
add drop invalid rst 1.12 #3490

Merged (2 commits), Dec 6, 2023

Conversation


@changluyi changluyi commented Dec 6, 2023

Pull Request

What type of PR is this?

Examples of user-facing changes:

  • Features
  • Bug fixes
  • Docs
  • Tests

Which issue(s) this PR fixes

Fixes #(issue-number)

WHAT

🤖[deprecated] Generated by Copilot at 674b3ac

Add iptables rules to protect pod subnets from TCP RST attacks and refactor setIptables function in gateway_linux.go

🤖[deprecated] Generated by Copilot at 674b3ac

To protect pods from TCP RST
This pull request adds to the quest
It updates setIptables
With rules for MANGLE
And separates it from NAT at best

HOW

🤖[deprecated] Generated by Copilot at 674b3ac

  • Add iptables rules to drop TCP RST packets from OVN subnets with invalid state
  • Declare a variable to store iptables rules for the MANGLE table and the OvnPostrouting chain
  • Filter and append iptables rules for the MANGLE table and the OvnPostrouting chain to the variable
  • Update the iptables chain for the MANGLE table and the OvnPostrouting chain with the variable

Signed-off-by: Changlu Yi <[email protected]>
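As an added example (not code from the PR or from kube-ovn itself), this shows the shape of a mangle-table rule that drops INVALID-state TCP RSTs from a pod subnet, and a check that reads iptables-save output to confirm the rule is actually present on a node. The chain name OVN-POSTROUTING, the subnet 10.16.0.0/16 and the rule token layout are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed iptables-save excerpt; chain name OVN-POSTROUTING and the pod
// subnet 10.16.0.0/16 are assumptions, not values taken from the PR.
const sampleSave = `*mangle
:OVN-POSTROUTING - [0:0]
-A OVN-POSTROUTING -s 10.16.0.0/16 -p tcp -m tcp --tcp-flags RST RST -m conntrack --ctstate INVALID -j DROP
COMMIT
`

// RstDropRule builds the match/target arguments (a hypothetical shape, not kube-ovn's
// util.IPTableRule) that drop TCP RSTs sourced from a pod subnet whose conntrack state
// is INVALID, i.e. resets that conntrack cannot associate with any tracked flow.
func RstDropRule(subnet string) []string {
	return []string{"-s", subnet, "-p", "tcp", "-m", "tcp", "--tcp-flags", "RST", "RST",
		"-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"}
}

// HasRstDropRule scans iptables-save output for that rule in the mangle table's
// chain: a node-level check that the mitigation is installed, not just declared.
func HasRstDropRule(save, chain, subnet string) bool {
	want := " " + strings.Join(RstDropRule(subnet), " ") + " "
	table := ""
	sc := bufio.NewScanner(strings.NewReader(save))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) > 0 && strings.HasPrefix(f[0], "*"):
			table = f[0][1:] // "*mangle" opens a table section; rules follow until COMMIT
		case table == "mangle" && len(f) > 2 && f[0] == "-A" && f[1] == chain:
			// iptables-save renders matches deterministically, so an exact
			// token-sequence match is enough; other chains and tables are ignored.
			if strings.Contains(" "+strings.Join(f[2:], " ")+" ", want) {
				return true
			}
		}
	}
	return false
}

func main() {
	fmt.Println(HasRstDropRule(sampleSave, "OVN-POSTROUTING", "10.16.0.0/16")) // true
}
```

On a real node the same check runs over the output of `iptables-save -t mangle`; a rule installed in the nat table by mistake is deliberately not counted.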
@@ -710,7 +714,7 @@ func (c *Controller) setIptables() error {
}
}

var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules []util.IPTableRule
var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules, manglePostrutingRules []util.IPTableRule
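Review bot: the new slice added to the declaration line is misspelled, `manglePostrutingRules`; rename it `manglePostroutingRules` so it matches `natPostroutingRules` beside it and the OvnPostrouting chain it feeds, otherwise the typo is carried into every later reference to the variable.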
Collaborator

Suggested change
var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules, manglePostrutingRules []util.IPTableRule
var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules, manglePostroutingRules []util.IPTableRule

Collaborator Author

Signed-off-by: changluyi <[email protected]>
@changluyi changluyi merged commit 35c7eaf into release-1.12 Dec 6, 2023
53 checks passed
@changluyi changluyi deleted the add_iptables_drop_invalid_rst-1.12 branch December 6, 2023 08:15