bugfix:

* fix clusterip been masqueraded * fix security group assertions Signed-off-by: bingshen.wbs <bingshen.wbs@alibaba-inc.com>
River-sh · Apr 9, 2024 · 6b5edb3 · 6b5edb3
1 parent 057d6c7
commit 6b5edb3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/pkg/skoop/network/aliyun/assertion.go b/pkg/skoop/network/aliyun/assertion.go
@@ -797,10 +797,6 @@ func sortSecurityGroupRules(sgs []*ecs.DescribeSecurityGroupAttributeResponseBod
 			return *a.Priority < *b.Priority
 		}
 
-		if *a.Policy != *b.Policy {
-			return *a.Policy == string(securityPolicyVerdictAccept)
-		}
-
 		if (a.SourceCidrIp != nil && *a.SourceCidrIp != "") || (b.SourceCidrIp != nil && *b.SourceCidrIp != "") {
 			if (a.SourceCidrIp == nil || *a.SourceCidrIp == "") || (b.SourceCidrIp == nil || *b.SourceCidrIp == "") {
 				return a.SourceCidrIp != nil && *a.SourceCidrIp != ""
@@ -833,6 +829,10 @@ func sortSecurityGroupRules(sgs []*ecs.DescribeSecurityGroupAttributeResponseBod
 			}
 		}
 
+		if *a.Policy != *b.Policy {
+			return *a.Policy == string(securityPolicyVerdictDrop)
+		}
+
 		return (pEndA - pStartA) < (pEndB - pStartB)
 	})
 }

diff --git a/pkg/skoop/service/service.go b/pkg/skoop/service/service.go
@@ -142,7 +142,7 @@ func (k *KubeProxyServiceProcessor) shouldMasquerade(packet model.Packet, svc *v
 	if targetPort != 0 && slices.Contains(serviceLBIPs(svc), dst) {
 		masquerade = !isTrafficLocalService(svc)
 	} else if targetPort != 0 && dst == svc.Spec.ClusterIP && k.clusterCIDR != nil {
-		masquerade = !k.clusterCIDR.Contains(packet.Dst)
+		masquerade = !k.clusterCIDR.Contains(packet.Src)
 	} else {
 		targetPortByNodePort := serviceTargetPortByNodePort(svc, packet.Dport, packet.Protocol)
 		if targetPortByNodePort != 0 {