Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Istio 1.18 iptable rules fail due to inverted destination port match #9865

Closed
Champ-Goblem opened this issue Jan 5, 2024 · 2 comments · Fixed by #9866
Closed

Istio 1.18 iptable rules fail due to inverted destination port match #9865

Champ-Goblem opened this issue Jan 5, 2024 · 2 comments · Fixed by #9866
Assignees
@kevinGC
Labels
type: bug Something isn't working

Comments

@Champ-Goblem
Copy link
Contributor

Description

It was noticed on Istio 1.18 that the init-container, which configures the IP table rules, fails to start in gVisor. After examining the rules one-by-one, the following rule fails to validate in gVisor:

iptables-legacy -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -p tcp -m tcp ! --dport 15008 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT

This rule can be reduced further to determine that the ! --dport flag causes issues:

iptables-legacy -t nat -A OUTPUT -o lo -p tcp -m tcp ! --dport 1234

Fails with the following error message:

iptables: Invalid argument. Run `dmesg' for more information.

However, removing the ! allows the rule to create:

iptables-legacy -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 1234

Steps to reproduce

No response

runsc version

No response

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response
@Champ-Goblem Champ-Goblem added the type: bug Something isn't working label Jan 5, 2024
@Champ-Goblem Champ-Goblem mentioned this issue Jan 5, 2024
Merged
@kevinGC kevinGC self-assigned this Jan 5, 2024
@kevinGC
Copy link
Collaborator

kevinGC commented Jan 5, 2024

Thanks, I didn't know Istio wrote rules like this. Should be a straightforward change to support.

@Champ-Goblem
Copy link
Contributor Author

Champ-Goblem commented Jan 5, 2024
edited
Loading

Hey @kevinGC I have created a PR with the change already, if not seen

@copybara-service copybara-service bot mentioned this issue Jan 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kevinGC kevinGC

Labels
type: bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@kevinGC @Champ-Goblem