Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iptables: reject access to invalid service port when kube-proxy works in IPVS mode #3059

Merged
merged 2 commits into from
Jul 31, 2023
Merged

iptables: reject access to invalid service port when kube-proxy works in IPVS mode #3059

merged 2 commits into from
Jul 31, 2023

Conversation

zhangzujian
Copy link
Member

@zhangzujian zhangzujian commented Jul 21, 2023
edited
Loading

What type of this PR

  • Bug fixes

Which issue(s) this PR fixes:

Reject access to invalid service port, such as 10.96.0.1:22, when kube-proxy works in IPVS mode.

WHAT

🤖 Generated by Copilot at d0496c7

Improve service proxy support in kube-ovn. Add iptables rules to handle different service modes and policies in gateway_linux.go.

🤖 Generated by Copilot at d0496c7

To support services with proxy modes
And traffic policies for different loads
We add some rules to iptables
To reject some packets with labels
That match ovn40services or ovn60services nodes

HOW

🤖 Generated by Copilot at d0496c7

  • Add iptables rules to support services with different proxy modes and traffic policies (link, link)

@zhangzujian zhangzujian force-pushed the fix-svc branch 2 times, most recently from a7562fa to 0bc1fe4 Compare July 21, 2023 05:23
@zhangzujian zhangzujian deleted the fix-svc branch July 21, 2023 08:00
@zhangzujian zhangzujian reopened this Jul 21, 2023
@zhangzujian zhangzujian force-pushed the fix-svc branch 4 times, most recently from 4bdf354 to 8f69b4c Compare July 23, 2023 03:05
@zhangzujian zhangzujian changed the title iptables: reject access to service ip after ipvs/DNAT processing iptables: reject access to service ip if the packets are not DNATed by ipvs Jul 23, 2023
@zhangzujian zhangzujian changed the title iptables: reject access to service ip if the packets are not DNATed by ipvs iptables: reject access to invalid service ports when kube-proxy works in IPVS mode Jul 24, 2023
@zhangzujian zhangzujian changed the title iptables: reject access to invalid service ports when kube-proxy works in IPVS mode iptables: reject access to invalid service ip when kube-proxy works in IPVS mode Jul 24, 2023
@zhangzujian zhangzujian changed the title iptables: reject access to invalid service ip when kube-proxy works in IPVS mode iptables: reject access to invalid service port when kube-proxy works in IPVS mode Jul 24, 2023
@zhangzujian zhangzujian marked this pull request as ready for review July 24, 2023 05:15
@zhangzujian zhangzujian marked this pull request as draft July 24, 2023 06:02
@zhangzujian zhangzujian marked this pull request as ready for review July 24, 2023 07:05
@zhangzujian zhangzujian requested a review from oilbeater July 24, 2023 07:05
@zhangzujian zhangzujian merged commit c6c472a into kubeovn:master Jul 31, 2023
zhoulw pushed a commit to zhoulw/kube-ovn that referenced this pull request Aug 2, 2023
@zhangzujian
iptables: reject access to invalid service port when kube-proxy works…
1aaeb73 
… in IPVS mode (kubeovn#3059)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oilbeater oilbeater oilbeater approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zhangzujian @oilbeater