kumahq · bartsmykla · Jan 20, 2022 · Dec 9, 2021 · Dec 16, 2021 · Jan 14, 2022
@@ -3259,6 +3259,8 @@ _kumactl_install_transparent-proxy()
     two_word_flags+=("--redirect-outbound-port")
     local_nonpersistent_flags+=("--redirect-outbound-port")
     local_nonpersistent_flags+=("--redirect-outbound-port=")
+    flags+=("--skip-dns-conntrack-zone-split")
+    local_nonpersistent_flags+=("--skip-dns-conntrack-zone-split")
     flags+=("--skip-resolv-conf")
     local_nonpersistent_flags+=("--skip-resolv-conf")
     flags+=("--store-firewalld")

@@ -22,46 +22,48 @@ import (
 )
 
 type transparentProxyArgs struct {
-	DryRun                 bool
-	Verbose                bool
-	RedirectPortOutBound   string
-	RedirectInbound        bool
-	RedirectPortInBound    string
-	RedirectPortInBoundV6  string
-	ExcludeInboundPorts    string
-	ExcludeOutboundPorts   string
-	UID                    string
-	User                   string
-	RedirectDNS            bool
-	RedirectAllDNSTraffic  bool
-	AgentDNSListenerPort   string
-	DNSUpstreamTargetChain string
-	SkipResolvConf         bool
-	StoreFirewalld         bool
-	KumaCpIP               net.IP
+	DryRun                    bool
+	Verbose                   bool
+	RedirectPortOutBound      string
+	RedirectInbound           bool
+	RedirectPortInBound       string
+	RedirectPortInBoundV6     string
+	ExcludeInboundPorts       string
+	ExcludeOutboundPorts      string
+	UID                       string
+	User                      string
+	RedirectDNS               bool
+	RedirectAllDNSTraffic     bool
+	AgentDNSListenerPort      string
+	DNSUpstreamTargetChain    string
+	SkipResolvConf            bool
+	StoreFirewalld            bool
+	KumaCpIP                  net.IP
+	SkipDNSConntrackZoneSplit bool
 }
 
 var defaultCpIP = net.IPv4(0, 0, 0, 0)
 
 func newInstallTransparentProxy() *cobra.Command {
 	args := transparentProxyArgs{
-		DryRun:                 false,
-		Verbose:                false,
-		RedirectPortOutBound:   "15001",
-		RedirectInbound:        true,
-		RedirectPortInBound:    "15006",
-		RedirectPortInBoundV6:  "15010",
-		ExcludeInboundPorts:    "",
-		ExcludeOutboundPorts:   "",
-		UID:                    "",
-		User:                   "",
-		RedirectDNS:            false,
-		RedirectAllDNSTraffic:  false,
-		AgentDNSListenerPort:   "15053",
-		DNSUpstreamTargetChain: "RETURN",
-		SkipResolvConf:         false,
-		StoreFirewalld:         false,
-		KumaCpIP:               defaultCpIP,
+		DryRun:                    false,
+		Verbose:                   false,
+		RedirectPortOutBound:      "15001",
+		RedirectInbound:           true,
+		RedirectPortInBound:       "15006",
+		RedirectPortInBoundV6:     "15010",
+		ExcludeInboundPorts:       "",
+		ExcludeOutboundPorts:      "",
+		UID:                       "",
+		User:                      "",
+		RedirectDNS:               false,
+		RedirectAllDNSTraffic:     false,
+		AgentDNSListenerPort:      "15053",
+		DNSUpstreamTargetChain:    "RETURN",
+		SkipResolvConf:            false,
+		StoreFirewalld:            false,
+		KumaCpIP:                  defaultCpIP,
+		SkipDNSConntrackZoneSplit: false,
 	}
 	cmd := &cobra.Command{
 		Use:   "transparent-proxy",
@@ -175,6 +177,7 @@ runuser -u kuma-dp -- \
 	cmd.Flags().BoolVar(&args.SkipResolvConf, "skip-resolv-conf", args.SkipResolvConf, "skip modifying the host `/etc/resolv.conf`")
 	cmd.Flags().BoolVar(&args.StoreFirewalld, "store-firewalld", args.StoreFirewalld, "store the iptables changes with firewalld")
 	cmd.Flags().IPVar(&args.KumaCpIP, "kuma-cp-ip", args.KumaCpIP, "the IP address of the Kuma CP which exposes the DNS service on port 53.")
+	cmd.Flags().BoolVar(&args.SkipDNSConntrackZoneSplit, "skip-dns-conntrack-zone-split", args.SkipDNSConntrackZoneSplit, "skip applying conntrack zone splitting iptables rules")
 
 	return cmd
 }
@@ -217,20 +220,21 @@ func modifyIpTables(cmd *cobra.Command, args *transparentProxyArgs) error {
 		_, _ = cmd.OutOrStdout().Write([]byte("kumactl is about to apply the iptables rules that will enable transparent proxying on the machine. The SSH connection may drop. If that happens, just reconnect again.\n"))
 	}
 	output, err := tp.Setup(&config.TransparentProxyConfig{
-		DryRun:                 args.DryRun,
-		Verbose:                args.Verbose,
-		RedirectPortOutBound:   args.RedirectPortOutBound,
-		RedirectInBound:        args.RedirectInbound,
-		RedirectPortInBound:    args.RedirectPortInBound,
-		RedirectPortInBoundV6:  args.RedirectPortInBoundV6,
-		ExcludeInboundPorts:    args.ExcludeInboundPorts,
-		ExcludeOutboundPorts:   args.ExcludeOutboundPorts,
-		UID:                    uid,
-		GID:                    gid,
-		RedirectDNS:            args.RedirectDNS,
-		RedirectAllDNSTraffic:  args.RedirectAllDNSTraffic,
-		AgentDNSListenerPort:   args.AgentDNSListenerPort,
-		DNSUpstreamTargetChain: args.DNSUpstreamTargetChain,
+		DryRun:                    args.DryRun,
+		Verbose:                   args.Verbose,
+		RedirectPortOutBound:      args.RedirectPortOutBound,
+		RedirectInBound:           args.RedirectInbound,
+		RedirectPortInBound:       args.RedirectPortInBound,
+		RedirectPortInBoundV6:     args.RedirectPortInBoundV6,
+		ExcludeInboundPorts:       args.ExcludeInboundPorts,
+		ExcludeOutboundPorts:      args.ExcludeOutboundPorts,
+		UID:                       uid,
+		GID:                       gid,
+		RedirectDNS:               args.RedirectDNS,
+		RedirectAllDNSTraffic:     args.RedirectAllDNSTraffic,
+		AgentDNSListenerPort:      args.AgentDNSListenerPort,
+		DNSUpstreamTargetChain:    args.DNSUpstreamTargetChain,
+		SkipDNSConntrackZoneSplit: args.SkipDNSConntrackZoneSplit,
 	})
 	if err != nil {
 		return errors.Wrap(err, "failed to setup transparent proxy")

@@ -69,7 +69,7 @@ var _ = Describe("kumactl install tracing", func() {
 			},
 			goldenFile: "install-transparent-proxy.defaults.golden.txt",
 		}),
-		Entry("should generate defaults with user id and DNS redirected ", testCase{
+		Entry("should generate defaults with user id and DNS redirected", testCase{
 			extraArgs: []string{
 				"--kuma-dp-uid", "0",
 				"--kuma-cp-ip", "1.2.3.4",
@@ -80,6 +80,18 @@ var _ = Describe("kumactl install tracing", func() {
 			},
 			goldenFile: "install-transparent-proxy.dns.golden.txt",
 		}),
+		Entry("should generate defaults with user id and DNS redirected without conntrack zone splitting", testCase{
+			extraArgs: []string{
+				"--kuma-dp-uid", "0",
+				"--kuma-cp-ip", "1.2.3.4",
+				"--skip-resolv-conf",
+				"--redirect-all-dns-traffic",
+				"--redirect-dns-port", "12345",
+				"--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT",
+				"--skip-dns-conntrack-zone-split",
+			},
+			goldenFile: "install-transparent-proxy.dns.golden.txt",
+		}),
 		Entry("should generate defaults with overrides", testCase{
 			extraArgs: []string{
 				"--kuma-dp-user", "root",

@@ -79,6 +79,7 @@ kumactl install transparent-proxy [flags]
       --redirect-inbound-port networking.transparentProxying.redirectPortInbound        inbound port redirected to Envoy, as specified in dataplane's networking.transparentProxying.redirectPortInbound (default "15006")
       --redirect-inbound-port-v6 networking.transparentProxying.redirectPortInboundV6   IPv6 inbound port redirected to Envoy, as specified in dataplane's networking.transparentProxying.redirectPortInboundV6 (default "15010")
       --redirect-outbound-port networking.transparentProxying.redirectPortOutbound      outbound port redirected to Envoy, as specified in dataplane's networking.transparentProxying.redirectPortOutbound (default "15001")
+      --skip-dns-conntrack-zone-split                                                   skip applying conntrack zone splitting iptables rules
       --skip-resolv-conf /etc/resolv.conf                                               skip modifying the host /etc/resolv.conf
       --store-firewalld                                                                 store the iptables changes with firewalld
       --verbose                                                                         verbose

@@ -284,6 +284,7 @@ func (i *KumaInjector) NewInitContainer(pod *kube_core.Pod) (kube_core.Container
 			Capabilities: &kube_core.Capabilities{
 				Add: []kube_core.Capability{
 					kube_core.Capability("NET_ADMIN"),
+					kube_core.Capability("NET_RAW"),
 				},
 			},
 		},

@@ -150,6 +150,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -158,6 +158,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -212,6 +212,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   nodeSelector:

@@ -150,6 +150,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -143,6 +143,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
 status: {}
@@ -151,6 +151,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -150,6 +150,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -153,6 +153,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -152,6 +152,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -151,6 +151,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -150,6 +150,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -150,6 +150,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -162,6 +162,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -162,6 +162,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -162,6 +162,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -159,6 +159,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -159,6 +159,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -159,6 +159,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -162,6 +162,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -162,6 +162,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -167,6 +167,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -163,6 +163,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -174,6 +174,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -175,6 +175,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes:

@@ -174,6 +174,7 @@ spec:
       capabilities:
         add:
         - NET_ADMIN
+        - NET_RAW
       runAsGroup: 0
       runAsUser: 0
   volumes: