feat: include iptables block binary in iptables monitor image

Makefile

@@ -35,10 +35,10 @@ REPO_ROOT							?= $(shell git rev-parse --show-toplevel)
 REVISION							?= $(shell git rev-parse --short HEAD)
 ACN_VERSION							?= $(shell git describe --exclude "azure-iptables-monitor*" --exclude "azure-ip-masq-merger*" --exclude "azure-ipam*" --exclude "dropgz*" --exclude "zapai*" --exclude "ipv6-hp-bpf*" --exclude "azure-block-iptables*" --tags --always)
 IPV6_HP_BPF_VERSION					?= $(notdir $(shell git describe --match "ipv6-hp-bpf*" --tags --always))
-AZURE_BLOCK_IPTABLES_VERSION  ?= $(notdir $(shell git describe --match "azure-block-iptables*" --tags --always))
+AZURE_BLOCK_IPTABLES_VERSION		?= $(notdir $(shell git describe --match "azure-block-iptables*" --tags --always))
 AZURE_IPAM_VERSION					?= $(notdir $(shell git describe --match "azure-ipam*" --tags --always))
 AZURE_IP_MASQ_MERGER_VERSION		?= $(notdir $(shell git describe --match "azure-ip-masq-merger*" --tags --always))
-AZURE_IPTABLES_MONITOR_VERSION		?= $(notdir $(shell git describe --match "azure-iptables-monitor*" --tags --always))
+AZURE_IPTABLES_MONITOR_VERSION		?= $(notdir $(shell git describe --match "azure-block-iptables*" --match "azure-iptables-monitor*" --tags --always))
 CNI_VERSION							?= $(ACN_VERSION)
 CNS_VERSION							?= $(ACN_VERSION)
 NPM_VERSION							?= $(ACN_VERSION)
@@ -467,7 +467,8 @@ azure-iptables-monitor-image: ## build azure-iptables-monitor container image.
 		TAG=$(AZURE_IPTABLES_MONITOR_PLATFORM_TAG) \
 		TARGET=$(OS) \
 		OS=$(OS) \
-		ARCH=$(ARCH)
+		ARCH=$(ARCH) \
+		EXTRA_BUILD_ARGS="--build-arg AZURE_BLOCK_IPTABLES_VERSION=$(AZURE_BLOCK_IPTABLES_VERSION)"
 
 azure-iptables-monitor-image-push: ## push azure-iptables-monitor container image.
 	$(MAKE) container-push \

azure-iptables-monitor/Dockerfile

@@ -17,12 +17,40 @@ WORKDIR /azure-iptables-monitor
 COPY ./azure-iptables-monitor .
 RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/iptables-monitor -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" .
 
+FROM go AS azure-block-iptables
+ARG OS
+ARG AZURE_BLOCK_IPTABLES_VERSION
+ARG ARCH
+WORKDIR /azure-container-networking
+COPY ./bpf-prog/azure-block-iptables ./bpf-prog/azure-block-iptables
+COPY ./go.mod ./go.sum ./
+# Install BPF development dependencies for Azure Linux (mariner)
+RUN tdnf install -y llvm clang libbpf-devel gcc binutils glibc
+# Set up C include path for BPF
+ENV C_INCLUDE_PATH=/usr/include/bpf
+# Set up architecture-specific symlinks for cross-compilation support
+RUN if [ "$ARCH" = "amd64" ]; then \
+        ARCH_DIR=x86_64-linux-gnu; \
+    elif [ "$ARCH" = "arm64" ]; then \
+        ARCH_DIR=aarch64-linux-gnu; \
+    fi && \
+    for dir in /usr/include/"$ARCH_DIR"/*; do \
+        if [ -d "$dir" ]; then \
+            ln -sfn "$dir" /usr/include/$(basename "$dir"); \
+        elif [ -f "$dir" ]; then \
+            ln -Tsfn "$dir" /usr/include/$(basename "$dir"); \
+        fi \
+    done || true
+RUN GOOS=$OS CGO_ENABLED=0 go generate ./bpf-prog/azure-block-iptables/...
+RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/azure-block-iptables -trimpath -ldflags "-s -w -X main.version="$AZURE_BLOCK_IPTABLES_VERSION"" -gcflags="-dwarflocationlists=true" ./bpf-prog/azure-block-iptables/cmd/azure-block-iptables
+
 FROM mariner-core AS iptables
 RUN tdnf install -y iptables
 
 FROM mariner-distroless AS linux
 COPY --from=iptables /usr/sbin/*tables* /usr/sbin/
 COPY --from=iptables /usr/lib /usr/lib
 COPY --from=azure-iptables-monitor /go/bin/iptables-monitor azure-iptables-monitor
+COPY --from=azure-block-iptables /go/bin/azure-block-iptables azure-block-iptables
 
 ENTRYPOINT ["/azure-iptables-monitor"]