Is this the right place to submit this?
This is not a security vulnerability or a crashing bug
This is not a question about how to use Istio
Bug Description
When setting up DNS capture (but not captureAllDNS) we create a rule in the raw table like -A PREROUTING -d 10.19.0.2/32 -p udp -m udp --sport 53 -j CT --zone 1, which is intended to match return packets from the upstream DNS server and move them to conntrack zone 1 so they can match the flows created by the outgoing packets. The end result is that we always end up with pairs of UNREPLIED conntrack flows when talking to the upstream DNS server, like so:

When really we should have a single established flow in zone 1, something like:
This is mostly benign as far as I can tell, but clearly unintended/malformed.
Version
Additional Information
Don't really need debugging information here, it's this line: https://github.com/istio/istio/blob/master/tools/istio-iptables/pkg/capture/run.go#L692C3-L692C3. I'll have a PR up shortly.
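The pairs of UNREPLIED entries described in the report can be spotted mechanically rather than by eye. What follows is an added example, not code from the issue or from Istio: a small Python parser for conntrack -L output that groups every UDP exchange with the upstream resolver under one canonical key (client address and port) and flags the exchanges that show up as two UNREPLIED entries in different conntrack zones. The sample output is constructed; the resolver address 10.19.0.2 is taken from the rule quoted in the report, the pod address and ports are made up, and the code assumes conntrack prints zone= only when the zone is nonzero.

```python
import re
from dataclasses import dataclass

# Constructed sample of `conntrack -L` output (not taken from the issue).
# Resolver 10.19.0.2 comes from the rule quoted in the report; pod address
# 10.244.1.7 and the ports are made up. Lines 1-2 are the symptom described
# in the report: the same DNS query tracked twice, UNREPLIED, once in zone 1
# and once in the default zone. Line 3 is what a healthy capture looks like.
# Line 4 is an unrelated TCP flow that must be ignored.
SAMPLE_CONNTRACK = """\
udp      17 28 src=10.244.1.7 dst=10.19.0.2 sport=41672 dport=53 [UNREPLIED] src=10.19.0.2 dst=10.244.1.7 sport=53 dport=41672 mark=0 zone=1 use=1
udp      17 28 src=10.19.0.2 dst=10.244.1.7 sport=53 dport=41672 [UNREPLIED] src=10.244.1.7 dst=10.19.0.2 sport=41672 dport=53 mark=0 use=1
udp      17 29 src=10.244.1.7 dst=10.19.0.2 sport=50010 dport=53 src=10.19.0.2 dst=10.244.1.7 sport=53 dport=50010 mark=0 zone=1 use=1
tcp      6 431999 ESTABLISHED src=10.244.1.7 dst=10.96.0.1 sport=33100 dport=443 src=10.96.0.1 dst=10.244.1.7 sport=443 dport=33100 [ASSURED] mark=0 use=1
"""

# One 4-tuple as conntrack prints it; a line carries two (original, reply).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
# Assumption: conntrack only prints zone= for a nonzero zone.
ZONE_RE = re.compile(r"\bzone=(\d+)")


@dataclass(frozen=True)
class Flow:
    proto: str
    orig: tuple       # (src, dst, sport, dport) of the packet that created the entry
    reply: tuple      # the tuple conntrack expects the reply to carry
    unreplied: bool   # [UNREPLIED] flag present
    zone: int         # 0 when no zone= field is printed


def parse_conntrack_line(line):
    """Parse one `conntrack -L` line; return a Flow, or None if it does not look like one."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(fields) < 3 or len(tuples) != 2:
        return None
    orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
    reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
    zone = ZONE_RE.search(line)
    return Flow(fields[0], orig, reply, "[UNREPLIED]" in line, int(zone.group(1)) if zone else 0)


def dns_exchange_key(flow, dns_server, dns_port=53):
    """Canonical (client_ip, client_port) for a UDP flow to or from the resolver.

    Both the outbound entry (client -> resolver:53) and a reply-side entry
    (resolver:53 -> client) map to the same key, regardless of zone.
    """
    if flow.proto != "udp":
        return None
    src, dst, sport, dport = flow.orig
    if dst == dns_server and dport == dns_port:
        return (src, sport)
    if src == dns_server and sport == dns_port:
        return (dst, dport)
    return None


def find_split_dns_flows(conntrack_output, dns_server):
    """Return DNS exchanges tracked as two or more UNREPLIED entries in different zones."""
    by_key = {}
    for line in conntrack_output.splitlines():
        flow = parse_conntrack_line(line)
        if flow is None:
            continue
        key = dns_exchange_key(flow, dns_server)
        if key is not None:
            by_key.setdefault(key, []).append(flow)
    split = []
    for key, flows in sorted(by_key.items()):
        zones = {f.zone for f in flows}
        if len(flows) >= 2 and len(zones) > 1 and all(f.unreplied for f in flows):
            split.append(key)
    return split


if __name__ == "__main__":
    for client_ip, client_port in find_split_dns_flows(SAMPLE_CONNTRACK, "10.19.0.2"):
        print(f"split DNS flow: {client_ip}:{client_port} -> 10.19.0.2:53 tracked in two zones")
```

Run it against live output with conntrack -L piped into the script (or read from a file), and substitute your upstream resolver address. A healthy capture, as the report describes it, yields a single zone 1 entry per query without the UNREPLIED flag and is never reported.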