Add traffic permissions integration tests.

[erichaberkorn]

Description

Add integration tests for TCP traffic permissions.

PR Checklist

• updated test coverage
• external facing docs updated
• appropriate backport labels added
• not a security concern

[erichaberkorn]

I don't particularly like this, but it's hard to do much better without making a breaking change that impacts tons and tons of tests.

[erichaberkorn]

@ishustava It feels weird to me that configuring a traffic permission with default allow only swaps to default deny for a single port rather than all port. Should we change this behavior to swap all ports to default deny?

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Ignored Deployments

Name	Status	Preview	Comments	Updated (UTC)
consul	⬜️ Ignored (Inspect)	Visit Preview		Oct 4, 2023 4:02pm
consul-ui-staging	⬜️ Ignored (Inspect)			Oct 4, 2023 4:02pm

[jmurret]

Should this be trafficpermissions?

[jmurret]

👍 LGTM. Can you add the comment in code that I mentioned? Once it is merged, I will reference it in the ticket that I create.

[jmurret]

Can we add a note for something like:

On Mac M1s when TProxy is enabled, consul-dataplane that are spawned from this image (only used in consul-container integration tests) will terminate with the below error. It is related to tproxy-startup.sh calling iptables SDK which then calls the underly iptables. We are investigating how this works on M1s with consul-envoy images which do not have this problem. For the time being tproxy tests on Mac M1s will fail locally but pass in CI.

Error setting up traffic redirection rules: failed to run command: /sbin/iptables -t nat -N CONSUL_PROXY_INBOUND, err: exit status 1, output: iptables: Failed to initialize nft: Protocol not supported