kumahq · lukidzi · Feb 4, 2026
@@ -0,0 +1,114 @@
+resources:
+- name: self_transparentproxy_no_destination_inbound
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    altStatName: self_transparentproxy_no_destination_inbound
+    connectTimeout: 5s
+    name: self_transparentproxy_no_destination_inbound
+    type: STATIC
+- name: self_transparentproxy_passthrough_inbound_ipv4
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    connectTimeout: 5s
+    lbPolicy: CLUSTER_PROVIDED
+    name: self_transparentproxy_passthrough_inbound_ipv4
+    type: ORIGINAL_DST
+    upstreamBindConfig:
+      sourceAddress:
+        address: 127.0.0.6
+        portValue: 0
+- name: self_transparentproxy_passthrough_inbound_ipv6
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    connectTimeout: 5s
+    lbPolicy: CLUSTER_PROVIDED
+    name: self_transparentproxy_passthrough_inbound_ipv6
+    type: ORIGINAL_DST
+    upstreamBindConfig:
+      sourceAddress:
+        address: ::6
+        portValue: 0
+- name: self_transparentproxy_passthrough_outbound_ipv4
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    connectTimeout: 5s
+    lbPolicy: CLUSTER_PROVIDED
+    name: self_transparentproxy_passthrough_outbound_ipv4
+    type: ORIGINAL_DST
+- name: self_transparentproxy_passthrough_outbound_ipv6
+  resource:
+    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    connectTimeout: 5s
+    lbPolicy: CLUSTER_PROVIDED
+    name: self_transparentproxy_passthrough_outbound_ipv6
+    type: ORIGINAL_DST
+- name: self_transparentproxy_passthrough_inbound_ipv4
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: 0.0.0.0
+        portValue: 15006
+    enableReusePort: false
+    filterChains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          cluster: self_transparentproxy_passthrough_inbound_ipv4
+          statPrefix: self_transparentproxy_passthrough_inbound_ipv4
+    name: self_transparentproxy_passthrough_inbound_ipv4
+    trafficDirection: INBOUND
+    useOriginalDst: true
+- name: self_transparentproxy_passthrough_inbound_ipv6
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: '::'
+        portValue: 15006
+    enableReusePort: false
+    filterChains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          cluster: self_transparentproxy_passthrough_inbound_ipv6
+          statPrefix: self_transparentproxy_passthrough_inbound_ipv6
+    name: self_transparentproxy_passthrough_inbound_ipv6
+    trafficDirection: INBOUND
+    useOriginalDst: true
+- name: self_transparentproxy_passthrough_outbound_ipv4
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: 0.0.0.0
+        portValue: 15001
+    filterChains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          cluster: self_transparentproxy_passthrough_outbound_ipv4
+          statPrefix: self_transparentproxy_passthrough_outbound_ipv4
+    name: self_transparentproxy_passthrough_outbound_ipv4
+    trafficDirection: OUTBOUND
+    useOriginalDst: true
+- name: self_transparentproxy_passthrough_outbound_ipv6
+  resource:
+    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    address:
+      socketAddress:
+        address: '::'
+        portValue: 15001
+    filterChains:
+    - filters:
+      - name: envoy.filters.network.tcp_proxy
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          cluster: self_transparentproxy_passthrough_outbound_ipv6
+          statPrefix: self_transparentproxy_passthrough_outbound_ipv6
+    name: self_transparentproxy_passthrough_outbound_ipv6
+    trafficDirection: OUTBOUND
+    useOriginalDst: true
@@ -134,7 +134,7 @@ func CreateInboundPassthroughListener(
 		WithOverwriteName(listenerName).
 		Configure(envoy_listeners.OriginalDstForwarder())
 
-	if useStrictInboundPorts {
+	if useStrictInboundPorts && len(proxy.Dataplane.Spec.Networking.Inbound) > 0 {
 		for _, inbound := range proxy.Dataplane.Spec.Networking.Inbound {
 			// if service doesn't have any port we don't need to expose listener
 			if inbound.Port == mesh_proto.TCPPortReserved {

@@ -274,5 +274,40 @@ var _ = Describe("TransparentProxyGenerator", func() {
 			tlsMode:          mesh_proto.CertificateAuthorityBackend_PERMISSIVE.Enum(),
 			expected:         "08.envoy.golden.yaml",
 		}),
+		Entry("transparent_proxying=true,unified_naming=true,inbound_filter,strict,gateway", testCase{
+			proxy: &model.Proxy{
+				Metadata: &model.DataplaneMetadata{Features: map[string]bool{
+					types.FeatureUnifiedResourceNaming: true,
+					types.FeatureStrictInboundPorts:    true,
+				}},
+				Id: *model.BuildProxyId("", "side-car"),
+				Dataplane: &core_mesh.DataplaneResource{
+					Meta: &test_model.ResourceMeta{
+						Version: "v1",
+					},
+					Spec: &mesh_proto.Dataplane{
+						Networking: &mesh_proto.Dataplane_Networking{
+							Gateway: &mesh_proto.Dataplane_Networking_Gateway{
+								Tags: map[string]string{
+									"app": "test-gateway",
+								},
+								Type: mesh_proto.Dataplane_Networking_Gateway_DELEGATED,
+							},
+							TransparentProxying: &mesh_proto.Dataplane_Networking_TransparentProxying{
+								IpFamilyMode:         mesh_proto.Dataplane_Networking_TransparentProxying_DualStack,
+								RedirectPortOutbound: 15001,
+								RedirectPortInbound:  15006,
+							},
+						},
+					},
+				},
+				APIVersion:        envoy_common.APIV3,
+				Policies:          model.MatchedPolicies{},
+				InternalAddresses: DummyInternalAddresses,
+			},
+			meshServicesMode: mesh_proto.Mesh_MeshServices_Exclusive,
+			tlsMode:          mesh_proto.CertificateAuthorityBackend_STRICT.Enum(),
+			expected:         "09.envoy.golden.yaml",
+		}),
 	)
 })