iptables drop invalid rst (#3484)

* iptables drop invalid rst Signed-off-by: changluyi <[email protected]> * Update uninstall.sh --------- Signed-off-by: changluyi <[email protected]>
kubeovn · Dec 5, 2023 · 984f227 · 984f227
1 parent 7436dc4
commit 984f227
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
@@ -29,6 +29,8 @@ iptables -t mangle -F OVN-PREROUTING
 iptables -t mangle -X OVN-PREROUTING
 iptables -t mangle -F OVN-OUTPUT
 iptables -t mangle -X OVN-OUTPUT
+iptables -t mangle -F OVN-POSTROUTING
+iptables -t mangle -X OVN-POSTROUTING
 
 sleep 1
 
@@ -67,6 +69,8 @@ ip6tables -t mangle -F OVN-PREROUTING
 ip6tables -t mangle -X OVN-PREROUTING
 ip6tables -t mangle -F OVN-OUTPUT
 ip6tables -t mangle -X OVN-OUTPUT
+ip6tables -t mangle -F OVN-POSTROUTING
+ip6tables -t mangle -X OVN-POSTROUTING
 
 sleep 1
 

diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
@@ -551,6 +551,8 @@ func (c *Controller) setIptables() error {
 			{Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 			// Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 			{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+			// Drop invalid rst
+			{Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 		}
 		v6Rules = []util.IPTableRule{
 			// mark packets from pod to service
@@ -588,6 +590,8 @@ func (c *Controller) setIptables() error {
 			{Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 			// Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 			{Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+			// Drop invalid rst
+			{Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn60subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 		}
 	)
 	protocols := make([]string, 2)
@@ -710,7 +714,7 @@ func (c *Controller) setIptables() error {
 			}
 		}
 
-		var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules []util.IPTableRule
+		var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules, manglePostrutingRules []util.IPTableRule
 		for _, rule := range iptablesRules {
 			if rule.Table == NAT {
 				if c.k8siptables[protocol].HasRandomFully() &&
@@ -729,6 +733,11 @@ func (c *Controller) setIptables() error {
 					ovnMasqueradeRules = append(ovnMasqueradeRules, rule)
 					continue
 				}
+			} else if rule.Table == MANGLE {
+				if rule.Chain == OvnPostrouting {
+					manglePostrutingRules = append(manglePostrutingRules, rule)
+					continue
+				}
 			}
 
 			if err = c.createIptablesRule(ipt, rule); err != nil {
@@ -780,6 +789,11 @@ func (c *Controller) setIptables() error {
 			return err
 		}
 
+		if err = c.updateIptablesChain(ipt, MANGLE, OvnPostrouting, Postrouting, manglePostrutingRules); err != nil {
+			klog.Errorf("failed to update chain %s/%s: %v", MANGLE, OvnPostrouting, err)
+			return err
+		}
+
 		if err = c.cleanObsoleteIptablesRules(protocol, obsoleteRules); err != nil {
 			klog.Errorf("failed to clean legacy iptables rules: %v", err)
 			return err