OCPBUGS-54457: Drop SYNACK as well in MCS side

[tssurya]

When we converted MCS block rules from
iptables to nftables looks like match
criteria changed a bit.

Currently if a client from outside initiates
a connection and pod tries to send back synack
this is getting accepted by MCO(MCS metadata service) on the host instead of it going back to the client
because MCS rules is NOT rejecting a SYNACK packet.

old match: "tcp dport { 22623, 22624 } tcp flags syn" -> This matches TCP packets destined for ports 22623 or 22624 -> It matches packets that have only the SYN flag set -> This would not match both SYN and SYN+ACK packets because it only checks if the SYN flag is present

new match: "tcp dport { 22623, 22624 } tcp flags syn / fin,rst,ack" -> This matches TCP packets destined for ports 22623 or 22624 -> The / operator is a mask that requires the SYN flag to be set AND any of the other flags from the mask (FIN, RST, ACK) to be set -> This means it will match SYN, SYN+ACK, SYN+RST, SYN+FIN

same as https://github.com/openshift/ovn-kubernetes/pull/2240/files but for SDN

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-54457, which is invalid:

• expected the bug to target the "4.16.z" version, but no target version was set
• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-54457 to depend on a bug targeting a version in 4.17.0, 4.17.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

When we converted MCS block rules from
iptables to nftables looks like match
criteria changed a bit.

Currently if a client from outside initiates
a connection and pod tries to send back synack
this is getting accepted by MCO(MCS metadata service) on the host instead of it going back to the client
because MCS rules is NOT rejecting a SYNACK packet.

old match: "tcp dport { 22623, 22624 } tcp flags syn" -> This matches TCP packets destined for ports 22623 or 22624 -> It matches packets that have only the SYN flag set -> This would not match both SYN and SYN+ACK packets because it only checks if the SYN flag is present

new match: "tcp dport { 22623, 22624 } tcp flags syn / fin,rst,ack" -> This matches TCP packets destined for ports 22623 or 22624 -> The / operator is a mask that requires the SYN flag to be set AND any of the other flags from the mask (FIN, RST, ACK) to be set -> This means it will match SYN, SYN+ACK, SYN+RST, SYN+FIN

same as https://github.com/openshift/ovn-kubernetes/pull/2240/files but for SDN

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[danwinship]

/approve
/lgtm
/label backport-risk-assessed

You'll have to create a dummy 4.17 bug in jira and then close it to appease the bot and get jira/valid-bug

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, tssurya

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[huiran0826]

/jira refresh

[openshift-ci-robot]

@huiran0826: This pull request references Jira Issue OCPBUGS-54457, which is invalid:

• expected the bug to target the "4.16.z" version, but no target version was set
• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected dependent Jira Issue OCPBUGS-57723 to target a version in 4.17.0, 4.17.z, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[huiran0826]

/jira refresh

[openshift-ci-robot]

@huiran0826: This pull request references Jira Issue OCPBUGS-54457, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[huiran0826]

/jira refresh

[openshift-ci-robot]

@huiran0826: This pull request references Jira Issue OCPBUGS-54457, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.z) matches configured target version for branch (4.16.z)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-57723 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-57723 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
• bug has dependents

Requesting review from QA contact:
/cc @huiran0826

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[huiran0826]

/label cherry-pick-approved
/label qe-approved

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-54457, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.z) matches configured target version for branch (4.16.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-57723 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-57723 targets the "4.17.z" version, which is one of the valid target versions: 4.17.0, 4.17.z
• bug has dependents

Requesting review from QA contact:
/cc @huiran0826

In response to this:

When we converted MCS block rules from
iptables to nftables looks like match
criteria changed a bit.

Currently if a client from outside initiates
a connection and pod tries to send back synack
this is getting accepted by MCO(MCS metadata service) on the host instead of it going back to the client
because MCS rules is NOT rejecting a SYNACK packet.

old match: "tcp dport { 22623, 22624 } tcp flags syn" -> This matches TCP packets destined for ports 22623 or 22624 -> It matches packets that have only the SYN flag set -> This would not match both SYN and SYN+ACK packets because it only checks if the SYN flag is present

new match: "tcp dport { 22623, 22624 } tcp flags syn / fin,rst,ack" -> This matches TCP packets destined for ports 22623 or 22624 -> The / operator is a mask that requires the SYN flag to be set AND any of the other flags from the mask (FIN, RST, ACK) to be set -> This means it will match SYN, SYN+ACK, SYN+RST, SYN+FIN

same as https://github.com/openshift/ovn-kubernetes/pull/2240/files but for SDN

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[huiran0826]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cbddb0b and 2 for PR HEAD 13c761f in total

[tssurya]

/retest-required

[openshift-ci]

@tssurya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	13c761f	link	false	/test security
ci/prow/e2e-aws-live-migration-sdn-ovn-rollback	13c761f	link	false	/test e2e-aws-live-migration-sdn-ovn-rollback

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cbddb0b and 2 for PR HEAD 13c761f in total

[openshift-ci-robot]

@tssurya: Jira Issue OCPBUGS-54457: All pull requests linked via external trackers have merged:

• openshift/sdn#658

Jira Issue OCPBUGS-54457 has been moved to the MODIFIED state.

In response to this:

When we converted MCS block rules from
iptables to nftables looks like match
criteria changed a bit.

Currently if a client from outside initiates
a connection and pod tries to send back synack
this is getting accepted by MCO(MCS metadata service) on the host instead of it going back to the client
because MCS rules is NOT rejecting a SYNACK packet.

old match: "tcp dport { 22623, 22624 } tcp flags syn" -> This matches TCP packets destined for ports 22623 or 22624 -> It matches packets that have only the SYN flag set -> This would not match both SYN and SYN+ACK packets because it only checks if the SYN flag is present

new match: "tcp dport { 22623, 22624 } tcp flags syn / fin,rst,ack" -> This matches TCP packets destined for ports 22623 or 22624 -> The / operator is a mask that requires the SYN flag to be set AND any of the other flags from the mask (FIN, RST, ACK) to be set -> This means it will match SYN, SYN+ACK, SYN+RST, SYN+FIN

same as https://github.com/openshift/ovn-kubernetes/pull/2240/files but for SDN

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: kube-proxy
This PR has been included in build kube-proxy-container-v4.16.0-202506202104.p0.g53fea06.assembly.stream.el9.
All builds following this will include this PR.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-sdn
This PR has been included in build ose-node-container-v4.16.0-202506202104.p0.g53fea06.assembly.stream.el9.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.16.0-0.nightly-2025-06-20-215901