linkerd · pcalcado · Dec 19, 2017 · Dec 13, 2017 · Dec 18, 2017
diff --git a/cli/cmd/inject.go b/cli/cmd/inject.go
@@ -26,6 +26,7 @@ var (
 	inboundPort                   uint
 	outboundPort                  uint
 	ignoreInboundPorts            []uint
+	ignoreOutboundPorts           []uint
 	proxyControlPort              uint
 	proxyAPIPort                  uint
 	conduitCreatedByAnnotation    = "conduit.io/created-by"
@@ -205,21 +206,27 @@ func injectDaemonSet(bytes []byte) (interface{}, error) {
  */
 func injectPodTemplateSpec(t *v1.PodTemplateSpec) enhancedPodTemplateSpec {
 	f := false
-	skipPorts := append(ignoreInboundPorts, proxyControlPort)
-	skipPortsStr := make([]string, len(skipPorts))
-	for i, p := range skipPorts {
-		skipPortsStr[i] = strconv.Itoa(int(p))
+	inboundSkipPorts := append(ignoreInboundPorts, proxyControlPort)
+	inboundSkipPortsStr := make([]string, len(inboundSkipPorts))
+	for i, p := range inboundSkipPorts {
+		inboundSkipPortsStr[i] = strconv.Itoa(int(p))
+	}
+
+	outboundSkipPortsStr := make([]string, len(ignoreOutboundPorts))
+	for i, p := range ignoreOutboundPorts {
+		outboundSkipPortsStr[i] = strconv.Itoa(int(p))
 	}
 
 	initContainer := v1.Container{
 		Name:            "conduit-init",
 		Image:           fmt.Sprintf("%s:%s", initImage, version),
 		ImagePullPolicy: v1.PullPolicy(imagePullPolicy),
 		Args: []string{
-			"-p", fmt.Sprintf("%d", inboundPort),
-			"-o", fmt.Sprintf("%d", outboundPort),
-			"-i", fmt.Sprintf("%s", strings.Join(skipPortsStr, ",")),
-			"-u", fmt.Sprintf("%d", proxyUID),
+			"--incoming-proxy-port", fmt.Sprintf("%d", inboundPort),
+			"--outgoing-proxy-port", fmt.Sprintf("%d", outboundPort),
+			"--inbound-ports-to-ignore", fmt.Sprintf("%s", strings.Join(inboundSkipPortsStr, ",")),
+			"--outbound-ports-to-ignore", fmt.Sprintf("%s", strings.Join(outboundSkipPortsStr, ",")),
+			"--proxy-uid", fmt.Sprintf("%d", proxyUID),
 		},
 		SecurityContext: &v1.SecurityContext{
 			Capabilities: &v1.Capabilities{
@@ -363,6 +370,7 @@ func init() {
 	injectCmd.PersistentFlags().UintVar(&inboundPort, "inbound-port", 4143, "proxy port to use for inbound traffic")
 	injectCmd.PersistentFlags().UintVar(&outboundPort, "outbound-port", 4140, "proxy port to use for outbound traffic")
 	injectCmd.PersistentFlags().UintSliceVar(&ignoreInboundPorts, "skip-inbound-ports", nil, "ports that should skip the proxy and send directly to the applicaiton")
+	injectCmd.PersistentFlags().UintSliceVar(&ignoreOutboundPorts, "skip-outbound-ports", nil, "outbound ports that should skip the proxy")
 	injectCmd.PersistentFlags().UintVar(&proxyControlPort, "control-port", 4190, "proxy port to use for control")
 	injectCmd.PersistentFlags().UintVar(&proxyAPIPort, "api-port", 8086, "port where the Conduit controller is running")
 }
diff --git a/proxy-init/cmd/root.go b/proxy-init/cmd/root.go
@@ -13,7 +13,8 @@ var incomingProxyPort int
 var outgoingProxyPort int
 var proxyUserId int
 var portsToRedirect []int
-var portsToIgnore []int
+var inboundPortsToIgnore []int
+var outboundPortsToIgnore []int
 var simulateOnly bool
 
 var RootCmd = &cobra.Command{
@@ -42,7 +43,8 @@ func init() {
 	RootCmd.PersistentFlags().IntVarP(&outgoingProxyPort, "outgoing-proxy-port", "o", -1, "Port to redirect outgoing traffic")
 	RootCmd.PersistentFlags().BoolVar(&simulateOnly, "simulate", false, "Don't execute any command, just print what would be executed")
 	RootCmd.PersistentFlags().IntSliceVarP(&portsToRedirect, "ports-to-redirect", "r", make([]int, 0), "Port to redirect to proxy, if no port is specified then ALL ports are redirected")
-	RootCmd.PersistentFlags().IntSliceVarP(&portsToIgnore, "ports-to-ignore", "i", make([]int, 0), "Port to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
+	RootCmd.PersistentFlags().IntSliceVar(&inboundPortsToIgnore, "inbound-ports-to-ignore", make([]int, 0), "Inbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
+	RootCmd.PersistentFlags().IntSliceVar(&outboundPortsToIgnore, "outbound-ports-to-ignore", make([]int, 0), "Outbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
 	RootCmd.PersistentFlags().IntVarP(&proxyUserId, "proxy-uid", "u", -1, "User ID that the proxy is running under. Any traffic coming from this user will be ignored to avoid infinite redirection loops.")
 }
 
@@ -66,7 +68,8 @@ func buildFirewallConfiguration() iptables.FirewallConfiguration {
 	}
 
 	firewallConfiguration.PortsToRedirectInbound = portsToRedirect
-	firewallConfiguration.PortsToIgnore = portsToIgnore
+	firewallConfiguration.InboundPortsToIgnore = inboundPortsToIgnore
+	firewallConfiguration.OutboundPortsToIgnore = outboundPortsToIgnore
 	firewallConfiguration.ProxyInboundPort = incomingProxyPort
 	firewallConfiguration.ProxyOutgoingPort = outgoingProxyPort
 	firewallConfiguration.ProxyUid = proxyUserId

diff --git a/proxy-init/integration_test/iptables/http_test.go b/proxy-init/integration_test/iptables/http_test.go
@@ -114,8 +114,13 @@ func TestPodWithSomePortsIgnored(t *testing.T) {
 	t.Run("doesnt redirect when through port that is ignored", func(t *testing.T) {
 		marksParallelIfConfigured(t)
 		response := expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, ignoredContainerPort)
+
+		if response == "proxy" {
+			t.Fatalf("Expected connection through ignored port to directly hit service, but hit [%s]", response)
+		}
+
 		if !strings.Contains(response, ignoredContainerPort) {
-			t.Fatalf("Expected iptables to ignore connection to %s, got back %s", ignoredContainerPort, response)
+			t.Fatalf("Expected to be able to connect to %s without redirects, but got back %s", ignoredContainerPort, response)
 		}
 	})
 }
@@ -144,8 +149,8 @@ func TestPodMakesOutboundConnection(t *testing.T) {
 
 	t.Run("connecting to another pod from proxy container does not get redirected to proxy", func(t *testing.T) {
 		marksParallelIfConfigured(t)
-		targetPodIp := podWithNoRulesIp
 		targetPodName := podWithNoRulesName
+		targetPodIp := podWithNoRulesIp
 
 		response := makeCallFromContainerToAnother(t, proxyPodIp, proxyContainerPort, targetPodIp, notTheProxyContainerPort)
 

diff --git a/proxy-init/integration_test/iptables/iptablestest-lab.yaml b/proxy-init/integration_test/iptables/iptablestest-lab.yaml
@@ -167,7 +167,7 @@ spec:
       - name: conduit-init
         image: gcr.io/runconduit/proxy-init:latest
         imagePullPolicy: Never
-        args: ["-p", "8080",  "-o", "8080", "-u", "2102", "-i", "7070"]
+        args: ["-p", "8080",  "-o", "8080", "-u", "2102", "--inbound-ports-to-ignore", "7070"]
         securityContext:
           capabilities:
             add:

diff --git a/proxy-init/iptables/iptables.go b/proxy-init/iptables/iptables.go
@@ -23,7 +23,8 @@ var (
 type FirewallConfiguration struct {
 	Mode                   string
 	PortsToRedirectInbound []int
-	PortsToIgnore          []int
+	InboundPortsToIgnore   []int
+	OutboundPortsToIgnore  []int
 	ProxyInboundPort       int
 	ProxyOutgoingPort      int
 	ProxyUid               int
@@ -77,6 +78,7 @@ func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration Firewal
 
 	commands = append(commands, makeCreateNewChain(ConduitOutputChainName, "redirect-common-chain"))
 
+	// Ingore traffic from the proxy
 	if firewallConfiguration.ProxyUid > 0 {
 		log.Printf("Ignoring uid %d", firewallConfiguration.ProxyUid)
 		commands = append(commands, makeIgnoreUserId(ConduitOutputChainName, firewallConfiguration.ProxyUid, "ignore-proxy-user-id"))
@@ -86,6 +88,8 @@ func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration Firewal
 
 	// Ignore loopback
 	commands = append(commands, makeIgnoreLoopback(ConduitOutputChainName, "ignore-loopback"))
+	// Ignore ports
+	commands = addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, ConduitOutputChainName, commands)
 
 	log.Printf("Redirecting all OUTPUT to %d", firewallConfiguration.ProxyOutgoingPort)
 	commands = append(commands, makeRedirectChainToPort(ConduitOutputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port"))
@@ -101,7 +105,7 @@ func addIncomingTrafficRules(commands []*exec.Cmd, firewallConfiguration Firewal
 	executeCommand(firewallConfiguration, makeDeleteChain(ConduitRedirectChainName))
 
 	commands = append(commands, makeCreateNewChain(ConduitRedirectChainName, "redirect-common-chain"))
-	commands = addRulesForIgnoredPorts(firewallConfiguration, ConduitRedirectChainName, commands)
+	commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, ConduitRedirectChainName, commands)
 	commands = addRulesForInboundPortRedirect(firewallConfiguration, ConduitRedirectChainName, commands)
 
 	//Redirect all remaining inbound traffic to the proxy.
@@ -130,9 +134,9 @@ func addRulesForInboundPortRedirect(firewallConfiguration FirewallConfiguration,
 	return commands
 }
 
-func addRulesForIgnoredPorts(firewallConfiguration FirewallConfiguration, chainName string, commands []*exec.Cmd) []*exec.Cmd {
-	for _, ignoredPort := range firewallConfiguration.PortsToIgnore {
-		log.Printf("Will ignore port %d", ignoredPort)
+func addRulesForIgnoredPorts(portsToIgnore []int, chainName string, commands []*exec.Cmd) []*exec.Cmd {
+	for _, ignoredPort := range portsToIgnore {
+		log.Printf("Will ignore port %d on chain %s", ignoredPort, chainName)
 
 		commands = append(commands, makeIgnorePort(chainName, ignoredPort, fmt.Sprintf("ignore-port-%d", ignoredPort)))
 	}