@Morgyn
Last active September 7, 2024 22:08
Allow OVH probes on Fedora CoreOS fcos

OVH Probes for Fedora CoreOS

The OVH monitoring probes are partly dynamic: besides a few fixed ranges, two of them live inside the subnet of the IP you are assigned (.250 and .251 of your /24).

You could add the rules by hand, but you would have to repeat that in every case.

This can instead be baked into your Ignition config.

Install

Modify the post-docker firewall script to add the rules: on startup, accept the fixed probe ranges and create a chain for each physical interface.

Use the NetworkManager dispatcher to add the per-interface rule: when a device comes up (the script hooks the dhcp4-change action), flush that device's chain and add the specific rule we want.

Use a dedicated chain per device so it can be flushed wholesale, rather than having to pick out the individual rules to remove.

File Locations

10_ovh_probes_iptables.sh = /etc/NetworkManager/dispatcher.d/10_ovh_probes_iptables.sh
iptables-post-docker.sh = /etc/sysconfig/iptables-post-docker

NetworkManager only runs dispatcher scripts that are owned by root, not writable by group or others, and executable, so install the first file with mode 0755.

10_ovh_probes_iptables.sh:

```bash
#!/usr/bin/bash
# NetworkManager dispatcher script: re-add the dynamic OVH probe rule for a
# physical interface each time its DHCP lease changes.
if [ "${NM_DISPATCHER_ACTION}" != "dhcp4-change" ]; then
    exit 0
fi
# Only act on physical interfaces (PCI NICs and Xen vifs); those are the ones
# the post-docker script created a DHCP_OVH_PROBE_<iface> chain for.
# basename needs -a to print one name per line when several paths match.
if grep -qw "${DEVICE_IFACE}" <<<"$(shopt -s nullglob; basename -a /sys/devices/pci*/*/*/net/* /sys/devices/vif-*/net/*)"; then
    # IP4_ADDRESS_0 is "address/prefix gateway"; the probes for this host
    # sit at .250 and .251 of its /24, i.e. one /31.
    iptables -F "DHCP_OVH_PROBE_${DEVICE_IFACE}"
    iptables -A "DHCP_OVH_PROBE_${DEVICE_IFACE}" -p icmp -s "$(cut -d . -f 1-3 <<<"${IP4_ADDRESS_0}").250/31" -j ACCEPT
fi
```

iptables-post-docker.sh (appended to the existing post-docker firewall script):

```bash
# Fixed OVH probe ranges.
for ovhprobe in 92.222.184.0/23 92.222.186.0/24 167.114.37.0/24 139.99.1.144/28; do
    /usr/sbin/iptables -A INPUT -p icmp -s "${ovhprobe}" -j ACCEPT
done
# One chain per physical interface, so the dispatcher can flush and refill it
# without touching the rest of INPUT. basename -a prints one name per line
# even when several interfaces match.
for device in $(shopt -s nullglob; /usr/bin/basename -a /sys/devices/pci*/*/*/net/* /sys/devices/vif-*/net/*); do
    /usr/sbin/iptables -N "DHCP_OVH_PROBE_${device}"
    /usr/sbin/iptables -A INPUT -p icmp -j "DHCP_OVH_PROBE_${device}"
done
```
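As an added example (not code from the gist), here is the dispatcher logic factored into functions so it can be exercised without root and without a live NetworkManager: `probe_range` derives the .250/31 range from the `IP4_ADDRESS_0` value and refuses empty or IPv6 input (a bare script would otherwise hand iptables the bogus `.250/31`), `physical_ifaces` enumerates the same PCI and Xen sysfs paths with one `basename` call per path so any number of interfaces works, and `apply_probe_rules` performs the flush-and-refill step. The `IPTABLES` variable (set it to `echo` for a dry run), the optional sysfs-root argument and the sample address `51.75.10.20/24 51.75.10.254` are assumptions introduced here for testing.

```shell
#!/bin/sh
# Added example, not the gist's code: the dispatcher logic as testable functions.
# IPTABLES is an assumed hook so the rule commands can be dry-run with IPTABLES=echo.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Names of physical interfaces: PCI NICs and Xen vifs, the same sysfs paths the
# gist globs. One basename call per path, so any number of matches is handled.
# The optional argument replaces /sys so the function can run against a fake tree.
physical_ifaces() {
    sysfs=${1:-/sys}
    for p in "$sysfs"/devices/pci*/*/*/net/* "$sysfs"/devices/vif-*/net/*; do
        [ -e "$p" ] && basename "$p"   # an unmatched glob stays literal; -e drops it
    done
    return 0
}

# Derive the in-subnet probe range from NetworkManager's IP4_ADDRESS_0, which has
# the form "address/prefix gateway" (e.g. "51.75.10.20/24 51.75.10.254", a
# constructed sample). OVH's probes sit at .250 and .251 of the host's /24.
# Returns 1 instead of emitting a bogus ".250/31" when the value is empty or IPv6.
probe_range() {
    prefix=$(printf '%s\n' "$1" | cut -d . -f 1-3)
    case "$prefix" in
        *.*.*) ;;                  # at least three dotted fields
        *) return 1 ;;
    esac
    case "$prefix" in
        *[!0-9.]*) return 1 ;;     # digits and dots only
    esac
    printf '%s.250/31\n' "$prefix"
}

# What the dispatcher does on dhcp4-change for one interface: flush the chain the
# post-docker script created and put the current probe rule back. Touches nothing
# and returns non-zero if the address is unusable (1) or the interface is not
# physical (2), since no chain exists for virtual devices such as docker0.
apply_probe_rules() {
    iface=$1
    range=$(probe_range "$2") || return 1
    physical_ifaces "${3:-/sys}" | grep -qx "$iface" || return 2
    $IPTABLES -F "DHCP_OVH_PROBE_$iface"
    $IPTABLES -A "DHCP_OVH_PROBE_$iface" -p icmp -s "$range" -j ACCEPT
}

# Entry point when NetworkManager runs this file; outside NetworkManager (no
# NM_DISPATCHER_ACTION in the environment) the script only defines the functions.
if [ "${NM_DISPATCHER_ACTION:-}" = "dhcp4-change" ] && [ -n "${DEVICE_IFACE:-}" ]; then
    apply_probe_rules "$DEVICE_IFACE" "${IP4_ADDRESS_0:-}" ||
        logger -t ovh-probes "no probe rule applied for $DEVICE_IFACE (status $?)"
fi
```

Run it with `IPTABLES=echo` and a fake sysfs tree to see exactly which rules a lease change would produce before installing it; a virtual interface such as docker0 is rejected rather than getting a chain that was never created.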