Merge remote-tracking branch 'origin/master' into sanprabhu/iptables-block-binary

Author: santhoshmprabhu

.pipelines/cni/pipeline.yaml

@@ -24,7 +24,6 @@ stages:
               go version
               echo "##vso[task.setvariable variable=commitID;isOutput=true]$(echo $(make revision)-$(date "+%d%H%M"))"
               echo "##vso[task.setvariable variable=npmVersion;isOutput=true]$(make npm-version)"
-              echo "##vso[task.setvariable variable=cnsVersion;isOutput=true]$(CNS_VERSION)"
             name: "SetEnvVars"
             displayName: "Set Environment Variables"
             condition: always()
@@ -55,6 +54,14 @@ stages:
               arch: amd64
               name: cni
               os: windows
+            cns_linux_amd64:
+              arch: amd64
+              name: cns
+              os: linux
+            cns_windows_amd64:
+              arch: amd64
+              name: cns
+              os: windows
             ipv6_hp_bpf_linux_amd64:
               arch: amd64
               name: ipv6-hp-bpf
@@ -87,6 +94,10 @@ stages:
                 arch: arm64
                 name: cni
                 os: linux
+              cns_linux_arm64:
+                arch: arm64
+                name: cns
+                os: linux
               ipv6_hp_bpf_linux_arm64:
                 arch: arm64
                 name: ipv6-hp-bpf
@@ -151,6 +162,9 @@ stages:
             cni:
               name: cni
               platforms: linux/amd64 linux/arm64 windows/amd64
+            cns:
+              name: cns
+              platforms: linux/amd64 linux/arm64 windows/amd64
             ipv6-hp-bpf:
               name: ipv6-hp-bpf
               platforms: linux/amd64 linux/arm64

Makefile

@@ -30,21 +30,23 @@ EXE_EXT 	= .exe
 endif
 
 # Interrogate the git repo and set some variables
-REPO_ROOT				?= $(shell git rev-parse --show-toplevel)
-REVISION				?= $(shell git rev-parse --short HEAD)
-ACN_VERSION				?= $(shell git describe --exclude "azure-ip-masq-merger*" --exclude "azure-ipam*" --exclude "dropgz*" --exclude "zapai*" --exclude "ipv6-hp-bpf*" --exclude "block-iptables*" --tags --always)
-IPV6_HP_BPF_VERSION		?= $(notdir $(shell git describe --match "ipv6-hp-bpf*" --tags --always))
-BLOCK_IPTABLES_VERSION	?= $(notdir $(shell git describe --match "block-iptables*" --tags --always))
-AZURE_IPAM_VERSION		?= $(notdir $(shell git describe --match "azure-ipam*" --tags --always))
+REPO_ROOT							?= $(shell git rev-parse --show-toplevel)
+REVISION							?= $(shell git rev-parse --short HEAD)
+ACN_VERSION							?= $(shell git describe --exclude "azure-iptables-monitor*" --exclude "azure-ip-masq-merger*" --exclude "azure-ipam*" --exclude "dropgz*" --exclude "zapai*" --exclude "ipv6-hp-bpf*" --exclude "block-iptables*" --tags --always)
+IPV6_HP_BPF_VERSION					?= $(notdir $(shell git describe --match "ipv6-hp-bpf*" --tags --always))
+BLOCK_IPTABLES_VERSION  ?= $(notdir $(shell git describe --match "block-iptables*" --tags --always))
+AZURE_IPAM_VERSION					?= $(notdir $(shell git describe --match "azure-ipam*" --tags --always))
 AZURE_IP_MASQ_MERGER_VERSION		?= $(notdir $(shell git describe --match "azure-ip-masq-merger*" --tags --always))
-CNI_VERSION				?= $(ACN_VERSION)
-CNS_VERSION				?= $(ACN_VERSION)
-NPM_VERSION				?= $(ACN_VERSION)
-ZAPAI_VERSION			?= $(notdir $(shell git describe --match "zapai*" --tags --always))
+AZURE_IPTABLES_MONITOR_VERSION		?= $(notdir $(shell git describe --match "azure-iptables-monitor*" --tags --always))
+CNI_VERSION							?= $(ACN_VERSION)
+CNS_VERSION							?= $(ACN_VERSION)
+NPM_VERSION							?= $(ACN_VERSION)
+ZAPAI_VERSION						?= $(notdir $(shell git describe --match "zapai*" --tags --always))
 
 # Build directories.
 AZURE_IPAM_DIR = $(REPO_ROOT)/azure-ipam
 AZURE_IP_MASQ_MERGER_DIR = $(REPO_ROOT)/azure-ip-masq-merger
+AZURE_IPTABLES_MONITOR_DIR = $(REPO_ROOT)/azure-iptables-monitor
 IPV6_HP_BPF_DIR = $(REPO_ROOT)/bpf-prog/ipv6-hp-bpf
 BLOCK_IPTABLES_DIR = $(REPO_ROOT)/bpf-prog/block-iptables
 
@@ -60,6 +62,7 @@ OUTPUT_DIR = $(REPO_ROOT)/output
 BUILD_DIR = $(OUTPUT_DIR)/$(GOOS)_$(GOARCH)
 AZURE_IPAM_BUILD_DIR = $(BUILD_DIR)/azure-ipam
 AZURE_IP_MASQ_MERGER_BUILD_DIR = $(BUILD_DIR)/azure-ip-masq-merger
+AZURE_IPTABLES_MONITOR_BUILD_DIR = $(BUILD_DIR)/azure-iptables-monitor
 IPV6_HP_BPF_BUILD_DIR = $(BUILD_DIR)/bpf-prog/ipv6-hp-bpf
 BLOCK_IPTABLES_BUILD_DIR = $(BUILD_DIR)/bpf-prog/block-iptables
 IMAGE_DIR  = $(OUTPUT_DIR)/images
@@ -109,6 +112,7 @@ CNS_ARCHIVE_NAME = azure-cns-$(GOOS)-$(GOARCH)-$(CNS_VERSION).$(ARCHIVE_EXT)
 NPM_ARCHIVE_NAME = azure-npm-$(GOOS)-$(GOARCH)-$(NPM_VERSION).$(ARCHIVE_EXT)
 AZURE_IPAM_ARCHIVE_NAME = azure-ipam-$(GOOS)-$(GOARCH)-$(AZURE_IPAM_VERSION).$(ARCHIVE_EXT)
 AZURE_IP_MASQ_MERGER_ARCHIVE_NAME = azure-ip-masq-merger-$(GOOS)-$(GOARCH)-$(AZURE_IP_MASQ_MERGER_VERSION).$(ARCHIVE_EXT)
+AZURE_IPTABLES_MONITOR_ARCHIVE_NAME = azure-iptables-monitor-$(GOOS)-$(GOARCH)-$(AZURE_IPTABLES_MONITOR_VERSION).$(ARCHIVE_EXT)
 IPV6_HP_BPF_ARCHIVE_NAME = ipv6-hp-bpf-$(GOOS)-$(GOARCH)-$(IPV6_HP_BPF_VERSION).$(ARCHIVE_EXT)
 BLOCK_IPTABLES_ARCHIVE_NAME = block-iptables-$(GOOS)-$(GOARCH)-$(BLOCK_IPTABLES_VERSION).$(ARCHIVE_EXT)
 
@@ -127,8 +131,8 @@ all-binaries-platforms: ## Make all platform binaries
 
 # OS specific binaries/images
 ifeq ($(GOOS),linux)
-all-binaries: acncli azure-cni-plugin azure-cns azure-npm azure-ipam azure-ip-masq-merger ipv6-hp-bpf block-iptables
-all-images: npm-image cns-image cni-manager-image azure-ip-masq-merger-image ipv6-hp-bpf-image
+all-binaries: acncli azure-cni-plugin azure-cns azure-npm azure-ipam azure-ip-masq-merger azure-iptables-monitor ipv6-hp-bpf block-iptables
+all-images: npm-image cns-image cni-manager-image azure-ip-masq-merger-image azure-iptables-monitor-image ipv6-hp-bpf-image
 else
 all-binaries: azure-cni-plugin azure-cns azure-npm
 all-images:
@@ -144,6 +148,7 @@ azure-ipam: azure-ipam-binary azure-ipam-archive
 ipv6-hp-bpf: ipv6-hp-bpf-binary ipv6-hp-bpf-archive
 block-iptables: block-iptables-binary block-iptables-archive
 azure-ip-masq-merger: azure-ip-masq-merger-binary azure-ip-masq-merger-archive
+azure-iptables-monitor: azure-iptables-monitor-binary azure-iptables-monitor-archive
 
 
 ##@ Versioning
@@ -162,6 +167,9 @@ azure-ipam-version: ## prints the azure-ipam version
 azure-ip-masq-merger-version: ## prints the azure-ip-masq-merger version
 	@echo $(AZURE_IP_MASQ_MERGER_VERSION)
 
+azure-iptables-monitor-version: ## prints the azure-iptables-monitor version
+	@echo $(AZURE_IPTABLES_MONITOR_VERSION)
+
 ipv6-hp-bpf-version: ## prints the ipv6-hp-bpf version
 	@echo $(IPV6_HP_BPF_VERSION)
 
@@ -253,6 +261,10 @@ azure-npm-binary:
 azure-ip-masq-merger-binary:
 	cd $(AZURE_IP_MASQ_MERGER_DIR) && CGO_ENABLED=0 go build -v -o $(AZURE_IP_MASQ_MERGER_BUILD_DIR)/azure-ip-masq-merger$(EXE_EXT) -ldflags "-X main.version=$(AZURE_IP_MASQ_MERGER_VERSION)" -gcflags="-dwarflocationlists=true"
 
+# Build the azure-iptables-monitor binary.
+azure-iptables-monitor-binary:
+	cd $(AZURE_IPTABLES_MONITOR_DIR) && CGO_ENABLED=0 go build -v -o $(AZURE_IPTABLES_MONITOR_BUILD_DIR)/azure-iptables-monitor$(EXE_EXT) -ldflags "-X main.version=$(AZURE_IPTABLES_MONITOR_VERSION)" -gcflags="-dwarflocationlists=true"
+
 ##@ Containers
 
 ## Common variables for all containers.
@@ -291,26 +303,28 @@ CONTAINER_TRANSPORT = docker
 endif
 
 ## Image name definitions.
-ACNCLI_IMAGE				= acncli
-AZURE_IPAM_IMAGE			= azure-ipam
-IPV6_HP_BPF_IMAGE			= ipv6-hp-bpf
-CNI_IMAGE					= azure-cni
-CNS_IMAGE					= azure-cns
-NPM_IMAGE					= azure-npm
-AZURE_IP_MASQ_MERGER_IMAGE	= azure-ip-masq-merger
+ACNCLI_IMAGE					= acncli
+AZURE_IPAM_IMAGE				= azure-ipam
+IPV6_HP_BPF_IMAGE				= ipv6-hp-bpf
+CNI_IMAGE						= azure-cni
+CNS_IMAGE						= azure-cns
+NPM_IMAGE						= azure-npm
+AZURE_IP_MASQ_MERGER_IMAGE		= azure-ip-masq-merger
+AZURE_IPTABLES_MONITOR_IMAGE	= azure-iptables-monitor
 
 ## Image platform tags.
-ACNCLI_PLATFORM_TAG				?= $(subst /,-,$(PLATFORM))-$(ACN_VERSION)
-AZURE_IPAM_PLATFORM_TAG			?= $(subst /,-,$(PLATFORM))-$(AZURE_IPAM_VERSION)
-AZURE_IPAM_WINDOWS_PLATFORM_TAG	?= $(subst /,-,$(PLATFORM))-$(AZURE_IPAM_VERSION)-$(OS_SKU_WIN)
-IPV6_HP_BPF_IMAGE_PLATFORM_TAG	?= $(subst /,-,$(PLATFORM))-$(IPV6_HP_BPF_VERSION)
+ACNCLI_PLATFORM_TAG					?= $(subst /,-,$(PLATFORM))-$(ACN_VERSION)
+AZURE_IPAM_PLATFORM_TAG				?= $(subst /,-,$(PLATFORM))-$(AZURE_IPAM_VERSION)
+AZURE_IPAM_WINDOWS_PLATFORM_TAG		?= $(subst /,-,$(PLATFORM))-$(AZURE_IPAM_VERSION)-$(OS_SKU_WIN)
+IPV6_HP_BPF_IMAGE_PLATFORM_TAG		?= $(subst /,-,$(PLATFORM))-$(IPV6_HP_BPF_VERSION)
+CNI_PLATFORM_TAG					?= $(subst /,-,$(PLATFORM))-$(CNI_VERSION)
+CNI_WINDOWS_PLATFORM_TAG			?= $(subst /,-,$(PLATFORM))-$(CNI_VERSION)-$(OS_SKU_WIN)
+CNS_PLATFORM_TAG					?= $(subst /,-,$(PLATFORM))-$(CNS_VERSION)
+CNS_WINDOWS_PLATFORM_TAG			?= $(subst /,-,$(PLATFORM))-$(CNS_VERSION)-$(OS_SKU_WIN)
+NPM_PLATFORM_TAG					?= $(subst /,-,$(PLATFORM))-$(NPM_VERSION)
 BLOCK_IPTABLES_PLATFORM_TAG		?= $(subst /,-,$(PLATFORM))-$(BLOCK_IPTABLES_VERSION)
-CNI_PLATFORM_TAG				?= $(subst /,-,$(PLATFORM))-$(CNI_VERSION)
-CNI_WINDOWS_PLATFORM_TAG		?= $(subst /,-,$(PLATFORM))-$(CNI_VERSION)-$(OS_SKU_WIN)
-CNS_PLATFORM_TAG				?= $(subst /,-,$(PLATFORM))-$(CNS_VERSION)
-CNS_WINDOWS_PLATFORM_TAG		?= $(subst /,-,$(PLATFORM))-$(CNS_VERSION)-$(OS_SKU_WIN)
-NPM_PLATFORM_TAG				?= $(subst /,-,$(PLATFORM))-$(NPM_VERSION)
 AZURE_IP_MASQ_MERGER_PLATFORM_TAG	?= $(subst /,-,$(PLATFORM))-$(AZURE_IP_MASQ_MERGER_VERSION)
+AZURE_IPTABLES_MONITOR_PLATFORM_TAG	?= $(subst /,-,$(PLATFORM))-$(AZURE_IPTABLES_MONITOR_VERSION)
 
 
 qemu-user-static: ## Set up the host to run qemu multiplatform container builds.
@@ -448,6 +462,32 @@ azure-ip-masq-merger-image-pull: ## pull azure-ip-masq-merger container image.
 		IMAGE=$(AZURE_IP_MASQ_MERGER_IMAGE) \
 		TAG=$(AZURE_IP_MASQ_MERGER_PLATFORM_TAG)
 
+# azure-iptables-monitor
+azure-iptables-monitor-image-name: # util target to print the azure-iptables-monitor image name.
+	@echo $(AZURE_IPTABLES_MONITOR_IMAGE)
+
+azure-iptables-monitor-image-name-and-tag: # util target to print the azure-iptables-monitor image name and tag.
+	@echo $(IMAGE_REGISTRY)/$(AZURE_IPTABLES_MONITOR_IMAGE):$(AZURE_IPTABLES_MONITOR_PLATFORM_TAG)
+
+azure-iptables-monitor-image: ## build azure-iptables-monitor container image.
+	$(MAKE) container \
+		DOCKERFILE=azure-iptables-monitor/Dockerfile \
+		IMAGE=$(AZURE_IPTABLES_MONITOR_IMAGE) \
+		PLATFORM=$(PLATFORM) \
+		TAG=$(AZURE_IPTABLES_MONITOR_PLATFORM_TAG) \
+		TARGET=$(OS) \
+		OS=$(OS) \
+		ARCH=$(ARCH)
+
+azure-iptables-monitor-image-push: ## push azure-iptables-monitor container image.
+	$(MAKE) container-push \
+		IMAGE=$(AZURE_IPTABLES_MONITOR_IMAGE) \
+		TAG=$(AZURE_IPTABLES_MONITOR_PLATFORM_TAG)
+
+azure-iptables-monitor-image-pull: ## pull azure-iptables-monitor container image.
+	$(MAKE) container-pull \
+		IMAGE=$(AZURE_IPTABLES_MONITOR_IMAGE) \
+		TAG=$(AZURE_IPTABLES_MONITOR_PLATFORM_TAG)
 
 # ipv6-hp-bpf
 
@@ -641,6 +681,22 @@ azure-ip-masq-merger-skopeo-archive: ## export tar archive of azure-ip-masq-merg
 		IMAGE=$(AZURE_IP_MASQ_MERGER_IMAGE) \
 		TAG=$(AZURE_IP_MASQ_MERGER_VERSION)
 
+azure-iptables-monitor-manifest-build: ## build azure-iptables-monitor multiplat container manifest.
+	$(MAKE) manifest-build \
+		PLATFORMS="$(PLATFORMS)" \
+		IMAGE=$(AZURE_IPTABLES_MONITOR_IMAGE) \
+		TAG=$(AZURE_IPTABLES_MONITOR_VERSION)
+
+azure-iptables-monitor-manifest-push: ## push azure-iptables-monitor multiplat container manifest
+	$(MAKE) manifest-push \
+		IMAGE=$(AZURE_IPTABLES_MONITOR_IMAGE) \
+		TAG=$(AZURE_IPTABLES_MONITOR_VERSION)
+
+azure-iptables-monitor-skopeo-archive: ## export tar archive of azure-iptables-monitor multiplat container manifest.
+	$(MAKE) manifest-skopeo-archive \
+		IMAGE=$(AZURE_IPTABLES_MONITOR_IMAGE) \
+		TAG=$(AZURE_IPTABLES_MONITOR_VERSION)
+
 ipv6-hp-bpf-manifest-build: ## build ipv6-hp-bpf multiplat container manifest.
 	$(MAKE) manifest-build \
 		PLATFORMS="$(PLATFORMS)" \
@@ -799,6 +855,14 @@ ifeq ($(GOOS),linux)
 	cd $(AZURE_IP_MASQ_MERGER_BUILD_DIR) && $(ARCHIVE_CMD) $(AZURE_IP_MASQ_MERGER_ARCHIVE_NAME) azure-ip-masq-merger$(EXE_EXT)
 endif
 
+# Create a azure-iptables-monitor archive for the target platform.
+.PHONY: azure-iptables-monitor-archive
+azure-iptables-monitor-archive: azure-iptables-monitor-binary
+ifeq ($(GOOS),linux)
+	$(MKDIR) $(AZURE_IPTABLES_MONITOR_BUILD_DIR)
+	cd $(AZURE_IPTABLES_MONITOR_BUILD_DIR) && $(ARCHIVE_CMD) $(AZURE_IPTABLES_MONITOR_ARCHIVE_NAME) azure-iptables-monitor$(EXE_EXT)
+endif
+
 # Create a ipv6-hp-bpf archive for the target platform.
 .PHONY: ipv6-hp-bpf-archive
 ipv6-hp-bpf-archive: ipv6-hp-bpf-binary
@@ -843,6 +907,7 @@ workspace: ## Set up the Go workspace.
 	go work use .
 	go work use ./azure-ipam
 	go work use ./azure-ip-masq-merger
+	go work use ./azure-iptables-monitor
 	go work use ./build/tools
 	go work use ./dropgz
 	go work use ./zapai
@@ -855,7 +920,7 @@ RESTART_CASE ?= false
 # CNI type is a key to direct the types of state validation done on a cluster.
 CNI_TYPE ?= cilium
 
-test-all: test-azure-ipam test-azure-ip-masq-merger test-main ## run all unit tests.
+test-all: test-azure-ipam test-azure-ip-masq-merger test-azure-iptables-monitor test-main ## run all unit tests.
 
 test-main: 
 	go test -mod=readonly -buildvcs=false -tags "unit" --skip 'TestE2E*' -race -covermode atomic -coverprofile=coverage-main.out $(COVER_PKG)/...
@@ -895,6 +960,9 @@ test-azure-ipam: ## run the unit test for azure-ipam
 test-azure-ip-masq-merger: ## run the unit test for azure-ip-masq-merger
 	cd $(AZURE_IP_MASQ_MERGER_DIR) && go test -race -covermode atomic -coverprofile=../coverage-azure-ip-masq-merger.out && go tool cover -func=../coverage-azure-ip-masq-merger.out
 
+test-azure-iptables-monitor: ## run the unit test for azure-iptables-monitor
+	cd $(AZURE_IPTABLES_MONITOR_DIR) && go test -race -covermode atomic -coverprofile=../coverage-azure-iptables-monitor.out && go tool cover -func=../coverage-azure-iptables-monitor.out
+
 kind:
 	kind create cluster --config ./test/kind/kind.yaml
 

azure-iptables-monitor/Dockerfile

@@ -0,0 +1,28 @@
+ARG ARCH
+
+# mcr.microsoft.com/azurelinux/base/core:3.0
+FROM mcr.microsoft.com/azurelinux/base/core@sha256:9948138108a3d69f1dae62104599ac03132225c3b7a5ac57b85a214629c8567d AS mariner-core
+
+# mcr.microsoft.com/azurelinux/distroless/minimal:3.0
+FROM mcr.microsoft.com/azurelinux/distroless/minimal@sha256:0801b80a0927309572b9adc99bd1813bc680473175f6e8175cd4124d95dbd50c AS mariner-distroless
+
+# skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.23.2-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
+FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:f1f0cbd464ae4cd9d41176d47f1f9fe16a6965425871f817587314e3a04576ec AS go
+
+
+FROM go AS azure-iptables-monitor
+ARG OS
+ARG VERSION
+WORKDIR /azure-iptables-monitor
+COPY ./azure-iptables-monitor .
+RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/iptables-monitor -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" .
+
+FROM mariner-core AS iptables
+RUN tdnf install -y iptables
+
+FROM mariner-distroless AS linux
+COPY --from=iptables /usr/sbin/*tables* /usr/sbin/
+COPY --from=iptables /usr/lib /usr/lib
+COPY --from=azure-iptables-monitor /go/bin/iptables-monitor azure-iptables-monitor
+
+ENTRYPOINT ["/azure-iptables-monitor"]

azure-iptables-monitor/README.md

@@ -0,0 +1,64 @@
+# azure-iptables-monitor
+
+`azure-iptables-monitor` is a utility for monitoring iptables rules on Kubernetes nodes and labeling a ciliumnode resource based on whether the corresponding node contains user-defined iptables rules.
+
+## Description
+
+The goal of this program is to periodically scan iptables rules across all tables (nat, mangle, filter, raw, security) and determine if any rules exist that don't match expected patterns. When unexpected rules are found, the ciliumnode resource is labeled to indicate the presence of user-defined iptables rules.
+
+## Usage
+
+Follow the steps below to build and run the program:
+
+1. Build the binary using `make`:
+    ```bash
+    make azure-iptables-monitor
+    ```
+    or make an image:
+    ```bash
+    make azure-iptables-monitor-image
+    ```
+
+2. Deploy or copy the binary to your node(s).
+
+3. Prepare your allowed pattern files in the input directory. Each file should be named after an iptables table (`nat`, `mangle`, `filter`, `raw`, `security`) or `global` and contain regex patterns that match expected iptables rules. You may want to mount a configmap for this purpose.
+
+4. Start the program with:
+    ```bash
+    ./azure-iptables-monitor --input=/etc/config/ --interval=300
+    ```
+    - The `--input` flag specifies the directory containing allowed regex pattern files. Default: `/etc/config/`
+    - The `--interval` flag specifies how often to check iptables rules in seconds. Default: `300`
+    - The `--events` flag enables Kubernetes event creation for rule violations. Default: `false`
+    - The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node.
+
+5. The program will set the `user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes).
+
+
+## Pattern File Format
+
+Each pattern file should contain one regex pattern per line:
+```
+^-A INPUT -i lo -j ACCEPT$
+^-A FORWARD -j DOCKER.*
+^-A POSTROUTING -s 10\.0\.0\.0/8 -j MASQUERADE$
+```
+
+- `global`: Patterns that can match rules in any iptables table
+- `nat`, `mangle`, `filter`, `raw`, `security`: Patterns specific to each iptables table
+- Empty lines are ignored
+- Each line should be a valid Go regex pattern
+
+## Debugging
+
+Logs are output to standard error. Increase verbosity with the `-v` flag:
+```bash
+./azure-iptables-monitor -v 3
+```
+
+## Development
+
+To run tests at the repository level:
+```bash
+make test-azure-iptables-monitor
+```