From d04912423ca04e866f76454603fc83ca859427ed Mon Sep 17 00:00:00 2001
From: changluyi <47097611+changluyi@users.noreply.github.com>
Date: Wed, 6 Dec 2023 14:11:48 +0800
Subject: [PATCH] iptables drop invalid rst (#3492)

Signed-off-by: changluyi
---
 dist/images/uninstall.sh | 2 ++
 pkg/daemon/gateway.go | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
index 37504c5f30b..7416e75ce28 100644
--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
@@ -34,6 +34,7 @@ iptables -t filter -D FORWARD -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services dst -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services src -j ACCEPT
 iptables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
+iptables -t mangle -D POSTROUTING -p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP
 
 if [ -n "$nodeIPv4" ]; then
 iptables -t nat -D POSTROUTING ! -s "$nodeIPv4" -m mark --mark 0x4000/0x4000 -j MASQUERADE
@@ -61,6 +62,7 @@ ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services dst -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services src -j ACCEPT
 ip6tables -t filter -D OUTPUT -p udp -m udp --dport 6081 -j MARK --set-xmark 0x0
+ip6tables -t mangle -D POSTROUTING -p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP
 
 if [ -n "$nodeIPv6" ]; then
 ip6tables -t nat -D POSTROUTING ! -s "$nodeIPv6" -m mark --mark 0x4000/0x4000 -j MASQUERADE
diff --git a/pkg/daemon/gateway.go b/pkg/daemon/gateway.go
index 83935769621..2f1cd1aead3 100644
--- a/pkg/daemon/gateway.go
+++ b/pkg/daemon/gateway.go
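Review bot: The ip6tables deletion added in the second uninstall.sh hunk (@@ -61,6 +62,7 @@) references the IPv4 set `ovn40subnets`, while the IPv6 rule the daemon installs in pkg/daemon/gateway.go uses `ovn60subnets`, so `ip6tables -D` will not find a matching rule and the IPv6 mangle POSTROUTING DROP rule is left in place after uninstall (an IPv4-family ipset likely cannot be referenced from ip6tables at all, which would turn this into an error rather than a silent no-op). The line should read `ip6tables -t mangle -D POSTROUTING -p tcp -m set --match-set ovn60subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`. The IPv4 deletion in the first hunk matches the daemon's v4 rule and is fine.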
@@ -403,6 +403,8 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+ // Drop invalid rst
+ {Table: "mangle", Chain: "POSTROUTING", Rule: strings.Fields(`-p tcp -m set --match-set ovn40subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
 v6Rules = []util.IPTableRule{
 // nat service traffic
@@ -425,6 +427,8 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
 // Output unmark to bypass kernel nat checksum issue https://github.com/flannel-io/flannel/issues/1279
 {Table: "filter", Chain: "OUTPUT", Rule: strings.Fields(`-p udp -m udp --dport 6081 -j MARK --set-xmark 0x0`)},
+ // Drop invalid rst
+ {Table: "mangle", Chain: "POSTROUTING", Rule: strings.Fields(`-p tcp -m set --match-set ovn60subnets src -m tcp --tcp-flags RST RST -m state --state INVALID -j DROP`)},
 }
 )
 protocols := make([]string, 2)
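Review bot: The comment `// Drop invalid rst` added above the new mangle rule in both hunks (@@ -403 and @@ -425) says what the rule does but not which traffic it hits or why, which a rule that silently discards packets should spell out for the next person debugging a dropped connection; I would expand it to `// Drop TCP RST packets sourced from the pod subnets (ovn40subnets) that conntrack classifies INVALID (see #3492)`, with `ovn60subnets` in the IPv6 copy. As a point of style, `-m state --state INVALID` is the legacy spelling of `-m conntrack --ctstate INVALID`; both behave the same, but the conntrack form is the current iptables idiom and is worth using in new rules unless the rest of the rule set already standardizes on `-m state`. setIptables() begins and ends outside both hunks.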