

iptables: add --random-fully to SNAT rules (#3066)
zhangzujian authored Jul 25, 2023
1 parent 1350397 commit 90c8305
Showing 1 changed file with 8 additions and 2 deletions.
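--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -698,7 +698,8 @@ func (c *Controller) setIptables() error {
 var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules []util.IPTableRule
 for _, rule := range iptablesRules {
 if rule.Table == NAT {
-if c.k8siptables[protocol].HasRandomFully() && rule.Rule[len(rule.Rule)-1] == "MASQUERADE" {
+if c.k8siptables[protocol].HasRandomFully() &&
+(rule.Rule[len(rule.Rule)-1] == "MASQUERADE" || util.ContainsString(rule.Rule, "SNAT")) {
 rule.Rule = append(rule.Rule, "--random-fully")
 }
 
@@ -721,13 +722,18 @@ func (c *Controller) setIptables() error {
 }
 }
 
+var randomFully string
+if c.k8siptables[protocol].HasRandomFully() {
+randomFully = "--random-fully"
+}
+
 // add iptables rule for nat gw with designative ip in centralized subnet
 for cidr, ip := range centralGwNatIPs {
 if util.CheckProtocol(cidr) != protocol {
 continue
 }
 
-s := fmt.Sprintf("-s %s -m set ! --match-set %s dst -j SNAT --to-source %s", cidr, matchset, ip)
+s := fmt.Sprintf("-s %s -m set ! --match-set %s dst -j SNAT --to-source %s %s", cidr, matchset, ip, randomFully)
 rule := util.IPTableRule{
 Table: NAT,
 Chain: OvnPostrouting,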
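Review bot: When HasRandomFully() is false, the new Sprintf for the centralGwNatIPs rules ends with a trailing space because the final `%s` is substituted with an empty randomFully; if that string is later split on single spaces rather than with strings.Fields, the rule gets a trailing empty argument that iptables will reject. Folding the separator into the variable avoids the dangling space: `randomFully = " --random-fully"` together with `"-s %s -m set ! --match-set %s dst -j SNAT --to-source %s%s"`. In the first hunk, `util.ContainsString(rule.Rule, "SNAT")` matches any argument equal to "SNAT" (a chain or set with that name, for example), not only the `-j SNAT` target, so a check that the element following `-j` is `SNAT` would be tighter and would avoid appending `--random-fully` to a rule that cannot take it. The body of setIptables continues outside both hunks.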

0 comments on commit 90c8305
