fix(nsc): TCPMSS rules are created per-service and for reply packets …

…only Fixes #1671
cloudnativelabs · May 27, 2024 · 5fdde06 · 5fdde06
1 parent c4bf206
commit 5fdde06
Showing 1 changed file with 20 additions and 30 deletions.
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -1629,17 +1629,16 @@ func (nsc *NetworkServicesController) setupMangleTableRule(ip string, protocol s
 	}
 
 	// setup iptables rule TCPMSS for DSR mode to fix mtu problem
-	mtuArgs := []string{"-d", ip, "-m", tcpProtocol, "-p", tcpProtocol, "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS",
-		"--set-mss", strconv.Itoa(tcpMSS)}
-	err = iptablesCmdHandler.AppendUnique("mangle", "PREROUTING", mtuArgs...)
-	if err != nil {
-		return fmt.Errorf("failed to run iptables command to set up TCPMSS due to %v", err)
-	}
-	mtuArgs[0] = "-s"
-	err = iptablesCmdHandler.AppendUnique("mangle", "POSTROUTING", mtuArgs...)
-	if err != nil {
-		return fmt.Errorf("failed to run iptables command to set up TCPMSS due to %v", err)
+	// only reply packets from PODs are altered here
+	if protocol == tcpProtocol {
+		mtuArgs := []string{"-s", ip, "-m", tcpProtocol, "-p", tcpProtocol, "--sport", port,
+			"--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", strconv.Itoa(tcpMSS)}
+		err = iptablesCmdHandler.AppendUnique("mangle", "PREROUTING", mtuArgs...)
+		if err != nil {
+			return fmt.Errorf("failed to run iptables command to set up TCPMSS due to %v", err)
+		}
 	}
+
 	return nil
 }
 
@@ -1678,29 +1677,20 @@ func (nsc *NetworkServicesController) cleanupMangleTableRule(ip string, protocol
 	}
 
 	// cleanup iptables rule TCPMSS
-	mtuArgs := []string{"-d", ip, "-m", tcpProtocol, "-p", tcpProtocol, "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS",
-		"--set-mss", strconv.Itoa(tcpMSS)}
-	exists, err = iptablesCmdHandler.Exists("mangle", "PREROUTING", mtuArgs...)
-	if err != nil {
-		return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
-	}
-	if exists {
-		klog.V(2).Infof("removing mangle rule with: iptables -D PREROUTING -t mangle %s", args)
-		err = iptablesCmdHandler.Delete("mangle", "PREROUTING", mtuArgs...)
+	// only reply packets from PODs are altered here
+	if protocol == tcpProtocol {
+		mtuArgs := []string{"-s", ip, "-m", tcpProtocol, "-p", tcpProtocol, "--sport", port,
+			"--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", strconv.Itoa(tcpMSS)}
+		exists, err = iptablesCmdHandler.Exists("mangle", "PREROUTING", mtuArgs...)
 		if err != nil {
 			return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
 		}
-	}
-	mtuArgs[0] = "-s"
-	exists, err = iptablesCmdHandler.Exists("mangle", "POSTROUTING", mtuArgs...)
-	if err != nil {
-		return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
-	}
-	if exists {
-		klog.V(2).Infof("removing mangle rule with: iptables -D POSTROUTING -t mangle %s", args)
-		err = iptablesCmdHandler.Delete("mangle", "POSTROUTING", mtuArgs...)
-		if err != nil {
-			return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
+		if exists {
+			klog.V(2).Infof("removing mangle rule with: iptables -D PREROUTING -t mangle %s", args)
+			err = iptablesCmdHandler.Delete("mangle", "PREROUTING", mtuArgs...)
+			if err != nil {
+				return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
+			}
 		}
 	}