diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/files/iptables-rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/files/iptables-rules
new file mode 100644
index 0000000000..72fd71d65b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/files/iptables-rules
@@ -0,0 +1,16 @@
+# Loaded by oracle-oci-iptables.service
+*mangle
+:oracle-oci-link-local -
+-A oracle-oci-link-local -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+-A oracle-oci-link-local -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j ACCEPT
+# REJECT unavailable in POSTROUTING
+-A oracle-oci-link-local -d 169.254.0.0/16 -m comment --comment "See the Oracle-Provided Images section in the Oracle Bare Metal documentation for security impact of modifying or removing this rule" -j DROP
+COMMIT
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/files/units/oracle-oci-iptables.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/files/units/oracle-oci-iptables.service
new file mode 100644
index 0000000000..b3f82926be
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/files/units/oracle-oci-iptables.service
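Review bot: The header comment `# Loaded by oracle-oci-iptables.service` says who loads the file but not what the chain enforces, which anyone editing these rules needs before touching them; I would add `# Allowlist for host traffic to 169.254.0.0/16 (OCI iSCSI, DNS/DHCP/TFTP and the 169.254.169.254 metadata endpoint); everything else in that range is dropped by the final rule.` A second comment is worth adding above the first `-m owner --uid-owner 0` rule: the owner match only applies to locally generated packets, so the port 3260 and 169.254.0.3:80 rules are effectively root-on-host-only, whereas the metadata rules without an owner match also accept traffic the host forwards (for example from a container bridge, if any is routed this way). That asymmetry is presumably intentional, but left undocumented a later edit could assume the whole chain is host-local.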
@@ -0,0 +1,21 @@
+[Unit]
+Description=Oracle OCI Firewall Rules
+
+Before=network.target
+
+After=iptables-restore.service
+# Avoid races in case both are queued
+Before=iptables-save.service
+
+[Service]
+Type=oneshot
+# Load oracle-oci-link-local chain, overwriting any existing contents.
+# Invoke rules from mangle/POSTROUTING because fewer firewall tools are
+# likely to change it.
+ExecStart=/usr/sbin/iptables-restore --noflush /usr/share/oem/iptables-rules
+# Insert jump to link-local chain at beginning of mangle/POSTROUTING, only
+# if the existing ruleset doesn't have it.
+ExecStart=/bin/sh -c "/usr/sbin/iptables -t mangle -C POSTROUTING -d 169.254.0.0/16 -j oracle-oci-link-local 2>/dev/null || iptables -t mangle -I POSTROUTING 1 -d 169.254.0.0/16 -j oracle-oci-link-local"
+
+[Install]
+WantedBy=basic.target
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/oem-oracle-oci-0.1.0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/oem-oracle-oci-0.2.0.ebuild
similarity index 93%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/oem-oracle-oci-0.1.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/oem-oracle-oci-0.2.0.ebuild
index c3cd4d6cf6..d9c9aee72a 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/oem-oracle-oci-0.1.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-oracle-oci/oem-oracle-oci-0.2.0.ebuild
@@ -22,6 +22,7 @@ src_prepare() {
 src_install() {
 insinto "/usr/share/oem"
 doins "${FILESDIR}/grub.cfg"
+ doins "${FILESDIR}/iptables-rules"
 doins "${T}/oem-release"
 doins -r "${FILESDIR}/units"
 }
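Review bot: The fallback branch of the second `ExecStart=` calls a bare `iptables`, while the `-C` check beside it uses `/usr/sbin/iptables`, so whether the jump actually gets inserted depends on the PATH systemd hands to `/bin/sh`; make both absolute: `... || /usr/sbin/iptables -t mangle -I POSTROUTING 1 -d 169.254.0.0/16 -j oracle-oci-link-local"`. Separately, `Before=network.target` does not order the unit ahead of interface configuration, so there may be a window during boot in which 169.254.0.0/16 traffic is unfiltered; systemd's documented idiom for firewall setup is `Wants=network-pre.target` plus `Before=network-pre.target`. `Type=oneshot` without `RemainAfterExit=yes` leaves the unit reporting inactive once it has run; both steps are idempotent so a re-run is harmless, but a one-line comment saying so would stop someone from "fixing" it later.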