For reasons which will be immediately apparent to anyone who has read my
earlier blog post
about the EC2 Instance Metadata Service (IMDS) and its use by IAM Roles, I
recently decided that I wanted to intercept outgoing IP packets with a
destination of 169.254.169.254: in some cases I want to redirect
or block them, and in other cases I want them to proceed unimpeded. To make
things harder, I had two more constraints:
- I don't want to write any new kernel code, since venturing into the
  kernel introduces a much wider range of potential adverse outcomes if my
  code is buggy; and
- I don't want to make use of firewalls, since users might have their own
  firewall rulesets which could conflict with EC2 IMDS-filtering rules; also,
  traversing a firewall, even one with a trivial ruleset, has
  a cost which can become nontrivial for the sort of high-bandwidth applications
  at which FreeBSD excels.
(For the same reasons, I’m less than enthusiastic about the suggestion in
Amazon’s
documentation that users consider using local firewall rules to restrict
access to the Instance Metadata Service.)
While I like to consider myself an experienced FreeBSD developer, networking
is not my area of expertise; so I spent a significant amount of time flailing
around and reading often badly-out-of-date documentation while trying to
figure this out. In the hope of helping the next person who wants to do
something like this, here are some notes about what worked and what didn't.