service-mesh: simplify iptables

service-mesh/config.go

@@ -156,14 +156,6 @@ func (c ProxyConfig) ToEnvoyConfig() ([]byte, error) {
 		ClusterDiscoveryType: &envoyConfigClusterV3.Cluster_Type{Type: envoyConfigClusterV3.Cluster_ORIGINAL_DST},
 		DnsLookupFamily:      envoyConfigClusterV3.Cluster_V4_ONLY,
 		LbPolicy:             envoyConfigClusterV3.Cluster_CLUSTER_PROVIDED,
-		UpstreamBindConfig: &envoyCoreV3.BindConfig{
-			SourceAddress: &envoyCoreV3.SocketAddress{
-				Address: "127.0.0.6",
-				PortSpecifier: &envoyCoreV3.SocketAddress_PortValue{
-					PortValue: 0,
-				},
-			},
-		},
 	}
 
 	listeners = append(listeners, ingrListenerClientAuth)

service-mesh/iptables.go

@@ -65,15 +65,15 @@ func IngressIPTableRules(ingressEntries []ingressConfigEntry) error {
 
 	for _, entry := range ingressEntries {
 		if entry.disableClientCertificate {
-			if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "!", "-d", "127.0.0.1/32", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", 15007)); err != nil {
+			if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", 15007)); err != nil {
 				return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain: %w", err)
 			}
 		}
 	}
 
 	// Route all traffic not destined for 127.0.0.1 to the envoy proxy on its
 	// port that requires client authentication.
-	if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "!", "-d", "127.0.0.1/32", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil {
+	if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil {
 		return fmt.Errorf("failed to append EDG_IN_REDIRECT chain to TPROXY chain: %w", err)
 	}