ec2 group module, support for icmp protocol


iain wright

Jun 18, 2014, 3:17:08 AM
to ansible...@googlegroups.com
I'm wondering if the ec2 groups module supports the icmp protocol.

I've tried a few combinations of rules and am not having much luck -- I don't see an example for it in the docs here: https://github.com/ansible/ansible/blob/release1.6.3/library/cloud/ec2_group

Thank you,
iain

James Cammarata

Jun 18, 2014, 11:04:53 AM
to ansible...@googlegroups.com
Looking through the code, I don't see any reason why an ICMP rule should not work. We do not filter based on the specified protocol in the list.

According to http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html, when creating an ICMP rule, the from_port should be used to specify the ICMP type number (or -1 for all ICMP types). 

Feel free to send us a pull request with an example for an ICMP rule as well.


iain wright

Jun 19, 2014, 6:04:51 AM
to ansible...@googlegroups.com
Thanks James! Will give this a shot and add the example.

--
Iain Wright

Markus Klems

Feb 16, 2015, 6:06:50 AM
to ansible...@googlegroups.com
Hi,

I tried the solution as follows but it does not work for me:

  - proto: icmp
    from_port: 0
    to_port: 0
    cidr_ip: 0.0.0.0/0
  - proto: icmp
    from_port: 8
    to_port: 8
    cidr_ip: 0.0.0.0/0

In my AWS security group dashboard, I can see the following two lines added:

Custom ICMP Rule    Echo Request
Custom ICMP Rule    Echo Reply    0

Unfortunately, I still cannot ping my server. When I manually add the two custom ICMP rules on the AWS dashboard it works, though. When I add the ICMP rules on the dashboard, the port number is "N/A" whereas when I add the rules with Ansible they correspond to the ICMP type number.

Does it work for anybody else / could you post an example?

Thanks,

Markus

Dan Vaida

Feb 16, 2015, 4:03:29 PM
to ansible...@googlegroups.com
I guess you misunderstood how ICMP works.
Try this:
        - proto: icmp
          from_port: -1
          to_port: -1


Markus Klems

Feb 16, 2015, 4:26:29 PM
to ansible...@googlegroups.com
Hi Dan,

Thanks for your feedback. In fact, the -1 solution does work in Ansible. However, this will open traffic to all ICMP types (which I would like to avoid). According to James Cammarata's link earlier in this conversation, the ICMP code types map to AWS from_port settings when we want to set ICMP rules up with Ansible/boto through the AWS API:

"The start of port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (i.e., any ICMP type number)."

Maybe I am still misunderstanding something. Could you give a code example to only open echo (8) and echo reply (0)? This is possible when I use the AWS dashboard, so it should also be possible programmatically.

Thanks so much,

Markus

Dan Vaida

Feb 16, 2015, 5:20:49 PM
to ansible...@googlegroups.com
Hey Markus,

Apologies for rushing in like that. Always a bad idea to answer in mailing list threads while commuting :)
What version of Ansible are you sporting?
I believe it could help you.

Markus Klems

Feb 17, 2015, 4:41:33 AM
to ansible...@googlegroups.com
Hi Dan,

> Apologies for rushing in like that. Always a bad idea to answer in mailing list threads while commuting :)

no problemo, my question was probably phrased a bit oddly ;-)

> What version of Ansible are you sporting?
> I believe it could help you.

I have just upgraded to "ansible 1.9 (devel 5738ee1cb3)" but it's still the same problem.
Well, this is not a show stopper for my project. I will use the -1 solution and move on with other tasks.

Thanks & best regards,

Markus
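An added example (not from this thread or from the Ansible project) of an ec2_group task that admits only echo request and echo reply, as Markus asked for. In the AWS security-group API that the module passes through, from_port is the ICMP type and to_port is the ICMP code (-1 meaning any code), so a rule with from_port: 8 and to_port: 8 matches type 8 code 8, which ping never sends; the aws_region and vpc_id variables and the 203.0.113.0/24 source range are assumptions, not values from the thread.

```yaml
# Added example: ec2_group with ICMP echo request/reply only.
# Assumes the Ansible 1.x ec2_group module discussed above and that
# aws_region / vpc_id are supplied by the caller.
- name: Security group that allows ping only, from one trusted source range
  ec2_group:
    name: icmp-echo-only
    description: Allow ICMP echo request and echo reply only
    region: "{{ aws_region }}"   # assumption: set by the caller
    vpc_id: "{{ vpc_id }}"       # assumption: set by the caller
    rules:
      # proto: icmp -> from_port is the ICMP type, to_port is the ICMP code.
      # Echo request is type 8; to_port -1 means "any code" for that type,
      # which is what the console stores when you pick "Echo Request".
      - proto: icmp
        from_port: 8
        to_port: -1
        cidr_ip: 203.0.113.0/24  # constructed example range; narrower than 0.0.0.0/0
      # Echo reply is type 0; again allow any code for that type.
      - proto: icmp
        from_port: 0
        to_port: -1
        cidr_ip: 203.0.113.0/24
```

After the task runs, the console should show the two entries with a port of "N/A" rather than a numeric code, matching the rules added by hand.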