From f71c826f8d66f2d3697a9ce535d9a35091ab0512 Mon Sep 17 00:00:00 2001
From: "linzhengchun.lzc"
Date: Wed, 5 Sep 2018 14:47:18 +0800
Subject: [PATCH] Close #23 disable OutboundIPRanges configuration when OutboundPorts set
---
 .../templates/sidecar-injector-configmap.yaml | 5 ++--
 tools/deb/istio-iptables.sh | 30 +++++++++----------
 2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml b/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
index d95afc36f87d..457842317c02 100644
--- a/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
+++ b/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
@@ -31,11 +31,11 @@ data:
 {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundPorts\") -]]" }}
 - "-o"
 {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundPorts\" ]]\"" }}
- {{ "[[ end -]]" }}
 {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundPorts\") -]]" }}
 - "-z"
 {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundPorts\" ]]\"" }}
- {{ "[[ end -]]" }}
+ {{ "[[ end -]]" }}
+ {{ "[[ else -]]" }}
 - "-i"
 {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }}
 {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"" }}
@@ -48,6 +48,7 @@ data:
 {{ "[[ else -]]" }}
 - "{{ .Values.global.proxy.excludeIPRanges }}"
 {{ "[[ end -]]" }}
+ {{ "[[ end -]]" }}
 - "-b"
 {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }}
 {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"" }}
diff --git a/tools/deb/istio-iptables.sh b/tools/deb/istio-iptables.sh
index c4bfa23a67b6..edefd04d2c78 100755
--- a/tools/deb/istio-iptables.sh
+++ b/tools/deb/istio-iptables.sh
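Review bot: The new `[[ else -]]` means the `-i`/`-x` arguments — including the chart-wide `.Values.global.proxy.excludeIPRanges` fallback visible in the second hunk — are no longer emitted for any pod carrying `traffic.sidecar.istio.io/includeOutboundPorts`, so a per-pod annotation now overrides an operator's cluster-level IP-range exclusion; that matches the commit title, but nothing in the template records the precedence. The same restructuring nests `excludeOutboundPorts` under `includeOutboundPorts`, so an `excludeOutboundPorts` annotation set on its own is now dropped silently, which is consistent with the script hunk where `OUTBOUND_PORTS_EXCLUDE` is only read inside the `-o` branch. A Helm comment on the line before the first `[[ if`, e.g. `{{/* includeOutboundPorts takes precedence: when set, the -i/-x IP-range flags are not passed and excludeOutboundPorts is only applied together with it */}}`, would make this visible to the next chart editor without reaching the rendered injector template. The argument list these entries belong to begins outside the hunk.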
@@ -287,24 +287,22 @@ done
 iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
 if [ -n "${OUTBOUND_PORTS_INCLUDE}" ]; then
- if [ -n "${OUTBOUND_PORTS_INCLUDE}" ]; then
- if [ "${OUTBOUND_PORTS_INCLUDE}" == "*" ]; then
- # Redirect exclusions must be applied before inclusions.
- if [ -n "${OUTBOUND_PORTS_EXCLUDE}" ]; then
- for port in ${OUTBOUND_PORTS_EXCLUDE}; do
- iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j RETURN
- done
- fi
- # Redirect remaining outbound traffic to Envoy
- iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT
- else
- # User has specified a non-empty list of ports to be redirected to Envoy.
- for port in ${OUTBOUND_PORTS_INCLUDE}; do
- iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j ISTIO_REDIRECT
+ if [ "${OUTBOUND_PORTS_INCLUDE}" == "*" ]; then
+ # Redirect exclusions must be applied before inclusions.
+ if [ -n "${OUTBOUND_PORTS_EXCLUDE}" ]; then
+ for port in ${OUTBOUND_PORTS_EXCLUDE}; do
+ iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j RETURN
 done
- # All other traffic is not redirected.
- iptables -t nat -A ISTIO_OUTPUT -j RETURN
 fi
+ # Redirect remaining outbound traffic to Envoy
+ iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT
+ else
+ # User has specified a non-empty list of ports to be redirected to Envoy.
+ for port in ${OUTBOUND_PORTS_INCLUDE}; do
+ iptables -t nat -A ISTIO_OUTPUT -p tcp --dport ${port} -j ISTIO_REDIRECT
+ done
+ # All other traffic is not redirected.
+ iptables -t nat -A ISTIO_OUTPUT -j RETURN
 fi
 else
 if [ "${OUTBOUND_IP_RANGES_INCLUDE}" == "*" ]; then