
test(transparent-proxy): add exclude ports flags to tproxy tests (#10871)

Signed-off-by: Bart Smykla <[email protected]>
bartsmykla authored Jul 11, 2024
1 parent 8643ff2 commit 4b01e64
Showing 59 changed files with 292 additions and 0 deletions.
2 changes: 2 additions & 0 deletions test/transparentproxy/config.go
Expand Up @@ -99,6 +99,8 @@ var defaultConfig = TransparentProxyConfig{
"--exclude-outbound-ports-for-uids", "53,3000-5000:106-108",
"--exclude-outbound-ips", "10.0.0.1,192.168.0.0/24,fe80::1",
"--exclude-outbound-ips", "fd00::/8",
"--exclude-outbound-ports", "1,22,333",
"--exclude-inbound-ports", "4444,55555",
},
},
IPV6: false,
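Review bot: The new `--exclude-outbound-ports` and `--exclude-inbound-ports` entries in defaultConfig use only single ports, so the range form that the neighbouring `--exclude-outbound-ports-for-uids` entry already exercises (`3000-5000`) is never covered for the new flags, and the golden files in this commit accordingly contain one `--dport N` rule per port and no `--dport a:b` rule. If these flags accept ranges, add one value such as `"--exclude-outbound-ports", "1,22,333,8000-8002",` and regenerate the goldens so the range form is checked; if they do not, a short comment saying so would stop the next reader from expecting it. It is also worth a comment beside the inbound entry that a port listed here bypasses the sidecar entirely (the generated rules are plain `-j RETURN` ahead of the redirect), since that is the consequence a test author should keep in mind when choosing values. defaultConfig starts before the hunk.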
Expand Up @@ -25,8 +25,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s ::6/128 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using ::6/128) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d ::1/128 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address ::1/128, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
Expand Up @@ -25,8 +25,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s ::6/128 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using ::6/128) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d ::1/128 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address ::1/128, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
Expand Up @@ -27,8 +27,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using 127.0.0.6/32) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d 127.0.0.1/32 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address 127.0.0.1/32, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
Expand Up @@ -27,8 +27,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using 127.0.0.6/32) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d 127.0.0.1/32 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address 127.0.0.1/32, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
Expand Up @@ -32,8 +32,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s ::6/128 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using ::6/128) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d ::1/128 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address ::1/128, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
Expand Up @@ -32,8 +32,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s ::6/128 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using ::6/128) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d ::1/128 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address ::1/128, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
Expand Up @@ -34,8 +34,13 @@ COMMIT
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/return early for DNS traffic from kuma-dp" -m udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp -m comment --comment "kuma/mesh/transparent/proxy/redirect all DNS requests to the kuma-dp DNS proxy (listening on port 15053)" -m udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic to our custom chain for processing" -j KUMA_MESH_OUTBOUND
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 4444 from redirection" -m tcp --dport 4444 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude inbound traffic from port 55555 from redirection" -m tcp --dport 55555 -j RETURN
-A KUMA_MESH_INBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect all inbound traffic to the custom chain for processing" -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_INBOUND_REDIRECT -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect TCP traffic to envoy (port 15006)" -j REDIRECT --to-ports 15006
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 1 from redirection" -m tcp --dport 1 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 22 from redirection" -m tcp --dport 22 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -m comment --comment "kuma/mesh/transparent/proxy/exclude outbound traffic from port 333 from redirection" -m tcp --dport 333 -j RETURN
-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -m comment --comment "kuma/mesh/transparent/proxy/prevent traffic loops by ensuring traffic from the sidecar proxy (using 127.0.0.6/32) to loopback interface is not redirected again" -j RETURN
-A KUMA_MESH_OUTBOUND ! -d 127.0.0.1/32 -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/redirect outbound TCP traffic (except to DNS port 53) destined for loopback interface, but not targeting address 127.0.0.1/32, and owned by UID 5678 (kuma-dp user) to KUMA_MESH_INBOUND_REDIRECT chain for proper handling" -m tcp ! --dport 53 -m owner --uid-owner 5678 -j KUMA_MESH_INBOUND_REDIRECT
-A KUMA_MESH_OUTBOUND -o ifPlaceholder -p tcp -m comment --comment "kuma/mesh/transparent/proxy/return outbound TCP traffic (except to DNS port 53) destined for loopback interface, owned by any UID other than 5678 (kuma-dp user)" -m tcp ! --dport 53 -m owner ! --uid-owner 5678 -j RETURN
