Use localhost TCP redirection to the proxy (#34)

* add rules to redirect localhost TCP traffic to the proxy

* add params for nftables init script

* bump to latest release

* simplify rules and enforce precedence

* alternative approach

* update table name in the list and also avoid redirection for Envoy admin port

* bump version in preparation for future release

Author: mattbates

internal/const/const.go

@@ -38,6 +38,6 @@ const (
 const (
 	DebugUIContainerName = "spiffe-enable-ui"
 	DebugUIPort          = 8000
-	DefaultDebugUIImage  = "ghcr.io/cofide/spiffe-enable-ui:v0.2.3"
+	DefaultDebugUIImage  = "ghcr.io/cofide/spiffe-enable-ui:v0.3.0"
 	EnvVarUIImage        = "SPIFFE_ENABLE_UI_IMAGE"
 )

internal/helper/config.go

@@ -16,7 +16,7 @@ import (
 // Images
 var (
 	SPIFFEHelperImage = "ghcr.io/spiffe/spiffe-helper:0.10.1"
-	InitHelperImage   = "ghcr.io/cofide/spiffe-enable-init:v0.2.3"
+	InitHelperImage   = "ghcr.io/cofide/spiffe-enable-init:v0.3.0"
 )
 
 // Constants

internal/proxy/config.go

@@ -25,8 +25,16 @@ const (
 	EnvoyConfigContentEnvVar     = "ENVOY_CONFIG_CONTENT"
 	EnvoyConfigInitContainerName = "inject-envoy-config"
 	EnvoyPort                    = 10000
+	EnvoyUID                     = 101
+	DNSProxyPort                 = 15053
 )
 
+type NftablesParams struct {
+	EnvoyUID     int
+	EnvoyPort    int
+	DNSProxyPort int
+}
+
 const nftablesSetupScript = `
 if ! command -v nft &> /dev/null; then
     echo "nftables (nft) is not installed"
@@ -36,19 +44,24 @@ fi
 # These nftables rules intercept DNS requests (UDP+TCP)
 # and redirect to a DNS proxy provided by Envoy
 cat <<EOF > /tmp/dns_redirect.nft
-table inet envoy_dns_interception {
-    chain redirect_dns_output {
+table inet envoy_proxy {
+	chain envoy_output {
         type nat hook output priority dstnat; policy accept;
 
-        # Rule to accept DNS from skuid 101 (Envoy) - UDP
-        meta skuid == 101 udp dport 53 counter accept comment "Accept Envoy UDP DNS"
+        # Skip Envoy's own traffic
+        meta skuid == {{.EnvoyUID}} return
+
+        # DNS redirection
+        udp dport 53 counter redirect to :{{.DNSProxyPort}} comment "DNS UDP to Envoy"
+        tcp dport 53 counter redirect to :{{.DNSProxyPort}} comment "DNS TCP to Envoy"
 
-        # Rule to accept DNS from skuid 101 (Envoy) - TCP
-        meta skuid == 101 tcp dport 53 counter accept comment "Accept Envoy TCP DNS"
+        # Skip traffic already going to Envoy port
+        tcp dport {{.EnvoyPort}} return
+        tcp dport 9901 return
 
-        # Rules to redirect DNS
-        meta skuid != 101 udp dport 53 counter redirect to :15053 comment "Webhook: UDP DNS to Envoy"
-        meta skuid != 101 tcp dport 53 counter redirect to :15053 comment "Webhook: TCP DNS to Envoy"
+        # Redirect loopback TCP traffic (using tcp dport range to match all TCP)
+        ip daddr 127.0.0.1/8 tcp dport 1-65535 counter redirect to :{{.EnvoyPort}} comment "Loopback IPv4 to Envoy"
+        ip6 daddr ::1/128 tcp dport 1-65535 counter redirect to :{{.EnvoyPort}} comment "Loopback IPv6 to Envoy"
     }
 }
 EOF
@@ -58,7 +71,7 @@ nft -f /tmp/dns_redirect.nft
 echo "nftables DNS redirection rules applied."
 
 echo "Applied rules:"
-nft list table inet envoy_dns_interception
+nft list table inet envoy_proxy
 `
 
 type EnvoyConfigParams struct {
@@ -162,13 +175,19 @@ func NewEnvoy(params EnvoyConfigParams) (*Envoy, error) {
 		},
 	}
 
+	nftTablesParams := NftablesParams{
+		EnvoyUID:     EnvoyUID,
+		EnvoyPort:    EnvoyPort,
+		DNSProxyPort: DNSProxyPort,
+	}
+
 	tmpl, err := template.New("initScript").Parse(nftablesSetupScript)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse nftables init script template: %w", err)
 	}
 
 	var renderedScript bytes.Buffer
-	if err := tmpl.Execute(&renderedScript, params); err != nil {
+	if err := tmpl.Execute(&renderedScript, nftTablesParams); err != nil {
 		return nil, fmt.Errorf("failed to render nftables init script template with params: %w", err)
 	}