From 902f20f12e61f9800bc3238330f9b131b3ef0620 Mon Sep 17 00:00:00 2001
From: Viktor Tuska
Date: Thu, 8 Feb 2024 15:22:36 +0100
Subject: [PATCH 1/2] Use skip-subnets setting for outbound network traffic
https://github.com/linkerd/linkerd2/issues/10726 config.linkerd.io/skip-subnets is only skipping inbound traffic for the subnet, The documentation does not mention inbound only. This change adds the skip subnet cidr blocks to the Outgoing Traffic Rules. After this change the PROXY_INIT_OUTPUT iptables table contains the necessary rules.
Signed-off-by: Viktor Tuska
---
 internal/iptables/iptables.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/internal/iptables/iptables.go b/internal/iptables/iptables.go
index 4356c04b..98192ddc 100644
--- a/internal/iptables/iptables.go
+++ b/internal/iptables/iptables.go
@@ -119,6 +119,8 @@ func (fc FirewallConfiguration) addOutgoingTrafficRules(existingRules []byte, co
 	// Ignore loopback
 	commands = append(commands, fc.makeIgnoreLoopback(outputChainName, "ignore-loopback"))
 
+	// Ignore subnets
+	commands = fc.addRulesForIgnoredSubnets(outputChainName, "d", commands)
 	// Ignore ports
 	commands = fc.addRulesForIgnoredPorts(fc.OutboundPortsToIgnore, outputChainName, commands)
 
@@ -145,7 +147,7 @@ func (fc FirewallConfiguration) addIncomingTrafficRules(existingRules []byte, co
 		commands = append(commands, fc.makeFlushChain(redirectChainName))
 	}
 	commands = fc.addRulesForIgnoredPorts(fc.InboundPortsToIgnore, redirectChainName, commands)
-	commands = fc.addRulesForIgnoredSubnets(redirectChainName, commands)
+	commands = fc.addRulesForIgnoredSubnets(redirectChainName, "s", commands)
 	commands = fc.addRulesForInboundPortRedirect(redirectChainName, commands)
 
 	if preroutingRuleRegex.Find(existingRules) == nil {
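Review bot: The new call `fc.addRulesForIgnoredSubnets(outputChainName, "d", commands)` selects the iptables address match with a bare one-letter string, and the same stringly-typed value is threaded through the new `dFlag` parameter in the `addRulesForIgnoredSubnets` and `makeIgnoreSubnet` hunks of this patch; a typo or an empty string there is only caught when iptables rejects the rule at proxy-init time, and the name `dFlag` is misleading when it carries `"s"` for the inbound chain. I would replace the letters with named constants holding the complete flag, e.g. `const (matchSource = "-s"; matchDestination = "-d")`, pass `matchDestination` here and `matchSource` in `addIncomingTrafficRules`, and have `makeIgnoreSubnet` take a `matchFlag string` that it emits as-is instead of building `"-" + dFlag`. Because the `-p all -j RETURN` rule now also lands in the nat OUTPUT chain, connections to an ignored subnet leave the pod without passing through the proxy, so the skip-subnets documentation the description mentions should state that the setting now bypasses the proxy in both directions. The body of addOutgoingTrafficRules continues outside the hunk.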
@@ -191,9 +193,9 @@ func (fc FirewallConfiguration) addRulesForIgnoredPorts(portsToIgnore []string,
 	return commands
 }
 
-func (fc FirewallConfiguration) addRulesForIgnoredSubnets(chainName string, commands []*exec.Cmd) []*exec.Cmd {
+func (fc FirewallConfiguration) addRulesForIgnoredSubnets(chainName string, dFlag string, commands []*exec.Cmd) []*exec.Cmd {
 	for _, subnet := range fc.SubnetsToIgnore {
-		commands = append(commands, fc.makeIgnoreSubnet(chainName, subnet, fmt.Sprintf("ignore-subnet-%s", subnet)))
+		commands = append(commands, fc.makeIgnoreSubnet(chainName, subnet, dFlag, fmt.Sprintf("ignore-subnet-%s", subnet)))
 	}
 	return commands
 }
@@ -299,13 +301,13 @@ func (fc FirewallConfiguration) makeIgnorePorts(chainName string, destinations [
 		"--comment", formatComment(comment))
 }
 
-func (fc FirewallConfiguration) makeIgnoreSubnet(chainName string, subnet string, comment string) *exec.Cmd {
+func (fc FirewallConfiguration) makeIgnoreSubnet(chainName string, subnet string, dFlag string, comment string) *exec.Cmd {
 	return exec.Command(fc.BinPath,
 		"-t", "nat",
 		"-A", chainName,
 		"-p", "all",
 		"-j", "RETURN",
-		"-s", subnet,
+		"-" + dFlag, subnet,
 		"-m", "comment",
 		"--comment", formatComment(comment))
 }
From a04b03ab8d47909f2f765e37e68b4df0e139755d Mon Sep 17 00:00:00 2001
From: Viktor Tuska
Date: Fri, 9 Feb 2024 16:36:15 +0100
Subject: [PATCH 2/2] gofmt iptables.go
Signed-off-by: Viktor Tuska
---
 internal/iptables/iptables.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/iptables/iptables.go b/internal/iptables/iptables.go
index 98192ddc..73208d02 100644
--- a/internal/iptables/iptables.go
+++ b/internal/iptables/iptables.go
@@ -307,7 +307,7 @@ func (fc FirewallConfiguration) makeIgnoreSubnet(chainName string, subnet string
 		"-A", chainName,
 		"-p", "all",
 		"-j", "RETURN",
-		"-" + dFlag, subnet,
+		"-"+dFlag, subnet,
 		"-m", "comment",
 		"--comment", formatComment(comment))
 }
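Review bot: `addRulesForIgnoredSubnets` and `makeIgnoreSubnet` each gain a `dFlag` parameter with no comment stating which values it accepts, and nothing at the definition stops a caller from passing a complete flag such as `"-d"`, which the `"-" + dFlag` concatenation in `makeIgnoreSubnet` would turn into `"--d"`. I would document the contract above `addRulesForIgnoredSubnets` with `// addRulesForIgnoredSubnets appends one RETURN rule per entry in fc.SubnetsToIgnore to chainName; dFlag is the bare iptables address-match letter, "s" to match the source address (inbound chain) or "d" to match the destination address (outbound chain).` and repeat the one-line constraint on `makeIgnoreSubnet`. The rule is `-p all -j RETURN`, so the comment should also make clear that a matching packet exits the chain regardless of port or protocol, which presumably skips any redirect rule appended later in the same chain. The second patch in this series only reformats the `"-"+dFlag` line and raises nothing further.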