
[transparent-proxy] remove redundant TCP DNS port matchers from iptables rules #14576

@bartsmykla

Description

Follow-up to: #14557

After that change, TCP packets on DNS port 53 are no longer redirected, but some rules still include redundant ! --dport 53 matchers. These can be safely removed to simplify the ruleset.

For example, this rule:

-A KUMA_MESH_OUTBOUND -p tcp ! --dport 53 -o eth0 -m owner ! --uid-owner 0 -j RETURN

can now be reduced to:

-A KUMA_MESH_OUTBOUND -p tcp -o eth0 -m owner ! --uid-owner 0 -j RETURN

Cleaning up these unnecessary TCP DNS port matchers will make the rules clearer and easier to maintain.
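The cleanup described above can be checked mechanically. The following is an added example (not code from the Kuma project or from the issue author): a small linter over an iptables-save style ruleset that drops `! --dport 53` matchers from TCP rules, but only when the ruleset contains no TCP DNS redirect at all, which is the precondition that makes the matcher redundant. The sample rules are constructed for the demonstration; the first one is the rule quoted in the issue, and the chain names and UIDs beyond that are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample ruleset in iptables-save syntax (not from the Kuma project).
# The first rule is the example quoted in the issue; the rest are assumptions.
SAMPLE_RULES = """\
-A KUMA_MESH_OUTBOUND -p tcp ! --dport 53 -o eth0 -m owner ! --uid-owner 0 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp ! --dport 53 -m owner --uid-owner 5678 -j RETURN
-A KUMA_MESH_OUTBOUND -p udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A KUMA_MESH_OUTBOUND -p tcp -j KUMA_MESH_OUTBOUND_REDIRECT
"""

# A TCP rule that still redirects (REDIRECT/DNAT) traffic to port 53 means the
# negated matcher is NOT redundant. The lookbehind excludes "! --dport 53".
TCP_DNS_REDIRECT = re.compile(r"-p tcp\b.*(?<!! )--dport 53\b.*-j (?:REDIRECT|DNAT)\b")

# The matcher to drop, including its leading space so the rule stays well-formed.
NEG_DPORT_53 = re.compile(r" ! --dport 53\b")


def tcp_dns_still_redirected(rules: List[str]) -> bool:
    """True if any rule still redirects TCP traffic destined to port 53."""
    return any(TCP_DNS_REDIRECT.search(rule) for rule in rules)


def simplify_ruleset(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (simplified rules, list of (before, after) changes).

    A '! --dport 53' matcher on a TCP rule is removed only when the ruleset
    contains no TCP DNS redirect; otherwise the matcher still changes which
    packets the rule sees and must be kept.
    """
    rules = [line for line in text.splitlines() if line.strip()]
    if tcp_dns_still_redirected(rules):
        return rules, []
    simplified: List[str] = []
    changes: List[Tuple[str, str]] = []
    for rule in rules:
        new_rule = rule
        if " -p tcp " in f" {rule} " and NEG_DPORT_53.search(rule):
            new_rule = NEG_DPORT_53.sub("", rule)
            changes.append((rule, new_rule))
        simplified.append(new_rule)
    return simplified, changes


if __name__ == "__main__":
    rules, changes = simplify_ruleset(SAMPLE_RULES)
    for before, after in changes:
        print(f"- {before}\n+ {after}")
    print("\n".join(rules))
```

Running it on the sample prints a before/after pair for each TCP rule that carried the matcher and leaves the UDP rule untouched; appending a rule such as `-p tcp --dport 53 -j REDIRECT` to the input makes the linter report no changes, because the matcher is then still load-bearing.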

Labels: kind/improvement (Improvement on an existing feature), triage/accepted (The issue was reviewed and is complete enough to start working on it)