From 90c830574c9f7f6786201e4fb3ce2951accff7e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Tue, 25 Jul 2023 09:49:32 +0800
Subject: [PATCH] iptables: add --random-fully to SNAT rules (#3066)

---
 pkg/daemon/gateway_linux.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
index 48ff160e3b2..b743f418035 100644
--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -698,7 +698,8 @@ func (c *Controller) setIptables() error {
 	var natPreroutingRules, natPostroutingRules, ovnMasqueradeRules []util.IPTableRule
 	for _, rule := range iptablesRules {
 		if rule.Table == NAT {
-			if c.k8siptables[protocol].HasRandomFully() && rule.Rule[len(rule.Rule)-1] == "MASQUERADE" {
+			if c.k8siptables[protocol].HasRandomFully() &&
+				(rule.Rule[len(rule.Rule)-1] == "MASQUERADE" || util.ContainsString(rule.Rule, "SNAT")) {
 				rule.Rule = append(rule.Rule, "--random-fully")
 			}
 
@@ -721,13 +722,18 @@ func (c *Controller) setIptables() error {
 		}
 	}
 
+	var randomFully string
+	if c.k8siptables[protocol].HasRandomFully() {
+		randomFully = "--random-fully"
+	}
+
 	// add iptables rule for nat gw with designative ip in centralized subnet
 	for cidr, ip := range centralGwNatIPs {
 		if util.CheckProtocol(cidr) != protocol {
 			continue
 		}
-		s := fmt.Sprintf("-s %s -m set ! --match-set %s dst -j SNAT --to-source %s", cidr, matchset, ip)
+		s := fmt.Sprintf("-s %s -m set ! --match-set %s dst -j SNAT --to-source %s %s", cidr, matchset, ip, randomFully)
 		rule := util.IPTableRule{
 			Table: NAT,
 			Chain: OvnPostrouting,
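Review bot: `util.ContainsString(rule.Rule, "SNAT")` in the first hunk matches the token at any position in the argument list, while the MASQUERADE branch still only looks at the last (jump-target) token, and the `append` on the following line never checks whether `--random-fully` is already present, so any rule reaching this loop that already carries the flag would get it twice (I cannot tell from the hunk whether such a rule exists today). A self-consistent guard keys on the `-j` target and dedupes the flag, e.g. `if j := slices.Index(rule.Rule, "-j"); j >= 0 && j+1 < len(rule.Rule) && (rule.Rule[j+1] == "MASQUERADE" || rule.Rule[j+1] == "SNAT") && !util.ContainsString(rule.Rule, "--random-fully") {`. `slices.Index` needs Go 1.21; on an older toolchain the same check is a short index loop using the existing `util.ContainsString` helper. setIptables starts and ends outside this hunk.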