From 184a27c073062a66f05aedcf0ee08f97fd0b8318 Mon Sep 17 00:00:00 2001
From: Eoin Fennessy
Date: Wed, 8 May 2024 14:33:35 +0100
Subject: [PATCH 1/3] iptables: use `ISTIO_OUTPUT` chain for DNS UDP rules

---
 .../pkg/cmd/testdata/dns-uid-gid.golden | 56 +++++++++---------
 .../pkg/cmd/testdata/dns.golden | 24 ++++----
 .../outbound-owner-groups-exclude.golden | 32 +++++-----
 .../cmd/testdata/outbound-owner-groups.golden | 28 ++++-----
 tools/istio-iptables/pkg/capture/run.go | 2 +-
 .../pkg/capture/testdata/dns-uid-gid.golden | 58 ++++++++++---------
 .../pkg/capture/testdata/ip-range.golden | 29 +++++-----
 ...6-dns-outbound-owner-groups-exclude.golden | 34 ++++++-----
 .../ipv6-dns-outbound-owner-groups.golden | 30 +++++-----
 .../capture/testdata/ipv6-dns-uid-gid.golden | 50 ++++++++--------
 .../testdata/loopback-outbound-iprange.golden | 29 +++++-----
 .../pkg/capture/testdata/tproxy.golden | 30 +++++-----
 12 files changed, 207 insertions(+), 195 deletions(-)

diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
index 9eba379b4f4f..72ef7cbae351 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
@@ -32,35 +32,35 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -D PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
 ip6tables -t raw -D PREROUTING -p udp --sport 53 -s ::127.0.0.53/128 -j CT --zone 1
 iptables-save
 ip6tables-save
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
index ecb2629fe03a..a22f41b646d2 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
@@ -32,17 +32,17 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
index 8ecfc8326438..0a8350a945fa 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
@@ -32,21 +32,21 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
index 2ddedc4832b2..f6577fe033ed 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
@@ -32,19 +32,19 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -D OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/run.go b/tools/istio-iptables/pkg/capture/run.go
index 31b772a6345c..21a1b8a525ce 100644
--- a/tools/istio-iptables/pkg/capture/run.go
+++ b/tools/istio-iptables/pkg/capture/run.go
@@ -616,7 +616,7 @@ func HandleDNSUDP(
 	ext: ext,
 	ops: ops,
 	table: constants.NAT,
-	chain: constants.OUTPUT,
+	chain: constants.ISTIOOUTPUT,
 	iptV: iptV,
 	ipt6V: ipt6V,
 	}
diff --git a/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden b/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
index 23adbcf85730..e3a687f33f64 100644
--- a/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
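Review bot: Appending the UDP DNS rules to `ISTIO_OUTPUT` makes them dead rules whenever an outbound include range is configured: the ip-range.golden hunk in this same patch shows the existing `iptables -t nat -A ISTIO_OUTPUT -j RETURN` sitting before the new `+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053`, so nat traversal returns from the chain before the DNS redirect is ever evaluated and DNS capture silently stops working for that configuration, with the regenerated golden now encoding that order as expected. HandleDNSUDP starts and ends outside this hunk, so the fix is in call ordering rather than in this literal: emit the UDP DNS rules before the include-range `-j RETURN` is appended (or insert them with `-I` instead of `-A`), and keep ip-range.golden as the test that pins the reachable order. Separately, every capture golden here adds `iptables -t raw -N ISTIO_OUTPUT` and fills it with the `CT --zone` rules, but none adds a jump from the built-in chain into it, e.g. `iptables -t raw -A OUTPUT -j ISTIO_OUTPUT`, and the diffstat counts leave no room for one; without that jump the conntrack-zone rules never run. The existing nat `OUTPUT` → `ISTIO_OUTPUT` jump is outside the diff; if it is protocol-restricted, the moved UDP rules would be unreachable in nat as well, so that should be checked in the same series.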
@@ -21,25 +22,26 @@ iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-ports 15053
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -59,20 +61,20 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owne
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-ports 15053
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
 ip6tables -t raw -A PREROUTING -p udp --sport 53 -s ::127.0.0.53/128 -j CT --zone 1
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ip-range.golden b/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
index a03b0541bc5d..3ee6210e53da 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -24,19 +25,19 @@ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 1.1.0.0/16 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 9.9.0.0/16 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 iptables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
index 66b3b1657fb9..05cf308a41fb 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -16,18 +17,19 @@ iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 888 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ftp -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -42,13 +44,13 @@ ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 888 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ftp -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
index 63654d4b8304..6459396a5612 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -15,17 +16,18 @@ iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -39,12 +41,12 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owne
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
index e8f19e4f08c1..edf93d0c7c2e 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -20,22 +21,23 @@ iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -
 iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
 ip6tables -t nat -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_REDIRECT
 ip6tables -t nat -N ISTIO_IN_REDIRECT
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 ip6tables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 ip6tables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -54,17 +56,17 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m ow
 ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
 iptables-save
 ip6tables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden b/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
index 0811246f203e..714fb4fc8b8a 100644
--- a/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
@@ -2,6 +2,7 @@ iptables -t nat -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_REDIRECT
 iptables -t nat -N ISTIO_IN_REDIRECT
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
 iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
@@ -19,19 +20,19 @@ iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d 127.0.0.53/32 -j REDIRECT -
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.1.2.3/32 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 iptables-save
diff --git a/tools/istio-iptables/pkg/capture/testdata/tproxy.golden b/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
index a881218dd2c4..1685993e39e4 100644
--- a/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
@@ -5,6 +5,7 @@ iptables -t mangle -N ISTIO_DIVERT
 iptables -t mangle -N ISTIO_TPROXY
 iptables -t mangle -N ISTIO_INBOUND
 iptables -t nat -N ISTIO_OUTPUT
+iptables -t raw -N ISTIO_OUTPUT
 iptables -t nat -A PREROUTING -i not-istio-nic -j RETURN
 iptables -t nat -A OUTPUT -o not-istio-nic -j RETURN
 iptables -t mangle -A PREROUTING -i not-istio-nic -j RETURN
@@ -31,14 +32,14 @@ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 1.1.0.0/16 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 9.9.0.0/16 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-iptables -t nat -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-iptables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-iptables -t raw -A OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+iptables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+iptables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
 iptables -t raw -A PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
 iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1337 -j CONNMARK --save-mark
 iptables -t mangle -A OUTPUT -p tcp -o lo -m mark --mark 1337 -j RETURN
@@ -55,6 +56,7 @@ ip6tables -t mangle -N ISTIO_DIVERT
 ip6tables -t mangle -N ISTIO_TPROXY
 ip6tables -t mangle -N ISTIO_INBOUND
 ip6tables -t nat -N ISTIO_OUTPUT
+ip6tables -t raw -N ISTIO_OUTPUT
 ip6tables -t nat -A PREROUTING -i not-istio-nic -j RETURN
 ip6tables -t nat -A OUTPUT -o not-istio-nic -j RETURN
 ip6tables -t mangle -A PREROUTING -i not-istio-nic -j RETURN
@@ -77,12 +79,12 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m ow
 ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-ip6tables -t raw -A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-ip6tables -t raw -A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+ip6tables -t raw -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
 ip6tables -t mangle -A PREROUTING -p tcp -m mark --mark 1337 -j CONNMARK --save-mark
 ip6tables -t mangle -A OUTPUT -p tcp -o lo -m mark --mark 1337 -j RETURN
 ip6tables -t mangle -A OUTPUT ! -d ::1/128 -p tcp -o lo -m owner --uid-owner 1337 -j MARK --set-mark 1338
From c52d2d1f5c9389cf5d42b2b995da41f0ea4a1a82 Mon Sep 17 00:00:00 2001
From: Eoin Fennessy
Date: Wed, 8 May 2024 15:49:40 +0100
Subject: [PATCH 2/3] make gen
---
 cni/pkg/plugin/testdata/dns.txt.golden | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/cni/pkg/plugin/testdata/dns.txt.golden b/cni/pkg/plugin/testdata/dns.txt.golden
index 13d33034a658..3900562a9f25 100644
--- a/cni/pkg/plugin/testdata/dns.txt.golden
+++ b/cni/pkg/plugin/testdata/dns.txt.golden
@@ -23,15 +23,16 @@
 -A ISTIO_OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 15053
 -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 -A ISTIO_OUTPUT -j ISTIO_REDIRECT
--A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
--A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
--A OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
+-A ISTIO_OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
 COMMIT
 * raw
--A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
--A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
--A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
--A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
--A OUTPUT -p udp --dport 53 -j CT --zone 2
+-N ISTIO_OUTPUT
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
+-A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
+-A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
+-A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
+-A ISTIO_OUTPUT -p udp --dport 53 -j CT --zone 2
 -A PREROUTING -p udp --sport 53 -j CT --zone 1
 COMMIT
From 700e5d6362224d623f8eb300a777ddb3aae7af2d Mon Sep 17 00:00:00 2001
From: Eoin Fennessy
Date: Thu, 9 May 2024 11:22:27 +0100
Subject: [PATCH 3/3] Add jumps to ISTIO_OUTPUT chain for UDP traffic
---
 cni/pkg/plugin/testdata/dns.txt.golden | 2 ++
 tools/istio-clean-iptables/pkg/cmd/cleanup.go | 6 ++++++
 .../pkg/cmd/testdata/dns-uid-gid.golden | 4 ++++
 tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden | 4 ++++
 tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden | 4 ++++
 .../pkg/cmd/testdata/inbound-interception-mode.golden | 4 ++++
 .../pkg/cmd/testdata/outbound-owner-groups-exclude.golden | 4 ++++
 .../pkg/cmd/testdata/outbound-owner-groups.golden | 4 ++++
 tools/istio-iptables/pkg/capture/run.go | 6 +++++-
 .../istio-iptables/pkg/capture/testdata/dns-uid-gid.golden | 4 ++++
 tools/istio-iptables/pkg/capture/testdata/ip-range.golden | 2 ++
 .../testdata/ipv6-dns-outbound-owner-groups-exclude.golden | 4 ++++
 .../capture/testdata/ipv6-dns-outbound-owner-groups.golden | 4 ++++
 .../pkg/capture/testdata/ipv6-dns-uid-gid.golden | 4 ++++
 .../pkg/capture/testdata/loopback-outbound-iprange.golden | 2 ++
 tools/istio-iptables/pkg/capture/testdata/tproxy.golden | 4 ++++
 16 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/cni/pkg/plugin/testdata/dns.txt.golden b/cni/pkg/plugin/testdata/dns.txt.golden
index 3900562a9f25..1b5b0e8b0824 100644
--- a/cni/pkg/plugin/testdata/dns.txt.golden
+++ b/cni/pkg/plugin/testdata/dns.txt.golden
@@ -23,12 +23,14 @@
 -A ISTIO_OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 15053
 -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 -A ISTIO_OUTPUT -j ISTIO_REDIRECT
+-A OUTPUT -p udp -j ISTIO_OUTPUT
 -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 -A ISTIO_OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
 COMMIT
 * raw
 -N ISTIO_OUTPUT
+-A OUTPUT -p udp -j ISTIO_OUTPUT
 -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
 -A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
 -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
diff --git a/tools/istio-clean-iptables/pkg/cmd/cleanup.go b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
index a1165547b8a2..5cfe8dc4db95 100644
--- a/tools/istio-clean-iptables/pkg/cmd/cleanup.go
+++ b/tools/istio-clean-iptables/pkg/cmd/cleanup.go
@@ -89,6 +89,12 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.Iptable
 // TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
 // or create unique abstractions for them
 func cleanupDNSUDP(cfg *config.Config, ext dep.Dependencies, iptV, ipt6V *dep.IptablesVersion) {
+ // Remove UDP jumps from OUTPUT chain to ISTIOOUTPUT chain
+ ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.NAT, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.RAW, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ ext.RunQuietlyAndIgnore(constants.IPTables, ipt6V, nil, "-t", constants.NAT, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ ext.RunQuietlyAndIgnore(constants.IPTables, ipt6V, nil, "-t", constants.RAW, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+
 // Remove the old DNS UDP rules
 if cfg.RedirectDNS {
 ownerGroupsFilter := types.ParseInterceptFilter(cfg.OwnerGroupsInclude, cfg.OwnerGroupsExclude)
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
index 72ef7cbae351..060fc0b4e34b 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
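Review bot: The four new `-D OUTPUT -p udp -j ISTIO_OUTPUT` calls detach the jumps, but nothing in this hunk flushes or deletes the raw-table ISTIO_OUTPUT chain that the capture goldens of the first patch in this series show being created (`iptables -t raw -N ISTIO_OUTPUT`), and the clean-iptables goldens of this patch show the chain-removal block ending at `-X ISTIO_IN_REDIRECT` with no raw-table `-F`/`-X` in view. Unless removeOldChains, which sits above this hunk, already covers the raw table, a cleanup run leaves an empty ISTIO_OUTPUT chain behind in `raw` for both address families; a pair such as `ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.RAW, "-F", constants.ISTIOOUTPUT)` followed by the same call with `"-X"` (and the ipt6V equivalents) placed after the per-rule deletions would close that gap. The new comment would read more accurately to an operator as `// Remove the UDP jumps from OUTPUT to ISTIO_OUTPUT in the nat and raw tables (both families)`, naming the chain as iptables prints it. cleanupDNSUDP continues past the end of the hunk.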
@@ -32,6 +32,10 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
index a22f41b646d2..1dbc7c402b0f 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
@@ -32,6 +32,10 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
index ed81b4954953..2971c77b4fd9 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
@@ -32,5 +32,9 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables-save
 ip6tables-save
\ No newline at end of file
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden
index 714f36158820..f9c41a0e7696 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/inbound-interception-mode.golden
@@ -36,5 +36,9 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables-save
 ip6tables-save
\ No newline at end of file
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
index 0a8350a945fa..093db2495884 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups-exclude.golden
@@ -32,6 +32,10 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
diff --git a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
index f6577fe033ed..9f67f1eede74 100644
--- a/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
+++ b/tools/istio-clean-iptables/pkg/cmd/testdata/outbound-owner-groups.golden
@@ -32,6 +32,10 @@ ip6tables -t nat -F ISTIO_REDIRECT
 ip6tables -t nat -X ISTIO_REDIRECT
 ip6tables -t nat -F ISTIO_IN_REDIRECT
 ip6tables -t nat -X ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/run.go b/tools/istio-iptables/pkg/capture/run.go
index 21a1b8a525ce..45807339dd7a 100644
--- a/tools/istio-iptables/pkg/capture/run.go
+++ b/tools/istio-iptables/pkg/capture/run.go
@@ -349,7 +349,7 @@ func (cfg *IptablesConfigurator) Run() error {
 // TODO: change the default behavior to not intercept any output - user may use http_proxy or another
 // iptablesOrFail wrapper (like ufw). Current default is similar with 0.1
- // Jump to the ISTIOOUTPUT chain from OUTPUT chain for all tcp traffic, and UDP dns (if enabled)
+ // Jump to the ISTIOOUTPUT chain from OUTPUT chain for all tcp traffic
 cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.NAT, "-p", constants.TCP, "-j", constants.ISTIOOUTPUT)
 // Apply port based exclusions. Must be applied before connections back to self are redirected.
 if cfg.cfg.OutboundPortsExclude != "" {
@@ -509,6 +509,10 @@ func (cfg *IptablesConfigurator) Run() error {
 cfg.handleOutboundIncludeRules(ipv6RangesInclude, cfg.ruleBuilder.AppendRuleV6, cfg.ruleBuilder.InsertRuleV6)
 if redirectDNS {
+ // Jump from OUTPUT chain to ISTIOOUTPUT chain for all UDP traffic
+ cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.NAT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+ cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.RAW, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
+
 HandleDNSUDP(
 AppendOps, cfg.ruleBuilder, cfg.ext, &iptVer, &ipt6Ver,
 cfg.cfg.ProxyUID, cfg.cfg.ProxyGID,
diff --git a/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden b/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
index e3a687f33f64..88bd58e92cae 100644
--- a/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/dns-uid-gid.golden
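Review bot: The new nat-table `-p udp -j ISTIO_OUTPUT` jump in the second hunk sends UDP into a chain that, judging by the goldens, only TCP entered before, and in which an unconditional `-A ISTIO_OUTPUT -j RETURN` can already be the last rule by the time HandleDNSUDP appends the DNS rules (the ip-range, loopback-outbound-iprange and tproxy goldens in this series all show that RETURN immediately ahead of the new `-p udp --dport 53` rules). In those configurations a UDP DNS packet returns to OUTPUT before it reaches `-p udp --dport 53 ... -j REDIRECT --to-port 15053`, so DNS capture silently stops working, whereas the removed `-A OUTPUT` placement was never subject to that RETURN. The DNS UDP rules have to land ahead of the range rules: either emit this block and the HandleDNSUDP call before `cfg.handleOutboundIncludeRules` runs, or put the nat-table DNS rules at the head of the chain through the InsertRule/InsertRuleV6 path rather than appending them. The new comment would also help a reader if it recorded the consequence, e.g. `// Jump from OUTPUT to ISTIOOUTPUT for all UDP when DNS redirection is on; UDP now passes the same owner/loopback exclusions as TCP`. Run continues outside both hunks.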
@@ -22,6 +22,8 @@ iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-ports 15053
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
@@ -61,6 +63,8 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owne
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-ports 15053
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/testdata/ip-range.golden b/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
index 3ee6210e53da..6223692fb166 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ip-range.golden
@@ -25,6 +25,8 @@ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 1.1.0.0/16 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 9.9.0.0/16 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
index 05cf308a41fb..92cfe370a80e 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups-exclude.golden
@@ -17,6 +17,8 @@ iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 888 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ftp -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
@@ -44,6 +46,8 @@ ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 888 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ftp -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
index 6459396a5612..25a94f5d52d0 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-outbound-owner-groups.golden
@@ -16,6 +16,8 @@ iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
@@ -41,6 +43,8 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owne
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
index edf93d0c7c2e..7a04ac47bd44 100644
--- a/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/ipv6-dns-uid-gid.golden
@@ -21,6 +21,8 @@ iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -
 iptables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
@@ -56,6 +58,8 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m ow
 ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 2 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden b/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
index 714fb4fc8b8a..3e65e9497a9d 100644
--- a/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/loopback-outbound-iprange.golden
@@ -20,6 +20,8 @@ iptables -t nat -A ISTIO_OUTPUT -p tcp --dport 53 -d 127.0.0.53/32 -j REDIRECT -
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 127.1.2.3/32 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
diff --git a/tools/istio-iptables/pkg/capture/testdata/tproxy.golden b/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
index 1685993e39e4..0427e0acc76d 100644
--- a/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
+++ b/tools/istio-iptables/pkg/capture/testdata/tproxy.golden
@@ -32,6 +32,8 @@ iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 1.1.0.0/16 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -d 9.9.0.0/16 -j ISTIO_REDIRECT
 iptables -t nat -A ISTIO_OUTPUT -j RETURN
+iptables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+iptables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 iptables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
@@ -79,6 +81,8 @@ ip6tables -t nat -A ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m ow
 ip6tables -t nat -A ISTIO_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -d ::1/128 -j RETURN
+ip6tables -t nat -A OUTPUT -p udp -j ISTIO_OUTPUT
+ip6tables -t raw -A OUTPUT -p udp -j ISTIO_OUTPUT
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
 ip6tables -t nat -A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
 ip6tables -t raw -A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1