in pkg/mesh/istio.go [520:580]
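// runIptablesSetup invokes `pilot-agent istio-iptables` to install the
// outbound redirection rules for the sidecar. Only the settings that differ
// from pilot-agent's own defaults are passed explicitly; the defaults that
// the upstream injector would otherwise set are listed below for reference.
//
// The command is executed directly (argv, no shell), so the values taken
// from configuration are passed as single arguments and are not subject to
// shell interpretation. The process inherits the given env and runs from "/".
// NOTE(review): the rules are installed system-wide; the call presumably
// needs CAP_NET_ADMIN in the container — confirm against the deployment.
//
// Returns the exec error if the command cannot be started or exits non-zero;
// the captured stdout/stderr are logged in that case because they are not
// surfaced anywhere else yet.
func (kr *KRun) runIptablesSetup(env []string) error {
	/*
		Injected default:
		- -p
		- "15001"
		- -z
		- "15006"
		- -u
		- "1337"
		- -m
		- REDIRECT
		- -i
		- '*'
		- -x
		- ""
		- -b
		- '*'
		- -d
		- 15090,15021,15020
	*/
	// Only capture traffic destined to the given ranges (default: RFC1918 10/8)
	// instead of '*', so non-mesh traffic bypasses Envoy.
	outRange := kr.Config("OUTBOUND_IP_RANGES_INCLUDE", "10.0.0.0/8")
	// Exclude ports from Envoy capture - hbone-h2, hbone-h2c. The HBONE ports
	// must always stay excluded, so they are appended to any user-provided
	// list (a list that already contains them in a different order will
	// simply carry a harmless duplicate).
	excludePorts := kr.Config("OUTBOUND_PORTS_EXCLUDE", "15008,15009")
	if excludePorts != "15008,15009" {
		excludePorts = excludePorts + ",15008,15009"
	}
	cmd := exec.Command("/usr/local/bin/pilot-agent",
		"istio-iptables",
		// "-p", "15001", // outbound capture port, default value
		//"-z", "15006", - no inbound interception, default value
		"-u", "1337", // REQUIRED - code default is 128
		//"-m", "REDIRECT", // default value
		//"-i", "*", // OUTBOUND_IP_RANGES_INCLUDE
		"-i", outRange, // Alternative - only mesh traffic
		// "-b", "", // disable all inbound redirection, default
		// "-d", "15090,15021,15020", // exclude specific ports from inbound capture, if -b '*'
		"-o", excludePorts,
		//"-x", "", // exclude CIDR, default
	)
	cmd.Env = env
	cmd.Dir = "/"
	// Capture both streams so a failure can be diagnosed from the log.
	so := &bytes.Buffer{}
	se := &bytes.Buffer{}
	cmd.Stdout = so
	cmd.Stderr = se
	// Run == Start followed by Wait; a single error path covers both a
	// missing binary and a non-zero exit, and the message no longer claims
	// a "start" failure for an exit-status error.
	if err := cmd.Run(); err != nil {
		log.Println("Error running iptables", err, so.String(), "stderr:", se.String())
		return err
	}
	// TODO: make the stdout/stderr available in a debug endpoint
	return nil
}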