lds: Add "transparent" option to support iptables TPROXY in listeners #522
Merged
htuch merged 3 commits into envoyproxy:master from rlenglet:lds-transparent-option on Mar 6, 2018
Signed-off-by: Romain Lenglet <romain@covalent.io>
kyessenov reviewed Mar 5, 2018
envoy/api/v2/lds.proto
Outdated
| // Whether the listener should be set as a transparent socket. When this flag is set to true, | ||
| // connections can be redirected to the listener using an *iptables* *TPROXY* target, in which | ||
| // case the original source and destination addresses and ports are preserved on acccepted |
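Review bot: typo in the last comment line of this hunk: "acccepted" should be "accepted".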
Signed-off-by: Romain Lenglet <romain@covalent.io>
htuch reviewed Mar 6, 2018
envoy/api/v2/lds.proto
Outdated
| // connections can be redirected to the listener using an *iptables* *TPROXY* target, in which | ||
| // case the original source and destination addresses and ports are preserved on accepted | ||
| // connections. Requires Envoy to run with the *CAP_NET_ADMIN* capability. Defaults to false. | ||
| google.protobuf.BoolValue transparent = 10; |
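Review bot: the field comment says "Requires Envoy to run with the *CAP_NET_ADMIN* capability" but does not document what happens when `transparent` is true and the capability is missing. Suggest adding one sentence stating whether the listener is rejected or is created without the option, so operators know which failure to expect.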
This should just be bool if the default is false. Can you add details to the commit message on the motivation for this feature? Thanks.
Signed-off-by: Romain Lenglet <romain@covalent.io>
Add a "transparent" option to Listener to set the SOL_IP/IP_TRANSPARENT option on listen sockets, which allows using Envoy with the iptables TPROXY target.
Unlike the iptables REDIRECT target, TPROXY allows preserving both the source and destination IP addresses and ports of accepted connections.
API changes for: envoyproxy/envoy#2719
Signed-off-by: Romain Lenglet <romain@covalent.io>
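The socket-level behavior the description refers to, as an added C example that is not part of this PR or of Envoy's code. `open_listener`, `is_transparent` and `local_port` are hypothetical helper names, and the listener binds to port 0 on all addresses purely for demonstration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not Envoy code. Hypothetical helper: returns a listening fd,
 * or -errno. The option is set before bind(). Without sufficient privilege (the
 * page names CAP_NET_ADMIN) setsockopt() fails with EPERM and no socket is kept. */
int open_listener(unsigned short port, int transparent)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    /* sin_addr is left zeroed, which is INADDR_ANY. */
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if ((transparent && setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof one) < 0) ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Reads the option back: 1 if set, 0 if not, -errno on error. */
int is_transparent(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;
    return getsockopt(fd, SOL_IP, IP_TRANSPARENT, &v, &len) < 0 ? -errno : (v != 0);
}

/* Local port of a socket, or -errno. On a connection accepted through TPROXY,
 * getsockname() reports the client's original destination address and port. */
int local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ? -errno : ntohs(sa.sin_port);
}

int main(void)
{
    int fd = open_listener(0, 1); /* port 0: the kernel picks a free port */
    if (fd < 0) { fprintf(stderr, "transparent listener: %s\n", strerror(-fd)); return 1; }
    printf("port=%d IP_TRANSPARENT=%d\n", local_port(fd), is_transparent(fd));
    return close(fd);
}
```

Run unprivileged, the program reports the `EPERM` failure instead of falling back to a non-transparent listener.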