iptables: use ISTIO_OUTPUT chain for DNS UDP rules #50915

Merged
merged 3 commits into from
May 13, 2024
19 changes: 11 additions & 8 deletions cni/pkg/plugin/testdata/dns.txt.golden
@@ -23,15 +23,18 @@
-A ISTIO_OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 15053
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
-A OUTPUT -p udp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -p udp --dport 53 -j REDIRECT --to-port 15053
COMMIT
* raw
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-A OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-A OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-A OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-A OUTPUT -p udp --dport 53 -j CT --zone 2
-N ISTIO_OUTPUT
-A OUTPUT -p udp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
-A ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
-A ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
-A ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
-A ISTIO_OUTPUT -p udp --dport 53 -j CT --zone 2
-A PREROUTING -p udp --sport 53 -j CT --zone 1
COMMIT
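Review bot: rule order inside the nat ISTIO_OUTPUT chain deserves a second look. The new `-A ISTIO_OUTPUT -p udp --dport 53 ...` rules are appended after the existing `-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN` and `-A ISTIO_OUTPUT -j ISTIO_REDIRECT`, so every UDP packet that now enters through `-A OUTPUT -p udp -j ISTIO_OUTPUT` traverses those two first. That relies on ISTIO_REDIRECT matching TCP only, so that UDP falls back into ISTIO_OUTPUT and reaches the DNS rules, and it means UDP DNS addressed to 127.0.0.1 is RETURNed before the REDIRECT rule, whereas the removed OUTPUT rules redirected dport 53 regardless of destination. If that loopback exclusion is intended for UDP DNS, a test case pinning it would help; otherwise the UDP rules should be inserted ahead of the RETURN. The raw-table part is fine: `-N ISTIO_OUTPUT` precedes the jump, and the PREROUTING zone-1 rule is unchanged.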
6 changes: 6 additions & 0 deletions tools/istio-clean-iptables/pkg/cmd/cleanup.go
@@ -89,6 +89,12 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.Iptable
// TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
// or create unique abstractions for them
func cleanupDNSUDP(cfg *config.Config, ext dep.Dependencies, iptV, ipt6V *dep.IptablesVersion) {
// Remove UDP jumps from OUTPUT chain to ISTIOOUTPUT chain
ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.NAT, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", constants.RAW, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
ext.RunQuietlyAndIgnore(constants.IPTables, ipt6V, nil, "-t", constants.NAT, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
ext.RunQuietlyAndIgnore(constants.IPTables, ipt6V, nil, "-t", constants.RAW, "-D", constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)

// Remove the old DNS UDP rules
if cfg.RedirectDNS {
ownerGroupsFilter := types.ParseInterceptFilter(cfg.OwnerGroupsInclude, cfg.OwnerGroupsExclude)
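Review bot: the four jump deletions run unconditionally, ahead of the `if cfg.RedirectDNS` block, which matches empty.golden, but each is a single `-D`, and `-D` removes only one matching rule; if the `-p udp -j ISTIO_OUTPUT` jump was ever appended twice on a host, one copy survives cleanup. Consider looping until the delete fails, as the errors are already swallowed by RunQuietlyAndIgnore. Minor: the comment reads `ISTIOOUTPUT chain`, but the chain installed on the host is `ISTIO_OUTPUT` (constants.ISTIOOUTPUT is only the Go identifier); naming the real chain in the comment avoids confusion when grepping iptables-save output.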
60 changes: 32 additions & 28 deletions tools/istio-clean-iptables/pkg/cmd/testdata/dns-uid-gid.golden
@@ -32,35 +32,39 @@ ip6tables -t nat -F ISTIO_REDIRECT
ip6tables -t nat -X ISTIO_REDIRECT
ip6tables -t nat -F ISTIO_IN_REDIRECT
ip6tables -t nat -X ISTIO_IN_REDIRECT
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
ip6tables -t nat -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
iptables -t raw -D PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
ip6tables -t raw -D PREROUTING -p udp --sport 53 -s ::127.0.0.53/128 -j CT --zone 1
iptables-save
ip6tables-save
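Review bot: after `iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT` this golden deletes every rule in the raw ISTIO_OUTPUT chain one by one, but in the visible lines it never flushes or removes the chain itself, unlike the nat chains in the context above (`ip6tables -t nat -F ISTIO_REDIRECT` / `-X ISTIO_REDIRECT`). The install side now creates ISTIO_OUTPUT in the raw table with `-N`, so an empty user chain is left behind unless removeOldChains also covers raw; I would expect `iptables -t raw -F ISTIO_OUTPUT` and `-X ISTIO_OUTPUT` plus the ip6tables pair to appear here (if they already sit above this hunk, disregard). Once the chain is flushed and deleted, the per-rule `-D ISTIO_OUTPUT` lines become redundant and could be dropped.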
28 changes: 16 additions & 12 deletions tools/istio-clean-iptables/pkg/cmd/testdata/dns.golden
@@ -32,17 +32,21 @@ ip6tables -t nat -F ISTIO_REDIRECT
ip6tables -t nat -X ISTIO_REDIRECT
ip6tables -t nat -F ISTIO_IN_REDIRECT
ip6tables -t nat -X ISTIO_IN_REDIRECT
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
iptables-save
ip6tables-save
4 changes: 4 additions & 0 deletions tools/istio-clean-iptables/pkg/cmd/testdata/empty.golden
@@ -32,5 +32,9 @@ ip6tables -t nat -F ISTIO_REDIRECT
ip6tables -t nat -X ISTIO_REDIRECT
ip6tables -t nat -F ISTIO_IN_REDIRECT
ip6tables -t nat -X ISTIO_IN_REDIRECT
iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables-save
ip6tables-save
@@ -36,5 +36,9 @@ ip6tables -t nat -F ISTIO_REDIRECT
ip6tables -t nat -X ISTIO_REDIRECT
ip6tables -t nat -F ISTIO_IN_REDIRECT
ip6tables -t nat -X ISTIO_IN_REDIRECT
iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables-save
ip6tables-save
@@ -32,21 +32,25 @@ ip6tables -t nat -F ISTIO_REDIRECT
ip6tables -t nat -X ISTIO_REDIRECT
ip6tables -t nat -F ISTIO_IN_REDIRECT
ip6tables -t nat -X ISTIO_IN_REDIRECT
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 888 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner ftp -j RETURN
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
iptables-save
ip6tables-save
@@ -32,19 +32,23 @@ ip6tables -t nat -F ISTIO_REDIRECT
ip6tables -t nat -X ISTIO_REDIRECT
ip6tables -t nat -F ISTIO_IN_REDIRECT
ip6tables -t nat -X ISTIO_IN_REDIRECT
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
iptables -t nat -D OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
iptables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t nat -D OUTPUT -p udp -j ISTIO_OUTPUT
ip6tables -t raw -D OUTPUT -p udp -j ISTIO_OUTPUT
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j RETURN
iptables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
ip6tables -t nat -D ISTIO_OUTPUT -p udp --dport 53 -m owner ! --gid-owner java -m owner ! --gid-owner 202 -j RETURN
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --uid-owner 1337 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --uid-owner 1337 -j CT --zone 2
iptables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
ip6tables -t raw -D ISTIO_OUTPUT -p udp --dport 53 -m owner --gid-owner 1337 -j CT --zone 1
iptables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
ip6tables -t raw -D ISTIO_OUTPUT -p udp --sport 15053 -m owner --gid-owner 1337 -j CT --zone 2
iptables-save
ip6tables-save
8 changes: 6 additions & 2 deletions tools/istio-iptables/pkg/capture/run.go
@@ -349,7 +349,7 @@ func (cfg *IptablesConfigurator) Run() error {

// TODO: change the default behavior to not intercept any output - user may use http_proxy or another
// iptablesOrFail wrapper (like ufw). Current default is similar with 0.1
// Jump to the ISTIOOUTPUT chain from OUTPUT chain for all tcp traffic, and UDP dns (if enabled)
// Jump to the ISTIOOUTPUT chain from OUTPUT chain for all tcp traffic
cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.NAT, "-p", constants.TCP, "-j", constants.ISTIOOUTPUT)
// Apply port based exclusions. Must be applied before connections back to self are redirected.
if cfg.cfg.OutboundPortsExclude != "" {
@@ -509,6 +509,10 @@ func (cfg *IptablesConfigurator) Run() error {
cfg.handleOutboundIncludeRules(ipv6RangesInclude, cfg.ruleBuilder.AppendRuleV6, cfg.ruleBuilder.InsertRuleV6)

if redirectDNS {
// Jump from OUTPUT chain to ISTIOOUTPUT chain for all UDP traffic
cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.NAT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
cfg.ruleBuilder.AppendRule(iptableslog.JumpOutbound, constants.OUTPUT, constants.RAW, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)

HandleDNSUDP(
AppendOps, cfg.ruleBuilder, cfg.ext, &iptVer, &ipt6Ver,
cfg.cfg.ProxyUID, cfg.cfg.ProxyGID,
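Review bot: confirm the two new jumps are emitted for ip6tables as well. The context line just above uses `cfg.ruleBuilder.AppendRuleV6` explicitly for the IPv6 include ranges, while the new calls use plain `AppendRule`; the cleanup goldens delete `-p udp -j ISTIO_OUTPUT` from both `iptables` and `ip6tables` in nat and raw, so the install side has to add all four. If `AppendRule` writes to both families this is fine; if it is IPv4-only, the ip6tables jumps are missing. Also, `-j ISTIO_OUTPUT` in the raw table requires the chain to exist first; the CNI golden shows `-N ISTIO_OUTPUT` ahead of the raw jump, so a one-line comment here noting that dependency on chain creation would help keep that order intact.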
@@ -616,7 +620,7 @@ func HandleDNSUDP(
ext: ext,
ops: ops,
table: constants.NAT,
chain: constants.OUTPUT,
Contributor

You need to insert the jump to the istio chain, since we are no longer using the default one.

Contributor Author

Thank you, @bleggett! I've added the required jumps in the latest commit. The integration tests look OK now.

chain: constants.ISTIOOUTPUT,
iptV: iptV,
ipt6V: ipt6V,
}
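Review bot: the switch from `constants.OUTPUT` to `constants.ISTIOOUTPUT` shown here is the nat-table block of HandleDNSUDP only; the goldens move the raw-table CT-zone rules into ISTIO_OUTPUT too, so the matching raw struct outside this hunk needs the same change, and, as the thread above already notes, the OUTPUT to ISTIO_OUTPUT jumps have to be installed for both tables or these rules are never reached. A short comment on the `chain:` field saying that the jump now lives in Run() would save the next reader the same question.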