

Merge pull request #425 from openshift-cherrypick-robot/cherry-pick-4…
…00-to-release-4.6

[release-4.6] Bug 1921274: Fix MCS-blocking iptables rules
openshift-merge-robot committed Feb 4, 2021
2 parents 1f11fac + 0175f53 commit 115d2ee
Showing 3 changed files with 29 additions and 32 deletions.
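--- a/go-controller/pkg/cni/OCP_HACKS.go
+++ b/go-controller/pkg/cni/OCP_HACKS.go
@@ -13,10 +13,10 @@ import (
 // OCP HACK: block access to MCS/metadata; https://github.com/openshift/ovn-kubernetes/pull/19
 var iptablesCommands = [][]string{
 // Block MCS
-{"-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", "22623", "-j", "REJECT"},
-{"-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", "22624", "-j", "REJECT"},
-{"-A", "FORWARD", "-p", "tcp", "-m", "tcp", "--dport", "22623", "-j", "REJECT"},
-{"-A", "FORWARD", "-p", "tcp", "-m", "tcp", "--dport", "22624", "-j", "REJECT"},
+{"-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", "22623", "--syn", "-j", "REJECT"},
+{"-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", "22624", "--syn", "-j", "REJECT"},
+{"-A", "FORWARD", "-p", "tcp", "-m", "tcp", "--dport", "22623", "--syn", "-j", "REJECT"},
+{"-A", "FORWARD", "-p", "tcp", "-m", "tcp", "--dport", "22624", "--syn", "-j", "REJECT"},
 }
 
 var iptables4OnlyCommands = [][]string{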
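Review bot: Unlike the node-side change in go-controller/pkg/node/OCP_HACKS.go, this table only swaps in the `--syn` variants and nothing visible here removes the earlier `--syn`-less rules; if these commands are applied to a freshly created pod network namespace that is harmless, but if they can be re-run against a namespace that already carries the old rules, the stale rule keeps rejecting every TCP segment to 22623/22624 and the fix has no effect there — please confirm which it is. The `// Block MCS` comment should also record why the match was narrowed, e.g. `// Block MCS: --syn limits the REJECT to connection attempts rather than every TCP segment addressed to these ports (Bug 1921274)`. The iptables4OnlyCommands declaration that follows continues outside the hunk.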
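--- a/go-controller/pkg/node/OCP_HACKS.go
+++ b/go-controller/pkg/node/OCP_HACKS.go
@@ -15,30 +15,27 @@ import (
 
 // Block MCS Access. https://github.com/openshift/ovn-kubernetes/pull/170
 func generateBlockMCSRules(rules *[]iptRule, protocol iptables.Protocol) {
-*rules = append(*rules, iptRule{
-table: "filter",
-chain: "FORWARD",
-args: []string{"-p", "tcp", "-m", "tcp", "--dport", "22623", "-j", "REJECT"},
-protocol: protocol,
-})
-*rules = append(*rules, iptRule{
-table: "filter",
-chain: "FORWARD",
-args: []string{"-p", "tcp", "-m", "tcp", "--dport", "22624", "-j", "REJECT"},
-protocol: protocol,
-})
-*rules = append(*rules, iptRule{
-table: "filter",
-chain: "OUTPUT",
-args: []string{"-p", "tcp", "-m", "tcp", "--dport", "22623", "-j", "REJECT"},
-protocol: protocol,
-})
-*rules = append(*rules, iptRule{
-table: "filter",
-chain: "OUTPUT",
-args: []string{"-p", "tcp", "-m", "tcp", "--dport", "22624", "-j", "REJECT"},
-protocol: protocol,
-})
+var delRules []iptRule
+
+for _, chain := range []string{"FORWARD", "OUTPUT"} {
+for _, port := range []string{"22623", "22624"} {
+*rules = append(*rules, iptRule{
+table: "filter",
+chain: chain,
+args: []string{"-p", "tcp", "-m", "tcp", "--dport", port, "--syn", "-j", "REJECT"},
+protocol: protocol,
+})
+// Delete the old "--syn"-less rules on upgrade
+delRules = append(delRules, iptRule{
+table: "filter",
+chain: chain,
+args: []string{"-p", "tcp", "-m", "tcp", "--dport", port, "-j", "REJECT"},
+protocol: protocol,
+})
+}
+}
+
+delIptRules(delRules)
 }
 
 // initSharedGatewayNoBridge is used in order to run local gateway mode without moving the NIC to an ovs bridge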
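Review bot: `delIptRules(delRules)` runs inside generateBlockMCSRules, so the old `--syn`-less rules are removed before the caller has had a chance to apply the new rules it receives through *rules; if the caller installs them only after this function returns, there is a window in which no MCS-blocking rule is present at all, and a function whose name says "generate" now also mutates host iptables state. Consider returning delRules to the caller (or performing the deletion there, after the new rules are installed) so the old rule is only dropped once its replacement is in place. Whether delIptRules reports an error cannot be seen from the hunk; if it does, the result is discarded on that line. The doc comment should state the side effect, e.g. `// generateBlockMCSRules appends SYN-only REJECT rules for TCP 22623/22624 on the FORWARD and OUTPUT chains to rules, and deletes any previously installed rules for those ports that lacked --syn.`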
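--- a/go-controller/pkg/node/gateway_init_linux_test.go
+++ b/go-controller/pkg/node/gateway_init_linux_test.go
@@ -464,12 +464,12 @@ func expectedIPTablesRules(gatewayIP string) map[string]util.FakeTable {
 
 // OCP HACK: Block MCS Access. https://github.com/openshift/ovn-kubernetes/pull/170
 table["filter"]["FORWARD"] = append(table["filter"]["FORWARD"],
-"-p tcp -m tcp --dport 22624 -j REJECT",
-"-p tcp -m tcp --dport 22623 -j REJECT",
+"-p tcp -m tcp --dport 22624 --syn -j REJECT",
+"-p tcp -m tcp --dport 22623 --syn -j REJECT",
 )
 table["filter"]["OUTPUT"] = append(table["filter"]["OUTPUT"],
-"-p tcp -m tcp --dport 22624 -j REJECT",
-"-p tcp -m tcp --dport 22623 -j REJECT",
+"-p tcp -m tcp --dport 22624 --syn -j REJECT",
+"-p tcp -m tcp --dport 22623 --syn -j REJECT",
 )
 // END OCP HACK
 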
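Review bot: The expected tables only assert that the new `--syn` rules are present; nothing in this hunk seeds the fake filter table with the older `--syn`-less rules, so the delete-on-upgrade path added in go-controller/pkg/node/OCP_HACKS.go is not exercised by this test. If util.FakeTable allows pre-populating entries, one case that starts with `"-p tcp -m tcp --dport 22623 -j REJECT"` in FORWARD and OUTPUT and asserts it is gone afterwards would cover it, and would catch a regression that silently leaves the old broad rule behind. expectedIPTablesRules begins and ends outside the hunk.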

