
iptables: reject access to invalid service port only for TCP #3843

Merged: 1 commit merged into kubeovn:master from fix-iptables on Mar 22, 2024

Conversation

zhangzujian (Member) commented Mar 20, 2024

Pull Request

What type of PR is this

Examples of user-facing changes:

  • Features
  • Bug fixes
  • Docs
  • Tests

Which issue(s) this PR fixes

When OVN LB is disabled, some applications cannot resolve domain names:

```
PACKET: 2 144388f2 IN=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.96.0.10 LEN=82 TOS=0x0 TTL=63 ID=37904DF SPORT=48914 DPORT=53
 TRACE: 2 144388f2 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -p udp -m udp --dport 53 -j TRACE
 TRACE: 2 144388f2 raw:PREROUTING:return:
 TRACE: 2 144388f2 raw:PREROUTING:policy:ACCEPT
PACKET: 2 144388f2 IN=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.96.0.10 LEN=82 TOS=0x0 TTL=63 ID=37904DF SPORT=48914 DPORT=53
 TRACE: 2 144388f2 nat:PREROUTING:rule:0x95:JUMP:OVN-PREROUTING  -4 -t nat -A PREROUTING -m comment --comment "kube-ovn prerouting rules" -j OVN-PREROUTING
 TRACE: 2 144388f2 nat:OVN-PREROUTING:rule:0x96:CONTINUE  -4 -t nat -A OVN-PREROUTING -i ovn0 -m set --match-set ovn40subnets src -m set --match-set KUBE-CLUSTER-IP dst,dst -j MARK --set-xmark 0x4000/0x4000
 TRACE: 2 144388f2 nat:OVN-PREROUTING:return:
 TRACE: 2 144388f2 nat:PREROUTING:rule:0x15:JUMP:KUBE-SERVICES  -4 -t nat -A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
 TRACE: 2 144388f2 nat:KUBE-SERVICES:rule:0x394:JUMP:KUBE-NODE-PORT  -4 -t nat -A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT
 TRACE: 2 144388f2 nat:KUBE-NODE-PORT:return:
 TRACE: 2 144388f2 nat:KUBE-SERVICES:rule:0x396:ACCEPT  -4 -t nat -A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT
PACKET: 2 144388f2 IN=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.96.0.10 LEN=82 TOS=0x0 TTL=63 ID=37904DF SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 filter:INPUT:rule:0x9b:ACCEPT  -4 -t filter -A INPUT -m set --match-set ovn40services dst -j ACCEPT
PACKET: 2 144388f2 OUT=ovn0 LL=0x0 0000002affffffb23e000000fffffffb292a0800 SRC=10.16.0.9 DST=10.16.0.6 LEN=82 TOS=0x0 TTL=62 ID=37904DF SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 raw:OUTPUT:rule:0x4:CONTINUE  -4 -t raw -A OUTPUT -p udp -m udp --dport 53 -j TRACE
 TRACE: 2 144388f2 raw:OUTPUT:return:
 TRACE: 2 144388f2 raw:OUTPUT:policy:ACCEPT
PACKET: 2 144388f2 OUT=ovn0 LL=0x0 0000002affffffb23e000000fffffffb292a0800 SRC=10.16.0.9 DST=10.16.0.6 LEN=82 TOS=0x0 TTL=62 ID=37904DF SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 filter:OUTPUT:rule:0x14:JUMP:KUBE-IPVS-OUT-FILTER  -4 -t filter -A OUTPUT -m comment --comment "kubernetes ipvs access filter" -j KUBE-IPVS-OUT-FILTER
 TRACE: 2 144388f2 filter:KUBE-IPVS-OUT-FILTER:return:
 TRACE: 2 144388f2 filter:OUTPUT:rule:0x3:JUMP:KUBE-FIREWALL  -4 -t filter -A OUTPUT -j KUBE-FIREWALL
 TRACE: 2 144388f2 filter:KUBE-FIREWALL:return:
 TRACE: 2 144388f2 filter:OUTPUT:return:
 TRACE: 2 144388f2 filter:OUTPUT:policy:ACCEPT
PACKET: 2 144388f2 IN=ovn0 OUT=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.16.0.6 LEN=82 TOS=0x0 TTL=62 ID=37904DF SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 mangle:POSTROUTING:rule:0x7:JUMP:OVN-POSTROUTING  -4 -t mangle -A POSTROUTING -m comment --comment "kube-ovn postrouting rules" -j OVN-POSTROUTING
 TRACE: 2 144388f2 mangle:OVN-POSTROUTING:return:
 TRACE: 2 144388f2 mangle:POSTROUTING:return:
 TRACE: 2 144388f2 mangle:POSTROUTING:policy:ACCEPT
PACKET: 2 144388f2 IN=ovn0 OUT=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.16.0.6 LEN=82 TOS=0x0 TTL=62 ID=37904DF SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 nat:POSTROUTING:rule:0x9f:JUMP:OVN-POSTROUTING  -4 -t nat -A POSTROUTING -m comment --comment "kube-ovn postrouting rules" -j OVN-POSTROUTING
 TRACE: 2 144388f2 nat:OVN-POSTROUTING:rule:0xa1:JUMP:OVN-MASQUERADE  -4 -t nat -A OVN-POSTROUTING -m mark --mark 0x4000/0x4000 -j OVN-MASQUERADE
 TRACE: 2 144388f2 nat:OVN-MASQUERADE:rule:0x9c:CONTINUE  -4 -t nat -A OVN-MASQUERADE -j MARK --set-xmark 0x0/0xffffffff
 TRACE: 2 144388f2 nat:OVN-MASQUERADE:rule:0x9d:ACCEPT  -4 -t nat -A OVN-MASQUERADE -j MASQUERADE --random-fully
PACKET: 2 e160365d IN=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.96.0.10 LEN=82 TOS=0x0 TTL=63 ID=37905DF SPORT=48914 DPORT=53
 TRACE: 2 e160365d raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -p udp -m udp --dport 53 -j TRACE
 TRACE: 2 e160365d raw:PREROUTING:return:
 TRACE: 2 e160365d raw:PREROUTING:policy:ACCEPT
PACKET: 2 e160365d IN=ovn0 MACSRC=0:0:0:fb:29:2a MACDST=0:0:0:2a:b2:3e MACPROTO=0800 SRC=10.16.0.9 DST=10.96.0.10 LEN=82 TOS=0x0 TTL=63 ID=37905DF SPORT=48914 DPORT=53
 TRACE: 2 e160365d filter:INPUT:rule:0xa1:DROP  -4 -t filter -A INPUT -m mark ! --mark 0x4000/0x4000 -m set --match-set ovn40services dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
```

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>
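Traces like the one in the PR description are easier to triage when grouped per packet id. The following is an added example (not kube-ovn code and not from the PR author) that parses the `PACKET:` / `TRACE:` records emitted by nft-backed iptables, reports the last terminating verdict each packet received together with the rule that produced it, and notes whether the packet traversed the nat table and ever carried the `0x4000` mark that the INPUT reject rule keys on. The embedded sample is trimmed from the trace above; the record layout it assumes (`table:chain:rule:<handle>:<verdict>`, `table:chain:policy:<verdict>`, `table:chain:return:`) is the one visible in that trace. Run on the sample it shows the first DNS query being marked in `nat:OVN-PREROUTING` and accepted, while the second packet of the same UDP flow never entered the nat table (nat rules are only evaluated for the first packet of a conntrack flow), so it carried no mark and was rejected in `filter:INPUT` with `icmp-port-unreachable`.

```python
"""Triage helper for iptables TRACE output (nft-backed iptables, 'PACKET:' and
'TRACE:' records). Added example, not kube-ovn code: groups records by packet
id, finds the last terminating verdict each packet received plus the rule that
produced it, and notes nat-table traversal and the 0x4000 mark."""
import re
from dataclasses import dataclass, field

# Constructed sample: the two DNS packets from the PR description, trimmed to
# the records that decide their fate (values copied from that trace).
SAMPLE_TRACE = """\
PACKET: 2 144388f2 IN=ovn0 MACSRC=0:0:0:fb:29:2a SRC=10.16.0.9 DST=10.96.0.10 SPORT=48914 DPORT=53
 TRACE: 2 144388f2 raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -p udp -m udp --dport 53 -j TRACE
 TRACE: 2 144388f2 raw:PREROUTING:return:
 TRACE: 2 144388f2 raw:PREROUTING:policy:ACCEPT
 TRACE: 2 144388f2 nat:PREROUTING:rule:0x95:JUMP:OVN-PREROUTING  -4 -t nat -A PREROUTING -j OVN-PREROUTING
 TRACE: 2 144388f2 nat:OVN-PREROUTING:rule:0x96:CONTINUE  -4 -t nat -A OVN-PREROUTING -i ovn0 -m set --match-set ovn40subnets src -m set --match-set KUBE-CLUSTER-IP dst,dst -j MARK --set-xmark 0x4000/0x4000
PACKET: 2 144388f2 IN=ovn0 SRC=10.16.0.9 DST=10.96.0.10 SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 filter:INPUT:rule:0x9b:ACCEPT  -4 -t filter -A INPUT -m set --match-set ovn40services dst -j ACCEPT
PACKET: 2 144388f2 OUT=ovn0 LL=0x0 0000002affffffb23e000000fffffffb292a0800 SRC=10.16.0.9 DST=10.16.0.6 SPORT=48914 DPORT=53 MARK=0x4000
 TRACE: 2 144388f2 nat:OVN-MASQUERADE:rule:0x9d:ACCEPT  -4 -t nat -A OVN-MASQUERADE -j MASQUERADE --random-fully
PACKET: 2 e160365d IN=ovn0 MACSRC=0:0:0:fb:29:2a SRC=10.16.0.9 DST=10.96.0.10 SPORT=48914 DPORT=53
 TRACE: 2 e160365d raw:PREROUTING:rule:0x2:CONTINUE  -4 -t raw -A PREROUTING -p udp -m udp --dport 53 -j TRACE
 TRACE: 2 e160365d raw:PREROUTING:policy:ACCEPT
 TRACE: 2 e160365d filter:INPUT:rule:0xa1:DROP  -4 -t filter -A INPUT -m mark ! --mark 0x4000/0x4000 -m set --match-set ovn40services dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
"""

PACKET_RE = re.compile(r"^\s*PACKET:\s+\S+\s+(\S+)\s+(.*)$")
TRACE_RE = re.compile(r"^\s*TRACE:\s+\S+\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
FATE = {"ACCEPT": "accepted", "DROP": "dropped", "REJECT": "rejected"}


@dataclass
class Event:
    table: str
    chain: str
    kind: str      # rule / return / policy
    verdict: str   # ACCEPT, DROP, CONTINUE, JUMP, RETURN, ...
    rule: str      # iptables-save style rule text; empty for return/policy


@dataclass
class Packet:
    pkt_id: str
    fields: dict = field(default_factory=dict)  # first-seen (pre-NAT) header fields
    marked: bool = False                        # 0x4000 seen on any PACKET line
    tables: set = field(default_factory=set)
    events: list = field(default_factory=list)


def _parse_spec(spec):
    """Split 'table:chain:kind:...' into (table, chain, kind, verdict)."""
    parts = spec.split(":")
    table, chain, kind = parts[0], parts[1], parts[2]
    if kind == "rule":        # table:chain:rule:<handle>:<verdict>[:<target>]
        verdict = parts[4]
    elif kind == "policy":    # table:chain:policy:<verdict>
        verdict = parts[3]
    else:                     # table:chain:return:
        verdict = "RETURN"
    return table, chain, kind, verdict


def parse_trace(text):
    packets = {}
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            pkt = packets.setdefault(m.group(1), Packet(m.group(1)))
            # keep key=value tokens only; the raw frame dump after LL= has no '='
            kv = dict(t.split("=", 1) for t in m.group(2).split() if "=" in t)
            for k, v in kv.items():
                pkt.fields.setdefault(k, v)
            if int(kv.get("MARK", "0"), 16) & 0x4000:
                pkt.marked = True
        elif m := TRACE_RE.match(line):
            pkt = packets.setdefault(m.group(1), Packet(m.group(1)))
            table, chain, kind, verdict = _parse_spec(m.group(2))
            pkt.tables.add(table)
            pkt.events.append(Event(table, chain, kind, verdict, (m.group(3) or "").strip()))
    return packets


def fate(pkt):
    """Classify by the last terminating verdict; a DROP produced by a
    '-j REJECT' rule is reported as rejected, which is what the sender sees."""
    for ev in reversed(pkt.events):
        if ev.verdict in FATE:
            if ev.verdict == "DROP" and "-j REJECT" in ev.rule:
                return "rejected", ev
            return FATE[ev.verdict], ev
    return "unknown", None


def report(packets):
    rows = []
    for pkt in packets.values():
        verdict, ev = fate(pkt)
        rows.append({
            "id": pkt.pkt_id,
            "src": f"{pkt.fields.get('SRC')}:{pkt.fields.get('SPORT')}",
            "dst": f"{pkt.fields.get('DST')}:{pkt.fields.get('DPORT')}",
            "fate": verdict,
            "where": f"{ev.table}:{ev.chain}" if ev else "",
            "rule": ev.rule if ev else "",
            "traversed_nat": "nat" in pkt.tables,
            "marked": pkt.marked,
        })
    return rows


if __name__ == "__main__":
    for r in report(parse_trace(SAMPLE_TRACE)):
        print(f"{r['id']} {r['src']} -> {r['dst']} nat={r['traversed_nat']} "
              f"mark0x4000={r['marked']} {r['fate']} at {r['where']}")
        if r["rule"]:
            print("    " + r["rule"])
```

Feed it a real capture with `parse_trace(open("trace.txt").read())`; the pre-NAT tuple is kept on purpose (first-seen fields), so the row still names the cluster IP the pod asked for even after DNAT rewrote the destination.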
@zhangzujian zhangzujian added the `bug` (Something isn't working) and `need backport` labels Mar 20, 2024
@zhangzujian zhangzujian marked this pull request as ready for review March 20, 2024 03:23
@zhangzujian zhangzujian merged commit 07ac371 into kubeovn:master Mar 22, 2024
59 of 60 checks passed
@zhangzujian zhangzujian deleted the fix-iptables branch March 22, 2024 02:22
zhangzujian added a commit that referenced this pull request Mar 22, 2024
Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>
bobz965 pushed a commit that referenced this pull request Mar 22, 2024
Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

2 participants