iptables, dnsproxy: Fix regex matching for bind addr

In a previous change [1], the bind address for the proxy changed from 0.0.0.0 to localhost. This broke restoring the old proxy port and caused Cilium to always allocate a new proxy port. Fix it by changing the regex string to include the new bind address as well as the previously used "0.0.0.0" and "::", for backwards-compatibility reasons on upgrade. Found by code inspection. [1]: #25309 Fixes: 5304088 ("dnsproxy: bind dns proxy to localhost only") Fixes: #25309 Signed-off-by: Chris Tarazi <chris@isovalent.com>
cilium · Sep 10, 2023 · 1f8e015 · 1f8e015
1 parent f1913e3
commit 1f8e015
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 59 deletions.
diff --git a/pkg/datapath/iptables/iptables.go b/pkg/datapath/iptables/iptables.go
@@ -27,6 +27,7 @@ import (
 	"github.com/cilium/cilium/pkg/datapath/linux/route"
 	datapath "github.com/cilium/cilium/pkg/datapath/types"
 	"github.com/cilium/cilium/pkg/defaults"
+	"github.com/cilium/cilium/pkg/fqdn/proxy/ipfamily"
 	"github.com/cilium/cilium/pkg/ip"
 	ipamOption "github.com/cilium/cilium/pkg/ipam/option"
 	lb "github.com/cilium/cilium/pkg/loadbalancer"
@@ -1032,7 +1033,12 @@ func (m *IptablesManager) doGetProxyPort(prog iptablesInterface, name string) ui
 		return 0
 	}
 
-	re := regexp.MustCompile(name + ".*TPROXY redirect (0.0.0.0|::):([1-9][0-9]*) mark")
+	re := regexp.MustCompile(
+		name + ".*TPROXY redirect " +
+			"(0.0.0.0|" + ipfamily.IPv4().Localhost +
+			"|::|" + ipfamily.IPv6().Localhost + ")" +
+			":([1-9][0-9]*) mark",
+	)
 	strs := re.FindAllString(rules, -1)
 	if len(strs) == 0 {
 		return 0