From 4477de5ebd945d141e0ded061f804a5051c5f8a9 Mon Sep 17 00:00:00 2001
From: Yuchen Dai
Date: Tue, 23 Jul 2019 12:15:37 -0700
Subject: [PATCH] iptables: for listener using filter chain (#15710)

* iptables: for listener using filter chain

* fix test
---
 tests/scripts/testdata/empty_parameter_golden.txt | 2 +-
 tests/scripts/testdata/mode_redirect_golden.txt | 2 +-
 tests/scripts/testdata/mode_tproxy_and_ipv6_golden.txt | 4 ++--
 .../scripts/testdata/mode_tproxy_and_wildcard_port_golden.txt | 2 +-
 tests/scripts/testdata/mode_tproxy_golden.txt | 2 +-
 tests/scripts/testdata/outbound_port_exclude_golden.txt | 2 +-
 tests/scripts/testdata/wildcard_include_ip_range_golden.txt | 2 +-
 tools/istio-iptables/main.go | 4 ++--
 tools/packaging/common/istio-iptables.sh | 4 ++--
 9 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/tests/scripts/testdata/empty_parameter_golden.txt b/tests/scripts/testdata/empty_parameter_golden.txt
index d60da2ff3a15..2821a2410501 100644
--- a/tests/scripts/testdata/empty_parameter_golden.txt
+++ b/tests/scripts/testdata/empty_parameter_golden.txt
@@ -48,7 +48,7 @@ iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-port 15001
 iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 0 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 0 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 0 -j RETURN
diff --git a/tests/scripts/testdata/mode_redirect_golden.txt b/tests/scripts/testdata/mode_redirect_golden.txt
index 03b6c6d7623a..3137ed64963e 100644
--- a/tests/scripts/testdata/mode_redirect_golden.txt
+++ b/tests/scripts/testdata/mode_redirect_golden.txt
@@ -52,7 +52,7 @@ iptables -t nat -A ISTIO_INBOUND -p tcp --dport 5555 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 6666 -j ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
diff --git a/tests/scripts/testdata/mode_tproxy_and_ipv6_golden.txt b/tests/scripts/testdata/mode_tproxy_and_ipv6_golden.txt
index cbd1155d9cfc..0b14ce0e40ea 100644
--- a/tests/scripts/testdata/mode_tproxy_and_ipv6_golden.txt
+++ b/tests/scripts/testdata/mode_tproxy_and_ipv6_golden.txt
@@ -62,7 +62,7 @@ iptables -t mangle -A ISTIO_INBOUND -p tcp -m socket -j ISTIO_DIVERT
 iptables -t mangle -A ISTIO_INBOUND -p tcp -j ISTIO_TPROXY
 iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
@@ -96,7 +96,7 @@ ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 7777 -j RETURN
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 8888 -j RETURN
 ip6tables -t nat -N ISTIO_OUTPUT
 ip6tables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -j ISTIO_REDIRECT
+ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -j ISTIO_IN_REDIRECT
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
diff --git a/tests/scripts/testdata/mode_tproxy_and_wildcard_port_golden.txt b/tests/scripts/testdata/mode_tproxy_and_wildcard_port_golden.txt
index 3637483a73c2..bde564c4b812 100644
--- a/tests/scripts/testdata/mode_tproxy_and_wildcard_port_golden.txt
+++ b/tests/scripts/testdata/mode_tproxy_and_wildcard_port_golden.txt
@@ -62,7 +62,7 @@ iptables -t mangle -A ISTIO_INBOUND -p tcp -m socket -j ISTIO_DIVERT
 iptables -t mangle -A ISTIO_INBOUND -p tcp -j ISTIO_TPROXY
 iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
diff --git a/tests/scripts/testdata/mode_tproxy_golden.txt b/tests/scripts/testdata/mode_tproxy_golden.txt
index fcd9a1045987..cb34f3bfdf54 100644
--- a/tests/scripts/testdata/mode_tproxy_golden.txt
+++ b/tests/scripts/testdata/mode_tproxy_golden.txt
@@ -63,7 +63,7 @@ iptables -t mangle -A ISTIO_INBOUND -p tcp --dport 6666 -m socket -j ISTIO_DIVER
 iptables -t mangle -A ISTIO_INBOUND -p tcp --dport 6666 -j ISTIO_TPROXY
 iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
diff --git a/tests/scripts/testdata/outbound_port_exclude_golden.txt b/tests/scripts/testdata/outbound_port_exclude_golden.txt
index bbc50ba4bc5d..3e1fd0f8b210 100644
--- a/tests/scripts/testdata/outbound_port_exclude_golden.txt
+++ b/tests/scripts/testdata/outbound_port_exclude_golden.txt
@@ -54,7 +54,7 @@ iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 1024 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 21 -j RETURN
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
diff --git a/tests/scripts/testdata/wildcard_include_ip_range_golden.txt b/tests/scripts/testdata/wildcard_include_ip_range_golden.txt
index 6d548212e9fe..78c7d0eaf70d 100644
--- a/tests/scripts/testdata/wildcard_include_ip_range_golden.txt
+++ b/tests/scripts/testdata/wildcard_include_ip_range_golden.txt
@@ -52,7 +52,7 @@ iptables -t nat -A ISTIO_INBOUND -p tcp --dport 5555 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 6666 -j ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
 iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner 4321 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 4444 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
diff --git a/tools/istio-iptables/main.go b/tools/istio-iptables/main.go
index 9274af278b99..f187a276c024 100644
--- a/tools/istio-iptables/main.go
+++ b/tools/istio-iptables/main.go
@@ -333,7 +333,7 @@ func run(args []string, flagSet *flag.FlagSet) {
 if env.RegisterStringVar("DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK", "", "").Get() == "" {
 // Redirect app calls back to itself via Envoy when using the service VIP or endpoint
 // address, e.g. appN => Envoy (client) => Envoy (server) => appN.
-ext.RunOrFail(dep.IPTABLES, "-t", "nat", "-A", "ISTIO_OUTPUT", "-o", "lo", "!", "-d", "127.0.0.1/32", "-j", "ISTIO_REDIRECT")
+ext.RunOrFail(dep.IPTABLES, "-t", "nat", "-A", "ISTIO_OUTPUT", "-o", "lo", "!", "-d", "127.0.0.1/32", "-j", "ISTIO_IN_REDIRECT")
 }
 
 for _, uid := range split(proxyUID) {
@@ -443,7 +443,7 @@ func run(args []string, flagSet *flag.FlagSet) {
 }
 // Redirect app calls to back itself via Envoy when using the service VIP or endpoint
 // address, e.g. appN => Envoy (client) => Envoy (server) => appN.
-ext.RunOrFail(dep.IP6TABLES, "-t", "nat", "-A", "ISTIO_OUTPUT", "-o", "lo", "!", "-d", "::1/128", "-j", "ISTIO_REDIRECT")
+ext.RunOrFail(dep.IP6TABLES, "-t", "nat", "-A", "ISTIO_OUTPUT", "-o", "lo", "!", "-d", "::1/128", "-j", "ISTIO_IN_REDIRECT")
 for _, uid := range split(proxyUID) {
 // Avoid infinite loops. Don't redirect Envoy traffic directly back to
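Review bot: The retargeted IPv4 rule in the `@@ -333` hunk of main.go carries no comment explaining why it must stay ahead of the `--uid-owner` RETURN rules that the following `for _, uid := range split(proxyUID)` loop emits, and the change from ISTIO_REDIRECT to ISTIO_IN_REDIRECT makes that ordering load-bearing. As far as the hunk shows, the second hop in the existing comment ("Envoy (client) => Envoy (server)") can only be redirected by this rule, since the proxy's own traffic is returned by the later UID rules, so a future reorder or a drift back to the outbound chain would silently break self-calls rather than fail loudly. I would extend the comment with `// Must precede the proxy-UID RETURN rules below and must target the inbound chain: the proxy's own hop to the pod IP over lo relies on this rule to reach the inbound listener instead of re-entering the outbound one.`. Which listener the traffic lands on presumably also decides which inbound policy is applied to it, which is worth stating if that is the intent. The enclosing `run` starts and ends outside the hunk.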
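Review bot: The ip6tables loopback rule in the `@@ -443` hunk of main.go is installed unconditionally, whereas its IPv4 counterpart in the hunk above is skipped when `DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK` is set; this commit changes the rule's target but leaves the asymmetry, so an operator who opts out of loopback redirection still gets IPv6 self-traffic steered into ISTIO_IN_REDIRECT on a dual-stack pod. Read the variable once ahead of both blocks, `disableLoopbackRedirect := env.RegisterStringVar("DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK", "", "").Get()`, and wrap this call in `if disableLoopbackRedirect == "" { … }` so the two families behave identically and the env var is registered only once. Note that both guards treat any non-empty value as an opt-out, so `=false` disables the rule; that is inherited behaviour, but worth a comment if it is intentional. The enclosing `run` starts and ends outside the hunk.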
diff --git a/tools/packaging/common/istio-iptables.sh b/tools/packaging/common/istio-iptables.sh
index a84a9f455ac0..3a11ed6c17af 100755
--- a/tools/packaging/common/istio-iptables.sh
+++ b/tools/packaging/common/istio-iptables.sh
@@ -410,7 +410,7 @@ fi
 if [ -z "${DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK-}" ]; then
 # Redirect app calls back to itself via Envoy when using the service VIP or endpoint
 # address, e.g. appN => Envoy (client) => Envoy (server) => appN.
-iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT
+iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_IN_REDIRECT
 fi
 
 for uid in ${PROXY_UID}; do
@@ -539,7 +539,7 @@ if [ -n "${ENABLE_INBOUND_IPV6}" ]; then
 # Redirect app calls to back itself via Envoy when using the service VIP or endpoint
 # address, e.g. appN => Envoy (client) => Envoy (server) => appN.
-ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -j ISTIO_REDIRECT
+ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -j ISTIO_IN_REDIRECT
 for uid in ${PROXY_UID}; do
 # Avoid infinite loops. Don't redirect Envoy traffic directly back to
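Review bot: The guard around the retargeted rule in the `@@ -410` hunk, `if [ -z "${DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK-}" ]`, treats any non-empty value as an opt-out, so `DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK=false` or `=0` silently drops the only rule that sends self-calls to the inbound chain; the commit changes the target but not that footgun. Either document it next to the test, `# Any non-empty value opts out, including "false" and "0".`, or compare against an explicit value such as `[ "${DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK-}" != "true" ]` if changing semantics is acceptable. The rule also has to stay ahead of the `for uid in ${PROXY_UID}` RETURN rules that follow it, since that is the only path by which the proxy's own hop to the pod IP can reach the inbound listener, which deserves a line in the comment. The surrounding script continues outside the hunk.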
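Review bot: The ip6tables rule in the `@@ -539` hunk has no `DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK` guard, unlike the IPv4 rule in the `@@ -410` hunk above, so the opt-out only covers IPv4 and a dual-stack pod keeps redirecting IPv6 self-traffic into ISTIO_IN_REDIRECT; the commit retargets the rule without closing that gap. Wrap it the same way: `if [ -z "${DISABLE_REDIRECTION_ON_LOCAL_LOOPBACK-}" ]; then`, the `ip6tables … -j ISTIO_IN_REDIRECT` line, `fi`. The hunk sits inside the `if [ -n "${ENABLE_INBOUND_IPV6}" ]` block named in its header, whose beginning and end are outside the hunk.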