iptables: always use restore format (istio#53066)

* iptables: always use restore format This has been the default and only used value for >5 years. Just make it the only option. This introduces some breakages to tests, which are now legitimately failing. I don't know why they didn't fail before. These are around the new iptables idempotency logic. There are a few bugs here: * NFLOG quoting was resulting in double quotes. This is due to a mismatch of iptables input vs iptables-save output (as indicated would be a risk on the PR). * We have some NFLOGs that are not on Istio chains which breaks the logic. We should have these! I removed them, but would loveto add them back * `-A PREROUTING -m conntrack --ctstate INVALID -j DROP` rule is not on Istio chain. We need to fix this. * add nflog back * move drop to its own chain * fixes * drop unused
MorrisLaw · Sep 25, 2024 · 9a85305 · 9a85305
1 parent 6f6f3d1
commit 9a85305
Showing 65 changed files with 1,399 additions and 1,302 deletions.
diff --git a/cni/pkg/iptables/iptables.go b/cni/pkg/iptables/iptables.go
@@ -53,10 +53,9 @@ const (
 )
 
 type Config struct {
-	RestoreFormat bool `json:"RESTORE_FORMAT"`
-	TraceLogging  bool `json:"IPTABLES_TRACE_LOGGING"`
-	EnableIPv6    bool `json:"ENABLE_INBOUND_IPV6"`
-	RedirectDNS   bool `json:"REDIRECT_DNS"`
+	TraceLogging bool `json:"IPTABLES_TRACE_LOGGING"`
+	EnableIPv6   bool `json:"ENABLE_INBOUND_IPV6"`
+	RedirectDNS  bool `json:"REDIRECT_DNS"`
 	// If true, TPROXY will be used for redirection. Else, REDIRECT will be used.
 	// Currently, this is treated as a feature flag, but may be promoted to a permanent feature if there is a need.
 	TPROXYRedirection bool `json:"TPROXY_REDIRECTION"`
@@ -72,10 +71,9 @@ type IptablesConfigurator struct {
 
 func ipbuildConfig(c *Config) *iptablesconfig.Config {
 	return &iptablesconfig.Config{
-		RestoreFormat: c.RestoreFormat,
-		TraceLogging:  c.TraceLogging,
-		EnableIPv6:    c.EnableIPv6,
-		RedirectDNS:   c.RedirectDNS,
+		TraceLogging: c.TraceLogging,
+		EnableIPv6:   c.EnableIPv6,
+		RedirectDNS:  c.RedirectDNS,
 	}
 }
 
@@ -86,9 +84,7 @@ func NewIptablesConfigurator(
 	nlDeps NetlinkDependencies,
 ) (*IptablesConfigurator, *IptablesConfigurator, error) {
 	if cfg == nil {
-		cfg = &Config{
-			RestoreFormat: true,
-		}
+		cfg = &Config{}
 	}
 
 	configurator := &IptablesConfigurator{
@@ -197,7 +193,7 @@ func (cfg *IptablesConfigurator) executeDeleteCommands() error {
 
 // Setup iptables rules for in-pod mode. Ideally this should be an idempotent function.
 // NOTE that this expects to be run from within the pod network namespace!
-func (cfg *IptablesConfigurator) CreateInpodRules(log *istiolog.Scope, hostProbeSNAT, hostProbeV6SNAT *netip.Addr) error {
+func (cfg *IptablesConfigurator) CreateInpodRules(log *istiolog.Scope, hostProbeSNAT, hostProbeV6SNAT netip.Addr) error {
 	// Append our rules here
 	builder := cfg.appendInpodRules(hostProbeSNAT, hostProbeV6SNAT)
 
@@ -218,7 +214,7 @@ func (cfg *IptablesConfigurator) CreateInpodRules(log *istiolog.Scope, hostProbe
 	return nil
 }
 
-func (cfg *IptablesConfigurator) appendInpodRules(hostProbeSNAT, hostProbeV6SNAT *netip.Addr) *builder.IptablesRuleBuilder {
+func (cfg *IptablesConfigurator) appendInpodRules(hostProbeSNAT, hostProbeV6SNAT netip.Addr) *builder.IptablesRuleBuilder {
 	redirectDNS := cfg.cfg.RedirectDNS
 
 	inpodMark := fmt.Sprintf("0x%x", InpodMark) + "/" + fmt.Sprintf("0x%x", InpodMask)
@@ -477,35 +473,15 @@ func (cfg *IptablesConfigurator) appendInpodRules(hostProbeSNAT, hostProbeV6SNAT
 func (cfg *IptablesConfigurator) executeCommands(log *istiolog.Scope, iptablesBuilder *builder.IptablesRuleBuilder) error {
 	var execErrs []error
 
-	if cfg.cfg.RestoreFormat {
-		// Execute iptables-restore
-		execErrs = append(execErrs, cfg.executeIptablesRestoreCommand(log, iptablesBuilder.BuildV4Restore(), &cfg.iptV))
-		// Execute ip6tables-restore
-		if cfg.cfg.EnableIPv6 {
-			execErrs = append(execErrs, cfg.executeIptablesRestoreCommand(log, iptablesBuilder.BuildV6Restore(), &cfg.ipt6V))
-		}
-	} else {
-		// Execute iptables commands
-		execErrs = append(execErrs,
-			cfg.executeIptablesCommands(&cfg.iptV, iptablesBuilder.BuildV4()))
-		// Execute ip6tables commands
-		if cfg.cfg.EnableIPv6 {
-			execErrs = append(execErrs,
-				cfg.executeIptablesCommands(&cfg.ipt6V, iptablesBuilder.BuildV6()))
-		}
+	// Execute iptables-restore
+	execErrs = append(execErrs, cfg.executeIptablesRestoreCommand(log, iptablesBuilder.BuildV4Restore(), &cfg.iptV))
+	// Execute ip6tables-restore
+	if cfg.cfg.EnableIPv6 {
+		execErrs = append(execErrs, cfg.executeIptablesRestoreCommand(log, iptablesBuilder.BuildV6Restore(), &cfg.ipt6V))
 	}
 	return errors.Join(execErrs...)
 }
 
-func (cfg *IptablesConfigurator) executeIptablesCommands(iptVer *dep.IptablesVersion, args [][]string) error {
-	var iptErrs []error
-	// TODO: pass log all the way through
-	for _, argSet := range args {
-		iptErrs = append(iptErrs, cfg.ext.Run(iptablesconstants.IPTables, iptVer, nil, argSet...))
-	}
-	return errors.Join(iptErrs...)
-}
-
 func (cfg *IptablesConfigurator) executeIptablesRestoreCommand(
 	log *istiolog.Scope,
 	data string,

diff --git a/cni/pkg/iptables/iptables_e2e_test.go b/cni/pkg/iptables/iptables_e2e_test.go
@@ -49,12 +49,12 @@ func TestIptablesCleanRoundTrip(t *testing.T) {
 	probeSNATipv4 := netip.MustParseAddr("169.254.7.127")
 	probeSNATipv6 := netip.MustParseAddr("e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164")
 
-	cfg := &Config{RestoreFormat: true}
+	cfg := &Config{}
 	tt.config(cfg)
 
 	deps := &dep.RealDependencies{}
 	iptConfigurator, _, _ := NewIptablesConfigurator(cfg, deps, deps, EmptyNlDeps())
-	assert.NoError(t, iptConfigurator.CreateInpodRules(scopes.CNIAgent, &probeSNATipv4, &probeSNATipv6))
+	assert.NoError(t, iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6))
 
 	t.Log("starting cleanup")
 	// Cleanup, should work
@@ -63,7 +63,7 @@ func TestIptablesCleanRoundTrip(t *testing.T) {
 
 	t.Log("second run")
 	// Add again, should still work
-	assert.NoError(t, iptConfigurator.CreateInpodRules(scopes.CNIAgent, &probeSNATipv4, &probeSNATipv6))
+	assert.NoError(t, iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6))
 }
 
 func validateIptablesClean(t *testing.T) {
@@ -93,25 +93,6 @@ func setup(t *testing.T) {
 	})
 }
 
-//func runIptables(args ...string) error {
-//	c := iptablescmd.GetCommand(log.DefaultOptions())
-//	c.SetArgs(args)
-//	return c.Execute()
-//}
-//
-//func runIptablesClean(args ...string) error {
-//	c := iptablescmd.GetCommand(log.DefaultOptions())
-//	args = append(slices.Clone(args), "--cleanup-only")
-//	c.SetArgs(args)
-//	return c.Execute()
-//}
-//
-//func runIptablesOldClean(args ...string) error {
-//	c := cleancmd.GetCommand(log.DefaultOptions())
-//	c.SetArgs(args)
-//	return c.Execute()
-//}
-
 func iptablesSave(t *testing.T) string {
 	res, err := exec.Command("iptables-save").CombinedOutput()
 	assert.NoError(t, err)

diff --git a/cni/pkg/iptables/iptables_test.go b/cni/pkg/iptables/iptables_test.go
@@ -55,7 +55,7 @@ func TestIptables(t *testing.T) {
 				tt.config(cfg)
 				ext := &dep.DependenciesStub{}
 				iptConfigurator, _, _ := NewIptablesConfigurator(cfg, ext, ext, EmptyNlDeps())
-				err := iptConfigurator.CreateInpodRules(scopes.CNIAgent, &probeSNATipv4, &probeSNATipv6)
+				err := iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6)
 				if err != nil {
 					t.Fatal(err)
 				}
@@ -117,15 +117,15 @@ func TestInvokedTwiceIsIdempotent(t *testing.T) {
 	tt.config(cfg)
 	ext := &dep.DependenciesStub{}
 	iptConfigurator, _, _ := NewIptablesConfigurator(cfg, ext, ext, EmptyNlDeps())
-	err := iptConfigurator.CreateInpodRules(scopes.CNIAgent, &probeSNATipv4, &probeSNATipv6)
+	err := iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6)
 	if err != nil {
 		t.Fatal(err)
 	}
 	compareToGolden(t, false, tt.name, ext.ExecutedAll)
 
 	*ext = dep.DependenciesStub{}
 	// run another time to make sure we are idempotent
-	err = iptConfigurator.CreateInpodRules(scopes.CNIAgent, &probeSNATipv4, &probeSNATipv6)
+	err = iptConfigurator.CreateInpodRules(scopes.CNIAgent, probeSNATipv4, probeSNATipv6)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -151,7 +151,5 @@ func compareToGolden(t *testing.T, ipv6 bool, name string, actual []string) {
 }
 
 func constructTestConfig() *Config {
-	return &Config{
-		RestoreFormat: false,
-	}
+	return &Config{}
 }
diff --git a/cni/pkg/iptables/testdata/default.golden b/cni/pkg/iptables/testdata/default.golden
@@ -1,24 +1,30 @@
-iptables -t mangle -N ISTIO_PRERT
-iptables -t nat -N ISTIO_PRERT
-iptables -t nat -N ISTIO_OUTPUT
-iptables -t mangle -N ISTIO_OUTPUT
-iptables -t raw -N ISTIO_OUTPUT
-iptables -t raw -N ISTIO_PRERT
-iptables -t mangle -A PREROUTING -j ISTIO_PRERT
-iptables -t mangle -A OUTPUT -j ISTIO_OUTPUT
-iptables -t nat -A OUTPUT -j ISTIO_OUTPUT
-iptables -t raw -A PREROUTING -j ISTIO_PRERT
-iptables -t raw -A OUTPUT -j ISTIO_OUTPUT
-iptables -t nat -A PREROUTING -j ISTIO_PRERT
-iptables -t mangle -A ISTIO_PRERT -m mark --mark 0x539/0xfff -j CONNMARK --set-xmark 0x111/0xfff
-iptables -t nat -A ISTIO_PRERT -s 169.254.7.127 -p tcp -m tcp -j ACCEPT
-iptables -t nat -A ISTIO_OUTPUT -d 169.254.7.127 -p tcp -m tcp -j ACCEPT
-iptables -t nat -A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15006
-iptables -t mangle -A ISTIO_OUTPUT -m connmark --mark 0x111/0xfff -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-iptables -t nat -A ISTIO_OUTPUT ! -o lo -p udp -m mark ! --mark 0x539/0xfff -m udp --dport 53 -j REDIRECT --to-port 15053
-iptables -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp --dport 53 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15053
-iptables -t raw -A ISTIO_OUTPUT -p udp -m mark --mark 0x539/0xfff -m udp --dport 53 -j CT --zone 1
-iptables -t raw -A ISTIO_PRERT -p udp -m mark ! --mark 0x539/0xfff -m udp --sport 53 -j CT --zone 1
-iptables -t nat -A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
-iptables -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ACCEPT
-iptables -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001
+* mangle
+-N ISTIO_PRERT
+-N ISTIO_OUTPUT
+-A PREROUTING -j ISTIO_PRERT
+-A OUTPUT -j ISTIO_OUTPUT
+-A ISTIO_PRERT -m mark --mark 0x539/0xfff -j CONNMARK --set-xmark 0x111/0xfff
+-A ISTIO_OUTPUT -m connmark --mark 0x111/0xfff -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+COMMIT
+* nat
+-N ISTIO_PRERT
+-N ISTIO_OUTPUT
+-A OUTPUT -j ISTIO_OUTPUT
+-A PREROUTING -j ISTIO_PRERT
+-A ISTIO_PRERT -s 169.254.7.127 -p tcp -m tcp -j ACCEPT
+-A ISTIO_OUTPUT -d 169.254.7.127 -p tcp -m tcp -j ACCEPT
+-A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15006
+-A ISTIO_OUTPUT ! -o lo -p udp -m mark ! --mark 0x539/0xfff -m udp --dport 53 -j REDIRECT --to-port 15053
+-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp --dport 53 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15053
+-A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
+-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ACCEPT
+-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001
+COMMIT
+* raw
+-N ISTIO_OUTPUT
+-N ISTIO_PRERT
+-A PREROUTING -j ISTIO_PRERT
+-A OUTPUT -j ISTIO_OUTPUT
+-A ISTIO_OUTPUT -p udp -m mark --mark 0x539/0xfff -m udp --dport 53 -j CT --zone 1
+-A ISTIO_PRERT -p udp -m mark ! --mark 0x539/0xfff -m udp --sport 53 -j CT --zone 1
+COMMIT
diff --git a/cni/pkg/iptables/testdata/default_ipv6.golden b/cni/pkg/iptables/testdata/default_ipv6.golden
@@ -1,48 +1,60 @@
-iptables -t mangle -N ISTIO_PRERT
-iptables -t nat -N ISTIO_PRERT
-iptables -t nat -N ISTIO_OUTPUT
-iptables -t mangle -N ISTIO_OUTPUT
-iptables -t raw -N ISTIO_OUTPUT
-iptables -t raw -N ISTIO_PRERT
-iptables -t mangle -A PREROUTING -j ISTIO_PRERT
-iptables -t mangle -A OUTPUT -j ISTIO_OUTPUT
-iptables -t nat -A OUTPUT -j ISTIO_OUTPUT
-iptables -t raw -A PREROUTING -j ISTIO_PRERT
-iptables -t raw -A OUTPUT -j ISTIO_OUTPUT
-iptables -t nat -A PREROUTING -j ISTIO_PRERT
-iptables -t mangle -A ISTIO_PRERT -m mark --mark 0x539/0xfff -j CONNMARK --set-xmark 0x111/0xfff
-iptables -t nat -A ISTIO_PRERT -s 169.254.7.127 -p tcp -m tcp -j ACCEPT
-iptables -t nat -A ISTIO_OUTPUT -d 169.254.7.127 -p tcp -m tcp -j ACCEPT
-iptables -t nat -A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15006
-iptables -t mangle -A ISTIO_OUTPUT -m connmark --mark 0x111/0xfff -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-iptables -t nat -A ISTIO_OUTPUT ! -o lo -p udp -m mark ! --mark 0x539/0xfff -m udp --dport 53 -j REDIRECT --to-port 15053
-iptables -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp --dport 53 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15053
-iptables -t raw -A ISTIO_OUTPUT -p udp -m mark --mark 0x539/0xfff -m udp --dport 53 -j CT --zone 1
-iptables -t raw -A ISTIO_PRERT -p udp -m mark ! --mark 0x539/0xfff -m udp --sport 53 -j CT --zone 1
-iptables -t nat -A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
-iptables -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ACCEPT
-iptables -t nat -A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001
-ip6tables -t mangle -N ISTIO_PRERT
-ip6tables -t nat -N ISTIO_PRERT
-ip6tables -t nat -N ISTIO_OUTPUT
-ip6tables -t mangle -N ISTIO_OUTPUT
-ip6tables -t raw -N ISTIO_OUTPUT
-ip6tables -t raw -N ISTIO_PRERT
-ip6tables -t mangle -A PREROUTING -j ISTIO_PRERT
-ip6tables -t mangle -A OUTPUT -j ISTIO_OUTPUT
-ip6tables -t nat -A OUTPUT -j ISTIO_OUTPUT
-ip6tables -t raw -A PREROUTING -j ISTIO_PRERT
-ip6tables -t raw -A OUTPUT -j ISTIO_OUTPUT
-ip6tables -t nat -A PREROUTING -j ISTIO_PRERT
-ip6tables -t mangle -A ISTIO_PRERT -m mark --mark 0x539/0xfff -j CONNMARK --set-xmark 0x111/0xfff
-ip6tables -t nat -A ISTIO_PRERT -s e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 -p tcp -m tcp -j ACCEPT
-ip6tables -t nat -A ISTIO_OUTPUT -d e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 -p tcp -m tcp -j ACCEPT
-ip6tables -t nat -A ISTIO_PRERT ! -d ::1/128 -p tcp ! --dport 15008 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15006
-ip6tables -t mangle -A ISTIO_OUTPUT -m connmark --mark 0x111/0xfff -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-ip6tables -t nat -A ISTIO_OUTPUT ! -o lo -p udp -m mark ! --mark 0x539/0xfff -m udp --dport 53 -j REDIRECT --to-port 15053
-ip6tables -t nat -A ISTIO_OUTPUT ! -d ::1/128 -p tcp --dport 53 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15053
-ip6tables -t raw -A ISTIO_OUTPUT -p udp -m mark --mark 0x539/0xfff -m udp --dport 53 -j CT --zone 1
-ip6tables -t raw -A ISTIO_PRERT -p udp -m mark ! --mark 0x539/0xfff -m udp --sport 53 -j CT --zone 1
-ip6tables -t nat -A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
-ip6tables -t nat -A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ACCEPT
-ip6tables -t nat -A ISTIO_OUTPUT ! -d ::1/128 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001
+* mangle
+-N ISTIO_PRERT
+-N ISTIO_OUTPUT
+-A PREROUTING -j ISTIO_PRERT
+-A OUTPUT -j ISTIO_OUTPUT
+-A ISTIO_PRERT -m mark --mark 0x539/0xfff -j CONNMARK --set-xmark 0x111/0xfff
+-A ISTIO_OUTPUT -m connmark --mark 0x111/0xfff -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+COMMIT
+* nat
+-N ISTIO_PRERT
+-N ISTIO_OUTPUT
+-A OUTPUT -j ISTIO_OUTPUT
+-A PREROUTING -j ISTIO_PRERT
+-A ISTIO_PRERT -s 169.254.7.127 -p tcp -m tcp -j ACCEPT
+-A ISTIO_OUTPUT -d 169.254.7.127 -p tcp -m tcp -j ACCEPT
+-A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15006
+-A ISTIO_OUTPUT ! -o lo -p udp -m mark ! --mark 0x539/0xfff -m udp --dport 53 -j REDIRECT --to-port 15053
+-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp --dport 53 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15053
+-A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
+-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ACCEPT
+-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001
+COMMIT
+* raw
+-N ISTIO_OUTPUT
+-N ISTIO_PRERT
+-A PREROUTING -j ISTIO_PRERT
+-A OUTPUT -j ISTIO_OUTPUT
+-A ISTIO_OUTPUT -p udp -m mark --mark 0x539/0xfff -m udp --dport 53 -j CT --zone 1
+-A ISTIO_PRERT -p udp -m mark ! --mark 0x539/0xfff -m udp --sport 53 -j CT --zone 1
+COMMIT
+* mangle
+-N ISTIO_PRERT
+-N ISTIO_OUTPUT
+-A PREROUTING -j ISTIO_PRERT
+-A OUTPUT -j ISTIO_OUTPUT
+-A ISTIO_PRERT -m mark --mark 0x539/0xfff -j CONNMARK --set-xmark 0x111/0xfff
+-A ISTIO_OUTPUT -m connmark --mark 0x111/0xfff -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+COMMIT
+* nat
+-N ISTIO_PRERT
+-N ISTIO_OUTPUT
+-A OUTPUT -j ISTIO_OUTPUT
+-A PREROUTING -j ISTIO_PRERT
+-A ISTIO_PRERT -s e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 -p tcp -m tcp -j ACCEPT
+-A ISTIO_OUTPUT -d e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164 -p tcp -m tcp -j ACCEPT
+-A ISTIO_PRERT ! -d ::1/128 -p tcp ! --dport 15008 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15006
+-A ISTIO_OUTPUT ! -o lo -p udp -m mark ! --mark 0x539/0xfff -m udp --dport 53 -j REDIRECT --to-port 15053
+-A ISTIO_OUTPUT ! -d ::1/128 -p tcp --dport 53 -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15053
+-A ISTIO_OUTPUT -p tcp -m mark --mark 0x111/0xfff -j ACCEPT
+-A ISTIO_OUTPUT ! -d ::1/128 -o lo -j ACCEPT
+-A ISTIO_OUTPUT ! -d ::1/128 -p tcp -m mark ! --mark 0x539/0xfff -j REDIRECT --to-ports 15001
+COMMIT
+* raw
+-N ISTIO_OUTPUT
+-N ISTIO_PRERT
+-A PREROUTING -j ISTIO_PRERT
+-A OUTPUT -j ISTIO_OUTPUT
+-A ISTIO_OUTPUT -p udp -m mark --mark 0x539/0xfff -m udp --dport 53 -j CT --zone 1
+-A ISTIO_PRERT -p udp -m mark ! --mark 0x539/0xfff -m udp --sport 53 -j CT --zone 1
+COMMIT
diff --git a/cni/pkg/iptables/testdata/hostprobe.golden b/cni/pkg/iptables/testdata/hostprobe.golden
@@ -1,3 +1,5 @@
-iptables -t nat -N ISTIO_POSTRT
-iptables -t nat -A POSTROUTING -j ISTIO_POSTRT
-iptables -t nat -A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v4 dst -j SNAT --to-source 169.254.7.127
+* nat
+-N ISTIO_POSTRT
+-A POSTROUTING -j ISTIO_POSTRT
+-A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v4 dst -j SNAT --to-source 169.254.7.127
+COMMIT
diff --git a/cni/pkg/iptables/testdata/hostprobe_ipv6.golden b/cni/pkg/iptables/testdata/hostprobe_ipv6.golden
@@ -1,6 +1,10 @@
-iptables -t nat -N ISTIO_POSTRT
-iptables -t nat -A POSTROUTING -j ISTIO_POSTRT
-iptables -t nat -A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v4 dst -j SNAT --to-source 169.254.7.127
-ip6tables -t nat -N ISTIO_POSTRT
-ip6tables -t nat -A POSTROUTING -j ISTIO_POSTRT
-ip6tables -t nat -A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v6 dst -j SNAT --to-source fd16:9254:7127:1337:ffff:ffff:ffff:ffff
+* nat
+-N ISTIO_POSTRT
+-A POSTROUTING -j ISTIO_POSTRT
+-A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v4 dst -j SNAT --to-source 169.254.7.127
+COMMIT
+* nat
+-N ISTIO_POSTRT
+-A POSTROUTING -j ISTIO_POSTRT
+-A ISTIO_POSTRT -m owner --socket-exists -p tcp -m set --match-set istio-inpod-probes-v6 dst -j SNAT --to-source fd16:9254:7127:1337:ffff:ffff:ffff:ffff
+COMMIT