feat(transparent-proxy): allow --kuma-dp-user to accept UIDs and de…

…precate `--kuma-dp-uid` flag (#10920) * Unembed `Executables` from `InitializedExecutables` Removing the embedding of the `Executables` struct from `InitializedExecutables` as it is unnecessary. The fields from `Executables` are not used directly in `InitializedExecutables`, and unembedding helps to reduce clutter and improve code clarity. * Add `IPFamilyMode` to `Config` and Remove `IPv6` Field Replaced the `IPv6` field in `Config` with the `IPFamilyMode` field. This change centralizes the processing of IP family modes within the `Config` struct, simplifying the configuration and usage. * Adjust Unit Tests for `kumactl install transparent-proxy` Updated the unit tests to align with recent changes in handling IPv4 and IPv6 rules generation. Removed the use of `subnetPlaceholder` and unified the IP address for inbound traffic in tests, as there is no different inbound redirection port for IPv6 now. * Move Owner UID/username processing to Config - Allow `--kuma-dp-user` flag in `kumactl install transparent-proxy` to accept both usernames and UIDs. - Deprecate `--kuma-dp-uid` flag in favor of the enhanced `--kuma-dp-user` flag. - Make `--kuma-dp-user` flag optional. If not specified, the system will attempt to use a default UID (`5678`) or the default username (`kuma-dp`). - Relocate the user processing logic (searching for the user) to the transparent proxy Config. Signed-off-by: Bart Smykla <[email protected]>
kumahq · Jul 17, 2024 · 71e682c · 71e682c
1 parent c6d1949
commit 71e682c
Show file tree

Hide file tree

Showing 98 changed files with 287 additions and 198 deletions.
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -92,6 +92,26 @@ networking:
 
 Ensure to update your Dataplane resources to the new format to avoid any validation errors.
 
+#### Deprecation of `--kuma-dp-uid` Flag
+
+In this release, the `--kuma-dp-uid` flag used in the `kumactl install transparent-proxy` command has been deprecated. The functionality of specifying a user by UID is now included in the `--kuma-dp-user` flag, which accepts both usernames and UIDs.
+
+**New Usage Example:**
+
+Instead of using:
+```sh
+kumactl install transparent-proxy --kuma-dp-uid 1234
+```
+
+You should now use:
+```sh
+kumactl install transparent-proxy --kuma-dp-user 1234
+```
+
+If the `--kuma-dp-user` flag is not provided, the system will attempt to use the default UID (`5678`) or the default username (`kuma-dp`).
+
+Please update your scripts and configurations accordingly to accommodate this change.
+
 ## Upgrade to `2.8.x`
 
 ### MeshFaultInjection responseBandwidth.limit

diff --git a/app/cni/pkg/cni/injector_linux.go b/app/cni/pkg/cni/injector_linux.go
@@ -117,7 +117,9 @@ func mapToConfig(intermediateConfig *IntermediateConfig, logWriter *bufio.Writer
 		return nil, err
 	}
 
-	cfg.IPv6 = intermediateConfig.ipFamilyMode != "ipv4"
+	if err := cfg.IPFamilyMode.Set(intermediateConfig.ipFamilyMode); err != nil {
+		return nil, err
+	}
 
 	cfg.Redirect.Inbound.Enabled = !isGateway
 	if cfg.Redirect.Inbound.Enabled {

diff --git a/app/kumactl/cmd/completion/testdata/bash.golden b/app/kumactl/cmd/completion/testdata/bash.golden
@@ -5864,10 +5864,6 @@ _kumactl_install_transparent-proxy()
     local_nonpersistent_flags+=("--ip-family-mode=")
     flags+=("--iptables-logs")
     local_nonpersistent_flags+=("--iptables-logs")
-    flags+=("--kuma-dp-uid=")
-    two_word_flags+=("--kuma-dp-uid")
-    local_nonpersistent_flags+=("--kuma-dp-uid")
-    local_nonpersistent_flags+=("--kuma-dp-uid=")
     flags+=("--kuma-dp-user=")
     two_word_flags+=("--kuma-dp-user")
     local_nonpersistent_flags+=("--kuma-dp-user")

diff --git a/app/kumactl/cmd/install/install_transparent_proxy.go b/app/kumactl/cmd/install/install_transparent_proxy.go
@@ -5,7 +5,6 @@ package install
 
 import (
 	"fmt"
-	os_user "os/user"
 	"runtime"
 
 	"github.com/pkg/errors"
@@ -14,19 +13,16 @@ import (
 	"github.com/kumahq/kuma/pkg/transparentproxy"
 	"github.com/kumahq/kuma/pkg/transparentproxy/config"
 	"github.com/kumahq/kuma/pkg/transparentproxy/firewalld"
+	"github.com/kumahq/kuma/pkg/transparentproxy/iptables/consts"
 )
 
 type transparentProxyArgs struct {
 	RedirectPortOutBound           string
-	IpFamilyMode                   string
 	RedirectPortInBound            string
-	RedirectPortInBoundV6          string
 	ExcludeInboundPorts            string
 	ExcludeOutboundPorts           string
 	ExcludeOutboundTCPPortsForUIDs []string
 	ExcludeOutboundUDPPortsForUIDs []string
-	UID                            string
-	User                           string
 	AgentDNSListenerPort           string
 	SkipDNSConntrackZoneSplit      bool
 }
@@ -37,13 +33,10 @@ func newInstallTransparentProxy() *cobra.Command {
 	args := transparentProxyArgs{
 		RedirectPortOutBound:           "15001",
 		RedirectPortInBound:            "15006",
-		IpFamilyMode:                   "dualstack",
 		ExcludeInboundPorts:            "",
 		ExcludeOutboundPorts:           "",
 		ExcludeOutboundTCPPortsForUIDs: []string{},
 		ExcludeOutboundUDPPortsForUIDs: []string{},
-		UID:                            "",
-		User:                           "",
 		AgentDNSListenerPort:           "15053",
 		SkipDNSConntrackZoneSplit:      false,
 	}
@@ -57,7 +50,7 @@ Follow the following steps to use the Kuma data plane proxy in Transparent Proxy
 
  1) create a dedicated user for the Kuma data plane proxy, e.g. 'kuma-dp'
  2) run this command as a 'root' user to modify the host's iptables and /etc/resolv.conf
-    - supply the dedicated username with '--kuma-dp-uid'
+    - supply the dedicated username with '--kuma-dp-user'
     - all changes are easly revertible by issuing 'kumactl uninstall transparent-proxy'
     - by default the SSH port tcp/22 will not be redirected to Envoy, but everything else will.
       Use '--exclude-inbound-ports' to provide a comma separated list of ports that should also be excluded
@@ -99,19 +92,28 @@ runuser -u kuma-dp -- \
     --binary-path /usr/local/bin/envoy
 
 `,
-		PreRun: func(cmd *cobra.Command, _ []string) {
+		PreRunE: func(cmd *cobra.Command, _ []string) error {
 			cfg.RuntimeStdout = cmd.OutOrStdout()
 			cfg.RuntimeStderr = cmd.ErrOrStderr()
+
+			// Ensure the Set method is called manually if the --kuma-dp-user flag is not specified.
+			// The Set method contains logic to check for the existence of a user with the default
+			// UID "5678", and if that does not exist, it checks for the default username "kuma-dp".
+			// Since the cobra library does not call the Set method when --kuma-dp-user is not specified,
+			// we need to invoke it manually here to ensure the proper user is set.
+			if kumaDpUser := cmd.Flag("kuma-dp-user"); !kumaDpUser.Changed {
+				if err := cfg.Owner.Set(""); err != nil {
+					return err
+				}
+			}
+
+			return nil
 		},
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			if !cfg.DryRun && runtime.GOOS != "linux" {
 				return errors.Errorf("transparent proxy will work only on Linux OSes")
 			}
 
-			if args.User == "" && args.UID == "" {
-				return errors.Errorf("--kuma-dp-user or --kuma-dp-uid should be supplied")
-			}
-
 			if cfg.Redirect.DNS.CaptureAll && cfg.Redirect.DNS.Enabled {
 				return errors.Errorf("one of --redirect-dns or --redirect-all-dns-traffic should be specified")
 			}
@@ -185,14 +187,14 @@ runuser -u kuma-dp -- \
 
 	cmd.Flags().BoolVar(&cfg.DryRun, "dry-run", cfg.DryRun, "dry run")
 	cmd.Flags().BoolVar(&cfg.Verbose, "verbose", cfg.Verbose, "verbose")
-	cmd.Flags().StringVar(&args.IpFamilyMode, "ip-family-mode", args.IpFamilyMode, "The IP family mode to enable traffic redirection for. Can be 'dualstack' or 'ipv4'")
+	cmd.Flags().Var(&cfg.IPFamilyMode, "ip-family-mode", "The IP family mode to enable traffic redirection for. Can be 'dualstack' or 'ipv4'")
 	cmd.Flags().StringVar(&args.RedirectPortOutBound, "redirect-outbound-port", args.RedirectPortOutBound, "outbound port redirected to Envoy, as specified in dataplane's `networking.transparentProxying.redirectPortOutbound`")
 	cmd.Flags().BoolVar(&cfg.Redirect.Inbound.Enabled, "redirect-inbound", cfg.Redirect.Inbound.Enabled, "redirect the inbound traffic to the Envoy. Should be disabled for Gateway data plane proxies.")
 	cmd.Flags().StringVar(&args.RedirectPortInBound, "redirect-inbound-port", args.RedirectPortInBound, "inbound port redirected to Envoy, as specified in dataplane's `networking.transparentProxying.redirectPortInbound`")
 	cmd.Flags().StringVar(&args.ExcludeInboundPorts, "exclude-inbound-ports", args.ExcludeInboundPorts, "a comma separated list of inbound ports to exclude from redirect to Envoy")
 	cmd.Flags().StringVar(&args.ExcludeOutboundPorts, "exclude-outbound-ports", args.ExcludeOutboundPorts, "a comma separated list of outbound ports to exclude from redirect to Envoy")
-	cmd.Flags().StringVar(&args.User, "kuma-dp-user", args.UID, "the user that will run kuma-dp")
-	cmd.Flags().StringVar(&args.UID, "kuma-dp-uid", args.UID, "the uid of the user that will run kuma-dp")
+	cmd.Flags().Var(&cfg.Owner, "kuma-dp-user", fmt.Sprintf("the username or UID of the user that will run kuma-dp. If not provided, the system will search for a user with the default UID ('%s') or the default username ('%s')", consts.OwnerDefaultUID, consts.OwnerDefaultUsername))
+	cmd.Flags().Var(&cfg.Owner, "kuma-dp-uid", "the uid of the user that will run kuma-dp")
 	cmd.Flags().BoolVar(&cfg.Redirect.DNS.Enabled, "redirect-dns", cfg.Redirect.DNS.Enabled, "redirect only DNS requests targeted to the servers listed in /etc/resolv.conf to a specified port")
 	cmd.Flags().BoolVar(&cfg.Redirect.DNS.CaptureAll, "redirect-all-dns-traffic", cfg.Redirect.DNS.CaptureAll, "redirect all DNS traffic to a specified port, unlike --redirect-dns this will not be limited to the dns servers identified in /etc/resolve.conf")
 	cmd.Flags().StringVar(&args.AgentDNSListenerPort, "redirect-dns-port", args.AgentDNSListenerPort, "the port where the DNS agent is listening")
@@ -226,36 +228,12 @@ runuser -u kuma-dp -- \
 	cmd.Flags().StringArrayVar(&cfg.Redirect.Outbound.ExcludePortsForIPs, "exclude-outbound-ips", []string{}, "specify IP addresses (IPv4 or IPv6, with or without CIDR notation) to be excluded from transparent proxy outbound redirection. Examples: '10.0.0.1', '192.168.0.0/24', 'fe80::1', 'fd00::/8'. This flag can be specified multiple times or with multiple addresses separated by commas to exclude multiple IP addresses or ranges.")
 
 	_ = cmd.Flags().MarkDeprecated("redirect-dns-upstream-target-chain", "This flag has no effect anymore. Will be removed in 2.9.x version")
+	_ = cmd.Flags().MarkDeprecated("kuma-dp-uid", "please use --kuma-dp-user, which accepts both UIDs and usernames")
 
 	return cmd
 }
 
-func findUidGid(uid, user string) (string, string, error) {
-	var u *os_user.User
-	var err error
-
-	if u, err = os_user.LookupId(uid); err != nil {
-		if user != "" {
-			if u, err = os_user.Lookup(user); err != nil {
-				return "", "", errors.Errorf("--kuma-dp-user or --kuma-dp-uid should refer to a valid user on the host")
-			}
-		} else {
-			u = &os_user.User{
-				Uid: uid,
-				Gid: uid,
-			}
-		}
-	}
-
-	return u.Uid, u.Gid, nil
-}
-
 func parseArgs(cfg *config.Config, args *transparentProxyArgs) error {
-	uid, _, err := findUidGid(args.UID, args.User)
-	if err != nil {
-		return errors.Wrapf(err, "unable to find the kuma-dp user")
-	}
-
 	redirectInboundPort, err := transparentproxy.ParseUint16(args.RedirectPortInBound)
 	if err != nil {
 		return errors.Wrap(err, "parsing inbound redirect port failed")
@@ -287,10 +265,6 @@ func parseArgs(cfg *config.Config, args *transparentProxyArgs) error {
 		}
 	}
 
-	cfg.IPv6 = args.IpFamilyMode != "ipv4"
-
-	cfg.Owner.UID = uid
-
 	cfg.Redirect.Inbound.Port = redirectInboundPort
 	cfg.Redirect.Inbound.ExcludePorts = excludeInboundPorts
 

diff --git a/app/kumactl/cmd/install/install_transparent_proxy_test.go b/app/kumactl/cmd/install/install_transparent_proxy_test.go
@@ -40,7 +40,7 @@ var _ = Context("kumactl install transparent proxy", func() {
 	DescribeTable("should install transparent proxy",
 		func(given testCase) {
 			// given
-			args := append([]string{"install", "transparent-proxy", "--dry-run"}, given.extraArgs...)
+			args := append([]string{"install", "transparent-proxy", "--dry-run", "--ip-family-mode", "ipv4"}, given.extraArgs...)
 			stdoutBuf, stderrBuf, rootCmd := test.DefaultTestingRootCmd(args...)
 
 			// when
@@ -64,12 +64,9 @@ var _ = Context("kumactl install transparent proxy", func() {
 			Expect(stdout).To(WithTransform(func(in string) string {
 				// Replace some stuff that are environment dependent with placeholders
 				out := regexp.MustCompile(`-o ([^ ]+)`).ReplaceAllString(in, "-o ifPlaceholder")
-				out = regexp.MustCompile(`-([sd]) ([^ ]+)`).ReplaceAllString(out, "-$1 subnetPlaceholder/mask")
 				out = regexp.MustCompile(`-m comment --comment ".*?" `).ReplaceAllString(out, "")
 				out = regexp.MustCompile(`(?m)^-I OUTPUT (\d+) -p udp --dport 53 -m owner --uid-owner (\d+) -j (\w+)$`).
 					ReplaceAllString(out, "-I OUTPUT $1 -p udp --dport 53 -m owner --uid-owner $2 -j dnsJumpTargetPlaceholder")
-				out = strings.ReplaceAll(out, "15006", "inboundPort")
-				out = strings.ReplaceAll(out, "15010", "inboundPort")
 				return out
 			}, matchers.MatchGoldenEqual("testdata", given.goldenFile)))
 		},
@@ -81,13 +78,13 @@ var _ = Context("kumactl install transparent proxy", func() {
 		}),
 		Entry("should generate defaults with user id", testCase{
 			extraArgs: []string{
-				"--kuma-dp-uid", "0",
+				"--kuma-dp-user", "0",
 			},
 			goldenFile: "install-transparent-proxy.defaults.golden.txt",
 		}),
 		Entry("should generate defaults with user id and DNS redirected when no conntrack module present", testCase{
 			extraArgs: []string{
-				"--kuma-dp-uid", "0",
+				"--kuma-dp-user", "0",
 				"--redirect-all-dns-traffic",
 				"--redirect-dns-port", "12345",
 			},
@@ -102,7 +99,7 @@ var _ = Context("kumactl install transparent proxy", func() {
 		}),
 		Entry("should generate defaults with user id and DNS redirected", testCase{
 			extraArgs: []string{
-				"--kuma-dp-uid", "0",
+				"--kuma-dp-user", "0",
 				"--redirect-all-dns-traffic",
 				"--redirect-dns-port", "12345",
 			},
@@ -116,7 +113,7 @@ var _ = Context("kumactl install transparent proxy", func() {
 		}),
 		Entry("should generate defaults with user id and DNS redirected without conntrack zone splitting and log deprecate", testCase{
 			extraArgs: []string{
-				"--kuma-dp-uid", "0",
+				"--kuma-dp-user", "0",
 				"--redirect-all-dns-traffic",
 				"--redirect-dns-port", "12345",
 				"--skip-dns-conntrack-zone-split",

diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.defaults.golden.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.defaults.golden.txt
@@ -8,12 +8,12 @@
 -A PREROUTING -p tcp -j KUMA_MESH_INBOUND
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT
diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.no-conntrack.golden.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.dns.no-conntrack.golden.txt
@@ -10,13 +10,13 @@
 -I OUTPUT 2 -p udp --dport 53 -j REDIRECT --to-ports 12345
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp ! --dport 53 -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp ! --dport 53 -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp ! --dport 53 -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -p tcp --dport 53 -j REDIRECT --to-ports 12345
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT
diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports.txt
@@ -11,12 +11,12 @@
 -I OUTPUT 3 -m multiport -p udp --dport 3900,3902,4000:6000 -m owner --uid-owner 303 -j RETURN
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT
diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_allprotos.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_allprotos.txt
@@ -9,12 +9,12 @@
 -I OUTPUT 1 -m multiport -p tcp --dport 1:65535 -m owner --uid-owner 0 -j RETURN
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT
diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_onlyuid.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_onlyuid.txt
@@ -10,12 +10,12 @@
 -I OUTPUT 2 -m multiport -p udp --dport 1:65535 -m owner --uid-owner 123 -j RETURN
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT
diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_simpler.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_simpler.txt
@@ -11,12 +11,12 @@
 -I OUTPUT 3 -m multiport -p udp --dport 3900,3902,4000:6000 -m owner --uid-owner 303 -j RETURN
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT
diff --git a/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_wildcards.txt b/app/kumactl/cmd/install/testdata/install-transparent-proxy.excludedports_wildcards.txt
@@ -10,12 +10,12 @@
 -I OUTPUT 2 -m multiport -p udp --dport 1:65535 -m owner --uid-owner 0 -j RETURN
 -A OUTPUT -p tcp -j KUMA_MESH_OUTBOUND
 -A KUMA_MESH_INBOUND -p tcp -j KUMA_MESH_INBOUND_REDIRECT
--A KUMA_MESH_OUTBOUND -s subnetPlaceholder/mask -o ifPlaceholder -j RETURN
--A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d subnetPlaceholder/mask -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
+-A KUMA_MESH_OUTBOUND -s 127.0.0.6/32 -o ifPlaceholder -j RETURN
+-A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder ! -d 127.0.0.1/32 -m owner --uid-owner 0 -j KUMA_MESH_INBOUND_REDIRECT
 -A KUMA_MESH_OUTBOUND -p tcp -o ifPlaceholder -m owner ! --uid-owner 0 -j RETURN
 -A KUMA_MESH_OUTBOUND -m owner --uid-owner 0 -j RETURN
--A KUMA_MESH_OUTBOUND -d subnetPlaceholder/mask -j RETURN
+-A KUMA_MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
 -A KUMA_MESH_OUTBOUND -j KUMA_MESH_OUTBOUND_REDIRECT
--A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports inboundPort
+-A KUMA_MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
 -A KUMA_MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
 COMMIT