Ip6tables ISTIO_OUTBOUND chain missing "catch-dport" rules #30868

emike922 · 2021-02-16T14:36:46Z

Bug description
When deploying applications into the service mesh in an IPv6 cluster with a traffic.sidecar.istio.io/includeOutboundPorts annotation, the respective ip6tables rule to redirect traffic on the specified destination port(s) to Envoy is missing. The corresponding IPv4 iptables rule is created correctly.

Environment:
------------
ENVOY_PORT=
INBOUND_CAPTURE_PORT=
ISTIO_INBOUND_INTERCEPTION_MODE=
ISTIO_INBOUND_TPROXY_MARK=
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
ISTIO_INBOUND_PORTS=
ISTIO_OUTBOUND_PORTS=
ISTIO_LOCAL_EXCLUDE_PORTS=
ISTIO_SERVICE_CIDR=
ISTIO_SERVICE_EXCLUDE_CIDR=

Variables:
----------
PROXY_PORT=15001
PROXY_INBOUND_CAPTURE_PORT=15006
PROXY_TUNNEL_PORT=15008
PROXY_UID=1337
PROXY_GID=1337
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=
INBOUND_PORTS_EXCLUDE=15090,15021,15020
OUTBOUND_IP_RANGES_INCLUDE=
OUTBOUND_IP_RANGES_EXCLUDE=
OUTBOUND_PORTS_INCLUDE=10334
OUTBOUND_PORTS_EXCLUDE=
KUBEVIRT_INTERFACES=
ENABLE_INBOUND_IPV6=true

ip -6 addr add ::6/128 dev lo

...

iptables-save
# Generated by iptables-save v1.8.3 on Mon Feb 15 16:12:05 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -p tcp -m tcp --dport 10334 -j ISTIO_REDIRECT  # <<< IPv4 rule
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Mon Feb 15 16:12:05 2021

---

ip6tables-save
# Generated by ip6tables-save v1.8.3 on Mon Feb 15 16:12:05 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -s ::6/128 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d ::1/128 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d ::1/128 -o lo -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d ::1/128 -j RETURN
# <<< Missing IPv6 rule
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
# Completed on Mon Feb 15 16:12:05 2021

[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
[ ] Upgrade

Expected behavior
Ip6tables rule is created analogously to iptables rule

Steps to reproduce the bug
Deploy sleep pod with a sidecar container and the traffic.sidecar.istio.io/includeOutboundPorts=12345 annotation in an IPv6 cluster

Version (include the output of istioctl version --remote and kubectl version --short and helm version --short if you used Helm)
1.8.3

How was Istio installed?
Helm

Environment where the bug was observed (cloud vendor, OS, etc)

The text was updated successfully, but these errors were encountered:

emike922 · 2021-02-16T14:44:19Z

istio/tools/istio-iptables/pkg/cmd/run.go

Lines 502 to 509 in e282a1f

    
           func (iptConfigurator *IptablesConfigurator) handleOutboundPortsInclude() { 
        
           	if iptConfigurator.cfg.OutboundPortsInclude != "" { 
        
           		for _, port := range split(iptConfigurator.cfg.OutboundPortsInclude) { 
        
           			iptConfigurator.iptables.AppendRuleV4( 
        
           				constants.ISTIOOUTPUT, constants.NAT, "-p", constants.TCP, "--dport", port, "-j", constants.ISTIOREDIRECT) 
        
           		} 
        
           	} 
        
           }

emike922 · 2021-03-09T14:54:17Z

Looks to me like the entire handleOutboundPortsInclude handling is missing for IPv6, but could simply be copied over after this line in handleInboundIpv6Rules:

istio/tools/istio-iptables/pkg/cmd/run.go

Line 286 in e282a1f

// Apply outbound IPv6 inclusions.

By the way, is it intentional that (almost) all IPv6 rules (inbound and outbound both) are created in handleInboundIpv6Rules, unlike the IPv4 counterparts, which are spread over run, handleInboundPortsInclude, handleOutboundPortsInclude, and handleInboundIpv4Rules?

nrjpoddar · 2021-05-18T14:45:27Z

cc @jacob-delgado for keeping this in mind and making it unstale.

sha-rath · 2021-05-18T16:21:29Z

Not stale..working on it.

ip6tables now includes the rule to redirect traffic to Envoy for the outbound ports listed using the annotation traffic.sidecar.istio.io/includeOutboundPorts

* Fixes #30868. Added the missing ip6tables rule. ip6tables now includes the rule to redirect traffic to Envoy for the outbound ports listed using the annotation traffic.sidecar.istio.io/includeOutboundPorts * Added test case to check ipv6 rules when outbound ports are included * Added release notes * Updated releasenotes/notes/30868.yaml Co-authored-by: sharathchandra <sharath.chandra.balachandra@est.tech>

…33439) * Fixes istio#30868. Added the missing ip6tables rule. ip6tables now includes the rule to redirect traffic to Envoy for the outbound ports listed using the annotation traffic.sidecar.istio.io/includeOutboundPorts * Added test case to check ipv6 rules when outbound ports are included * Added release notes * Updated releasenotes/notes/30868.yaml Co-authored-by: sharathchandra <sharath.chandra.balachandra@est.tech>

istio-policy-bot added the area/networking label Feb 16, 2021

istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label May 18, 2021

istio-policy-bot removed the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label May 18, 2021

sha-rath mentioned this issue Jun 2, 2021

Fixes #30868. Added the missing IPv6 rule. #33221

Merged

istio-testing closed this as completed in 5a03836 Jun 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ip6tables ISTIO_OUTBOUND chain missing "catch-dport" rules #30868

Ip6tables ISTIO_OUTBOUND chain missing "catch-dport" rules #30868

emike922 commented Feb 16, 2021 •

edited by istio-policy-bot

emike922 commented Feb 16, 2021

emike922 commented Mar 9, 2021

nrjpoddar commented May 18, 2021

sha-rath commented May 18, 2021

Ip6tables ISTIO_OUTBOUND chain missing "catch-dport" rules #30868

Ip6tables ISTIO_OUTBOUND chain missing "catch-dport" rules #30868

Comments

emike922 commented Feb 16, 2021 • edited by istio-policy-bot

emike922 commented Feb 16, 2021

emike922 commented Mar 9, 2021

nrjpoddar commented May 18, 2021

sha-rath commented May 18, 2021

emike922 commented Feb 16, 2021 •

edited by istio-policy-bot