From 35c7eaf52fbb7740954d2059f8fe19e6e1f7f455 Mon Sep 17 00:00:00 2001
From: changluyi <47097611+changluyi@users.noreply.github.com>
Date: Wed, 6 Dec 2023 16:14:59 +0800
Subject: [PATCH] add drop invalid rst 1.12 (#3490)
* add drop invalid rst
Signed-off-by: Changlu Yi
* typo
Signed-off-by: changluyi
---------
Signed-off-by: Changlu Yi
Signed-off-by: changluyi
---
 dist/images/uninstall.sh | 4 ++++
 pkg/daemon/gateway_linux.go | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
index 5390503da9c..0be293236ef 100644
--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
@@ -29,6 +29,8 @@ iptables -t mangle -F OVN-PREROUTING
 iptables -t mangle -X OVN-PREROUTING
 iptables -t mangle -F OVN-OUTPUT
 iptables -t mangle -X OVN-OUTPUT
+iptables -t mangle -F OVN-POSTROUTING
+iptables -t mangle -X OVN-POSTROUTING
 sleep 1
@@ -67,6 +69,8 @@ ip6tables -t mangle -F OVN-PREROUTING
 ip6tables -t mangle -X OVN-PREROUTING
 ip6tables -t mangle -F OVN-OUTPUT
 ip6tables -t mangle -X OVN-OUTPUT
+ip6tables -t mangle -F OVN-POSTROUTING
+ip6tables -t mangle -X OVN-POSTROUTING
 sleep 1
diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
index e55492bf1fe..a3878b86625 100644
--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -551,6 +551,8 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+ // Drop invalid rst
+ {Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
 v6Rules = []util.IPTableRule{
 // mark packets from pod to service
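Review bot: `iptables -t mangle -X OVN-POSTROUTING` only succeeds once no rule references the chain, and the hunk adds the flush and delete without a preceding `iptables -t mangle -D POSTROUTING -j OVN-POSTROUTING`. The daemon side of this patch calls `updateIptablesChain(ipt, MANGLE, OvnPostrouting, Postrouting, ...)`, which presumably installs a jump from POSTROUTING into the new chain, so on uninstall that jump would be left behind and the `-X` would fail unless the jump is removed earlier in the script, outside this hunk. If the script already deletes the jumps for OVN-PREROUTING and OVN-OUTPUT before their `-F`/`-X` lines, the same line is needed for OVN-POSTROUTING; the ip6tables hunk at @@ -67 has the same gap.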
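Review bot: The comment `// Drop invalid rst` above the new MANGLE rule does not say why RST packets from pod subnets reach OVN-POSTROUTING in conntrack's INVALID state or what symptom dropping them fixes, which is what the next maintainer needs before relaxing or removing the rule. Suggest `// Drop RST packets from pod subnets (ovn40subnets) that conntrack marks INVALID; only the RST flag is matched, other INVALID TCP packets are unaffected (see #3490)`, with the concrete failure from the issue spelled out. The match `-m state --state INVALID` is the legacy alias of `-m conntrack --ctstate INVALID`; if the rest of the file uses the conntrack form, the new rule should too. The same rule and comment for ovn60subnets appears in the hunk at @@ -588.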
@@ -588,6 +590,8 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+ // Drop invalid rst
+ {Table: MANGLE, Chain: OvnPostrouting, Rule: strings.Fields(`-p tcp -m set --match-set ovn60subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
 )
 protocols := make([]string, 2)
@@ -710,7 +714,7 @@ func (c *Controller) setIptables() error {
 }
 }
- var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules []util.IPTableRule
+ var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules, manglePostroutingRules []util.IPTableRule
 for _, rule := range iptablesRules {
 if rule.Table == NAT {
 if c.k8siptables[protocol].HasRandomFully() &&
@@ -729,6 +733,11 @@ func (c *Controller) setIptables() error {
 ovnMasqueradeRules = append(ovnMasqueradeRules, rule)
 continue
 }
+ } else if rule.Table == MANGLE {
+ if rule.Chain == OvnPostrouting {
+ manglePostroutingRules = append(manglePostroutingRules, rule)
+ continue
+ }
 }
 if err = c.createIptablesRule(ipt, rule); err != nil {
@@ -780,6 +789,11 @@ func (c *Controller) setIptables() error {
 return err
 }
+ if err = c.updateIptablesChain(ipt, MANGLE, OvnPostrouting, Postrouting, manglePostroutingRules); err != nil {
+ klog.Errorf("failed to update chain %s/%s: %v", MANGLE, OvnPostrouting, err)
+ return err
+ }
+
 if err = c.cleanObsoleteIptablesRules(protocol, obsoleteRules); err != nil {
 klog.Errorf("failed to clean legacy iptables rules: %v", err)
 return err
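Review bot: In the hunk at @@ -729 the new MANGLE branch wraps a single chain test inside a table test, so with only one chain to route the condition reads more directly as `} else if rule.Table == MANGLE && rule.Chain == OvnPostrouting {` followed by the append and `continue`. Either way a mangle rule for any other chain still falls through to `createIptablesRule`, and nothing in the hunk records that this is deliberate; a one-line comment such as `// OVN-POSTROUTING rules are installed as a whole chain by updateIptablesChain below, not one by one` would capture the intent. setIptables starts and ends outside the hunk.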