Fix CNS Program iptables for delegated IPAM (#1499)

* rebase

* rebase

* rebase

* adding snat iptables rules using coreos lib

* fix iptables cmd not running

* docs

* added conflist back

* change chain name from SWIFT to SWIFT-POSTROUTING

* update go.mod

* split internalapi into linux and windows

* add imports

* fix iptables programming login

* fix iptables programming logic

* change program iptables rules logic

Author: nddq

azure-ipam/azilium.conflist

@@ -11,4 +11,4 @@
             "log-file": "/var/log/cilium-cni.log"
         }
     ]
-}
+}

cns/Dockerfile

@@ -10,7 +10,8 @@ COPY . .
 RUN CGO_ENABLED=0 go build -a -o /usr/local/bin/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" cns/service/*.go
 RUN CGO_ENABLED=0 go build -a -o /usr/local/bin/azure-vnet-telemetry -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/telemetry/service/*.go
 
-FROM scratch
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+RUN tdnf install -y iptables
 COPY --from=builder /etc/passwd /etc/passwd
 COPY --from=builder /etc/group /etc/group
 COPY --from=builder /usr/local/bin/azure-cns \

cns/restserver/internalapi.go

@@ -8,7 +8,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -21,8 +20,6 @@ import (
 	"github.com/Azure/azure-container-networking/cns/types"
 	"github.com/Azure/azure-container-networking/common"
 	"github.com/Azure/azure-container-networking/crd/nodenetworkconfig/api/v1alpha"
-	"github.com/Azure/azure-container-networking/iptables"
-	"github.com/Azure/azure-container-networking/network/networkutils"
 	"github.com/pkg/errors"
 )
 
@@ -364,64 +361,11 @@ func (service *HTTPRestService) CreateOrUpdateNetworkContainerInternal(req *cns.
 	}
 
 	if service.Options[common.OptProgramSNATIPTables] == true {
-		returnCode, returnMessage = service.programSNATIPTableRules(req)
+		returnCode, returnMessage = service.programSNATRules(req)
 		if returnCode != 0 {
 			logger.Errorf(returnMessage)
 		}
 	}
 
 	return returnCode
 }
-
-// nolint
-func (service *HTTPRestService) programSNATIPTableRules(req *cns.CreateNetworkContainerRequest) (types.ResponseCode, string) {
-	service.Lock()
-	defer service.Unlock()
-
-	if service.programmedIPtables { // check if iptables has already been programmed
-		logger.Printf("[Azure CNS] SNAT IPTables rules already programmed")
-		return types.Success, ""
-	}
-
-	ncPrimaryIP, ncIPNet, _ := net.ParseCIDR(req.IPConfiguration.IPSubnet.IPAddress + "/" + fmt.Sprintf("%d", req.IPConfiguration.IPSubnet.PrefixLength))
-
-	azureDNSUDPMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncIPNet.String(), networkutils.AzureDNS, iptables.UDP, iptables.DNSPort)
-	azureDNSTCPMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncIPNet.String(), networkutils.AzureDNS, iptables.TCP, iptables.DNSPort)
-	azureIMDSMatch := fmt.Sprintf(" -m addrtype ! --dst-type local -s %s -d %s -p %s --dport %d", ncIPNet.String(), networkutils.AzureIMDS, iptables.TCP, iptables.HTTPPort)
-
-	snatPrimaryIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, ncPrimaryIP)
-	// we need to snat IMDS traffic to node IP, this sets up snat '--to'
-	snatHostIPJump := fmt.Sprintf("%s --to %s", iptables.Snat, req.HostPrimaryIP)
-
-	// Check if iptables rules exist already
-	if iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift) &&
-		iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureDNSUDPMatch, snatPrimaryIPJump) &&
-		iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureDNSTCPMatch, snatPrimaryIPJump) &&
-		iptables.RuleExists(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump) {
-
-		logger.Printf("[Azure CNS] SNAT IPTables rules already programmed")
-		service.programmedIPtables = true
-		return types.Success, ""
-	}
-
-	cmds := []iptables.IPTableEntry{
-		iptables.GetCreateChainCmd(iptables.V4, iptables.Nat, iptables.Swift),
-		iptables.GetAppendIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Postrouting, "", iptables.Swift),
-		// add a snat rules to primary NC IP for DNS
-		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSUDPMatch, snatPrimaryIPJump),
-		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureDNSTCPMatch, snatPrimaryIPJump),
-		// add a snat rule to node IP for IMDS http traffic
-		iptables.GetInsertIptableRuleCmd(iptables.V4, iptables.Nat, iptables.Swift, azureIMDSMatch, snatHostIPJump),
-	}
-
-	logger.Printf("Adding iptable rules...")
-	for _, cmd := range cmds {
-		err := iptables.RunCmd(cmd.Version, cmd.Params)
-		if err != nil {
-			return types.FailedToRunIPTableCmd, "failed to run iptable cmd: " + err.Error()
-		}
-		logger.Printf("Successfully run iptables rule %v", cmd)
-	}
-
-	return types.Success, ""
-}

cns/restserver/internalapi_linux.go

@@ -0,0 +1,95 @@
+package restserver
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/Azure/azure-container-networking/cns"
+	"github.com/Azure/azure-container-networking/cns/logger"
+	"github.com/Azure/azure-container-networking/cns/types"
+	"github.com/Azure/azure-container-networking/iptables"
+	"github.com/Azure/azure-container-networking/network/networkutils"
+	goiptables "github.com/coreos/go-iptables/iptables"
+)
+
+const SWIFT = "SWIFT-POSTROUTING"
+
+// nolint
+func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainerRequest) (types.ResponseCode, string) {
+	service.Lock()
+	defer service.Unlock()
+
+	// Parse primary ip and ipnet from nnc
+	ncPrimaryIP, ncIPNet, _ := net.ParseCIDR(req.IPConfiguration.IPSubnet.IPAddress + "/" + fmt.Sprintf("%d", req.IPConfiguration.IPSubnet.PrefixLength))
+	ipt, err := goiptables.New()
+	if err != nil {
+		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to create iptables interface : %v", err)
+	}
+
+	chainExist, err := ipt.ChainExists(iptables.Nat, SWIFT)
+	if err != nil {
+		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SWIFT chain: %v", err)
+	}
+	if !chainExist { // create and append chain if it doesn't exist
+		logger.Printf("[Azure CNS] Creating SWIFT Chain ...")
+		err = ipt.NewChain(iptables.Nat, SWIFT)
+		if err != nil {
+			return types.FailedToRunIPTableCmd, "[Azure CNS] failed to create SWIFT chain : " + err.Error()
+		}
+		logger.Printf("[Azure CNS] Append SWIFT Chain to POSTROUTING ...")
+		err = ipt.Append(iptables.Nat, iptables.Postrouting, "-j", SWIFT)
+		if err != nil {
+			return types.FailedToRunIPTableCmd, "[Azure CNS] failed to append SWIFT chain : " + err.Error()
+		}
+	}
+
+	postroutingToSwiftJumpexist, err := ipt.Exists(iptables.Nat, iptables.Postrouting, "-j", SWIFT)
+	if err != nil {
+		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of POSTROUTING to SWIFT chain jump: %v", err)
+	}
+	if !postroutingToSwiftJumpexist {
+		logger.Printf("[Azure CNS] Append SWIFT Chain to POSTROUTING ...")
+		err = ipt.Append(iptables.Nat, iptables.Postrouting, "-j", SWIFT)
+		if err != nil {
+			return types.FailedToRunIPTableCmd, "[Azure CNS] failed to append SWIFT chain : " + err.Error()
+		}
+	}
+
+	snatUDPRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+	if err != nil {
+		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT UDP rule : %v", err)
+	}
+	if !snatUDPRuleexist {
+		logger.Printf("[Azure CNS] Inserting SNAT UDP rule ...")
+		err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+		if err != nil {
+			return types.FailedToRunIPTableCmd, "[Azure CNS] failed to inset SNAT UDP rule : " + err.Error()
+		}
+	}
+
+	snatTCPRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+	if err != nil {
+		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT TCP rule : %v", err)
+	}
+	if !snatTCPRuleexist {
+		logger.Printf("[Azure CNS] Inserting SNAT TCP rule ...")
+		err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", ncPrimaryIP.String())
+		if err != nil {
+			return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert SNAT TCP rule : " + err.Error()
+		}
+	}
+
+	snatIMDSRuleexist, err := ipt.Exists(iptables.Nat, SWIFT, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", req.HostPrimaryIP)
+	if err != nil {
+		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SNAT IMDS rule : %v", err)
+	}
+	if !snatIMDSRuleexist {
+		logger.Printf("[Azure CNS] Inserting SNAT IMDS rule ...")
+		err = ipt.Insert(iptables.Nat, SWIFT, 1, "-m", "addrtype", "!", "--dst-type", "local", "-s", ncIPNet.String(), "-d", networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", req.HostPrimaryIP)
+		if err != nil {
+			return types.FailedToRunIPTableCmd, "[Azure CNS] failed to insert SNAT IMDS rule : " + err.Error()
+		}
+	}
+	return types.Success, ""
+}

cns/restserver/internalapi_windows.go

@@ -0,0 +1,11 @@
+package restserver
+
+import (
+	"github.com/Azure/azure-container-networking/cns"
+	"github.com/Azure/azure-container-networking/cns/types"
+)
+
+// nolint
+func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainerRequest) (types.ResponseCode, string) {
+	return types.Success, ""
+}

cns/restserver/restserver.go

@@ -58,8 +58,7 @@ type HTTPRestService struct {
 	state                    *httpRestServiceState
 	podsPendingIPAssignment  *bounded.TimedSet
 	sync.RWMutex
-	dncPartitionKey    string
-	programmedIPtables bool
+	dncPartitionKey string
 }
 
 type GetHTTPServiceDataResponse struct {

go.mod

@@ -55,6 +55,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containerd/cgroups v1.0.1 // indirect
+	github.com/coreos/go-iptables v0.6.0
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/docker v20.10.8+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect

go.sum

@@ -241,6 +241,8 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
 github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
+github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=