feat: add cns iptables reconciliation #3885
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
QxBytes
force-pushed
the
alew/add-cns-reconciliation
branch
from
a00472e to
f4af45b
Compare
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds iptables reconciliation functionality to CNS, enabling it to restore iptables rules to the expected state during startup and handle migration from legacy SWIFT chains to SWIFT-POSTROUTING chains. The changes ensure CNS can recover from external iptables modifications and properly sequence rule execution.
- Adds iptables reconciliation during CNS bootup to restore expected SNAT rules
- Implements migration logic to transition from legacy SWIFT chain to SWIFT-POSTROUTING chain with proper priority ordering
- Enhances the iptables mock implementation to support new operations needed for testing
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| cns/restserver/util.go | Adds reconciliation logic during CNS startup to reprogram SNAT rules for all containers |
| cns/restserver/restserver.go | Extends iptables interface with List, ClearChain, and Delete methods |
| cns/restserver/internalapi_linux.go | Implements comprehensive iptables reconciliation and migration logic from SWIFT to SWIFT-POSTROUTING |
| cns/restserver/internalapi_linux_test.go | Adds extensive tests covering migration scenarios and rule reconciliation |
| cns/fakes/iptablesfake.go | Enhances mock implementation with proper iptables simulation and tracking |
Comments suppressed due to low confidence (1)
cns/fakes/iptablesfake.go:192
- [nitpick] The method name 'ClearChainCallCount' is ambiguous - it could mean either getting the count or clearing the count. Consider renaming to 'GetClearChainCallCount' to clearly indicate it's a getter method.
func (c *IPTablesMock) ClearChainCallCount() int {
santhoshmprabhu
previously approved these changes
Aug 4, 2025
Contributor
|
I think we could consider eliminating that blip from clearing the chain, but not a big deal. |
santhoshmprabhu
approved these changes
Aug 6, 2025
rbtr
approved these changes
Aug 6, 2025
Collaborator
|
/azp run Azure Container Networking PR |
|
Azure Pipelines successfully started running 1 pipeline(s). |
github-merge-queue
bot
removed this pull request from the merge queue due to no response for status checks
NihaNallappagari
pushed a commit
to NihaNallappagari/azure-container-networking
that referenced
this pull request
Sep 4, 2025
* add iptables reconciliation to cns * add test to check if test case flushes chain * rename chain variable to reflect its value * address linter * nolint logger usage for now * address lll linter * remove code from startup as reconcile nnc always runs on cns startup
sivakami-projects
pushed a commit
that referenced
this pull request
Oct 23, 2025
* add iptables reconciliation to cns * add test to check if test case flushes chain * rename chain variable to reflect its value * address linter * nolint logger usage for now * address lll linter * remove code from startup as reconcile nnc always runs on cns startup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reason for Change:
CNS currently programs snat iptables rules only on NNC update/create. This PR makes it so that it also does so during cns bootup. Additionally, CNS will now attempt to "reconcile" the iptables on the node to what it expects. This allows us to "rollback" future updates to CNS iptables rules to match the expected state each time CNS reboots or restarts.
It is currently possible for CNI to add iptables rules to the node using chain "SWIFT". We want to jump to the cns-controlled chain "SWIFT-POSTROUTING" before we jump to the chain "SWIFT". The first piece of logic is to migrate to that:
Case 1: CNI already added a jump to SWIFT chain in nat POSTROUTING chain and it is at a higher priority than any SWIFT-POSTROUTING jump we may have added: We find the position of the SWIFT jump rule, and insert our SWIFT-POSTROUTING jump at that position, pushing the SWIFT jump rule to a lower priority
becomes
or
becomes
Case 2: The SWIFT-POSTROUTING jump rule exists before the SWIFT jump rule, or exists without any SWIFT jump rule: We do not modify the nat POSTROUTING chain
or
stays the same
Case 3: The nat POSTROUTING chain does not contain a SWIFT jump rule nor a SWIFT-POSTROUTING rule: We append the SWIFT-POSTROUTING jump rule to the nat POSTROUTING chain
becomes
Now, packets will go to the nat SWIFT-POSTROUTING chain first. We then take a look at the SWIFT-POSTROUTING chain.
Case 1: The nat SWIFT-POSTROUTING chain does not contain every single rule we expect exactly, or the # of rules in the SWIFT-POSTROUTING chain does not match how many rules we expect: Flush the chain and reinstall the iptables rules we expect.
Case 2: The nat SWIFT-POSTROUTING chain contains every single rule we expect exactly, and the # of rules matches how many rules we expect: We do not modify or flush the SWIFT-POSTROUTING chain
Issue Fixed:
Requirements:
Notes:
-N ...for custom chains or-P ...for built in chains (not shown iniptables -nvL -t nat). Feel free to check-- the library callsiptables -t <table> -S <chain>under the hood.iptables -nvL -t natthe first rule that shows up in a chain is at index 1.