
iptables drop invalid rst #3484

Merged
merged 2 commits into master from add_iptables_drop_invalid_rst
Dec 5, 2023
Conversation

changluyi (Collaborator) commented Dec 4, 2023

Pull Request

What type of PR is this

Examples of user-facing changes:

  • Features
  • Bug fixes
  • Docs
  • Tests

Which issue(s) this PR fixes

Fixes #(issue-number)

WHAT

🤖[deprecated] Generated by Copilot at a7b0509

Add iptables rules to protect pod subnets from TCP RST attacks and refactor gateway code.

🤖[deprecated] Generated by Copilot at a7b0509

To protect pods from TCP RST
This pull request adds to the MANGLE chest
Some rules for OvnPostrouting
And refactors the routing
To handle different tables with zest

HOW

🤖[deprecated] Generated by Copilot at a7b0509

  • Add iptables rules to drop TCP RST packets from OVN subnets with invalid state
  • Declare a variable to store the iptables rules for the MANGLE table and the OvnPostrouting chain
  • Modify the for loop to append the rules to the variable and skip the rest of the loop
  • Call the updateIptablesChain function to apply the rules to the system and log any error

Signed-off-by: changluyi <[email protected]>
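The description above only names the rule in prose. The script below is an added example, not code from kube-ovn or from this pull request, showing the shape of that protection: a rule in the mangle table's OVN-POSTROUTING chain that drops TCP RST segments sourced from the pod subnets when conntrack has marked them INVALID (an RST whose sequence number falls outside the window of the tracked connection), installed idempotently for both IPv4 and IPv6, together with a teardown that removes the chain in the right order. Assumed and not stated on the page: the pod subnets are matched through an ipset, here named ovn40subnets (IPv4) and ovn60subnets (IPv6); the PR's exact match expression may differ.

```shell
#!/bin/sh
# Added example (not kube-ovn's own code). Builds, applies and removes the
# mangle/OVN-POSTROUTING rules that drop out-of-window TCP RSTs from the pod
# subnets for IPv4 and IPv6. ASSUMPTION: pod subnets live in the ipsets
# ovn40subnets / ovn60subnets; adjust to the real match used on your nodes.

set -u

TABLE="mangle"
CHAIN="OVN-POSTROUTING"

# Match expression shared by both families: source address in the pod-subnet
# ipset, TCP with the RST flag set, conntrack state INVALID. $1 = ipset name.
rst_drop_match() {
    printf '%s' "-m set --match-set $1 src -p tcp --tcp-flags RST RST -m conntrack --ctstate INVALID -j DROP"
}

# Print (do not run) the install sequence for one family.
# $1 = iptables or ip6tables, $2 = ipset name.
render_install() {
    ipt=$1; set_name=$2
    printf '%s -t %s -N %s\n' "$ipt" "$TABLE" "$CHAIN"
    printf '%s -t %s -I POSTROUTING -j %s\n' "$ipt" "$TABLE" "$CHAIN"
    printf '%s -t %s -A %s %s\n' "$ipt" "$TABLE" "$CHAIN" "$(rst_drop_match "$set_name")"
}

# Print (do not run) the teardown for one family. The jump from POSTROUTING
# has to go first: a chain that is still referenced cannot be deleted with -X.
render_uninstall() {
    ipt=$1
    printf '%s -t %s -D POSTROUTING -j %s\n' "$ipt" "$TABLE" "$CHAIN"
    printf '%s -t %s -F %s\n' "$ipt" "$TABLE" "$CHAIN"
    printf '%s -t %s -X %s\n' "$ipt" "$TABLE" "$CHAIN"
}

# Idempotent apply: -C tests for an existing rule and only then -I/-A.
# Needs root; silently skipped when the binary is not on PATH.
apply_install() {
    ipt=$1; set_name=$2
    command -v "$ipt" >/dev/null 2>&1 || { echo "skip: $ipt not found" >&2; return 0; }
    "$ipt" -t "$TABLE" -N "$CHAIN" 2>/dev/null || true
    "$ipt" -t "$TABLE" -C POSTROUTING -j "$CHAIN" 2>/dev/null \
        || "$ipt" -t "$TABLE" -I POSTROUTING -j "$CHAIN"
    # word-splitting of the match expression into arguments is intended here
    "$ipt" -t "$TABLE" -C "$CHAIN" $(rst_drop_match "$set_name") 2>/dev/null \
        || "$ipt" -t "$TABLE" -A "$CHAIN" $(rst_drop_match "$set_name")
}

# Quick post-install check: number of rules currently in the chain.
count_chain_rules() {
    "$1" -t "$TABLE" -S "$CHAIN" 2>/dev/null | grep -c "^-A $CHAIN " || true
}

if [ "${1:-}" = "--apply" ]; then
    apply_install iptables ovn40subnets
    apply_install ip6tables ovn60subnets
else
    render_install iptables ovn40subnets
    render_install ip6tables ovn60subnets
    render_uninstall iptables
    render_uninstall ip6tables
fi
```

Run without arguments to print the commands; `--apply` installs them as root. Two caveats a practitioner should keep in mind: the INVALID match only does its job while conntrack is doing strict TCP window tracking, so with `net.netfilter.nf_conntrack_tcp_be_liberal=1` out-of-window RSTs are no longer marked INVALID and the rule matches nothing; and because the match keys on the ipset, the rule protects exactly the subnets in that set, so the set has to be kept in sync with the pod subnets.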
Comment on lines 72 to 73
iptables -t mangle -F OVN-POSTROUTING
iptables -t mangle -X OVN-POSTROUTING
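Review bot: the `-X OVN-POSTROUTING` on the second line fails with a "resource busy" error while any rule in the mangle POSTROUTING chain still jumps to OVN-POSTROUTING, so the uninstall should delete that reference first (for example `iptables -t mangle -D POSTROUTING -j OVN-POSTROUTING` before the `-F`/`-X`) or tolerate the error rather than abort; the same ordering applies to whatever ip6tables counterpart is added here.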
Member commented:

Suggested change
iptables -t mangle -F OVN-POSTROUTING
iptables -t mangle -X OVN-POSTROUTING
ip6tables -t mangle -F OVN-POSTROUTING
ip6tables -t mangle -X OVN-POSTROUTING

changluyi (Collaborator, Author) replied:

done

oilbeater (Collaborator) commented:

Needs backport to previous release.

@changluyi changluyi merged commit 984f227 into master Dec 5, 2023
59 checks passed
@changluyi changluyi deleted the add_iptables_drop_invalid_rst branch December 5, 2023 05:17
bobz965 pushed a commit that referenced this pull request Jun 6, 2024
* iptables drop invalid rst

Signed-off-by: changluyi <[email protected]>

* Update uninstall.sh

---------

Signed-off-by: changluyi <[email protected]>