From b75ee3f1d5a307cd5e125a8ea66725492aaa0eac Mon Sep 17 00:00:00 2001
From: Sridhar Gaddam
Date: Wed, 13 Sep 2023 16:12:04 +0530
Subject: [PATCH] Update the firewall rules to be more restricted

This PR includes the remote cluster CIDRs as part of the OVN iptable rules, so that only Submariner traffic is processed by these rules.

Signed-off-by: Sridhar Gaddam
---
 .../handlers/ovn/gateway_dataplane.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go b/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
index 31d403564..48e38ebbd 100644
--- a/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
+++ b/pkg/routeagent_driver/handlers/ovn/gateway_dataplane.go
@@ -102,9 +102,20 @@ func (ovn *Handler) getForwardingRuleSpecs() ([][]string, error) {
 			"this will be retried")
 	}
 
-	rules := [][]string{
-		{"-i", OVNK8sMgmntIntfName, "-o", ovn.cableRoutingInterface.Name, "-j", "ACCEPT"},
-		{"-i", ovn.cableRoutingInterface.Name, "-o", OVNK8sMgmntIntfName, "-j", "ACCEPT"},
+	// On the Gateway node, the incoming traffic first lands on the br-ex, which includes the physical interface.
+	// The OpenFlow rules on the br-ex subsequently direct Submariner traffic to the local networking stack.
+	// To reroute incoming traffic over the ovn-k8s-mp0 interface, we employ routes in table 149. Before the traffic
+	// hits ovn-k8s-mp0, firewall rules would be processed. Therefore, we include these firewall rules in the FORWARDing
+	// chain to allow such traffic. Similar thing happens for outbound traffic as well, and we use routes in table 150.
+	rules := [][]string{}
+	for _, remoteCIDR := range ovn.getRemoteSubnets().UnsortedList() {
+		rules = append(rules,
+			[]string{
+				"-d", remoteCIDR, "-i", OVNK8sMgmntIntfName, "-o", ovn.cableRoutingInterface.Name, "-j", "ACCEPT",
+			},
+			[]string{
+				"-s", remoteCIDR, "-i", ovn.cableRoutingInterface.Name, "-o", OVNK8sMgmntIntfName, "-j", "ACCEPT",
+			})
 	}
 
 	return rules, nil
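Review bot: The FORWARD ACCEPT rules are now derived from `ovn.getRemoteSubnets()` at the top of the loop, so they must be re-synced whenever the remote endpoint set changes, and the pair of rules for a cluster that has left should be deleted rather than left in place as a wider-than-needed ACCEPT; whether the caller already does that is not visible in this hunk and is worth confirming, as is the behaviour while the set is still empty (no forwarding is allowed at all, which looks like the intended tighter default). `UnsortedList()` also returns the CIDRs in arbitrary order, so if the caller compares the generated spec list against the installed rules this can produce needless rule churn; the set type's sorted accessor would make the output deterministic. A minor style point: hoisting the list into a local and writing `rules := make([][]string, 0, 2*len(remoteCIDRs))` sizes the slice up front instead of growing it per iteration. The body of getForwardingRuleSpecs starts outside the hunk.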