared out to at least the local network. This can cause problems if multiple people on the network are running ec2metadata at the same time. In fact, other users will be able to operate on my own assumed role.

I have not found a way to force Linux to treat 169.255.169.254 as it would 127.0.0.1 and truly keep it internal to the host. I'm still researching that. Possible workarounds are denying traffic (including arp) in iptables or going back to the old method of just using iptables entirely.
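An added audit script for the scenario described in this issue (example code, not part of the ec2metadata-role-assumption project). It parses the one-line-per-address output of `ip -o -4 addr show`, flags any address on `lo` outside 127.0.0.0/8 (the only range Linux keeps strictly on loopback, as the report states), and prints the iptables/arptables rules that restrict such an address to the loopback interface, which is the workaround the report mentions. The sample `ip` output is constructed, and the address 169.254.169.254 is the EC2 metadata address the service imitates.

```shell
#!/bin/sh
# Added example, not from the original issue or project.
# Audit loopback-bound addresses that Linux will also answer for on other
# interfaces: anything on "lo" outside 127.0.0.0/8.

# Return 0 (true) if one line of `ip -o -4 addr show` describes such an address.
leaks_off_loopback() {
    line="$1"
    iface=$(printf '%s\n' "$line" | awk '{print $2}')
    addr=$(printf '%s\n' "$line" | awk '{print $4}' | cut -d/ -f1)
    [ "$iface" = "lo" ] || return 1          # only loopback is of interest
    case "$addr" in 127.*) return 1 ;; esac  # 127/8 never leaves loopback
    return 0
}

# Count leaking addresses in a multi-line `ip -o -4 addr show` dump.
count_leaking() {
    n=0
    while IFS= read -r line; do
        if leaks_off_loopback "$line"; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Packet-filter workaround: drop IP and ARP traffic for the address unless it
# arrives on loopback (rules are printed, not applied, so this runs unprivileged).
print_mitigation() {
    echo "iptables -A INPUT ! -i lo -d $1 -j DROP"
    echo "arptables -A INPUT -d $1 -j DROP"
}

# Constructed sample output of `ip -o -4 addr show` (not captured from a real host).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 169.254.169.254/32 scope global lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Report each leaking address and the rules that would confine it.
audit() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if leaks_off_loopback "$line"; then
            addr=$(printf '%s\n' "$line" | awk '{print $4}' | cut -d/ -f1)
            echo "WARNING: $addr is bound on lo but is not in 127.0.0.0/8; it is reachable from the LAN"
            print_mitigation "$addr"
        fi
    done
}

audit "$SAMPLE"
```

On a live host, replace `SAMPLE` with `$(ip -o -4 addr show)`; the script only prints the rules, so applying them stays a deliberate, privileged step.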

jagibson commented 6 years ago

Found a fix. Patch forthcoming

jagibson commented 6 years ago

31 @farrellit