Bug
Resolution: Unresolved
4.5
Moderate
+++ This bug was initially created as a clone of Bug #1825021 +++
Description of problem:
A service with no endpoints in a ROKS cluster, when accessed, should return a 'REFUSED' response. It instead times out.
How reproducible:
Always
Steps to Reproduce:
1. Create a service with no matching endpoints
2. Curl the service endpoint from a pod
Actual results:
The request times out
Expected results:
The request results in a REJECTED response
Additional info:
Currently failing https://github.com/openshift/origin/blob/4d0922fb92f85f566cb22bbaaedf587e8a50aca4/vendor/k8s.io/kubernetes/test/e2e/network/service.go#L2582
— Additional comment from Brad on 2021-09-22 19:35:51 UTC —
I believe this is fixed in Calico 3.16, see https://docs.projectcalico.org/archive/v3.16/release-notes/
“Connections to services without endpoints are now properly rejected in iptables dataplane mode. The fix required moving the iptables ACCEPT rule to the end of the filter FORWARD chain; if you have your own rules in that chain then please check that they do not drop or reject pod traffic before it reaches the ACCEPT rule https://github.com/projectcalico/felix/pull/2424 (@caseydavenport)”
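The release note quoted above asks operators to check that their own filter FORWARD rules do not drop or reject pod traffic before it reaches Calico's ACCEPT rule. The following shell function is an added example, not part of the bug report or of Calico: it reads `iptables -S FORWARD` output and lists DROP/REJECT rules that sit ahead of that rule. It assumes the Calico rule can be recognised by a `cali:` comment with an ACCEPT target; the sample rule sets and comment IDs are constructed.

```shell
#!/bin/sh
# Added example. Live usage (as root on a node):
#   iptables -S FORWARD | audit_forward_chain
# Exit status: 0 = nothing ahead of the Calico ACCEPT rule,
#              1 = DROP/REJECT rules found ahead of it (printed for review),
#              2 = no Calico ACCEPT rule seen in the chain.
# Limits: flags every DROP/REJECT regardless of its match criteria, and does
# not follow jumps into user-defined chains; treat hits as review candidates.
audit_forward_chain() {
    awk '
        /^-A FORWARD / {
            n++
            # Assumption: the Calico rule carries a "cali:" comment and -j ACCEPT.
            if ($0 ~ /--comment "?cali:/ && $0 ~ /-j ACCEPT( |$)/) { found = 1; exit }
            if ($0 ~ /-j (DROP|REJECT)( |$)/) hits[++h] = n ": " $0
        }
        END {
            if (!found) {
                print "no Calico ACCEPT rule found in FORWARD" > "/dev/stderr"
                exit 2
            }
            for (i = 1; i <= h; i++) print hits[i]
            exit (h > 0)
        }
    '
}

# Constructed sample: a local DROP rule sits before the Calico ACCEPT rule.
sample_bad() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -m comment --comment "cali:EXAMPLE-ID-1" -j cali-FORWARD
-A FORWARD -s 10.128.0.0/14 -j DROP
-A FORWARD -m comment --comment "cali:EXAMPLE-ID-2" -j ACCEPT
EOF
}

# Constructed sample: the only REJECT rule comes after the Calico ACCEPT rule.
sample_ok() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -m comment --comment "cali:EXAMPLE-ID-1" -j cali-FORWARD
-A FORWARD -i docker0 -j ACCEPT
-A FORWARD -m comment --comment "cali:EXAMPLE-ID-2" -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
EOF
}

sample_bad | audit_forward_chain || echo "exit status: $?"
```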