use input chain for IPv6

metalbear-co · Dec 24, 2024 · ead74cd · ead74cd
1 parent b65663e
commit ead74cd
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 22 deletions.
diff --git a/mirrord/agent/src/steal/ip_tables.rs b/mirrord/agent/src/steal/ip_tables.rs
@@ -254,7 +254,6 @@ pub(crate) enum Redirects<IPT: IPTables + Send + Sync> {
 /// Wrapper struct for IPTables so it flushes on drop.
 pub(crate) struct SafeIpTables<IPT: IPTables + Send + Sync> {
     redirect: Redirects<IPT>,
-    ipv6: bool,
 }
 
 /// Wrapper for using iptables. This creates a a new chain on creation and deletes it on drop.
@@ -270,6 +269,7 @@ where
         ipt: IPT,
         flush_connections: bool,
         pod_ips: Option<&str>,
+        ipv6: bool,
     ) -> Result<Self> {
         let ipt = Arc::new(ipt);
 
@@ -281,11 +281,11 @@ where
                 _ => Redirects::Mesh(MeshRedirect::create(ipt.clone(), vendor, pod_ips)?),
             }
         } else {
-            match StandardRedirect::create(ipt.clone(), pod_ips) {
+            match StandardRedirect::create(ipt.clone(), pod_ips, ipv6) {
                 Err(err) => {
                     warn!("Unable to create StandardRedirect chain: {err}");
 
-                    Redirects::PrerouteFallback(PreroutingRedirect::create(ipt.clone())?)
+                    Redirects::PrerouteFallback(PreroutingRedirect::create_prerouting(ipt.clone())?)
                 }
                 Ok(standard) => Redirects::Standard(standard),
             }
@@ -314,7 +314,7 @@ where
                 Err(err) => {
                     warn!("Unable to load StandardRedirect chain: {err}");
 
-                    Redirects::PrerouteFallback(PreroutingRedirect::load(ipt.clone())?)
+                    Redirects::PrerouteFallback(PreroutingRedirect::load_prerouting(ipt.clone())?)
                 }
                 Ok(standard) => Redirects::Standard(standard),
             }

diff --git a/mirrord/agent/src/steal/ip_tables/mesh.rs b/mirrord/agent/src/steal/ip_tables/mesh.rs
@@ -30,7 +30,7 @@ where
     IPT: IPTables,
 {
     pub fn create(ipt: Arc<IPT>, vendor: MeshVendor, pod_ips: Option<&str>) -> Result<Self> {
-        let prerouting = PreroutingRedirect::create(ipt.clone())?;
+        let prerouting = PreroutingRedirect::create_prerouting(ipt.clone())?;
 
         for port in Self::get_skip_ports(&ipt, &vendor)? {
             prerouting.add_rule(&format!("-m multiport -p tcp ! --dports {port} -j RETURN"))?;
@@ -46,7 +46,7 @@ where
     }
 
     pub fn load(ipt: Arc<IPT>, vendor: MeshVendor) -> Result<Self> {
-        let prerouting = PreroutingRedirect::load(ipt.clone())?;
+        let prerouting = PreroutingRedirect::load_prerouting(ipt.clone())?;
         let output = OutputRedirect::load(ipt, IPTABLE_MESH.to_string())?;
 
         Ok(MeshRedirect {

diff --git a/mirrord/agent/src/steal/ip_tables/mesh/istio.rs b/mirrord/agent/src/steal/ip_tables/mesh/istio.rs
@@ -21,14 +21,14 @@ where
     IPT: IPTables,
 {
     pub fn create(ipt: Arc<IPT>, pod_ips: Option<&str>) -> Result<Self> {
-        let prerouting = PreroutingRedirect::create(ipt.clone())?;
+        let prerouting = PreroutingRedirect::create_prerouting(ipt.clone())?;
         let output = OutputRedirect::create(ipt, IPTABLE_MESH.to_string(), pod_ips)?;
 
         Ok(AmbientRedirect { prerouting, output })
     }
 
     pub fn load(ipt: Arc<IPT>) -> Result<Self> {
-        let prerouting = PreroutingRedirect::load(ipt.clone())?;
+        let prerouting = PreroutingRedirect::load_prerouting(ipt.clone())?;
         let output = OutputRedirect::load(ipt, IPTABLE_MESH.to_string())?;
 
         Ok(AmbientRedirect { prerouting, output })

diff --git a/mirrord/agent/src/steal/ip_tables/prerouting.rs b/mirrord/agent/src/steal/ip_tables/prerouting.rs
@@ -10,24 +10,45 @@ use crate::{
 
 pub(crate) struct PreroutingRedirect<IPT: IPTables> {
     managed: IPTableChain<IPT>,
+    chain_name: &'static str,
 }
 
 impl<IPT> PreroutingRedirect<IPT>
 where
     IPT: IPTables,
 {
-    const ENTRYPOINT: &'static str = "PREROUTING";
+    pub fn create_prerouting(ipt: Arc<IPT>) -> Result<Self> {
+        Self::create(ipt, "PREROUTING")
+    }
+
+    pub fn create_input(ipt: Arc<IPT>) -> Result<Self> {
+        Self::create(ipt, "INPUT")
+    }
 
-    pub fn create(ipt: Arc<IPT>) -> Result<Self> {
+    pub fn create(ipt: Arc<IPT>, chain_name: &'static str) -> Result<Self> {
         let managed = IPTableChain::create(ipt, IPTABLE_PREROUTING.to_string())?;
 
-        Ok(PreroutingRedirect { managed })
+        Ok(PreroutingRedirect {
+            managed,
+            chain_name,
+        })
+    }
+
+    pub fn load_prerouting(ipt: Arc<IPT>) -> Result<Self> {
+        Self::load(ipt, "PREROUTING")
+    }
+
+    pub fn load_input(ipt: Arc<IPT>) -> Result<Self> {
+        Self::load(ipt, "INPUT")
     }
 
-    pub fn load(ipt: Arc<IPT>) -> Result<Self> {
+    pub fn load(ipt: Arc<IPT>, chain_name: &'static str) -> Result<Self> {
         let managed = IPTableChain::load(ipt, IPTABLE_PREROUTING.to_string())?;
 
-        Ok(PreroutingRedirect { managed })
+        Ok(PreroutingRedirect {
+            managed,
+            chain_name,
+        })
     }
 }
 
@@ -38,7 +59,7 @@ where
 {
     async fn mount_entrypoint(&self) -> Result<()> {
         self.managed.inner().add_rule(
-            Self::ENTRYPOINT,
+            &self.chain_name,
             &format!("-j {}", self.managed.chain_name()),
         )?;
 
@@ -47,7 +68,7 @@ where
 
     async fn unmount_entrypoint(&self) -> Result<()> {
         self.managed.inner().remove_rule(
-            Self::ENTRYPOINT,
+            &self.chain_name,
             &format!("-j {}", self.managed.chain_name()),
         )?;
 
@@ -114,7 +135,8 @@ mod tests {
             .times(1)
             .returning(|_| Ok(()));
 
-        let prerouting = PreroutingRedirect::create(Arc::new(mock)).expect("Unable to create");
+        let prerouting =
+            PreroutingRedirect::create_prerouting(Arc::new(mock)).expect("Unable to create");
 
         assert!(prerouting.add_redirect(69, 420).await.is_ok());
     }
@@ -151,7 +173,8 @@ mod tests {
             .times(1)
             .returning(|_| Ok(()));
 
-        let prerouting = PreroutingRedirect::create(Arc::new(mock)).expect("Unable to create");
+        let prerouting =
+            PreroutingRedirect::create_prerouting(Arc::new(mock)).expect("Unable to create");
 
         assert!(prerouting.add_redirect(69, 420).await.is_ok());
         assert!(prerouting.add_redirect(169, 1420).await.is_ok());
@@ -179,7 +202,8 @@ mod tests {
             .times(1)
             .returning(|_| Ok(()));
 
-        let prerouting = PreroutingRedirect::create(Arc::new(mock)).expect("Unable to create");
+        let prerouting =
+            PreroutingRedirect::create_prerouting(Arc::new(mock)).expect("Unable to create");
 
         assert!(prerouting.remove_redirect(69, 420).await.is_ok());
     }

diff --git a/mirrord/agent/src/steal/ip_tables/standard.rs b/mirrord/agent/src/steal/ip_tables/standard.rs
@@ -20,15 +20,19 @@ impl<IPT> StandardRedirect<IPT>
 where
     IPT: IPTables,
 {
-    pub fn create(ipt: Arc<IPT>, pod_ips: Option<&str>) -> Result<Self> {
-        let prerouting = PreroutingRedirect::create(ipt.clone())?;
+    pub fn create(ipt: Arc<IPT>, pod_ips: Option<&str>, ipv6: bool) -> Result<Self> {
+        let prerouting = if ipv6 {
+            PreroutingRedirect::create_input(ipt.clone())?
+        } else {
+            PreroutingRedirect::create_prerouting(ipt.clone())?
+        };
         let output = OutputRedirect::create(ipt, IPTABLE_STANDARD.to_string(), pod_ips)?;
 
         Ok(StandardRedirect { prerouting, output })
     }
 
     pub fn load(ipt: Arc<IPT>) -> Result<Self> {
-        let prerouting = PreroutingRedirect::load(ipt.clone())?;
+        let prerouting = PreroutingRedirect::load_prerouting(ipt.clone())?;
         let output = OutputRedirect::load(ipt, IPTABLE_STANDARD.to_string())?;
 
         Ok(StandardRedirect { prerouting, output })

diff --git a/mirrord/agent/src/steal/subscriptions.rs b/mirrord/agent/src/steal/subscriptions.rs
@@ -83,6 +83,7 @@ impl PortRedirector for IptablesListener {
                 },
                 self.flush_connections || self.ipv6,
                 self.pod_ips.as_deref(),
+                self.ipv6,
             )
             .await?;
             self.iptables.insert(safe)

diff --git a/tests/src/utils.rs b/tests/src/utils.rs
@@ -589,7 +589,7 @@ pub async fn run_exec(
     // base_env.insert("MIRRORD_AGENT_IMAGE", "test");
     base_env.insert(
         "MIRRORD_AGENT_IMAGE",
-        "docker.io/t4lz/mirrord-agent:2024-12-22_2",
+        "docker.io/t4lz/mirrord-agent:2024-12-23",
     );
     base_env.insert("MIRRORD_AGENT_TTL", "180"); // TODO: delete
     base_env.insert("MIRRORD_CHECK_VERSION", "false");