From 5d308ac5fa079086d8a982bc3646a8c13a0950dd Mon Sep 17 00:00:00 2001
From: Aaron U'Ren
Date: Fri, 24 May 2024 18:43:36 -0500
Subject: [PATCH] fix(nsc): remove previous TCPMSS rules

---
 .../proxy/network_services_controller.go | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
index af09bd65d6..b68d838c91 100644
--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
@@ -1694,6 +1694,26 @@ func (nsc *NetworkServicesController) cleanupMangleTableRule(ip string, protocol
 }
 }
 
+ // Previous versions of MTU args were this way, we will clean then up for the next couple of versions to ensure
+ // that old mangle table rules don't stick around
+ // TODO: remove after v2.4.X or above
+ for firstArg, chain := range map[string]string{"-s": "POSTROUTING", "-d": "PREROUTING"} {
+ prevMTUArgs := []string{firstArg, ip, "-m", tcpProtocol, "-p", tcpProtocol, "--tcp-flags", "SYN,RST", "SYN",
+ "-j", "TCPMSS", "--set-mss", strconv.Itoa(tcpMSS)}
+ klog.V(2).Infof("looking for mangle rule with: %s -t mangle %s", chain, prevMTUArgs)
+ exists, err = iptablesCmdHandler.Exists("mangle", chain, prevMTUArgs...)
+ if err != nil {
+ return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
+ }
+ if exists {
+ klog.V(2).Infof("removing mangle rule with: iptables -D %s -t mangle %s", chain, prevMTUArgs)
+ err = iptablesCmdHandler.Delete("mangle", chain, prevMTUArgs...)
+ if err != nil {
+ return fmt.Errorf("failed to cleanup iptables command to set up TCPMSS due to %v", err)
+ }
+ }
+ }
+
 return nil
 }
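Review bot: Both error returns in the new loop carry the same text, `failed to cleanup iptables command to set up TCPMSS due to %v`, so a failed `Exists` lookup cannot be told apart from a failed `Delete`, and neither names the chain; `return fmt.Errorf("checking legacy TCPMSS rule in mangle/%s: %w", chain, err)` for the lookup and `return fmt.Errorf("deleting legacy TCPMSS rule in mangle/%s: %w", chain, err)` for the removal would make a stuck cleanup diagnosable. The legacy rule is matched on the current `strconv.Itoa(tcpMSS)`, so a rule written earlier with a different MSS value would not be found and would stay in the mangle table; where tcpMSS comes from is not visible in this hunk, so a comment stating that assumption would help. Because the loop ranges over a map and returns on the first error, which of the two chains has been cleaned when a failure occurs is not deterministic. The function starts above the hunk.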