Return packets from DNS servers matched against incorrect conntrack zone

[nberkley-gp]

Is this the right place to submit this?

• This is not a security vulnerability or a crashing bug
• This is not a question about how to use Istio

Bug Description

When setting up DNS capture (but not captureAllDNS) we create a rule in the raw table like -A PREROUTING -d 10.19.0.2/32 -p udp -m udp --sport 53 -j CT --zone 1 which is intended to match return packets from the upstream DNS server and move them to conntrack zone 1 so they can match the flows created by the outgoing packets. The end result being that we always end up with pairs of UNREPLIED conntrack flows when talking to the upstream DNS server like so:

udp      17 29 src=10.17.65.80 dst=10.19.0.2 sport=58059 dport=53 [UNREPLIED] src=10.19.0.2 dst=10.17.65.80 sport=53 dport=58059 mark=0 zone=1 use=1
udp      17 29 src=10.19.0.2 dst=10.17.65.80 sport=53 dport=58059 [UNREPLIED] src=10.17.65.80 dst=10.19.0.2 sport=58059 dport=53 mark=0 use=1

When really we should have a single established flow in zone 1, something like:

udp      17 29 src=10.17.65.80 dst=10.19.0.2 sport=58059 dport=53 src=10.19.0.2 dst=10.17.65.80 sport=53 dport=58059 mark=0 zone=1 use=1

This is mostly benign as far as I can tell, but clearly unintended/malformed.

Version

# istio
client version: 1.18.2
control plane version: 1.18.2
data plane version: 1.18.2 (47 proxies)
# k8s
Client Version: v1.25.3
Kustomize Version: v4.5.7
Server Version: v1.25.11

Additional Information

Don't really need debugging information here, it's this line: https://github.com/istio/istio/blob/master/tools/istio-iptables/pkg/capture/run.go#L692C3-L692C3. I'll have a PR up shortly.