injector: rename iptables chains for clarity (#4379)

Renames the iptables chains and prefixes the custom chains with `OSM_` to indicate these chains are owned by OSM. It renames the custom chains as follows: PROXY_INBOUND -> OSM_PROXY_INBOUND PROXY_OUTPUT -> OSM_PROXY_OUTBOUND PROXY_IN_REDIRECT -> OSM_PROXY_IN_REDIRECT PROXY_REDIRECT -> OSM_PROXY_OUT_REDIRECT Signed-off-by: Shashank Ram <[email protected]>
openservicemesh · Jan 7, 2022 · 2b93d98 · 2b93d98
1 parent c61bf17
commit 2b93d98
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 62 deletions.
diff --git a/pkg/injector/init_container_test.go b/pkg/injector/init_container_test.go
@@ -38,23 +38,23 @@ var _ = Describe("Test functions creating Envoy bootstrap configuration", func()
 					`iptables-restore --noflush <<EOF
 # OSM sidecar interception rules
 *nat
-:PROXY_INBOUND - [0:0]
-:PROXY_IN_REDIRECT - [0:0]
-:PROXY_OUTPUT - [0:0]
-:PROXY_REDIRECT - [0:0]
--A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
--A PREROUTING -p tcp -j PROXY_INBOUND
--A PROXY_INBOUND -p tcp --dport 15010 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15901 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15902 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15903 -j RETURN
--A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
--A PROXY_REDIRECT -p tcp -j REDIRECT --to-port 15001
--A PROXY_REDIRECT -p tcp --dport 15000 -j ACCEPT
--A OUTPUT -p tcp -j PROXY_OUTPUT
--A PROXY_OUTPUT -m owner --uid-owner 1500 -j RETURN
--A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN
--A PROXY_OUTPUT -j PROXY_REDIRECT
+:OSM_PROXY_INBOUND - [0:0]
+:OSM_PROXY_IN_REDIRECT - [0:0]
+:OSM_PROXY_OUTBOUND - [0:0]
+:OSM_PROXY_OUT_REDIRECT - [0:0]
+-A OSM_PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+-A PREROUTING -p tcp -j OSM_PROXY_INBOUND
+-A OSM_PROXY_INBOUND -p tcp --dport 15010 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15901 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15902 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15903 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp -j OSM_PROXY_IN_REDIRECT
+-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+-A OSM_PROXY_OUT_REDIRECT -p tcp --dport 15000 -j ACCEPT
+-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND
+-A OSM_PROXY_OUTBOUND -m owner --uid-owner 1500 -j RETURN
+-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT
 COMMIT
 EOF
 `,

diff --git a/pkg/injector/iptables.go b/pkg/injector/iptables.go
@@ -10,45 +10,45 @@ import (
 
 // iptablesOutboundStaticRules is the list of iptables rules related to outbound traffic interception and redirection
 var iptablesOutboundStaticRules = []string{
-	// Redirects outbound TCP traffic hitting PROXY_REDIRECT chain to Envoy's outbound listener port
-	fmt.Sprintf("-A PROXY_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyOutboundListenerPort),
+	// Redirects outbound TCP traffic hitting OSM_PROXY_OUT_REDIRECT chain to Envoy's outbound listener port
+	fmt.Sprintf("-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyOutboundListenerPort),
 
 	// Traffic to the Proxy Admin port flows to the Proxy -- not redirected
-	fmt.Sprintf("-A PROXY_REDIRECT -p tcp --dport %d -j ACCEPT", constants.EnvoyAdminPort),
+	fmt.Sprintf("-A OSM_PROXY_OUT_REDIRECT -p tcp --dport %d -j ACCEPT", constants.EnvoyAdminPort),
 
-	// For outbound TCP traffic jump from OUTPUT chain to PROXY_OUTPUT chain
-	"-A OUTPUT -p tcp -j PROXY_OUTPUT",
+	// For outbound TCP traffic jump from OUTPUT chain to OSM_PROXY_OUTBOUND chain
+	"-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND",
 
 	// Don't redirect Envoy traffic back to itself, return it to the next chain for processing
-	fmt.Sprintf("-A PROXY_OUTPUT -m owner --uid-owner %d -j RETURN", constants.EnvoyUID),
+	fmt.Sprintf("-A OSM_PROXY_OUTBOUND -m owner --uid-owner %d -j RETURN", constants.EnvoyUID),
 
 	// Skip localhost traffic, doesn't need to be routed via the proxy
-	"-A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN",
+	"-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN",
 
 	// Redirect remaining outbound traffic to Envoy
-	"-A PROXY_OUTPUT -j PROXY_REDIRECT",
+	"-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT",
 }
 
 // iptablesInboundStaticRules is the list of iptables rules related to inbound traffic interception and redirection
 var iptablesInboundStaticRules = []string{
-	// Redirects inbound TCP traffic hitting the PROXY_IN_REDIRECT chain to Envoy's inbound listener port
-	fmt.Sprintf("-A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyInboundListenerPort),
+	// Redirects inbound TCP traffic hitting the OSM_PROXY_IN_REDIRECT chain to Envoy's inbound listener port
+	fmt.Sprintf("-A OSM_PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyInboundListenerPort),
 
-	// For inbound traffic jump from PREROUTING chain to PROXY_INBOUND chain
-	"-A PREROUTING -p tcp -j PROXY_INBOUND",
+	// For inbound traffic jump from PREROUTING chain to OSM_PROXY_INBOUND chain
+	"-A PREROUTING -p tcp -j OSM_PROXY_INBOUND",
 
 	// Skip metrics query traffic being directed to Envoy's inbound prometheus listener port
-	fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", constants.EnvoyPrometheusInboundListenerPort),
+	fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", constants.EnvoyPrometheusInboundListenerPort),
 
 	// Skip inbound health probes; These ports will be explicitly handled by listeners configured on the
 	// Envoy proxy IF any health probes have been configured in the Pod Spec.
 	// TODO(draychev): Do not add these if no health probes have been defined (https://github.com/openservicemesh/osm/issues/2243)
-	fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", livenessProbePort),
-	fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", readinessProbePort),
-	fmt.Sprintf("-A PROXY_INBOUND -p tcp --dport %d -j RETURN", startupProbePort),
+	fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", livenessProbePort),
+	fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", readinessProbePort),
+	fmt.Sprintf("-A OSM_PROXY_INBOUND -p tcp --dport %d -j RETURN", startupProbePort),
 
 	// Redirect remaining inbound traffic to Envoy
-	"-A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT",
+	"-A OSM_PROXY_INBOUND -p tcp -j OSM_PROXY_IN_REDIRECT",
 }
 
 // generateIptablesCommands generates a list of iptables commands to set up sidecar interception and redirection
@@ -57,10 +57,10 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 
 	fmt.Fprintln(&rules, `# OSM sidecar interception rules
 *nat
-:PROXY_INBOUND - [0:0]
-:PROXY_IN_REDIRECT - [0:0]
-:PROXY_OUTPUT - [0:0]
-:PROXY_REDIRECT - [0:0]`)
+:OSM_PROXY_INBOUND - [0:0]
+:OSM_PROXY_IN_REDIRECT - [0:0]
+:OSM_PROXY_OUTBOUND - [0:0]
+:OSM_PROXY_OUT_REDIRECT - [0:0]`)
 	var cmds []string
 
 	// 1. Create inbound rules
@@ -73,7 +73,7 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 			portExclusionListStr = append(portExclusionListStr, strconv.Itoa(port))
 		}
 		inboundPortsToExclude := strings.Join(portExclusionListStr, ",")
-		rule := fmt.Sprintf("-I PROXY_INBOUND -p tcp --match multiport --dports %s -j RETURN", inboundPortsToExclude)
+		rule := fmt.Sprintf("-I OSM_PROXY_INBOUND -p tcp --match multiport --dports %s -j RETURN", inboundPortsToExclude)
 		cmds = append(cmds, rule)
 	}
 
@@ -84,7 +84,7 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 	for _, cidr := range outboundIPRangeExclusionList {
 		// *Note: it is important to use the insert option '-I' instead of the append option '-A' to ensure the exclusion
 		// rules take precedence over the static redirection rules. Iptables rules are evaluated in order.
-		rule := fmt.Sprintf("-I PROXY_OUTPUT -d %s -j RETURN", cidr)
+		rule := fmt.Sprintf("-I OSM_PROXY_OUTBOUND -d %s -j RETURN", cidr)
 		cmds = append(cmds, rule)
 	}
 
@@ -95,7 +95,7 @@ func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPor
 			portExclusionListStr = append(portExclusionListStr, strconv.Itoa(port))
 		}
 		outboundPortsToExclude := strings.Join(portExclusionListStr, ",")
-		rule := fmt.Sprintf("-I PROXY_OUTPUT -p tcp --match multiport --dports %s -j RETURN", outboundPortsToExclude)
+		rule := fmt.Sprintf("-I OSM_PROXY_OUTBOUND -p tcp --match multiport --dports %s -j RETURN", outboundPortsToExclude)
 		cmds = append(cmds, rule)
 	}
 

diff --git a/pkg/injector/iptables_test.go b/pkg/injector/iptables_test.go
@@ -18,27 +18,27 @@ func TestGenerateIptablesCommands(t *testing.T) {
 	expected := `iptables-restore --noflush <<EOF
 # OSM sidecar interception rules
 *nat
-:PROXY_INBOUND - [0:0]
-:PROXY_IN_REDIRECT - [0:0]
-:PROXY_OUTPUT - [0:0]
-:PROXY_REDIRECT - [0:0]
--A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
--A PREROUTING -p tcp -j PROXY_INBOUND
--A PROXY_INBOUND -p tcp --dport 15010 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15901 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15902 -j RETURN
--A PROXY_INBOUND -p tcp --dport 15903 -j RETURN
--A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
--I PROXY_INBOUND -p tcp --match multiport --dports 30,40 -j RETURN
--A PROXY_REDIRECT -p tcp -j REDIRECT --to-port 15001
--A PROXY_REDIRECT -p tcp --dport 15000 -j ACCEPT
--A OUTPUT -p tcp -j PROXY_OUTPUT
--A PROXY_OUTPUT -m owner --uid-owner 1500 -j RETURN
--A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN
--A PROXY_OUTPUT -j PROXY_REDIRECT
--I PROXY_OUTPUT -d 1.1.1.1/32 -j RETURN
--I PROXY_OUTPUT -d 2.2.2.2/32 -j RETURN
--I PROXY_OUTPUT -p tcp --match multiport --dports 10,20 -j RETURN
+:OSM_PROXY_INBOUND - [0:0]
+:OSM_PROXY_IN_REDIRECT - [0:0]
+:OSM_PROXY_OUTBOUND - [0:0]
+:OSM_PROXY_OUT_REDIRECT - [0:0]
+-A OSM_PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+-A PREROUTING -p tcp -j OSM_PROXY_INBOUND
+-A OSM_PROXY_INBOUND -p tcp --dport 15010 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15901 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15902 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp --dport 15903 -j RETURN
+-A OSM_PROXY_INBOUND -p tcp -j OSM_PROXY_IN_REDIRECT
+-I OSM_PROXY_INBOUND -p tcp --match multiport --dports 30,40 -j RETURN
+-A OSM_PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+-A OSM_PROXY_OUT_REDIRECT -p tcp --dport 15000 -j ACCEPT
+-A OUTPUT -p tcp -j OSM_PROXY_OUTBOUND
+-A OSM_PROXY_OUTBOUND -m owner --uid-owner 1500 -j RETURN
+-A OSM_PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+-A OSM_PROXY_OUTBOUND -j OSM_PROXY_OUT_REDIRECT
+-I OSM_PROXY_OUTBOUND -d 1.1.1.1/32 -j RETURN
+-I OSM_PROXY_OUTBOUND -d 2.2.2.2/32 -j RETURN
+-I OSM_PROXY_OUTBOUND -p tcp --match multiport --dports 10,20 -j RETURN
 COMMIT
 EOF
 `