Fixes istio#30868. Added the missing ip6tables rule.

ip6tables now includes the rule to redirect traffic to Envoy for the outbound ports listed using the annotation traffic.sidecar.istio.io/includeOutboundPorts
Nordix · Jun 1, 2021 · 434bc48 · 434bc48
1 parent ef9bdaa
commit 434bc48
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/tools/istio-iptables/pkg/cmd/run.go b/tools/istio-iptables/pkg/cmd/run.go
@@ -303,6 +303,13 @@ func (iptConfigurator *IptablesConfigurator) handleInboundIpv6Rules(ipv6RangesEx
 		iptConfigurator.iptables.AppendRuleV6(constants.ISTIOOUTPUT, constants.NAT, "-d", cidr.String(), "-j", constants.RETURN)
 	}
 	// Apply outbound IPv6 inclusions.
+	if iptConfigurator.cfg.OutboundPortsInclude != "" {
+		for _, port := range split(iptConfigurator.cfg.OutboundPortsInclude) {
+			iptConfigurator.iptables.AppendRuleV6(
+				constants.ISTIOOUTPUT, constants.NAT, "-p", constants.TCP, "--dport", port, "-j", constants.ISTIOREDIRECT)
+		}
+	}
+
 	if ipv6RangesInclude.IsWildcard {
 		// Wildcard specified. Redirect all remaining outbound traffic to Envoy.
 		iptConfigurator.iptables.AppendRuleV6(constants.ISTIOOUTPUT, constants.NAT, "-j", constants.ISTIOREDIRECT)