cnrancher · niusmallnan · Apr 25, 2020 · Apr 25, 2020 · Apr 25, 2020
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
@@ -11,8 +11,8 @@ RUN apt-get update && \
 ENV GOLANG_ARCH_amd64=amd64 GOLANG_ARCH_arm=armv6l GOLANG_ARCH=GOLANG_ARCH_${ARCH} \
     GOPATH=/go PATH=/go/bin:/usr/local/go/bin:${PATH} SHELL=/bin/bash
 
-RUN wget -O - https://storage.googleapis.com/golang/go1.7.3.linux-${!GOLANG_ARCH}.tar.gz | tar -xzf - -C /usr/local && \
-    go get github.com/rancher/trash
+RUN wget -O - https://storage.googleapis.com/golang/go1.13.10.linux-${!GOLANG_ARCH}.tar.gz | tar -xzf - -C /usr/local && \
+    go get github.com/rancher/trash && go get golang.org/x/lint/golint
 
 ENV DOCKER_URL_amd64=https://get.docker.com/builds/Linux/x86_64/docker-1.10.3 \
     DOCKER_URL_arm=https://github.com/rancher/docker/releases/download/v1.10.3-ros1/docker-1.10.3_arm \

diff --git a/hostports/watcher.go b/hostports/watcher.go
@@ -260,7 +260,7 @@ func (w *watcher) apply(prules map[string]PortRule, frules map[string]FilterRule
 	buf.WriteString("*filter\n")
 	buf.WriteString(":CATTLE_FORWARD -\n")
 	buf.WriteString("-F CATTLE_FORWARD\n")
-	buf.WriteString("-A CATTLE_FORWARD -m conntrack --ctstate INVALID -j DROP\n")
+	// buf.WriteString("-A CATTLE_FORWARD -m conntrack --ctstate INVALID -j DROP\n")
 	buf.WriteString("-A CATTLE_FORWARD -m mark --mark 0x1068 -j ACCEPT\n")
 	// For k8s
 	buf.WriteString("-A CATTLE_FORWARD -m mark --mark 0x4000 -j ACCEPT\n")

diff --git a/iptablessync/watcher.go b/iptablessync/watcher.go
@@ -19,6 +19,7 @@ var (
 	// DefaultSyncInterval specifies the default value for arpsync interval in seconds
 	DefaultSyncInterval            = 120
 	DisableCattleNetworkPolicySync = false
+	DisableCattleDropInvalidConn   = false
 )
 
 // IPTablesWatcher makes sure the order of the chains is maintained
@@ -96,6 +97,12 @@ func (iptw *IPTablesWatcher) createChains() error {
 	if !DisableCattleNetworkPolicySync {
 		buf.WriteString(":CATTLE_NETWORK_POLICY -\n")
 	}
+	if !DisableCattleDropInvalidConn {
+		buf.WriteString(":CATTLE_INPUT -\n")
+		buf.WriteString("-F CATTLE_INPUT\n")
+		buf.WriteString("-A CATTLE_INPUT -m conntrack --ctstate INVALID -j DROP\n")
+		buf.WriteString("-A CATTLE_INPUT -j RETURN\n")
+	}
 	buf.WriteString(":CATTLE_FORWARD -\n")
 	buf.WriteString("\nCOMMIT\n")
 
@@ -219,6 +226,19 @@ func (iptw *IPTablesWatcher) checkAndHookChains() error {
 		log.Errorf("iptablessync: err=%v", err)
 	}
 
+	if !DisableCattleDropInvalidConn {
+		if err = checkOneHookRule(hookRule{
+			table:    "filter",
+			chain:    "INPUT",
+			dstChain: "CATTLE_INPUT",
+			spec:     "-j CATTLE_INPUT",
+			num:      "1",
+		}); err != nil {
+			hasErrored = true
+			log.Errorf("iptablessync: err=%v", err)
+		}
+	}
+
 	if !DisableCattleNetworkPolicySync {
 		bridgeSubnet, err := iptw.getBridgeSubnet()
 		if err != nil {

diff --git a/main.go b/main.go
@@ -103,6 +103,10 @@ func main() {
 			Name:  "disable-vxlanhostns-sync",
 			Usage: "Disable sync iptables CATTLE_NETWORK_POLICY chain in vxlan-hostns mode",
 		},
+		cli.BoolFlag{
+			Name:  "disable-drop-invalid-conn",
+			Usage: "Disable drop the invalid conn in CATTLE_INPUT",
+		},
 		cli.BoolFlag{
 			Name:  "debug",
 			Usage: "Turn on debug logging",
@@ -154,6 +158,7 @@ func run(c *cli.Context) error {
 	}
 
 	iptablessync.DisableCattleNetworkPolicySync = c.Bool("disable-vxlanhostns-sync")
+	iptablessync.DisableCattleDropInvalidConn = c.Bool("disable-drop-invalid-conn")
 	if err := iptablessync.Watch(c.Int("iptables-sync-interval"), mClient); err != nil {
 		log.Errorf("Failed to start iptablessync: %v", err)
 	}