-A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp -i lo -j ACCEPT
-A ISTIO_PRERT -p tcp -m tcp --dport 15008 -m mark ! --mark 0x539/0xfff -j TPROXY --on-port 15008 --tproxy-mark 0x111/0xfff
-A ISTIO_PRERT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j TPROXY --on-port 15006 --tproxy-mark 0x111/0xfff

-A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp -i lo -j ACCEPT
-A ISTIO_PRERT -p tcp -m tcp --dport 15008 -m mark ! --mark 0x539/0xfff -j TPROXY --on-port 15008 --tproxy-mark 0x111/0xfff
-A ISTIO_PRERT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ISTIO_PRERT ! -d 127.0.0.1/32 -p tcp -m mark ! --mark 0x539/0xfff -j TPROXY --on-port 15006 --tproxy-mark 0x111/0xfff

		},
		{
			name: "tproxy",
			annotations: map[string]string{
				annotation.SidecarStatus.Name:           "true",
				annotation.SidecarInterceptionMode.Name: redirectModeTPROXY,
			},
			proxyEnv: []corev1.EnvVar{},
			golden:   filepath.Join(env.IstioSrc, "cni/pkg/plugin/testdata/tproxy.txt.golden"),
		},
		{
			name:        "DNS",

			"-p", iptablesconstants.TCP,
			"-i", "lo",
			"-j", "ACCEPT")
		// CLI: -A ISTIO_PRERT -p tcp -m tcp --dport <INPORT> -m mark ! --mark 0x539/0xfff -j TPROXY --on-port <INPORT> --on-ip 127.0.0.1 --tproxy-mark 0x111/0xfff
		//
		// DESC: Anything heading to <INPORT> that does not have the mark, TPROXY to ztunnel inbound port <INPORT>
		iptablesBuilder.AppendRule(
			iptableslog.UndefinedCommand, ChainInpodPrerouting, iptablesconstants.MANGLE,

	}
	for _, family := range families {
		// Equiv:
		// ip rule add fwmark 0x111/0xfff pref 32764 lookup 100
		//
		// Adds in-pod rules for marking packets with the istio-specific TPROXY mark.
		// A very similar mechanism is used for sidecar TPROXY.
		//
		// TODO largely identical/copied from tools/istio-iptables/pkg/capture/run_linux.go
		inpodMarkRule := netlink.NewRule()
		inpodMarkRule.Family = family

	ExcludeNamespaces        = "exclude-namespaces"
	AmbientEnabled           = "ambient-enabled"
	AmbientDNSCapture        = "ambient-dns-capture"
	AmbientIPv6              = "ambient-ipv6"
	AmbientTPROXYRedirection = "ambient-tproxy-redirection"

	// Repair
	RepairEnabled            = "repair-enabled"
	RepairDeletePods         = "repair-delete-pods"
	RepairRepairPods         = "repair-repair-pods"
	RepairLabelPods          = "repair-label-pods"

		name        string
		config      func(cfg *Config)
		ingressMode bool
	}{
		{
			name: "default",
			config: func(cfg *Config) {
				cfg.RedirectDNS = true
			},
		},
		{
			name: "tproxy",
			config: func(cfg *Config) {
				cfg.TPROXYRedirection = true
				cfg.RedirectDNS = true
			},
		},
		{
			name: "ingress",
			config: func(cfg *Config) {
			},
			ingressMode: true,
		},
	}

	AmbientEnabled bool

	// Whether ambient DNS capture is enabled
	AmbientDNSCapture bool

	// Whether ipv6 is enabled for ambient capture
	AmbientIPv6 bool

	// Feature flag to determined whether TPROXY is used for redirection.
	AmbientTPROXYRedirection bool
}

// RepairConfig struct defines the Istio CNI race repair configuration
type RepairConfig struct {
	// Whether to enable CNI race repair
	Enabled bool

        - "sidecar.istio.io/status" exists

### Redirect API

The annotation based control is currently only supported in 'sidecar' mode. See plugin/redirect.go for details.

- redirectMode allows TPROXY may to be set, required envoy has extra permissions. Default is redirect.
- includeIPCidr, excludeIPCidr
- includeInboudPorts, excludeInboundPorts
- includeOutboutPorts, excludeOutboundPorts
- excludeInterfaces