in plugins/aws-appmesh/plugin/commands.go [147:208]
// setupEgressRules installs the nat-table rules that steer outbound TCP traffic
// into the proxy listening on config.ProxyEgressPort.
//
// It creates egressChain in the nat table, appends one RETURN rule per
// exemption the caller asks for, appends the catch-all REDIRECT, and finally
// hooks the chain into OUTPUT for non-local destinations only.
//
// Rule order is security-relevant: iptables evaluates a chain top to bottom,
// so the RETURN exemptions must be appended before the REDIRECT.  Reordering
// them would silently redirect traffic the configuration meant to exempt.
//
// Parameters:
//   - iptable: handle used for NewChain/Append; every config value is handed to
//     it as a discrete argument, not interpolated into a command string.
//   - config: plugin network config; IgnoredUID, IgnoredGID, EgressIgnoredPorts
//     and ProxyEgressPort are read here (presumably the proxy's own identity,
//     so its outbound connections are not looped back into itself — verify
//     against the caller).
//   - egressIgnoredIPs: destination spec passed verbatim to "-d"; "" skips the rule.
//
// Returns the first iptables error unchanged.  A failed Append is additionally
// logged naming the rule being installed.  On error the chain may be partially
// populated; cleanup is left to the caller.
func (plugin *Plugin) setupEgressRules(
	iptable *iptables.IPTables,
	config *config.NetConfig,
	egressIgnoredIPs string) error {
	// The chain has to exist before any rule can be appended to it.
	if err := iptable.NewChain("nat", egressChain); err != nil {
		return err
	}

	// appendRule appends spec to chain in the nat table, logging failMsg
	// (a printf format taking the error as its only %v) if the append fails.
	appendRule := func(chain, failMsg string, spec ...string) error {
		if err := iptable.Append("nat", chain, spec...); err != nil {
			log.Errorf(failMsg, err)
			return err
		}
		return nil
	}

	// Exemptions first: each RETURN leaves egressChain without redirecting.
	if config.IgnoredUID != "" {
		if err := appendRule(egressChain, "Append rule for ignoredUID failed: %v",
			"-m", "owner", "--uid-owner", config.IgnoredUID, "-j", "RETURN"); err != nil {
			return err
		}
	}
	if config.IgnoredGID != "" {
		if err := appendRule(egressChain, "Append rule for ignoredGID failed: %v",
			"-m", "owner", "--gid-owner", config.IgnoredGID, "-j", "RETURN"); err != nil {
			return err
		}
	}
	if config.EgressIgnoredPorts != "" {
		if err := appendRule(egressChain, "Append rule for egressIgnoredPorts failed: %v",
			"-p", "tcp", "-m", "multiport", "--dports", config.EgressIgnoredPorts,
			"-j", "RETURN"); err != nil {
			return err
		}
	}
	if egressIgnoredIPs != "" {
		if err := appendRule(egressChain, "Append rule for egressIgnoredIPs failed: %v",
			"-p", "tcp", "-d", egressIgnoredIPs, "-j", "RETURN"); err != nil {
			return err
		}
	}

	// Catch-all: whatever was not exempted above is redirected to the proxy port.
	if err := appendRule(egressChain, "Append rule to redirect traffic to proxyEgressPort failed: %v",
		"-p", "tcp", "-j", "REDIRECT", "--to", config.ProxyEgressPort); err != nil {
		return err
	}

	// Activate the chain from OUTPUT, but only for traffic whose destination
	// is not a local address; loopback/local traffic never enters egressChain.
	return appendRule("OUTPUT", "Append rule to jump from OUTPUT to egress chain failed: %v",
		"-p", "tcp", "-m", "addrtype", "!", "--dst-type", "LOCAL", "-j", egressChain)
}