Added EB rule for ip addresses in conflist for linux (#505)

* Added EB rule for ip addresses in conflist for linux

* Made methods more generic and removed line from endpoint struct

* Adding log statement

* Fixed syntax error

* Made review2 changes

* Made review3 changes

* Made method lowercase

Author: pjohnst5

cni/azure-linux.conflist

@@ -6,6 +6,7 @@
          "type":"azure-vnet",
          "mode":"bridge",
          "bridge":"azure0",
+         "ipsToRouteViaHost":["169.254.20.10"],
          "ipam":{
             "type":"azure-vnet-ipam"
          }

cni/netconfig.go

@@ -52,6 +52,7 @@ type NetworkConfig struct {
 	LogTarget                     string   `json:"logTarget,omitempty"`
 	InfraVnetAddressSpace         string   `json:"infraVnetAddressSpace,omitempty"`
 	PodNamespaceForDualNetwork    []string `json:"podNamespaceForDualNetwork,omitempty"`
+	IPsToRouteViaHost             []string `json:"ipsToRouteViaHost,omitempty"`
 	MultiTenancy                  bool     `json:"multiTenancy,omitempty"`
 	EnableSnatOnHost              bool     `json:"enableSnatOnHost,omitempty"`
 	EnableExactMatchForPodName    bool     `json:"enableExactMatchForPodName,omitempty"`

cni/network/network.go

@@ -527,6 +527,7 @@ func (plugin *netPlugin) Add(args *cniSkel.CmdArgs) error {
 		Data:               make(map[string]interface{}),
 		DNS:                epDNSInfo,
 		Policies:           policies,
+		IPsToRouteViaHost:  nwCfg.IPsToRouteViaHost,
 		EnableSnatOnHost:   nwCfg.EnableSnatOnHost,
 		EnableMultiTenancy: nwCfg.MultiTenancy,
 		EnableInfraVnet:    enableInfraVnet,

ebtables/ebtables.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"github.com/Azure/azure-container-networking/log"
+	"github.com/Azure/azure-container-networking/platform"
 )
 
 const (
@@ -51,6 +52,68 @@ func SetArpReply(ipAddress net.IP, macAddress net.HardwareAddr, action string) e
 	return executeShellCommand(command)
 }
 
+// SetBrouteAccept sets an EB rule.
+func SetBrouteAccept(ipAddress, action string) error {
+	command := fmt.Sprintf(
+		"ebtables -t broute %s BROUTING --ip-dst %s -p IPv4 -j redirect --redirect-target ACCEPT",
+		action, ipAddress)
+	_, err := platform.ExecuteCommand(command)
+
+	return err
+}
+
+// GetEbtableRules gets EB rules for a table and chain.
+func GetEbtableRules(tableName, chainName string) ([]string, error) {
+	var (
+		inChain bool
+		rules   []string
+	)
+
+	command := fmt.Sprintf(
+		"ebtables -t %s -L %s --Lmac2",
+		tableName, chainName)
+	out, err := platform.ExecuteCommand(command)
+	if err != nil {
+		return nil, err
+	}
+
+	// Splits lines and finds rules.
+	lines := strings.Split(out, "\n")
+	chainTitle := fmt.Sprintf("Bridge chain: %s", chainName)
+
+	for _, line := range lines {
+		if strings.HasPrefix(line, chainTitle) {
+			inChain = true
+			continue
+		}
+		if inChain {
+			if strings.HasPrefix(line, "-") {
+				rules = append(rules, strings.TrimSpace(line))
+			} else {
+				break
+			}
+		}
+	}
+
+	return rules, nil
+}
+
+// EbTableRuleExists checks if eb rule exists in table and chain.
+func EbTableRuleExists(tableName, chainName, matchSet string) (bool, error) {
+	rules, err := GetEbtableRules(tableName, chainName)
+	if err != nil {
+		return false, err
+	}
+
+	for _, rule := range rules {
+		if rule == matchSet {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
 // SetDnatForArpReplies sets a MAC DNAT rule for ARP replies received on an interface.
 func SetDnatForArpReplies(interfaceName string, action string) error {
 	command := fmt.Sprintf(

network/bridge_endpointclient_linux.go

@@ -1,6 +1,7 @@
 package network
 
 import (
+	"fmt"
 	"net"
 
 	"github.com/Azure/azure-container-networking/ebtables"
@@ -81,6 +82,8 @@ func (client *LinuxBridgeEndpointClient) AddEndpointRules(epInfo *EndpointInfo)
 		}
 	}
 
+	addRuleToRouteViaHost(epInfo)
+
 	log.Printf("[net] Setting hairpin for hostveth %v", client.hostVethName)
 	if err := netlink.SetLinkHairpin(client.hostVethName, true); err != nil {
 		log.Printf("Setting up hairpin failed for interface %v error %v", client.hostVethName, err)
@@ -174,3 +177,33 @@ func (client *LinuxBridgeEndpointClient) DeleteEndpoints(ep *endpoint) error {
 
 	return nil
 }
+
+func addRuleToRouteViaHost(epInfo *EndpointInfo) error {
+	for _, ipAddr := range epInfo.IPsToRouteViaHost {
+		tableName := "broute"
+		chainName := "BROUTING"
+		rule := fmt.Sprintf("-p IPv4 --ip-dst %s -j redirect", ipAddr)
+
+		// Check if EB rule exists
+		log.Printf("[net] Checking if EB rule %s already exists in table %s chain %s", rule, tableName, chainName)
+		exists, err := ebtables.EbTableRuleExists(tableName, chainName, rule)
+		if err != nil {
+			log.Printf("[net] Failed to check if EB table rule exists: %v", err)
+			return err
+		}
+
+		if exists {
+			// EB rule already exists.
+			log.Printf("[net] EB rule %s already exists in table %s chain %s.", rule, tableName, chainName)
+		} else {
+			// Add EB rule to route via host.
+			log.Printf("[net] Adding EB rule to route via host for IP address %v", ipAddr)
+			if err := ebtables.SetBrouteAccept(ipAddr, ebtables.Append); err != nil {
+				log.Printf("[net] Failed to add EB rule to route via host: %v", err)
+				return err
+			}
+		}
+	}
+
+	return nil
+}

network/endpoint.go

@@ -55,6 +55,7 @@ type EndpointInfo struct {
 	MacAddress               net.HardwareAddr
 	DNS                      DNSInfo
 	IPAddresses              []net.IPNet
+	IPsToRouteViaHost        []string
 	InfraVnetIP              net.IPNet
 	Routes                   []RouteInfo
 	Policies                 []policy.Policy