Close #23

disable OutboundIPRanges configuration when OutboundPorts set
sofastack · Sep 5, 2018 · f71c826 · f71c826
1 parent d636440
commit f71c826
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 18 deletions.
diff --git a/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml b/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
@@ -31,11 +31,11 @@ data:
         {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundPorts\") -]]" }}
         - "-o"
         {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundPorts\"  ]]\"" }}
-        {{ "[[ end -]]" }}
         {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundPorts\") -]]" }}
         - "-z"
         {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundPorts\"  ]]\"" }}
-        {{ "[[ end -]]" }}    
+        {{ "[[ end -]]" }}
+        {{ "[[ else -]]" }}
         - "-i"
         {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }}
         {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\"  ]]\"" }}
@@ -48,6 +48,7 @@ data:
         {{ "[[ else -]]" }}
         - "{{ .Values.global.proxy.excludeIPRanges }}"
         {{ "[[ end -]]" }}
+        {{ "[[ end -]]" }}
         - "-b"
         {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }}
         {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\"  ]]\"" }}

diff --git a/tools/deb/istio-iptables.sh b/tools/deb/istio-iptables.sh
@@ -287,24 +287,22 @@ done
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 
 if [ -n "${OUTBOUND_PORTS_INCLUDE}" ]; then
-  if [ -n "${OUTBOUND_PORTS_INCLUDE}" ]; then
-    if [ "${OUTBOUND_PORTS_INCLUDE}" == "*" ]; then
-      # Redirect exclusions must be applied before inclusions.
-      if [ -n "${OUTBOUND_PORTS_EXCLUDE}" ]; then
-        for port in ${OUTBOUND_PORTS_EXCLUDE}; do
-          iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j RETURN
-        done
-      fi
-      # Redirect remaining outbound traffic to Envoy
-      iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT
-    else
-      # User has specified a non-empty list of ports to be redirected to Envoy.
-      for port in ${OUTBOUND_PORTS_INCLUDE}; do
-        iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j ISTIO_REDIRECT
+  if [ "${OUTBOUND_PORTS_INCLUDE}" == "*" ]; then
+    # Redirect exclusions must be applied before inclusions.
+    if [ -n "${OUTBOUND_PORTS_EXCLUDE}" ]; then
+      for port in ${OUTBOUND_PORTS_EXCLUDE}; do
+        iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j RETURN
       done
-      # All other traffic is not redirected.
-      iptables -t nat -A ISTIO_OUTPUT -j RETURN
     fi
+    # Redirect remaining outbound traffic to Envoy
+    iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT
+  else
+    # User has specified a non-empty list of ports to be redirected to Envoy.
+    for port in ${OUTBOUND_PORTS_INCLUDE}; do
+      iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j ISTIO_REDIRECT
+    done
+    # All other traffic is not redirected.
+    iptables -t nat -A ISTIO_OUTPUT -j RETURN
   fi
 else
   if [ "${OUTBOUND_IP_RANGES_INCLUDE}" == "*" ]; then