Dns proxy port test

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/cilium/checkmate v1.0.3
 	github.com/cilium/coverbee v0.3.2
 	github.com/cilium/deepequal-gen v0.0.0-20231116094812-0d6c075c335f
-	github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1
+	github.com/cilium/dns v1.1.51-0.20240425101412-2469d2c08d78
 	github.com/cilium/ebpf v0.14.0
 	github.com/cilium/endpointslice-controller v0.0.0-20240409203012-75cb5d61db1b
 	github.com/cilium/fake v0.6.1

pkg/endpoint/endpoint.go

@@ -720,6 +720,15 @@ func (e *Endpoint) GetNodeMAC() mac.MAC {
 	return e.nodeMAC
 }
 
+// ConntrackName returns the name suffix for the endpoint-specific bpf
+// conntrack map, which is a 5-digit endpoint ID, or "global" when the
+// global map should be used.
+func (e *Endpoint) ConntrackName() string {
+	e.unconditionalRLock()
+	defer e.runlock()
+	return e.ConntrackNameLocked()
+}
+
 // ConntrackNameLocked returns the name suffix for the endpoint-specific bpf
 // conntrack map, which is a 5-digit endpoint ID, or "global" when the
 // global map should be used.

pkg/fqdn/dnsproxy/proxy.go

@@ -32,11 +32,13 @@ import (
 	"github.com/cilium/cilium/pkg/lock"
 	"github.com/cilium/cilium/pkg/logging"
 	"github.com/cilium/cilium/pkg/logging/logfields"
+	"github.com/cilium/cilium/pkg/maps/ctmap"
 	"github.com/cilium/cilium/pkg/option"
 	"github.com/cilium/cilium/pkg/policy"
 	"github.com/cilium/cilium/pkg/proxy/accesslog"
 	"github.com/cilium/cilium/pkg/spanstat"
 	"github.com/cilium/cilium/pkg/time"
+	"github.com/cilium/cilium/pkg/u8proto"
 )
 
 const (
@@ -52,6 +54,8 @@ const (
 	// ProxyBindRetryInterval is how long to wait between attempts to bind to the
 	// proxy address:port
 	ProxyBindRetryInterval = ProxyBindTimeout / 5
+
+	DNSSourcePort = 1109
 )
 
 // DNSProxy is a L7 proxy for DNS traffic. It keeps a list of allowed DNS
@@ -932,9 +936,11 @@ func (p *DNSProxy) ServeDNS(w dns.ResponseWriter, request *dns.Msg) {
 		return
 	}
 
+	sourceID := ep.GetIdentity()
+
 	scopedLog = scopedLog.WithFields(logrus.Fields{
 		logfields.EndpointID: ep.StringID(),
-		logfields.Identity:   ep.GetIdentity(),
+		logfields.Identity:   sourceID,
 	})
 
 	targetServerIP, targetServerPortProto, targetServerAddrStr, err := p.lookupTargetDNSServer(w)
@@ -1017,7 +1023,7 @@ func (p *DNSProxy) ServeDNS(w dns.ResponseWriter, request *dns.Msg) {
 		Control: func(network, address string, c syscall.RawConn) error {
 			var soerr error
 			if err := c.Control(func(su uintptr) {
-				soerr = setSoMarks(int(su), ipFamily, ep.GetIdentity())
+				soerr = setSoMarks(int(su), ipFamily, sourceID)
 			}); err != nil {
 				return err
 			}
@@ -1032,8 +1038,43 @@ func (p *DNSProxy) ServeDNS(w dns.ResponseWriter, request *dns.Msg) {
 	// - the destination is known to be outside of the cluster, or
 	// - is the local host
 	if option.Config.DNSProxyEnableTransparentMode && !ep.IsHost() && !epAddr.IsLoopback() && ep.ID != uint16(identity.ReservedIdentityHost) && targetServerID.IsCluster() && targetServerID != identity.ReservedIdentityHost {
-		dialer.LocalAddr = w.RemoteAddr()
-		key = protocol + "-" + epIPPort + "-" + targetServerAddrStr
+		var proto u8proto.U8proto
+		switch addr := w.RemoteAddr().(type) {
+		case *net.UDPAddr:
+			udpAddr := *addr
+			udpAddr.Port = DNSSourcePort
+			dialer.LocalAddr = &udpAddr
+			proto = u8proto.UDP
+		case *net.TCPAddr:
+			tcpAddr := *addr
+			tcpAddr.Port = DNSSourcePort
+			dialer.LocalAddr = &tcpAddr
+			proto = u8proto.TCP
+		}
+		srcAddr := dialer.LocalAddr.String()
+		dstAddr := targetServerAddrStr
+		key = protocol + "-" + dialer.LocalAddr.String() + "-" + targetServerAddrStr
+
+		// inject a CT entry so that the response gets back to us
+		err := ctmap.Update(ep.ConntrackName(), srcAddr, dstAddr, proto, false,
+			func(entry *ctmap.CtEntry, exists bool) bool {
+				if !exists {
+					entry.SourceSecurityID = sourceID.Uint32()
+				}
+				if entry.Flags&ctmap.ProxyRedirect != 0 {
+					return false // no need to update
+				}
+				entry.Flags |= ctmap.ProxyRedirect
+				return true
+			})
+		if err != nil {
+			scopedLog.WithError(err).Error("Cannot insert CT entry for the request")
+			stat.Err = fmt.Errorf("Cannot insert CT entry for the request: %w", err)
+			stat.ProcessingTime.End(false)
+			p.NotifyOnDNSMsg(time.Now(), ep, epIPPort, targetServerID, targetServerAddrStr, request, protocol, false, &stat)
+			p.sendRefused(scopedLog, w, request)
+			return
+		}
 	}
 
 	conf := &dns.Client{

pkg/maps/ctmap/lookup.go

@@ -166,7 +166,7 @@ func Lookup(epname string, srcAddr, dstAddr string, proto u8proto.U8proto, ingre
 // 'epname' is a 5-digit representation of the endpoint ID if local maps
 // are to be used, or "global" if global maps should be used.
 func Update(epname string, srcAddr, dstAddr string, proto u8proto.U8proto, ingress bool,
-	updateFn func(*CtEntry) error) error {
+	updateFn func(*CtEntry, bool) bool) error {
 	isGlobal := epname == "global"
 
 	key, ipv4, err := createTupleKey(isGlobal, srcAddr, dstAddr, proto, ingress)
@@ -179,18 +179,20 @@ func Update(epname string, srcAddr, dstAddr string, proto u8proto.U8proto, ingre
 		return err
 	}
 
+	exists := false
+	var entry *CtEntry
 	v, err := m.Lookup(key)
 	if err != nil || v == nil {
-		return err
+		entry = &CtEntry{}
+	} else {
+		exists = true
+		entry = v.(*CtEntry)
 	}
 
-	entry := v.(*CtEntry)
-	err = updateFn(entry)
-	if err != nil {
-		return err
+	if updateFn(entry, exists) {
+		return m.Update(key, entry)
 	}
-
-	return m.Update(key, entry)
+	return nil
 }
 
 func getMapWithName(epname string, ipv4 bool, proto u8proto.U8proto) *bpf.Map {

vendor/modules.txt

@@ -206,7 +206,7 @@ github.com/cilium/coverbee/pkg/verifierlog
 ## explicit; go 1.20
 github.com/cilium/deepequal-gen
 github.com/cilium/deepequal-gen/generators
-# github.com/cilium/dns v1.1.51-0.20240416134107-d47d0dd702a1
+# github.com/cilium/dns v1.1.51-0.20240425101412-2469d2c08d78
 ## explicit; go 1.18
 github.com/cilium/dns
 # github.com/cilium/ebpf v0.14.0