iptables: reject access to service ip after ipvs/DNAT processing

pkg/daemon/gateway_linux.go

@@ -517,6 +517,8 @@ func (c *Controller) setIptables() error {
 		v4Rules = []util.IPTableRule{
 			// mark packets from pod to service
 			{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
+			// refuse access to service ip when kube-proxy works in ipvs mode
+			{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn40services dst -j REJECT`)},
 			// nat packets marked by kube-proxy or kube-ovn
 			{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
 			// nat service traffic
@@ -555,6 +557,8 @@ func (c *Controller) setIptables() error {
 		v6Rules = []util.IPTableRule{
 			// mark packets from pod to service
 			{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
+			// refuse access to service ip when kube-proxy works in ipvs mode
+			{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn60services dst -j REJECT`)},
 			// nat packets marked by kube-proxy or kube-ovn
 			{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
 			// nat service traffic
@@ -624,9 +628,9 @@ func (c *Controller) setIptables() error {
 			}
 
 			rules := make([]util.IPTableRule, len(iptablesRules)+1)
-			copy(rules, iptablesRules[:1])
-			copy(rules[2:], iptablesRules[1:])
-			rules[1] = util.IPTableRule{
+			copy(rules, iptablesRules[:2])
+			copy(rules[3:], iptablesRules[2:])
+			rules[2] = util.IPTableRule{
 				Table: NAT,
 				Chain: OvnPostrouting,
 				Rule:  strings.Fields(fmt.Sprintf(`-m set --match-set %s src -m set --match-set %s dst -m mark --mark 0x4000/0x4000 -j SNAT --to-source %s`, svcMatchset, matchset, nodeIP)),