From ead74cd558eb7fbd8a6056891741255402a71353 Mon Sep 17 00:00:00 2001
From: t4lz
Date: Tue, 24 Dec 2024 15:39:28 +0200
Subject: [PATCH] use input chain for IPv6

---
 mirrord/agent/src/steal/ip_tables.rs          |  8 ++--
 mirrord/agent/src/steal/ip_tables/mesh.rs     |  4 +-
 .../agent/src/steal/ip_tables/mesh/istio.rs   |  4 +-
 .../agent/src/steal/ip_tables/prerouting.rs   | 44 ++++++++++++++-----
 mirrord/agent/src/steal/ip_tables/standard.rs | 10 +++--
 mirrord/agent/src/steal/subscriptions.rs      |  1 +
 tests/src/utils.rs                            |  2 +-
 7 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/mirrord/agent/src/steal/ip_tables.rs b/mirrord/agent/src/steal/ip_tables.rs
index f8dd3ed3724..6d623ba5299 100644
--- a/mirrord/agent/src/steal/ip_tables.rs
+++ b/mirrord/agent/src/steal/ip_tables.rs
@@ -254,7 +254,6 @@ pub(crate) enum Redirects {
 /// Wrapper struct for IPTables so it flushes on drop.
 pub(crate) struct SafeIpTables {
     redirect: Redirects,
-    ipv6: bool,
 }
 
 /// Wrapper for using iptables. This creates a a new chain on creation and deletes it on drop.
@@ -270,6 +269,7 @@ where
         ipt: IPT,
         flush_connections: bool,
         pod_ips: Option<&str>,
+        ipv6: bool,
     ) -> Result {
         let ipt = Arc::new(ipt);
 
@@ -281,11 +281,11 @@ where
                 _ => Redirects::Mesh(MeshRedirect::create(ipt.clone(), vendor, pod_ips)?),
             }
         } else {
-            match StandardRedirect::create(ipt.clone(), pod_ips) {
+            match StandardRedirect::create(ipt.clone(), pod_ips, ipv6) {
                 Err(err) => {
                     warn!("Unable to create StandardRedirect chain: {err}");
 
-                    Redirects::PrerouteFallback(PreroutingRedirect::create(ipt.clone())?)
+                    Redirects::PrerouteFallback(PreroutingRedirect::create_prerouting(ipt.clone())?)
                 }
                 Ok(standard) => Redirects::Standard(standard),
             }
@@ -314,7 +314,7 @@ where
                 Err(err) => {
                     warn!("Unable to load StandardRedirect chain: {err}");
 
-                    Redirects::PrerouteFallback(PreroutingRedirect::load(ipt.clone())?)
+                    Redirects::PrerouteFallback(PreroutingRedirect::load_prerouting(ipt.clone())?)
                 }
                 Ok(standard) => Redirects::Standard(standard),
             }
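Review bot: The `Err` arm of the new `match StandardRedirect::create(ipt.clone(), pod_ips, ipv6)` still hooks `PREROUTING` through `create_prerouting` even when `ipv6` is true, so whenever the standard chain fails to build the IPv6 agent silently falls back to the very entry chain this commit moves it away from. Mirror the choice made in `StandardRedirect::create`: `Redirects::PrerouteFallback(if ipv6 { PreroutingRedirect::create_input(ipt.clone())? } else { PreroutingRedirect::create_prerouting(ipt.clone())? })`. The mesh arm above (`MeshRedirect::create(ipt.clone(), vendor, pod_ips)`) also never receives `ipv6`; if the reason PREROUTING is unusable for IPv6 applies inside a mesh too, that path needs the same treatment — the commit message does not say either way. The enclosing `create` function continues outside the hunk.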
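Review bot: The load path never learns which entry chain the rules were mounted from: the fallback in this hunk calls `load_prerouting` unconditionally, and `StandardRedirect::load` in the standard.rs hunk does the same. For an agent that was created with `ipv6 == true`, a later `load` therefore yields a `PreroutingRedirect` whose `chain_name` is `"PREROUTING"`, and `unmount_entrypoint` (prerouting.rs) will issue `remove_rule` against PREROUTING while the real `-j <chain>` jump sits in INPUT; that jump is left behind on drop and, since iptables will not delete a chain that is still referenced, the managed chain is presumably orphaned as well. Thread `ipv6` through `SafeIpTables::load` and `StandardRedirect::load` the same way `create` now does, choosing `load_input` when it is set; `SafeIpTables::load`'s signature is outside the hunk, so I cannot confirm whether it already carries such a parameter.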
diff --git a/mirrord/agent/src/steal/ip_tables/mesh.rs b/mirrord/agent/src/steal/ip_tables/mesh.rs
index 88fdff5d0b1..0ddd4f77921 100644
--- a/mirrord/agent/src/steal/ip_tables/mesh.rs
+++ b/mirrord/agent/src/steal/ip_tables/mesh.rs
@@ -30,7 +30,7 @@ where
     IPT: IPTables,
 {
     pub fn create(ipt: Arc, vendor: MeshVendor, pod_ips: Option<&str>) -> Result {
-        let prerouting = PreroutingRedirect::create(ipt.clone())?;
+        let prerouting = PreroutingRedirect::create_prerouting(ipt.clone())?;
 
         for port in Self::get_skip_ports(&ipt, &vendor)? {
             prerouting.add_rule(&format!("-m multiport -p tcp ! --dports {port} -j RETURN"))?;
@@ -46,7 +46,7 @@ where
     }
 
     pub fn load(ipt: Arc, vendor: MeshVendor) -> Result {
-        let prerouting = PreroutingRedirect::load(ipt.clone())?;
+        let prerouting = PreroutingRedirect::load_prerouting(ipt.clone())?;
         let output = OutputRedirect::load(ipt, IPTABLE_MESH.to_string())?;
 
         Ok(MeshRedirect {
diff --git a/mirrord/agent/src/steal/ip_tables/mesh/istio.rs b/mirrord/agent/src/steal/ip_tables/mesh/istio.rs
index cd3d4b06fa9..a4e9a57a3e1 100644
--- a/mirrord/agent/src/steal/ip_tables/mesh/istio.rs
+++ b/mirrord/agent/src/steal/ip_tables/mesh/istio.rs
@@ -21,14 +21,14 @@ where
     IPT: IPTables,
 {
     pub fn create(ipt: Arc, pod_ips: Option<&str>) -> Result {
-        let prerouting = PreroutingRedirect::create(ipt.clone())?;
+        let prerouting = PreroutingRedirect::create_prerouting(ipt.clone())?;
         let output = OutputRedirect::create(ipt, IPTABLE_MESH.to_string(), pod_ips)?;
 
         Ok(AmbientRedirect { prerouting, output })
     }
 
     pub fn load(ipt: Arc) -> Result {
-        let prerouting = PreroutingRedirect::load(ipt.clone())?;
+        let prerouting = PreroutingRedirect::load_prerouting(ipt.clone())?;
         let output = OutputRedirect::load(ipt, IPTABLE_MESH.to_string())?;
 
         Ok(AmbientRedirect { prerouting, output })
diff --git a/mirrord/agent/src/steal/ip_tables/prerouting.rs b/mirrord/agent/src/steal/ip_tables/prerouting.rs
index 486b0ca1b51..10a801bc5a3 100644
--- a/mirrord/agent/src/steal/ip_tables/prerouting.rs
+++ b/mirrord/agent/src/steal/ip_tables/prerouting.rs
@@ -10,24 +10,45 @@ use crate::{
 pub(crate) struct PreroutingRedirect {
     managed: IPTableChain,
+    chain_name: &'static str,
 }
 
 impl PreroutingRedirect
 where
     IPT: IPTables,
 {
-    const ENTRYPOINT: &'static str = "PREROUTING";
+    pub fn create_prerouting(ipt: Arc) -> Result {
+        Self::create(ipt, "PREROUTING")
+    }
+
+    pub fn create_input(ipt: Arc) -> Result {
+        Self::create(ipt, "INPUT")
+    }
 
-    pub fn create(ipt: Arc) -> Result {
+    pub fn create(ipt: Arc, chain_name: &'static str) -> Result {
         let managed = IPTableChain::create(ipt, IPTABLE_PREROUTING.to_string())?;
 
-        Ok(PreroutingRedirect { managed })
+        Ok(PreroutingRedirect {
+            managed,
+            chain_name,
+        })
+    }
+
+    pub fn load_prerouting(ipt: Arc) -> Result {
+        Self::load(ipt, "PREROUTING")
+    }
+
+    pub fn load_input(ipt: Arc) -> Result {
+        Self::load(ipt, "INPUT")
     }
 
-    pub fn load(ipt: Arc) -> Result {
+    pub fn load(ipt: Arc, chain_name: &'static str) -> Result {
         let managed = IPTableChain::load(ipt, IPTABLE_PREROUTING.to_string())?;
 
-        Ok(PreroutingRedirect { managed })
+        Ok(PreroutingRedirect {
+            managed,
+            chain_name,
+        })
     }
 }
@@ -38,7 +59,7 @@ where
 {
     async fn mount_entrypoint(&self) -> Result<()> {
         self.managed.inner().add_rule(
-            Self::ENTRYPOINT,
+            &self.chain_name,
             &format!("-j {}", self.managed.chain_name()),
         )?;
 
@@ -47,7 +68,7 @@ where
 
     async fn unmount_entrypoint(&self) -> Result<()> {
         self.managed.inner().remove_rule(
-            Self::ENTRYPOINT,
+            &self.chain_name,
             &format!("-j {}", self.managed.chain_name()),
         )?;
 
@@ -114,7 +135,8 @@ mod tests {
             .times(1)
             .returning(|_| Ok(()));
 
-        let prerouting = PreroutingRedirect::create(Arc::new(mock)).expect("Unable to create");
+        let prerouting =
+            PreroutingRedirect::create_prerouting(Arc::new(mock)).expect("Unable to create");
 
         assert!(prerouting.add_redirect(69, 420).await.is_ok());
     }
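Review bot: The four new public constructors and the widened `create`/`load` signatures carry no doc comments, and `chain_name: &'static str` lets any caller pass an arbitrary chain string while the type is still called `PreroutingRedirect` and the managed chain is still named from `IPTABLE_PREROUTING` even when it is hooked from INPUT. A struct-level comment such as `/// Redirect chain hooked from a configurable entry chain: PREROUTING by default, INPUT for IPv6. The managed chain is named IPTABLE_PREROUTING in both cases.` plus one-liners on `create_input`/`load_input` stating that they exist for the IPv6 path would make the intent discoverable. Consider an enum for the entry chain (`Prerouting`, `Input`) in place of the bare string so that only the two supported values are representable, mapping it to its `&'static str` in one place inside `create`/`load`.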
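Review bot: `&self.chain_name` in `mount_entrypoint` borrows a field that is already a `&'static str`, producing a `&&str` that only compiles through deref coercion (assuming `add_rule` takes `&str`, as the removed `Self::ENTRYPOINT` argument suggests) and will be flagged by clippy's `needless_borrow`; `self.chain_name,` is the direct replacement. The same applies to the `remove_rule` call in the `unmount_entrypoint` hunk (`@@ -47,7 +68,7 @@`). Both functions continue outside their hunks.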
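Review bot: The updated tests in this hunk and in `@@ -151` / `@@ -179` only exercise `create_prerouting`, so nothing asserts that `create_input` mounts the jump rule from `INPUT` — the IPv6 path this commit introduces has no test. Add one test that sets the mock's `add_rule` expectation on `"INPUT"` with the `-j <chain>` rule and calls `PreroutingRedirect::create_input(Arc::new(mock))` followed by the same call sequence the existing tests use; the mock setup lines sit above the hunk, so I am inferring their shape from the `.times(1).returning(|_| Ok(()))` tail. The enclosing test functions start outside these hunks.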
@@ -151,7 +173,8 @@ mod tests {
             .times(1)
             .returning(|_| Ok(()));
 
-        let prerouting = PreroutingRedirect::create(Arc::new(mock)).expect("Unable to create");
+        let prerouting =
+            PreroutingRedirect::create_prerouting(Arc::new(mock)).expect("Unable to create");
 
         assert!(prerouting.add_redirect(69, 420).await.is_ok());
         assert!(prerouting.add_redirect(169, 1420).await.is_ok());
@@ -179,7 +202,8 @@ mod tests {
             .times(1)
             .returning(|_| Ok(()));
 
-        let prerouting = PreroutingRedirect::create(Arc::new(mock)).expect("Unable to create");
+        let prerouting =
+            PreroutingRedirect::create_prerouting(Arc::new(mock)).expect("Unable to create");
 
         assert!(prerouting.remove_redirect(69, 420).await.is_ok());
     }
diff --git a/mirrord/agent/src/steal/ip_tables/standard.rs b/mirrord/agent/src/steal/ip_tables/standard.rs
index 3302b05c02e..1c200b1a168 100644
--- a/mirrord/agent/src/steal/ip_tables/standard.rs
+++ b/mirrord/agent/src/steal/ip_tables/standard.rs
@@ -20,15 +20,19 @@ impl StandardRedirect
 where
     IPT: IPTables,
 {
-    pub fn create(ipt: Arc, pod_ips: Option<&str>) -> Result {
-        let prerouting = PreroutingRedirect::create(ipt.clone())?;
+    pub fn create(ipt: Arc, pod_ips: Option<&str>, ipv6: bool) -> Result {
+        let prerouting = if ipv6 {
+            PreroutingRedirect::create_input(ipt.clone())?
+        } else {
+            PreroutingRedirect::create_prerouting(ipt.clone())?
+        };
         let output = OutputRedirect::create(ipt, IPTABLE_STANDARD.to_string(), pod_ips)?;
 
         Ok(StandardRedirect { prerouting, output })
     }
 
     pub fn load(ipt: Arc) -> Result {
-        let prerouting = PreroutingRedirect::load(ipt.clone())?;
+        let prerouting = PreroutingRedirect::load_prerouting(ipt.clone())?;
         let output = OutputRedirect::load(ipt, IPTABLE_STANDARD.to_string())?;
 
         Ok(StandardRedirect { prerouting, output })
diff --git a/mirrord/agent/src/steal/subscriptions.rs b/mirrord/agent/src/steal/subscriptions.rs
index 419f9222967..ddb7f9e1aba 100644
--- a/mirrord/agent/src/steal/subscriptions.rs
+++ b/mirrord/agent/src/steal/subscriptions.rs
@@ -83,6 +83,7 @@ impl PortRedirector for IptablesListener {
                 },
                 self.flush_connections || self.ipv6,
                 self.pod_ips.as_deref(),
+                self.ipv6,
             )
             .await?;
             self.iptables.insert(safe)
diff --git a/tests/src/utils.rs b/tests/src/utils.rs
index 2f6af6bdad1..91790eee562 100644
--- a/tests/src/utils.rs
+++ b/tests/src/utils.rs
@@ -589,7 +589,7 @@ pub async fn run_exec(
     // base_env.insert("MIRRORD_AGENT_IMAGE", "test");
     base_env.insert(
         "MIRRORD_AGENT_IMAGE",
-        "docker.io/t4lz/mirrord-agent:2024-12-22_2",
+        "docker.io/t4lz/mirrord-agent:2024-12-23",
     );
     base_env.insert("MIRRORD_AGENT_TTL", "180"); // TODO: delete
     base_env.insert("MIRRORD_CHECK_VERSION", "false");