
Commit 8dccabb

authored
injector: rename iptables chains for clarity (#4379)
Renames the iptables chains and prefixes the custom chains with `OSM_` to indicate these chains are owned by OSM. It renames the custom chains as follows:
PROXY_INBOUND -> OSM_PROXY_INBOUND
PROXY_OUTPUT -> OSM_PROXY_OUTBOUND
PROXY_IN_REDIRECT -> OSM_PROXY_IN_REDIRECT
PROXY_REDIRECT -> OSM_PROXY_OUT_REDIRECT
Signed-off-by: Shashank Ram <[email protected]>
1 parent 6d99e8a commit 8dccabb

3 files changed

+62
-62
lines changed


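--- a/pkg/injector/init_container_test.go
+++ b/pkg/injector/init_container_test.go
@@ -38,23 +38,23 @@ var _ = Describe("Test functions creating Envoy bootstrap configuration", func()
 `iptables-restore --noflush <<EOF
 # OSM sidecar interception rules
 *nat
-:PROXY_INBOUND - [0:0]
-:PROXY_IN_REDIRECT - [0:0]
-:PROXY_OUTPUT - [0:0]
-:PROXY_REDIRECT - [0:0]
--A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
--A PREROUTING -p tcp -j PROXY_INBOUND
--A PROXY_INBOUND -p tcp --dport 15010 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15901 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15902 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15903 -j RETURN
--A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
--A PROXY_REDIRECT -p tcp -j REDIRECT --to-port 15001
--A PROXY_REDIRECT -p tcp --dport 15000 -j ACCEPT
--A OUTPUT -p tcp -j PROXY_OUTPUT
--A PROXY_OUTPUT -m owner --uid-owner 1500 -j RETURN
--A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN
--A PROXY_OUTPUT -j PROXY_REDIRECT
+:OSM_PROXY_INBOUND - [0:0]
+:OSM_PROXY_IN_REDIRECT - [0:0]
+:OSM_PROXY_OUTBOUND - [0:0]
+:OSM_PROXY_OUT_REDIRECT - [0:0]
+-A OSM_PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+-A PREROUTING -p tcp -j OSM_PROXY_INBOUND
+-A OSM_PROXY_INBOUND -p tcp --dport 15010 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15901 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15902 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15903 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp -j OSM_PROXY_IN_REDIRECT
+-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+-A OSM_PROXY_OUT_REDIRECT -p tcp --dport 15000 -j ACCEPT
+-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND
+-A OSM_PROXY_OUTBOUND -m owner --uid-owner 1500 -j RETURN
+-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT
 COMMIT
 EOF
 `,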

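--- a/pkg/injector/iptables.go
+++ b/pkg/injector/iptables.go
@@ -10,45 +10,45 @@ import (
 
 // iptablesOutboundStaticRules is the list of iptables rules related to outbound traffic interception and redirection
 var iptablesOutboundStaticRules = []string{
-// Redirects outbound TCP traffic hitting PROXY_REDIRECT chain to Envoy's outbound listener port
-fmt.Sprintf("-A PROXY_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyOutboundListenerPort),
+// Redirects outbound TCP traffic hitting OSM_PROXY_OUT_REDIRECT chain to Envoy's outbound listener port
+fmt.Sprintf("-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyOutboundListenerPort),
 
 // Traffic to the Proxy Admin port flows to the Proxy -- not redirected
-fmt.Sprintf("-A PROXY_REDIRECT -p tcp --dport %d -j ACCEPT", constants.EnvoyAdminPort),
+fmt.Sprintf("-A OSM_PROXY_OUT_REDIRECT -p tcp --dport %d -j ACCEPT", constants.EnvoyAdminPort),
 
-// For outbound TCP traffic jump from OUTPUT chain to PROXY_OUTPUT chain
-"-A OUTPUT -p tcp -j PROXY_OUTPUT",
+// For outbound TCP traffic jump from OUTPUT chain to OSM_PROXY_OUTBOUND chain
+"-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND",
 
 // Don't redirect Envoy traffic back to itself, return it to the next chain for processing
-fmt.Sprintf("-A PROXY_OUTPUT -m owner --uid-owner %d -j RETURN", constants.EnvoyUID),
+fmt.Sprintf("-A OSM_PROXY_OUTBOUND -m owner --uid-owner %d -j RETURN", constants.EnvoyUID),
 
 // Skip localhost traffic, doesn't need to be routed via the proxy
-"-A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN",
+"-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN",
 
 // Redirect remaining outbound traffic to Envoy
-"-A PROXY_OUTPUT -j PROXY_REDIRECT",
+"-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT",
 }
 
 // iptablesInboundStaticRules is the list of iptables rules related to inbound traffic interception and redirection
 var iptablesInboundStaticRules = []string{
-// Redirects inbound TCP traffic hitting the PROXY_IN_REDIRECT chain to Envoy's inbound listener port
-fmt.Sprintf("-A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyInboundListenerPort),
+// Redirects inbound TCP traffic hitting the OSM_PROXY_IN_REDIRECT chain to Envoy's inbound listener port
+fmt.Sprintf("-A OSM_PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyInboundListenerPort),
 
-// For inbound traffic jump from PREROUTING chain to PROXY_INBOUND chain
-"-A PREROUTING -p tcp -j PROXY_INBOUND",
+// For inbound traffic jump from PREROUTING chain to OSM_PROXY_INBOUND chain
+"-A PREROUTING -p tcp -j OSM_PROXY_INBOUND",
 
 // Skip metrics query traffic being directed to Envoy's inbound prometheus listener port
-fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", constants.EnvoyPrometheusInboundListenerPort),
+fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", constants.EnvoyPrometheusInboundListenerPort),
 
 // Skip inbound health probes; These ports will be explicitly handled by listeners configured on the
 // Envoy proxy IF any health probes have been configured in the Pod Spec.
 // TODO(draychev): Do not add these if no health probes have been defined (https://github.com/openservicemesh/osm/issues/2243)
-fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", livenessProbePort),
-fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", readinessProbePort),
-fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", startupProbePort),
+fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", livenessProbePort),
+fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", readinessProbePort),
+fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", startupProbePort),
 
 // Redirect remaining inbound traffic to Envoy
-"-A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT",
+"-A OSM_PROXY_INBOUND -p tcp -j OSM_PROXY_IN_REDIRECT",
 }
 
 // generateIptablesCommands generates a list of iptables commands to set up sidecar interception and redirection
@@ -57,10 +57,10 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 
 fmt.Fprintln(&rules, `# OSM sidecar interception rules
 *nat
-:PROXY_INBOUND - [0:0]
-:PROXY_IN_REDIRECT - [0:0]
-:PROXY_OUTPUT - [0:0]
-:PROXY_REDIRECT - [0:0]`)
+:OSM_PROXY_INBOUND - [0:0]
+:OSM_PROXY_IN_REDIRECT - [0:0]
+:OSM_PROXY_OUTBOUND - [0:0]
+:OSM_PROXY_OUT_REDIRECT - [0:0]`)
 var cmds []string
 
 // 1. Create inbound rules
@@ -73,7 +73,7 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 portExclusionListStr = append(portExclusionListStr, strconv.Itoa(port))
 }
 inboundPortsToExclude := strings.Join(portExclusionListStr, ",")
-rule := fmt.Sprintf("-I PROXY_INBOUND -p tcp --match multiport --dports %s -j RETURN", inboundPortsToExclude)
+rule := fmt.Sprintf("-I OSM_PROXY_INBOUND -p tcp --match multiport --dports %s -j RETURN", inboundPortsToExclude)
 cmds = append(cmds, rule)
 }
 
@@ -84,7 +84,7 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 for _, cidr := range outboundIPRangeExclusionList {
 // *Note: it is important to use the insert option '-I' instead of the append option '-A' to ensure the exclusion
 // rules take precedence over the static redirection rules. Iptables rules are evaluated in order.
-rule := fmt.Sprintf("-I PROXY_OUTPUT -d %s -j RETURN", cidr)
+rule := fmt.Sprintf("-I OSM_PROXY_OUTBOUND -d %s -j RETURN", cidr)
 cmds = append(cmds, rule)
 }
 
@@ -95,7 +95,7 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 portExclusionListStr = append(portExclusionListStr, strconv.Itoa(port))
 }
 outboundPortsToExclude := strings.Join(portExclusionListStr, ",")
-rule := fmt.Sprintf("-I PROXY_OUTPUT -p tcp --match multiport --dports %s -j RETURN", outboundPortsToExclude)
+rule := fmt.Sprintf("-I OSM_PROXY_OUTBOUND -p tcp --match multiport --dports %s -j RETURN", outboundPortsToExclude)
 cmds = append(cmds, rule)
 }
 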
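Review bot: The four chain names remain bare string literals at every site — both static rule lists, the `:CHAIN - [0:0]` declarations written by fmt.Fprintln in generateIptablesCommands, and the three `-I` exclusion rules in the later hunks — so this rename had to touch every one of them and nothing ties a jump target to its declaration; if one site drifts, iptables-restore would reject a jump to an undeclared chain and, presumably, the init container would fail and the pod would come up without interception. Since the `OSM_` prefix now encodes ownership, hoisting the names into a const block and building every rule (and the test expectations) from those constants keeps the contract in one place. A doc comment on that block such as `// Chains OSM creates in the nat table; the OSM_ prefix marks them as owned by the sidecar injector rather than the host or another mesh.` would record the rationale given in the commit message. The body of generateIptablesCommands starts before and continues past these hunks.
```go
const (
	osmInboundChain     = "OSM_PROXY_INBOUND"
	osmInboundRedirect  = "OSM_PROXY_IN_REDIRECT"
	osmOutboundChain    = "OSM_PROXY_OUTBOUND"
	osmOutboundRedirect = "OSM_PROXY_OUT_REDIRECT"
)

var iptablesOutboundStaticRules = []string{
	fmt.Sprintf("-A %s -p tcp -j REDIRECT --to-port %d", osmOutboundRedirect, constants.EnvoyOutboundListenerPort),
	// … unchanged: remaining outbound rules, each formatted from the constants …
}
```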

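--- a/pkg/injector/iptables_test.go
+++ b/pkg/injector/iptables_test.go
@@ -18,27 +18,27 @@ func TestGenerateIptablesCommands(t *testing.T) {
 expected := `iptables-restore --noflush <<EOF
 # OSM sidecar interception rules
 *nat
-:PROXY_INBOUND - [0:0]
-:PROXY_IN_REDIRECT - [0:0]
-:PROXY_OUTPUT - [0:0]
-:PROXY_REDIRECT - [0:0]
--A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
--A PREROUTING -p tcp -j PROXY_INBOUND
--A PROXY_INBOUND -p tcp --dport 15010 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15901 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15902 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15903 -j RETURN
--A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
--I PROXY_INBOUND -p tcp --match multiport --dports 30,40 -j RETURN
--A PROXY_REDIRECT -p tcp -j REDIRECT --to-port 15001
--A PROXY_REDIRECT -p tcp --dport 15000 -j ACCEPT
--A OUTPUT -p tcp -j PROXY_OUTPUT
--A PROXY_OUTPUT -m owner --uid-owner 1500 -j RETURN
--A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN
--A PROXY_OUTPUT -j PROXY_REDIRECT
--I PROXY_OUTPUT -d 1.1.1.1/32 -j RETURN
--I PROXY_OUTPUT -d 2.2.2.2/32 -j RETURN
--I PROXY_OUTPUT -p tcp --match multiport --dports 10,20 -j RETURN
+:OSM_PROXY_INBOUND - [0:0]
+:OSM_PROXY_IN_REDIRECT - [0:0]
+:OSM_PROXY_OUTBOUND - [0:0]
+:OSM_PROXY_OUT_REDIRECT - [0:0]
+-A OSM_PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+-A PREROUTING -p tcp -j OSM_PROXY_INBOUND
+-A OSM_PROXY_INBOUND -p tcp --dport 15010 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15901 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15902 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15903 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp -j OSM_PROXY_IN_REDIRECT
+-I OSM_PROXY_INBOUND -p tcp --match multiport --dports 30,40 -j RETURN
+-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+-A OSM_PROXY_OUT_REDIRECT -p tcp --dport 15000 -j ACCEPT
+-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND
+-A OSM_PROXY_OUTBOUND -m owner --uid-owner 1500 -j RETURN
+-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT
+-I OSM_PROXY_OUTBOUND -d 1.1.1.1/32 -j RETURN
+-I OSM_PROXY_OUTBOUND -d 2.2.2.2/32 -j RETURN
+-I OSM_PROXY_OUTBOUND -p tcp --match multiport --dports 10,20 -j RETURN
 COMMIT
 EOF
 `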
