iptables: filter table accepts from-proxy packets
GKE has a DROP policy for the filter table, so we have to explicitly accept
proxy traffic.

Signed-off-by: Zhichuan Liang <[email protected]>
jschwinger233 authored and aanm committed Dec 14, 2023
1 parent 9fbd5a8 commit 244a5e9
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions pkg/datapath/iptables/iptables.go
Expand Up @@ -526,6 +526,8 @@ func (m *Manager) installStaticProxyRules() error {
matchProxyReply := fmt.Sprintf("%#08x/%#08x", linux_defaults.MagicMarkIsProxy, linux_defaults.MagicMarkProxyNoIDMask)
// L7 proxy upstream return traffic has Endpoint ID in the mask
matchL7ProxyUpstream := fmt.Sprintf("%#08x/%#08x", linux_defaults.MagicMarkIsProxyEPID, linux_defaults.MagicMarkProxyMask)
// match traffic from a proxy (either in forward or in return direction)
matchFromProxy := fmt.Sprintf("%#08x/%#08x", linux_defaults.MagicMarkIsProxy, linux_defaults.MagicMarkProxyMask)

if m.sharedCfg.EnableIPv4 {
// No conntrack for traffic to proxy
Expand Down Expand Up @@ -598,8 +600,8 @@ func (m *Manager) installStaticProxyRules() error {
if err := ip4tables.runProg([]string{
"-t", "filter",
"-A", ciliumOutputChain,
"-m", "mark", "--mark", matchProxyReply,
"-m", "comment", "--comment", "cilium: ACCEPT for proxy return traffic",
"-m", "mark", "--mark", matchFromProxy,
"-m", "comment", "--comment", "cilium: ACCEPT for proxy traffic",
"-j", "ACCEPT"}); err != nil {
return err
}
Expand Down Expand Up @@ -672,8 +674,8 @@ func (m *Manager) installStaticProxyRules() error {
if err := ip6tables.runProg([]string{
"-t", "filter",
"-A", ciliumOutputChain,
"-m", "mark", "--mark", matchProxyReply,
"-m", "comment", "--comment", "cilium: ACCEPT for proxy return traffic",
"-m", "mark", "--mark", matchFromProxy,
"-m", "comment", "--comment", "cilium: ACCEPT for proxy traffic",
"-j", "ACCEPT"}); err != nil {
return err
}
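Review bot: The reason for widening the filter-table ACCEPT from proxy replies to all proxy-marked traffic lives only in the commit message; the new `"-m", "comment", "--comment", "cilium: ACCEPT for proxy traffic"` line records what the rule does, not why. A comment above the ip4tables call such as `// The filter table may carry a DROP policy (e.g. on GKE), so accept every packet carrying the proxy mark (forward and return direction), not only proxy replies.` would keep the rationale next to the rule; the same applies to the ip6tables rule in the third hunk. The broadened match also relies on MagicMarkIsProxy under MagicMarkProxyMask being set only on packets that leave the proxy, which is not visible in this diff and is worth stating alongside that comment so the wider ACCEPT can be reviewed against the marking code. Since the IPv4 and IPv6 rules are now identical apart from the binary, the argument slice could be built once and passed to both runProg calls so the two cannot drift. installStaticProxyRules starts and ends outside the hunk.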
