feat: update tproxy iptables to v0.2.2 (#4328)

* chore: update tproxy to v0.22.2 Signed-off-by: Bart Smykla <bartek@smykla.com>
kumahq · May 23, 2022 · 3de8513 · 3de8513
1 parent 55411f9
commit 3de8513
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 21 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -28,7 +28,11 @@ linters-settings:
     disabled-checks:
       - singleCaseSwitch
   gci:
-    local-prefixes: github.com/kumahq/kuma
+    sections:
+    - standard
+    - default
+    - prefix(github.com/kumahq/kuma-net)
+    - prefix(github.com/kumahq/kuma)
   importas:
     alias:
     - pkg: github.com/kumahq/kuma/pkg/core/resources/apis/mesh

diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/gruntwork-io/terratest v0.40.10
 	github.com/hoisie/mustache v0.0.0-20160804235033-6375acf62c69
 	github.com/kelseyhightower/envconfig v1.4.0
-	github.com/kumahq/kuma-net v0.1.3
+	github.com/kumahq/kuma-net v0.2.2
 	github.com/kumahq/protoc-gen-kumadoc v0.2.0
 	github.com/lib/pq v1.10.6
 	github.com/miekg/dns v1.1.49

diff --git a/go.sum b/go.sum
@@ -971,8 +971,10 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/ktrysmt/go-bitbucket v0.6.4/go.mod h1:9u0v3hsd2rqCHRIpbir1oP7F58uo5dq19sBYvuMoyQ4=
 github.com/kumahq/go-control-plane v0.9.10-0.20211022075049-d35edcf0813a h1:RtOjGzZDv0JDtpWthWmxDHXhZRnJBaeIoIHcQrigWdE=
 github.com/kumahq/go-control-plane v0.9.10-0.20211022075049-d35edcf0813a/go.mod h1:utjuSZ1DPHuYf0cTZ8WEsaQf5bwmT1TZiWaQjpJtBF0=
-github.com/kumahq/kuma-net v0.1.3 h1:ZMvPuOf6V6q0dTTz55jpNIF9Py4RvP8Z4U/owg4+xy4=
-github.com/kumahq/kuma-net v0.1.3/go.mod h1:s/78MDdwEnFwTYCcwguYa4EosjGkBouVIPJM79jvync=
+github.com/kumahq/kuma-net v0.2.1 h1:tzubnThQQLGvUvgnc62oNpkzR7ewLWWqRrI0fssdnZw=
+github.com/kumahq/kuma-net v0.2.1/go.mod h1:dUqPEm6BP7TqQvaqYDXnwITekoxdtmXTd6UXVlq3n9w=
+github.com/kumahq/kuma-net v0.2.2 h1:crfuCBbfqFcTnXuiz4QMsuD6aNZ8JLVeYR+MlvEj7+Y=
+github.com/kumahq/kuma-net v0.2.2/go.mod h1:dUqPEm6BP7TqQvaqYDXnwITekoxdtmXTd6UXVlq3n9w=
 github.com/kumahq/protoc-gen-kumadoc v0.2.0 h1:3P1PZyw/tI1TYL6QmaePuLqGuarhYkL9ZxjN2yPTLXY=
 github.com/kumahq/protoc-gen-kumadoc v0.2.0/go.mod h1:F+c9RjgKlv1Q3UEoPJCtMJw8Fd+X5PfG5jlkTSfZOMA=
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=

diff --git a/pkg/transparentproxy/transparentproxy_experimental.go b/pkg/transparentproxy/transparentproxy_experimental.go
@@ -1,14 +1,18 @@
 package transparentproxy
 
 import (
+	"net"
+	"os/exec"
 	"strconv"
 	"strings"
 
 	"github.com/pkg/errors"
 
 	"github.com/kumahq/kuma-net/iptables/builder"
 	kumanet_config "github.com/kumahq/kuma-net/iptables/config"
+
 	"github.com/kumahq/kuma/pkg/transparentproxy/config"
+	"github.com/kumahq/kuma/pkg/transparentproxy/istio/tools/istio-iptables/pkg/constants"
 )
 
 var _ TransparentProxy = &ExperimentalTransparentProxy{}
@@ -30,6 +34,39 @@ func splitPorts(ports string) ([]uint16, error) {
 	return result, nil
 }
 
+func hasLocalIPv6() (bool, error) {
+	addrs, err := net.InterfaceAddrs()
+	if err != nil {
+		return false, err
+	}
+
+	for _, a := range addrs {
+		if ipnet, ok := a.(*net.IPNet); ok &&
+			!ipnet.IP.IsLoopback() &&
+			ipnet.IP.To4() == nil {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func shouldEnableIPv6() (bool, error) {
+	hasIPv6Address, err := hasLocalIPv6()
+	if !hasIPv6Address || err != nil {
+		return false, err
+	}
+
+	// We are executing this command to work around the problem with COS_CONTAINERD
+	// image which is being used on GKE nodes. This image is missing "ip6tables_nat"
+	// kernel module which is adding `nat` table, so we are checking if this table
+	// exists and if so, we are assuming we can safely proceed with ip6tables
+	// ref. https://github.com/kumahq/kuma/issues/2046
+	err = exec.Command(constants.IP6TABLES, "-t", constants.NAT, "-L").Run()
+
+	return err == nil, nil
+}
+
 func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyConfig) (string, error) {
 	redirectInboundPort, err := strconv.ParseUint(tpConfig.RedirectPortInBound, 10, 16)
 	if err != nil {
@@ -40,6 +77,19 @@ func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyC
 		)
 	}
 
+	var redirectInboundPortIPv6 uint64
+
+	if tpConfig.RedirectPortInBoundV6 != "" {
+		redirectInboundPortIPv6, err = strconv.ParseUint(tpConfig.RedirectPortInBoundV6, 10, 16)
+		if err != nil {
+			return "", errors.Wrapf(
+				err,
+				"inbound redirect port IPv6 (%s), is not valid uint16",
+				tpConfig.RedirectPortInBound,
+			)
+		}
+	}
+
 	redirectOutboundPort, err := strconv.ParseUint(tpConfig.RedirectPortOutBound, 10, 16)
 	if err != nil {
 		return "", errors.Wrapf(
@@ -74,38 +124,38 @@ func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyC
 		}
 	}
 
-	defaultConfig := kumanet_config.DefaultConfig()
+	ipv6, err := shouldEnableIPv6()
+	if err != nil {
+		return "", errors.Wrap(err, "cannot verify if IPv6 should be enabled")
+	}
 
-	cfg := &kumanet_config.Config{
-		Owner: &kumanet_config.Owner{
+	cfg := kumanet_config.Config{
+		Owner: kumanet_config.Owner{
 			UID: tpConfig.UID,
-			GID: tpConfig.GID,
 		},
-		Redirect: &kumanet_config.Redirect{
+		Redirect: kumanet_config.Redirect{
 			NamePrefix: "KUMA_",
-			Inbound: &kumanet_config.TrafficFlow{
-				Port:          uint16(redirectInboundPort),
-				Chain:         defaultConfig.Redirect.Inbound.Chain,
-				RedirectChain: defaultConfig.Redirect.Inbound.RedirectChain,
-				ExcludePorts:  excludeInboundPorts,
+			Inbound: kumanet_config.TrafficFlow{
+				Port:         uint16(redirectInboundPort),
+				PortIPv6:     uint16(redirectInboundPortIPv6),
+				ExcludePorts: excludeInboundPorts,
 			},
-			Outbound: &kumanet_config.TrafficFlow{
-				Port:          uint16(redirectOutboundPort),
-				Chain:         defaultConfig.Redirect.Outbound.Chain,
-				RedirectChain: defaultConfig.Redirect.Outbound.RedirectChain,
-				ExcludePorts:  excludeOutboundPorts,
+			Outbound: kumanet_config.TrafficFlow{
+				Port:         uint16(redirectOutboundPort),
+				ExcludePorts: excludeOutboundPorts,
 			},
-			DNS: &kumanet_config.DNS{
+			DNS: kumanet_config.DNS{
 				Enabled:            tpConfig.RedirectAllDNSTraffic,
 				Port:               uint16(agentDNSListenerPort),
 				ConntrackZoneSplit: tpConfig.SkipDNSConntrackZoneSplit,
 			},
 		},
+		IPv6:    ipv6,
 		Verbose: tpConfig.Verbose,
 	}
 
 	if tpConfig.DryRun {
-		return builder.BuildIPTables(cfg)
+		return builder.BuildIPTables(cfg, ipv6)
 	}
 
 	return builder.RestoreIPTables(cfg)