feat: Add SNAT bridge to Native, decouple SNAT bridge (#1506)

* Native Endpoint Client Add Endpoints

* AddEndpointRules, ConfigureContainerInterfacesAndRoutes

* Changed interface names, log statements

nw.extIf.Name > eth0 (eth0)
eth0.vlanid > eth0.X (eth0.1)
%s%s hostIfName > vnet (A1veth0)
%s%s-2 contIfName > container (B1veth0)

* Renaming, using lib to set ns

* Namespace "path" is /var/run/netns/<NS>

* Loopback set up, Remove auto kernel subnet route

* Cannot set link to up if it's in another NS

* Multiple containers on same VNET NS

* Delete Endpoint routes on Delete

* Minimizing netns usage

* Moving NS Exec Code

* Further minimized netns.Set usage

* Moved helper methods down, drafted tests

* Removed DevName from Route Info, more tests

* Test existing vnet ns, delete endpoint

* NetNS interface for testing

* Separated tests by namespace

* Endpoints delete if they cannot be moved into NS

* Namespace netns tests

* Added Native Client to deleteEndpointImpl

* Deletion of Endpoints Impl and Tests

* Cleaned code (Tests ok)

* Moved mock/netns to package (Tests ok)

* Fixing Netns (wip)

Moved netnsinterface to consumer package (network).
Removed "Netns" from "NewNetns" and "NewMockNetns" as it is unambiguous.
Changed uintptr to int and casted the int to uintptr when needed later.

* Using errors.Wrap for error context (wip)

* Removed sentence case (wip)

* Removing variable predeclaration

* Removed NewNativeEndpointClient

Directly instantiating struct because nothing special happens in NewNativeEndpointClient

* Removed generics from ExecuteInNS

* Removed uintptr from mocknetns, tests compile

Forgot to remove uintptr from mocknetns

* Fix tests, lint

* Fixes from linter

Works on VMSS

* Replacing references to ethX with vlan veth

* Removed unnecessary log

* Removed unnecessary mac, fix tests

* Mockns method name enum

* Unable to use GetNetworkInterfaceByName due to NS

If I use GetNetworkInterface, I need to be in the vnet NS, but that means I will need to call ExecuteInNS, which causes tests to fail.

* Fixes from linter

* Assume if NS exists, vlan veth exists

Tests ok

* Fixes for Linter

* Snat refactor

* Fix delete tests

* Fix delete tests bug

* More snat refactor

* Breaking, prepping for Native Snat

Delete native endpoint snat route linux to remove errors and in theory, ovs should work fine again.

* Go mod tidy for linting

Hopefully this fixes the windows lint error

* Add fields to native endpoint client for snat

* Using New() func to create Native Client

Creation of the native endpoint client is too complicated to directly instantiate.

* Snat defaults

* Insert SNAT entry points

* Native Snat error handling

* Breaking, decouple ovsctl from snat

Proposed Solution implementation
Moved ovsctlClient.AddPortOnOVSBridge to ovs_endpoint_snatroute_linux.go. Removed ovsctlclient from NewSnatClient. Removed ovsctlClient from testing file.

* Delete unecessary ovssnat files

* No lint on vishvananda netns

Maybe this will fix the windows linter?

* Build linux only for netns package

Maybe this fixes the linter error?

* Remove nolint to see if linter fails

* Breaking, removed bridgeName

bridgeName refers to the OVS Switch I believe

* If native uses snat bridge, should also get IP

* Breaking, Decouple or Wrap snat route

* Check to see if snat triggered

* Snat behaviors specific to ovs/native

* Pass the pointer

Add/Delete ok

* Renaming to make consts public

* Breaking, moving ovs specific parts of snat to ovs

* Remove enable infra vnet (Tests ok)

Tested:
Allow Host to NC only
Allow NC to Host only
Allow both
Wget
Ping between containers

Warning: Enable snat is still hard coded to true!!!

* Move add port to after exists() check

* Moved netns interface to caller, generalized tests

Tests ok, Native ok

* Typos

* Reordered if statement, unwrapped arp

Tests ok, ping ok, wget ok

* Linted, wrapping errors

* Go fumpt entire network package

* Code markers removed, clean (Tests ok)

OVS & Native:
-	Ping between two containers same VM, no packets on bridge
-	Ping between two containers diff VM, no packets on bridge
-	Ping other container not in vnet, no packets on bridge
-	Ping snat to container, packets on bridge
-	Ping container to snat, packets on bridge
-	Tcpdump confirmed on azSnatBr
-	Deletion of containers deletes appropriate interfaces

* Renamed veth, fixed logs

* Made deleteEndpoints logic clearer, renamed error

* Renamed eth0 to primaryHostIfName, vlanEth to vlanIf

* Deleted debug log

* Corrected merge (hardware addr) (Tests ok)

* Renamed vlan veth to hostExtIf_vlanID, Disabled RA

eth0.2 makes disable RA look for a folder eth0 and then another sub folder "2". ("eth0/2") However, it should look for a folder named "eth0.2" literally. To solve this, we change the naming scheme to use an underscore instead. (Tests ok)

* Renamed Native to TransparentVlan

Confirmed basic functionality on VM with correct mode

* Make file updated

* Create azure-windows-multitenancy-transparent-vlan.conflist

* Unified snat err format

* Rename to transparent-vlan

* Route table support added to local netlink

* Moved SNAT to end of function

* Defer deleting vlan interface on failure

Author: QxBytes

Makefile

@@ -48,6 +48,7 @@ CNM_BUILD_DIR = $(BUILD_DIR)/cnm
 CNI_BUILD_DIR = $(BUILD_DIR)/cni
 ACNCLI_BUILD_DIR = $(BUILD_DIR)/acncli
 CNI_MULTITENANCY_BUILD_DIR = $(BUILD_DIR)/cni-multitenancy
+CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR = $(BUILD_DIR)/cni-multitenancy-transparent-vlan
 CNI_SWIFT_BUILD_DIR = $(BUILD_DIR)/cni-swift
 CNI_OVERLAY_BUILD_DIR = $(BUILD_DIR)/cni-overlay
 CNI_BAREMETAL_BUILD_DIR = $(BUILD_DIR)/cni-baremetal
@@ -77,6 +78,7 @@ CNM_ARCHIVE_NAME = azure-vnet-cnm-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
 CNI_ARCHIVE_NAME = azure-vnet-cni-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
 ACNCLI_ARCHIVE_NAME = acncli-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
 CNI_MULTITENANCY_ARCHIVE_NAME = azure-vnet-cni-multitenancy-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
+CNI_MULTITENANCY_TRANSPARENT_VLAN_ARCHIVE_NAME = azure-vnet-cni-multitenancy-transparent-vlan-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
 CNI_SWIFT_ARCHIVE_NAME = azure-vnet-cni-swift-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
 CNI_OVERLAY_ARCHIVE_NAME = azure-vnet-cni-overlay-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
 CNI_BAREMETAL_ARCHIVE_NAME = azure-vnet-cni-baremetal-$(GOOS)-$(GOARCH)-$(VERSION).$(ARCHIVE_EXT)
@@ -439,6 +441,15 @@ ifeq ($(GOOS),linux)
 endif
 	cd $(CNI_MULTITENANCY_BUILD_DIR) && $(ARCHIVE_CMD) $(CNI_MULTITENANCY_ARCHIVE_NAME) azure-vnet$(EXE_EXT) azure-vnet-ipam$(EXE_EXT) azure-vnet-telemetry$(EXE_EXT) 10-azure.conflist azure-vnet-telemetry.config
 
+	$(MKDIR) $(CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR)
+	cp cni/azure-$(GOOS)-multitenancy-transparent-vlan.conflist $(CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR)/10-azure.conflist
+	cp $(CNI_BUILD_DIR)/azure-vnet$(EXE_EXT) $(CNI_BUILD_DIR)/azure-vnet-ipam$(EXE_EXT) $(CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR)
+ifeq ($(GOOS),linux)
+	cp telemetry/azure-vnet-telemetry.config $(CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR)/azure-vnet-telemetry.config
+	cp $(CNI_BUILD_DIR)/azure-vnet-telemetry$(EXE_EXT) $(CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR)
+endif
+	cd $(CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR) && $(ARCHIVE_CMD) $(CNI_MULTITENANCY_TRANSPARENT_VLAN_ARCHIVE_NAME) azure-vnet$(EXE_EXT) azure-vnet-ipam$(EXE_EXT) azure-vnet-telemetry$(EXE_EXT) 10-azure.conflist azure-vnet-telemetry.config
+
 	$(MKDIR) $(CNI_SWIFT_BUILD_DIR)
 	cp cni/azure-$(GOOS)-swift.conflist $(CNI_SWIFT_BUILD_DIR)/10-azure.conflist
 	cp telemetry/azure-vnet-telemetry.config $(CNI_SWIFT_BUILD_DIR)/azure-vnet-telemetry.config

cni/azure-linux-multitenancy-transparent-vlan.conflist

@@ -0,0 +1,29 @@
+{
+   "cniVersion":"0.3.0",
+   "name":"azure",
+   "plugins":[
+      {
+         "type":"azure-vnet",
+         "mode":"transparent-vlan",
+         "bridge":"azure0",
+         "multiTenancy":true,
+         "infraVnetAddressSpace":"",
+         "podNamespaceForDualNetwork":[],
+         "enableExactMatchForPodName": false,
+         "enableSnatOnHost":true,
+         "ipam":{
+            "type":"azure-cns"
+         },
+         "dns":{
+            "nameservers":[]
+        }
+      },
+      {
+         "type":"portmap",
+         "capabilities":{
+            "portMappings":true
+         },
+         "snat":true
+      }
+   ]
+}

cni/azure-windows-multitenancy-transparent-vlan.conflist

@@ -0,0 +1,52 @@
+{
+    "cniVersion": "0.3.0",
+    "name": "azure",
+    "plugins": [
+        {
+            "type": "azure-vnet",
+            "mode": "transparent-vlan",
+            "bridge": "azure0",
+            "multiTenancy":true,
+            "enableSnatOnHost":true,
+            "enableExactMatchForPodName": true,
+            "capabilities": {
+                "portMappings": true
+            },
+            "ipam": {
+                "type": "azure-cns"
+            },
+            "dns": {
+                "Nameservers": [
+                    "10.0.0.10",
+                    "168.63.129.16"
+                ],
+                "Search": [
+                    "svc.cluster.local"
+                ]
+            },
+            "AdditionalArgs": [
+                {
+                    "Name": "EndpointPolicy",
+                    "Value": {
+                        "Type": "OutBoundNAT",
+                        "ExceptionList": [
+                            "10.240.0.0/16",
+                            "10.0.0.0/8"
+                        ]
+                    }
+                },
+                {
+                    "Name": "EndpointPolicy",
+                    "Value": {
+                        "Type": "ROUTE",
+                        "DestinationPrefix": "10.0.0.0/8",
+                        "NeedEncap": true
+                    }
+                }
+            ],
+             "windowsSettings": {
+                 "hnsTimeoutDurationInSeconds" : 120
+             }
+        }
+    ]
+}

network/endpoint.go

@@ -93,6 +93,7 @@ type RouteInfo struct {
 	DevName  string
 	Scope    int
 	Priority int
+	Table    int
 }
 
 type apipaClient interface {

network/endpoint_linux.go

@@ -13,7 +13,6 @@ import (
 	"github.com/Azure/azure-container-networking/log"
 	"github.com/Azure/azure-container-networking/netio"
 	"github.com/Azure/azure-container-networking/netlink"
-	"github.com/Azure/azure-container-networking/netns"
 	"github.com/Azure/azure-container-networking/network/networkutils"
 	"github.com/Azure/azure-container-networking/ovsctl"
 	"github.com/Azure/azure-container-networking/platform"
@@ -90,25 +89,12 @@ func (nw *network) newEndpointImpl(_ apipaClient, nl netlink.NetlinkInterface, p
 	}
 
 	if vlanid != 0 {
-		if nw.Mode == opModeNative {
-			log.Printf("Native client")
-			vlanVethName := fmt.Sprintf("%s.%d", nw.extIf.Name, vlanid)
-			vnetNSName := fmt.Sprintf("az_ns_%d", vlanid)
-
-			epClient = &NativeEndpointClient{
-				primaryHostIfName: nw.extIf.Name,
-				vlanIfName:        vlanVethName,
-				vnetVethName:      hostIfName,
-				containerVethName: contIfName,
-				vnetNSName:        vnetNSName,
-				nw:                nw,
-				vlanID:            vlanid,
-				netnsClient:       netns.New(),
-				netlink:           nl,
-				netioshim:         &netio.NetIO{},
-				plClient:          plc,
-				netUtilsClient:    networkutils.NewNetworkUtils(nl, plc),
+		if nw.Mode == opModeTransparentVlan {
+			log.Printf("Transparent vlan client")
+			if _, ok := epInfo.Data[SnatBridgeIPKey]; ok {
+				nw.SnatBridgeIP = epInfo.Data[SnatBridgeIPKey].(string)
 			}
+			epClient = NewTransparentVlanEndpointClient(nw, epInfo, hostIfName, contIfName, vlanid, localIP, nl, plc)
 		} else {
 			log.Printf("OVS client")
 			if _, ok := epInfo.Data[SnatBridgeIPKey]; ok {
@@ -261,25 +247,10 @@ func (nw *network) deleteEndpointImpl(nl netlink.NetlinkInterface, plc platform.
 	// entering the container netns and hence works both for CNI and CNM.
 	if ep.VlanID != 0 {
 		epInfo := ep.getInfo()
-		if nw.Mode == opModeNative {
-			log.Printf("Native client")
-			vlanVethName := fmt.Sprintf("%s.%d", nw.extIf.Name, ep.VlanID)
-			vnetNSName := fmt.Sprintf("az_ns_%d", ep.VlanID)
-
-			epClient = &NativeEndpointClient{
-				primaryHostIfName: nw.extIf.Name,
-				vlanIfName:        vlanVethName,
-				vnetVethName:      ep.HostIfName,
-				containerVethName: "",
-				vnetNSName:        vnetNSName,
-				nw:                nw,
-				vlanID:            ep.VlanID,
-				netnsClient:       netns.New(),
-				netlink:           nl,
-				netioshim:         &netio.NetIO{},
-				plClient:          plc,
-				netUtilsClient:    networkutils.NewNetworkUtils(nl, plc),
-			}
+		if nw.Mode == opModeTransparentVlan {
+			log.Printf("Transparent vlan client")
+			epClient = NewTransparentVlanEndpointClient(nw, epInfo, ep.HostIfName, "", ep.VlanID, ep.LocalIP, nl, plc)
+
 		} else {
 			epClient = NewOVSEndpointClient(nw, epInfo, ep.HostIfName, "", ep.VlanID, ep.LocalIP, nl, ovsctl.NewOvsctl(), plc)
 		}
@@ -330,6 +301,7 @@ func addRoutes(nl netlink.NetlinkInterface, netioshim netio.NetIOInterface, inte
 			Priority:  route.Priority,
 			Protocol:  route.Protocol,
 			Scope:     route.Scope,
+			Table:     route.Table,
 		}
 
 		if err := nl.AddIPRoute(nlRoute); err != nil {

network/endpoint_snatroute_linux.go

@@ -0,0 +1,100 @@
+package network
+
+import (
+	"fmt"
+
+	"github.com/Azure/azure-container-networking/log"
+	"github.com/Azure/azure-container-networking/netlink"
+	"github.com/Azure/azure-container-networking/network/networkutils"
+	"github.com/Azure/azure-container-networking/network/snat"
+	"github.com/Azure/azure-container-networking/platform"
+	"github.com/pkg/errors"
+)
+
+func GetSnatHostIfName(epInfo *EndpointInfo) string {
+	return fmt.Sprintf("%s%s", snatVethInterfacePrefix, epInfo.Id[:7])
+}
+
+func GetSnatContIfName(epInfo *EndpointInfo) string {
+	return fmt.Sprintf("%s%s-2", snatVethInterfacePrefix, epInfo.Id[:7])
+}
+
+func AddSnatEndpoint(snatClient *snat.Client) error {
+	if err := snatClient.CreateSnatEndpoint(); err != nil {
+		return errors.Wrap(err, "failed to add snat endpoint")
+	}
+	return nil
+}
+
+func AddSnatEndpointRules(snatClient *snat.Client, hostToNC, ncToHost bool, nl netlink.NetlinkInterface, plc platform.ExecClient) error {
+	// Allow specific Private IPs via Snat Bridge
+	if err := snatClient.AllowIPAddressesOnSnatBridge(); err != nil {
+		return errors.Wrap(err, "failed to allow ip addresses on snat bridge")
+	}
+
+	// Block Private IPs via Snat Bridge
+	if err := snatClient.BlockIPAddressesOnSnatBridge(); err != nil {
+		return errors.Wrap(err, "failed to block ip addresses on snat bridge")
+	}
+	nuc := networkutils.NewNetworkUtils(nl, plc)
+	if err := nuc.EnableIPForwarding(snat.SnatBridgeName); err != nil {
+		return errors.Wrap(err, "failed to enable ip forwarding")
+	}
+
+	if hostToNC {
+		if err := snatClient.AllowInboundFromHostToNC(); err != nil {
+			return errors.Wrap(err, "failed to allow inbound from host to nc")
+		}
+	}
+
+	if ncToHost {
+		if err := snatClient.AllowInboundFromNCToHost(); err != nil {
+			return errors.Wrap(err, "failed to allow inbound from nc to host")
+		}
+	}
+	return nil
+}
+
+func MoveSnatEndpointToContainerNS(snatClient *snat.Client, netnsPath string, nsID uintptr) error {
+	if err := snatClient.MoveSnatEndpointToContainerNS(netnsPath, nsID); err != nil {
+		return errors.Wrap(err, "failed to move snat endpoint to container ns")
+	}
+	return nil
+}
+
+func SetupSnatContainerInterface(snatClient *snat.Client) error {
+	if err := snatClient.SetupSnatContainerInterface(); err != nil {
+		return errors.Wrap(err, "failed to setup snat container interface")
+	}
+	return nil
+}
+
+func ConfigureSnatContainerInterface(snatClient *snat.Client) error {
+	if err := snatClient.ConfigureSnatContainerInterface(); err != nil {
+		return errors.Wrap(err, "failed to configure snat container interface")
+	}
+	return nil
+}
+
+func DeleteSnatEndpoint(snatClient *snat.Client) error {
+	if err := snatClient.DeleteSnatEndpoint(); err != nil {
+		return errors.Wrap(err, "failed to delete snat endpoint")
+	}
+	return nil
+}
+
+func DeleteSnatEndpointRules(snatClient *snat.Client, hostToNC, ncToHost bool) {
+	if hostToNC {
+		err := snatClient.DeleteInboundFromHostToNC()
+		if err != nil {
+			log.Errorf("failed to delete inbound from host to nc rules")
+		}
+	}
+
+	if ncToHost {
+		err := snatClient.DeleteInboundFromNCToHost()
+		if err != nil {
+			log.Errorf("failed to delete inbound from nc to host rules")
+		}
+	}
+}

network/network.go

@@ -15,11 +15,11 @@ import (
 
 const (
 	// Operational modes.
-	opModeBridge      = "bridge"
-	opModeTunnel      = "tunnel"
-	opModeTransparent = "transparent"
-	opModeNative      = "native"
-	opModeDefault     = opModeTunnel
+	opModeBridge          = "bridge"
+	opModeTunnel          = "tunnel"
+	opModeTransparent     = "transparent"
+	opModeTransparentVlan = "transparent-vlan"
+	opModeDefault         = opModeTunnel
 )
 
 const (

network/network_linux.go

@@ -88,8 +88,8 @@ func (nm *networkManager) newNetworkImpl(nwInfo *NetworkInfo, extIf *externalInt
 				return nil, fmt.Errorf("Ipv6 forwarding failed: %w", err)
 			}
 		}
-	case opModeNative:
-		log.Printf("Native mode")
+	case opModeTransparentVlan:
+		log.Printf("Transparent vlan mode")
 		ifName = extIf.Name
 	default:
 		return nil, errNetworkModeInvalid