feat: add upstream docker output to tproxy
Signed-off-by: Bart Smykla <[email protected]>
bartsmykla committed Jan 14, 2023
1 parent 5215990 commit 9e30f57
Showing 4 changed files with 32 additions and 10 deletions.
24 changes: 19 additions & 5 deletions pkg/transparentproxy/config/config.go
Expand Up @@ -69,11 +69,14 @@ type TrafficFlow struct {
}

type DNS struct {
Enabled bool
CaptureAll bool
Port uint16
ConntrackZoneSplit bool
ResolvConfigPath string
Enabled bool
CaptureAll bool
Port uint16
// The iptables chain where the upstream DNS requests should be directed to.
// It is only applied for IP V4. Use with care. (default "RETURN")
UpstreamTargetChain string
ConntrackZoneSplit bool
ResolvConfigPath string
}

type VNet struct {
Expand Down Expand Up @@ -153,6 +156,13 @@ func (c Config) ShouldRedirectDNS() bool {
return c.Redirect.DNS.Enabled
}

// ShouldFallbackDNSToUpstreamChain is just a convenience function which can be used in
// iptables conditional command generations instead of inlining anonymous functions
// i.e. AppendIf(ShouldFallbackDNSToUpstreamChain, Match(...), Jump(Drop()))
func (c Config) ShouldFallbackDNSToUpstreamChain() bool {
return c.Redirect.DNS.UpstreamTargetChain != ""
}

// ShouldCaptureAllDNS is just a convenience function which can be used in
// iptables conditional command generations instead of inlining anonymous functions
// i.e. AppendIf(ShouldCaptureAllDNS, Match(...), Jump(Drop()))
Expand Down Expand Up @@ -309,6 +319,10 @@ func MergeConfigWithDefaults(cfg Config) Config {
result.Redirect.DNS.ResolvConfigPath = cfg.Redirect.DNS.ResolvConfigPath
}

if cfg.Redirect.DNS.UpstreamTargetChain != "" {
result.Redirect.DNS.UpstreamTargetChain = cfg.Redirect.DNS.UpstreamTargetChain
}

if cfg.Redirect.DNS.Port != 0 {
result.Redirect.DNS.Port = cfg.Redirect.DNS.Port
}
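Review bot: The comment on `UpstreamTargetChain` says `(default "RETURN")`, but nothing in this section sets such a default: the field's zero value is the empty string, `MergeConfigWithDefaults` only copies a non-empty value, and `ShouldFallbackDNSToUpstreamChain` treats empty as "not configured", so RETURN is what the rule builder falls back to rather than a value this field ever holds. Suggest rewording it to `// Name of an existing nat chain that the agent's own DNS traffic (matched by UID) is jumped to from OUTPUT instead of RETURN. Empty (the zero value) keeps the RETURN target; see ShouldFallbackDNSToUpstreamChain.` The "only applied for IP V4" sentence is not enforced by anything visible in this commit; if it is enforced elsewhere the comment should say where, otherwise it will mislead the next reader. The `DNS` struct context and the body of `MergeConfigWithDefaults` extend outside the hunks shown.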
8 changes: 7 additions & 1 deletion pkg/transparentproxy/iptables/builder/builder_nat.go
Expand Up @@ -225,13 +225,19 @@ func addOutputRules(cfg config.Config, dnsServers []string, nat *table.NatTable)
}

if cfg.ShouldRedirectDNS() {
jumpTarget := Return()
if cfg.ShouldFallbackDNSToUpstreamChain() {
jumpTarget = ToUserDefinedChain(cfg.Redirect.DNS.UpstreamTargetChain)
}

nat.Output().Insert(
rulePosition,
Protocol(Udp(DestinationPort(DNSPort))),
Match(Owner(Uid(uid))),
Jump(Return()),
Jump(jumpTarget),
)
rulePosition++

if cfg.ShouldCaptureAllDNS() {
nat.Output().Insert(
rulePosition,
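Review bot: `ToUserDefinedChain(cfg.Redirect.DNS.UpstreamTargetChain)` takes the chain name straight from the `--redirect-dns-upstream-target-chain` flag (see test/framework/universal_app.go) and nothing in this commit validates it. iptables rejects chain names longer than 28 characters, a value containing whitespace or a leading `-`/`!` will at best fail at apply time and, if the rule set is rendered to text for iptables-restore, could be read as additional rule tokens, and a chain that does not exist in the nat table makes the whole rule set fail to load, which is worth saying in a comment next to `jumpTarget := Return()`. Suggest a conservative allowlist check before the jump target is built; the return type of `addOutputRules` is cut off in the header shown, so if it cannot return an error the same check belongs where the flag is parsed. The enclosing function continues outside the hunk.
```go
// validChainName is a conservative allowlist for the user-supplied upstream
// chain name: iptables limits chain names to 28 characters, and whitespace,
// '!' or a leading '-' must never reach the generated rule.
var validChainName = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,27}$`)

// … unchanged: earlier rules in addOutputRules …
	if cfg.ShouldRedirectDNS() {
		// Empty UpstreamTargetChain keeps the RETURN target; otherwise the agent's
		// DNS traffic is handed to a chain that must already exist in the nat table.
		jumpTarget := Return()
		if cfg.ShouldFallbackDNSToUpstreamChain() {
			chain := cfg.Redirect.DNS.UpstreamTargetChain
			if !validChainName.MatchString(chain) {
				return fmt.Errorf("invalid DNS upstream target chain name %q", chain)
			}
			jumpTarget = ToUserDefinedChain(chain)
		}
		// … unchanged: Insert of the UDP/UID rule with Jump(jumpTarget) …
```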
9 changes: 5 additions & 4 deletions pkg/transparentproxy/transparentproxy_experimental.go
Expand Up @@ -161,10 +161,11 @@ func (tp *ExperimentalTransparentProxy) Setup(tpConfig *config.TransparentProxyC
ExcludePortsForUIDs: excludePortsForUIDs,
},
DNS: config.DNS{
Enabled: tpConfig.RedirectDNS,
CaptureAll: tpConfig.RedirectAllDNSTraffic,
Port: agentDNSListenerPort,
ConntrackZoneSplit: !tpConfig.SkipDNSConntrackZoneSplit,
Enabled: tpConfig.RedirectDNS,
CaptureAll: tpConfig.RedirectAllDNSTraffic,
Port: agentDNSListenerPort,
UpstreamTargetChain: tpConfig.DNSUpstreamTargetChain,
ConntrackZoneSplit: !tpConfig.SkipDNSConntrackZoneSplit,
},
VNet: config.VNet{
Networks: tpConfig.VnetNetworks,
1 change: 1 addition & 0 deletions test/framework/universal_app.go
Expand Up @@ -490,6 +490,7 @@ func (s *UniversalApp) setupTransparent(cpIp string, builtindns bool, experiment
if builtindns {
args = append(args,
"--redirect-dns",
"--redirect-dns-upstream-target-chain", "DOCKER_OUTPUT",
)
}

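Review bot: `"DOCKER_OUTPUT"` is hard-coded with no explanation of where that chain comes from, so a reader of `setupTransparent` cannot tell that the test now depends on a chain Docker creates rather than one the framework sets up. Suggest a comment above the appended pair, e.g. `// DOCKER_OUTPUT is the nat chain Docker's embedded DNS (127.0.0.11) relies on; without jumping there the agent's own DNS queries would bypass it.`, assuming that is the motivation behind the commit title — confirm against the tproxy change. The body of `setupTransparent` continues outside the hunk.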
