iptables: reject access to service ip after ipvs/DNAT processing
zhangzujian committed Jul 21, 2023
1 parent 0d1599f commit d0496c7
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions pkg/daemon/gateway_linux.go
Expand Up @@ -519,6 +519,9 @@ func (c *Controller) setIptables() error {
{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
// nat packets marked by kube-proxy or kube-ovn
{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
// refuse access to service ip when kube-proxy works in ipvs mode
{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn40services dst -j REJECT`)},
// do not nat node port service traffic with external traffic policy set to local
// nat service traffic
{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j ` + OvnMasquerade)},
// do not nat node port service traffic with external traffic policy set to local
Expand Down Expand Up @@ -557,6 +560,8 @@ func (c *Controller) setIptables() error {
{Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
// nat packets marked by kube-proxy or kube-ovn
{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
// refuse access to service ip when kube-proxy works in ipvs mode
{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn60services dst -j REJECT`)},
// nat service traffic
{Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn60subnets src -m set --match-set ovn60subnets dst -j ` + OvnMasquerade)},
// do not nat node port service traffic with external traffic policy set to local
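Review bot: Both new REJECT rules (the ovn40services one in the first hunk and the ovn60services one in the second) are placed in the nat table via Chain: OvnPostrouting, but the iptables REJECT target is, as far as I know, only valid in the INPUT, FORWARD and OUTPUT chains and in user-defined chains reached from them, and the legacy ipt_REJECT module is registered for the filter table only, so the kernel is likely to refuse the rule on both the legacy and nft backends; setIptables() begins and ends outside these hunks, so I cannot see whether such a failure aborts the whole rule sync or is merely logged, and the commit adds no test showing the rule loads. If it does not load, the check belongs in a filter-table chain hooked from FORWARD/OUTPUT, where the `--match-set ovn40services dst` test still distinguishes connections that kube-proxy/IPVS has already DNATed from those that nobody handled. A nat-table rule is also only consulted for the first packet of a connection, so the intent is "reject new connections", which the comment should say, e.g. `// reject new connections whose dst is still a service ip after ipvs/DNAT processing (kube-proxy ipvs mode)`. Separately, in the first hunk the comment `// do not nat node port service traffic with external traffic policy set to local` now appears twice, once directly above `// nat service traffic` where it describes nothing, and once in its original place below the subnet masquerade rule; the first copy should be dropped.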
