[Bug?] Iptables rule to redirect calls to itself

[hochuenw-dd]

Hi team, I'm trying to understand this iptables rule in linkerd-init.

Redirect calls originating from the proxy destined for an app container e.g. app -> proxy(outbound) -> proxy(inbound) -> app

So it does something like -A PROXY_INIT_OUTPUT -m owner --uid-owner 2102 -o lo ! -d 127.0.0.1/32 -j PROXY_INIT_REDIRECT
My understanding is that when the pod calls itself using the pod ip, packets should be redirected. Packets will be redirected to the local outbound proxy and then the local inbound proxy and then the local app again.

But there is another rule that is doing something like -A PROXY_INIT_OUTPUT -o lo -j RETURN,

My understanding is in kubernetes, when you use the pod IP to call itself, it will not be redirected to the proxy. (to verify, pod ip is in the output of ip route show table local. ) So app -> proxy(outbound) wont happen in this case.
It only looks right to me if we change -A PROXY_INIT_OUTPUT -o lo -j RETURN to -A PROXY_INIT_OUTPUT -d 127.0.0.1/32 -j RETURN

Is this a bug? Did I miss anything?

[olix0r]

My understanding is that when the pod calls itself using the pod ip, packets should be redirected. Packets will be redirected to the local outbound proxy and then the local inbound proxy and then the local app again.
...
My understanding is in kubernetes, when you use the pod IP to call itself, it will not be redirected to the proxy.

@hochuenw-dd I think you're understanding this correctly, but I think it's working as intended. If the packet isn't actually leaving the pod, there's not much value the proxy adds, though there is added latency, etc. Is there a use case where you need the proxy to intercept effectively local communication? We may be open to changing the behavior, but it would need some careful consideration.

[hochuenw-dd]

Hi @olix0r , thanks so much the reply.

I'm still trying to understand the current state in Linkerd for this.
If the intention is do not redirect the packet if it's not leaving the pod, when will this rule be used?
-A PROXY_INIT_OUTPUT -m owner --uid-owner 2102 -o lo ! -d 127.0.0.1/32 -j PROXY_INIT_REDIRECT.
I feel like this is a useless rule (because iiuc, when the leaving packet from linkerd-proxy goes through loopback interface, the destination address is always 127.0.0.1/32).

For reference, this is added by #1863, note the first sentence implies something different

When requests from a pod send requests to itself, the proxy properly redirects traffic from the originating container in the pod through the outbound listener of the proxy.

Does it sound right we can just remove this rule?

Thanks