chore(transparentproxy) iptables DNS rules order (#1821)

Signed-off-by: Nikolay Nikolaev <nikolay.nikolaev@konghq.com>

app/kumactl/cmd/completion/testdata/bash.golden

@@ -2401,6 +2401,9 @@ _kumactl_install_transparent-proxy()
     flags+=("--redirect-dns-port=")
     two_word_flags+=("--redirect-dns-port")
     local_nonpersistent_flags+=("--redirect-dns-port=")
+    flags+=("--redirect-dns-upstream-target-chain=")
+    two_word_flags+=("--redirect-dns-upstream-target-chain")
+    local_nonpersistent_flags+=("--redirect-dns-upstream-target-chain=")
     flags+=("--redirect-inbound")
     local_nonpersistent_flags+=("--redirect-inbound")
     flags+=("--redirect-inbound-port=")

app/kumactl/cmd/completion/testdata/zsh.golden

@@ -977,6 +977,7 @@ function _kumactl_install_transparent-proxy {
     '--modify-resolv-conf[skip modifying the host `/etc/resolv.conf`]' \
     '--redirect-dns[redirect the DNS requests to a specified port]' \
     '--redirect-dns-port[the port where the DNS agent is listening]:' \
+    '--redirect-dns-upstream-target-chain[(optional) the iptables chain where the upstream DNS requests should be directed to. Use with care.]:' \
     '--redirect-inbound[redirect the inbound traffic to the Envoy. Should be disabled for Gateway data plane proxies.]' \
     '--redirect-inbound-port[inbound port redirected to Envoy, as specified in dataplane'\''s `networking.transparentProxying.redirectPortInbound`]:' \
     '--redirect-inbound-port-v6[IPv6 inbound port redirected to Envoy, as specified in dataplane'\''s `networking.transparentProxying.redirectPortInboundV6`]:' \

app/kumactl/cmd/install/install_transparent_proxy.go

@@ -20,42 +20,44 @@ import (
 )
 
 type transparenProxyArgs struct {
-	DryRun                bool
-	ModifyIptables        bool
-	RedirectPortOutBound  string
-	RedirectInbound       bool
-	RedirectPortInBound   string
-	RedirectPortInBoundV6 string
-	ExcludeInboundPorts   string
-	ExcludeOutboundPorts  string
-	UID                   string
-	User                  string
-	RedirectDNS           bool
-	AgentDNSListenerPort  string
-	ModifyResolvConf      bool
-	StoreFirewalld        bool
-	KumaCpIP              net.IP
+	DryRun                 bool
+	ModifyIptables         bool
+	RedirectPortOutBound   string
+	RedirectInbound        bool
+	RedirectPortInBound    string
+	RedirectPortInBoundV6  string
+	ExcludeInboundPorts    string
+	ExcludeOutboundPorts   string
+	UID                    string
+	User                   string
+	RedirectDNS            bool
+	AgentDNSListenerPort   string
+	DNSUpstreamTargetChain string
+	ModifyResolvConf       bool
+	StoreFirewalld         bool
+	KumaCpIP               net.IP
 }
 
 var defaultCpIP = net.IPv4(0, 0, 0, 0)
 
 func newInstallTransparentProxy() *cobra.Command {
 	args := transparenProxyArgs{
-		DryRun:                false,
-		ModifyIptables:        true,
-		RedirectPortOutBound:  "15001",
-		RedirectInbound:       true,
-		RedirectPortInBound:   "15006",
-		RedirectPortInBoundV6: "15010",
-		ExcludeInboundPorts:   "",
-		ExcludeOutboundPorts:  "",
-		UID:                   "",
-		User:                  "",
-		RedirectDNS:           false,
-		AgentDNSListenerPort:  "15053",
-		ModifyResolvConf:      false,
-		StoreFirewalld:        false,
-		KumaCpIP:              defaultCpIP,
+		DryRun:                 false,
+		ModifyIptables:         true,
+		RedirectPortOutBound:   "15001",
+		RedirectInbound:        true,
+		RedirectPortInBound:    "15006",
+		RedirectPortInBoundV6:  "15010",
+		ExcludeInboundPorts:    "",
+		ExcludeOutboundPorts:   "",
+		UID:                    "",
+		User:                   "",
+		RedirectDNS:            false,
+		AgentDNSListenerPort:   "15053",
+		DNSUpstreamTargetChain: "RETURN",
+		ModifyResolvConf:       false,
+		StoreFirewalld:         false,
+		KumaCpIP:               defaultCpIP,
 	}
 	cmd := &cobra.Command{
 		Use:   "transparent-proxy",
@@ -158,6 +160,7 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringVar(&args.UID, "kuma-dp-uid", args.UID, "the UID of the user that will run kuma-dp")
 	cmd.Flags().BoolVar(&args.RedirectDNS, "redirect-dns", args.RedirectDNS, "redirect the DNS requests to a specified port")
 	cmd.Flags().StringVar(&args.AgentDNSListenerPort, "redirect-dns-port", args.AgentDNSListenerPort, "the port where the DNS agent is listening")
+	cmd.Flags().StringVar(&args.DNSUpstreamTargetChain, "redirect-dns-upstream-target-chain", args.DNSUpstreamTargetChain, "(optional) the iptables chain where the upstream DNS requests should be directed to. Use with care.")
 	cmd.Flags().BoolVar(&args.ModifyResolvConf, "modify-resolv-conf", args.ModifyResolvConf, "skip modifying the host `/etc/resolv.conf`")
 	cmd.Flags().BoolVar(&args.StoreFirewalld, "store-firewalld", args.StoreFirewalld, "store the iptables changes with firewalld")
 	cmd.Flags().IPVar(&args.KumaCpIP, "kuma-cp-ip", args.KumaCpIP, "the IP address of the Kuma CP which exposes the DNS service on port 53.")
@@ -190,17 +193,18 @@ func modifyIpTables(cmd *cobra.Command, args *transparenProxyArgs) error {
 		_, _ = cmd.OutOrStdout().Write([]byte("kumactl is about to apply the iptables rules that will enable transparent proxying on the machine. The SSH connection may drop. If that happens, just reconnect again."))
 	}
 	output, err := tp.Setup(&config.TransparentProxyConfig{
-		DryRun:                args.DryRun,
-		RedirectPortOutBound:  args.RedirectPortOutBound,
-		RedirectInBound:       args.RedirectInbound,
-		RedirectPortInBound:   args.RedirectPortInBound,
-		RedirectPortInBoundV6: args.RedirectPortInBoundV6,
-		ExcludeInboundPorts:   args.ExcludeInboundPorts,
-		ExcludeOutboundPorts:  args.ExcludeOutboundPorts,
-		UID:                   uid,
-		GID:                   gid,
-		RedirectDNS:           args.RedirectDNS,
-		AgentDNSListenerPort:  args.AgentDNSListenerPort,
+		DryRun:                 args.DryRun,
+		RedirectPortOutBound:   args.RedirectPortOutBound,
+		RedirectInBound:        args.RedirectInbound,
+		RedirectPortInBound:    args.RedirectPortInBound,
+		RedirectPortInBoundV6:  args.RedirectPortInBoundV6,
+		ExcludeInboundPorts:    args.ExcludeInboundPorts,
+		ExcludeOutboundPorts:   args.ExcludeOutboundPorts,
+		UID:                    uid,
+		GID:                    gid,
+		RedirectDNS:            args.RedirectDNS,
+		AgentDNSListenerPort:   args.AgentDNSListenerPort,
+		DNSUpstreamTargetChain: args.DNSUpstreamTargetChain,
 	})
 	if err != nil {
 		return errors.Wrap(err, "failed to setup transparent proxy")

app/kumactl/cmd/install/install_transparent_proxy_test.go

@@ -76,6 +76,7 @@ var _ = Describe("kumactl install tracing", func() {
 				"--kuma-cp-ip", "1.2.3.4",
 				"--redirect-dns",
 				"--redirect-dns-port", "12345",
+				"--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT",
 			},
 			goldenFile: "install-transparent-proxy.dns.golden.txt",
 		}),

app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.golden.txt

@@ -11,14 +11,14 @@
 -A OUTPUT -p tcp -j (.*)_OUTPUT
 -A (.*)_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
 -A (.*)_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 53 -m owner --uid-owner 0 -j (.*)_IN_REDIRECT
--A (.*)_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --uid-owner 0 -j RETURN
+-A (.*)_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --uid-owner 0 -j DOCKER_OUTPUT
 -A (.*)_OUTPUT -m owner --uid-owner 0 -j RETURN
 -A (.*)_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --gid-owner 0 -j (.*)_IN_REDIRECT
--A (.*)_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 0 -j RETURN
+-A (.*)_OUTPUT -o lo -p tcp ! --dport 53 -m owner ! --gid-owner 0 -j DOCKER_OUTPUT
 -A (.*)_OUTPUT -m owner --gid-owner 0 -j RETURN
 -A (.*)_OUTPUT -p tcp --dport 53 -d (.*) -j REDIRECT --to-ports 12345
 -A (.*)_OUTPUT -d 127.0.0.1/32 -j RETURN
 -A (.*)_OUTPUT -j (.*)_REDIRECT
--A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j RETURN
--A OUTPUT -p udp --dport 53 -m owner --gid-owner 0 -j RETURN
--A OUTPUT -p udp --dport 53 -d (.*) -j REDIRECT --to-port 12345
+-I OUTPUT 1 -p udp --dport 53 -m owner --uid-owner 0 -j DOCKER_OUTPUT
+-I OUTPUT 2 -p udp --dport 53 -m owner --gid-owner 0 -j DOCKER_OUTPUT
+-I OUTPUT 3 -p udp --dport 53 -d (.*) -j REDIRECT --to-port 12345

pkg/transparentproxy/config/config.go

@@ -1,15 +1,16 @@
 package config
 
 type TransparentProxyConfig struct {
-	DryRun                bool
-	RedirectPortOutBound  string
-	RedirectInBound       bool
-	RedirectPortInBound   string
-	RedirectPortInBoundV6 string
-	ExcludeInboundPorts   string
-	ExcludeOutboundPorts  string
-	UID                   string
-	GID                   string
-	RedirectDNS           bool
-	AgentDNSListenerPort  string
+	DryRun                 bool
+	RedirectPortOutBound   string
+	RedirectInBound        bool
+	RedirectPortInBound    string
+	RedirectPortInBoundV6  string
+	ExcludeInboundPorts    string
+	ExcludeOutboundPorts   string
+	UID                    string
+	GID                    string
+	RedirectDNS            bool
+	AgentDNSListenerPort   string
+	DNSUpstreamTargetChain string
 }

pkg/transparentproxy/istio/istio.go

@@ -43,6 +43,7 @@ func (tp *IstioTransparentProxy) Setup(cfg *config.TransparentProxyConfig) (stri
 	viper.Set(constants.RunValidation, false)
 	viper.Set(constants.RedirectDNS, cfg.RedirectDNS)
 	viper.Set(constants.AgentDNSListenerPort, cfg.AgentDNSListenerPort)
+	viper.Set(constants.DNSUpstreamTargetChain, cfg.DNSUpstreamTargetChain)
 
 	tp.redirectStdOutStdErr()
 	defer func() {
@@ -65,6 +66,7 @@ func (tp *IstioTransparentProxy) Setup(cfg *config.TransparentProxyConfig) (stri
 func (tp *IstioTransparentProxy) Cleanup(dryRun bool) (string, error) {
 
 	viper.Set(constants.DryRun, dryRun)
+	viper.Set(constants.DNSUpstreamTargetChain, "")
 
 	tp.redirectStdOutStdErr()
 	defer func() {

pkg/transparentproxy/istio/tools/istio-clean-iptables/pkg/cmd/cleanup.go

@@ -41,6 +41,7 @@ func removeOldChains(cfg *config.Config, ext dep.Dependencies, cmd string) {
 	if redirectDNS {
 		common.HandleDNSUDP(common.DeleteOps, builder.NewIptablesBuilder(), ext, cmd,
 			cfg.AgentDNSListenerPort,
+			cfg.DNSUpstreamTargetChain,
 			cfg.ProxyUID, cfg.ProxyGID, cfg.DNSServersV4)
 	}
 

pkg/transparentproxy/istio/tools/istio-clean-iptables/pkg/cmd/root.go

@@ -51,11 +51,12 @@ var rootCmd = &cobra.Command{
 
 func constructConfig() *config.Config {
 	cfg := &config.Config{
-		DryRun:               viper.GetBool(constants.DryRun),
-		ProxyUID:             viper.GetString(constants.ProxyUID),
-		ProxyGID:             viper.GetString(constants.ProxyGID),
-		RedirectDNS:          viper.GetBool(constants.RedirectDNS),
-		AgentDNSListenerPort: viper.GetString(constants.AgentDNSListenerPort),
+		DryRun:                 viper.GetBool(constants.DryRun),
+		ProxyUID:               viper.GetString(constants.ProxyUID),
+		ProxyGID:               viper.GetString(constants.ProxyGID),
+		RedirectDNS:            viper.GetBool(constants.RedirectDNS),
+		AgentDNSListenerPort:   viper.GetString(constants.AgentDNSListenerPort),
+		DNSUpstreamTargetChain: viper.GetString(constants.DNSUpstreamTargetChain),
 	}
 
 	// TODO: Make this more configurable, maybe with an allowlist of users to be captured for output instead of a denylist.
@@ -120,6 +121,11 @@ func bindFlags(cmd *cobra.Command, args []string) {
 		handleError(err)
 	}
 	viper.SetDefault(constants.AgentDNSListenerPort, constants.IstioAgentDNSListenerPort)
+
+	if err := viper.BindPFlag(constants.DNSUpstreamTargetChain, cmd.Flags().Lookup(constants.DNSUpstreamTargetChain)); err != nil {
+		handleError(err)
+	}
+	viper.SetDefault(constants.DNSUpstreamTargetChain, constants.RETURN)
 }
 
 // https://github.com/spf13/viper/issues/233.

pkg/transparentproxy/istio/tools/istio-clean-iptables/pkg/config/config.go

@@ -22,13 +22,14 @@ import (
 // Command line options
 // nolint: maligned
 type Config struct {
-	DryRun               bool     `json:"DRY_RUN"`
-	ProxyUID             string   `json:"PROXY_UID"`
-	ProxyGID             string   `json:"PROXY_GID"`
-	RedirectDNS          bool     `json:"REDIRECT_DNS"`
-	DNSServersV4         []string `json:"DNS_SERVERS_V4"`
-	DNSServersV6         []string `json:"DNS_SERVERS_V6"`
-	AgentDNSListenerPort string   `json:"AGENT_DNS_LISTENER_PORT"`
+	DryRun                 bool     `json:"DRY_RUN"`
+	ProxyUID               string   `json:"PROXY_UID"`
+	ProxyGID               string   `json:"PROXY_GID"`
+	RedirectDNS            bool     `json:"REDIRECT_DNS"`
+	DNSServersV4           []string `json:"DNS_SERVERS_V4"`
+	DNSServersV6           []string `json:"DNS_SERVERS_V6"`
+	AgentDNSListenerPort   string   `json:"AGENT_DNS_LISTENER_PORT"`
+	DNSUpstreamTargetChain string   `json:"DNS_UPSTREAM_TARGET_CHAIN"`
 }
 
 func (c *Config) String() string {
@@ -48,5 +49,6 @@ func (c *Config) Print() {
 	fmt.Printf("DNS_CAPTURE=%t\n", c.RedirectDNS)
 	fmt.Printf("DNS_SERVERS=%s,%s\n", c.DNSServersV4, c.DNSServersV6)
 	fmt.Printf("AGENT_DNS_LISTENER_PORT=%s\n", c.AgentDNSListenerPort)
+	fmt.Printf("DNS_UPSTREAM_TARGET_CHAIN=%s\n", c.DNSUpstreamTargetChain)
 	fmt.Println("")
 }

pkg/transparentproxy/istio/tools/istio-iptables/pkg/cmd/root.go

@@ -100,6 +100,7 @@ func constructConfig() *config.Config {
 		RunValidation:           viper.GetBool(constants.RunValidation),
 		RedirectDNS:             viper.GetBool(constants.RedirectDNS),
 		AgentDNSListenerPort:    viper.GetString(constants.AgentDNSListenerPort),
+		DNSUpstreamTargetChain:  viper.GetString(constants.DNSUpstreamTargetChain),
 	}
 
 	// TODO: Make this more configurable, maybe with an allowlist of users to be captured for output instead of a denylist.
@@ -312,6 +313,11 @@ func bindFlags(cmd *cobra.Command, args []string) {
 		handleError(err)
 	}
 	viper.SetDefault(constants.AgentDNSListenerPort, constants.IstioAgentDNSListenerPort)
+
+	if err := viper.BindPFlag(constants.DNSUpstreamTargetChain, cmd.Flags().Lookup(constants.DNSUpstreamTargetChain)); err != nil {
+		handleError(err)
+	}
+	viper.SetDefault(constants.DNSUpstreamTargetChain, constants.RETURN)
 }
 
 // https://github.com/spf13/viper/issues/233.