feat: iptables block using LSM BPF (#3871)

* feat: iptables block using LSM BPF

* feat: makefile changes

* chore: cleanup

* Update bpf-prog/block-iptables/bpf/src/block_iptables.bpf.c

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Santhosh  Prabhu  <[email protected]>

* chore: fix const

* fix: dockerfiles, bug

* test: add test for bpf attach/detach

* feat: add event tracking

* feat: add event counting

* chore: dockerfiles

* fix: nolint for generated code

* fix: nolint for generated code

* fix: golangci skip

* fix:skip directory with generated code

* chore:skip block iptales generated code

* chore: fix

* fix: run go generate first

* fix: use installed go

* fix: install bpf libraries

* fix: remove file

* fix: roll back linter changes

* fix: add code generation to tests

* chore: switch to dual license

* fix: run generate before lint

* fix: install libs

* fix: fix linting, address some comments

* fix: address comments, fix lint

* fix: missed change

* fix: compile only on linux

* fix: compile only on linux

* fix: address comments

* fix: address comments

* chore: dockerfiles

* fix: address comments

* chore:dockerfiles

* fix: address comments

* chore: dockerfiles

* fix: address comments

---------

Signed-off-by: Santhosh  Prabhu  <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: santhoshmprabhu

.github/workflows/golangci.yaml

@@ -11,13 +11,33 @@ on:
     types:
       - checks_requested
 jobs:
+  generate:
+    name: Generate BPF Handling Code
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Run go generate
+        run: make bpf-lib && go generate ./...
+
+      - name: Upload generated code
+        uses: actions/upload-artifact@v4
+        with:
+          name: generated-bpf-program-code
+          path: ./bpf-prog/block-iptables/pkg/blockservice
   golangci:
     strategy:
       fail-fast: false
       matrix:
         go-version: ['1.22.x', '1.23.x']
         os: [ubuntu-latest, windows-latest]
     name: Lint
+    needs: generate
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/setup-go@v5
@@ -26,6 +46,11 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+    - name: Download generated code
+      uses: actions/download-artifact@v4
+      with:
+        name: generated-bpf-program-code
+        path: ./bpf-prog/block-iptables/pkg/blockservice
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v6
       with:

.pipelines/build/dockerfiles/cns.Dockerfile

@@ -11,11 +11,11 @@ ENTRYPOINT ["azure-cns.exe"]
 EXPOSE 10090
 
 # mcr.microsoft.com/azurelinux/base/core:3.0
-FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/base/core@sha256:c09a4e011a092a45b5c46ac5633253eb1e1106df028912b89cbe225d9061ef0b AS build-helper
+FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/base/core@sha256:e9bb4e5a79123f2ae29dc601f68adf63a636a455c4259423712b06b798cb201e AS build-helper
 RUN tdnf install -y iptables
 
 # mcr.microsoft.com/azurelinux/distroless/minimal:3.0
-FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/distroless/minimal@sha256:c37100f358ee19e62c60673c54fb43b83d43b2c305846e44b23b2e032e9caf30 AS linux
+FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/distroless/minimal@sha256:be0e4c34aaa7b369ff84907fa0a743f5d5904fa2d5b7da2e768ad8df285d4213 AS linux
 ARG ARTIFACT_DIR .
 
 COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/

.pipelines/pipeline.yaml

@@ -75,7 +75,7 @@ stages:
             name: "$(BUILD_POOL_NAME_DEFAULT)"
           steps:
             - script: |
-                make ipv6-hp-bpf-lib
+                make bpf-lib
                 make all-binaries-platforms
               name: "BuildAllPlatformBinaries"
               displayName: "Build all platform binaries"

.pipelines/templates/run-unit-tests.yaml

@@ -14,6 +14,8 @@ stages:
           - script: |
               set -e
               make tools
+              make bpf-lib
+              go generate ./...
 
               # run test, echo exit status code to fd 3, pipe output from test to tee, which splits output to stdout and go-junit-report (which converts test output to report.xml),
               # stdout from tee is redirected to fd 4. Take output written to fd 3 (which is the exit code of test), redirect to stdout, pipe to read from stdout then exit with that status code.

Makefile

@@ -33,8 +33,9 @@ endif
 # Interrogate the git repo and set some variables
 REPO_ROOT							?= $(shell git rev-parse --show-toplevel)
 REVISION							?= $(shell git rev-parse --short HEAD)
-ACN_VERSION							?= $(shell git describe --exclude "azure-iptables-monitor*" --exclude "azure-ip-masq-merger*" --exclude "azure-ipam*" --exclude "dropgz*" --exclude "zapai*" --exclude "ipv6-hp-bpf*" --tags --always)
+ACN_VERSION							?= $(shell git describe --exclude "azure-iptables-monitor*" --exclude "azure-ip-masq-merger*" --exclude "azure-ipam*" --exclude "dropgz*" --exclude "zapai*" --exclude "ipv6-hp-bpf*" --exclude "block-iptables*" --tags --always)
 IPV6_HP_BPF_VERSION					?= $(notdir $(shell git describe --match "ipv6-hp-bpf*" --tags --always))
+BLOCK_IPTABLES_VERSION  ?= $(notdir $(shell git describe --match "block-iptables*" --tags --always))
 AZURE_IPAM_VERSION					?= $(notdir $(shell git describe --match "azure-ipam*" --tags --always))
 AZURE_IP_MASQ_MERGER_VERSION		?= $(notdir $(shell git describe --match "azure-ip-masq-merger*" --tags --always))
 AZURE_IPTABLES_MONITOR_VERSION		?= $(notdir $(shell git describe --match "azure-iptables-monitor*" --tags --always))
@@ -48,6 +49,7 @@ AZURE_IPAM_DIR = $(REPO_ROOT)/azure-ipam
 AZURE_IP_MASQ_MERGER_DIR = $(REPO_ROOT)/azure-ip-masq-merger
 AZURE_IPTABLES_MONITOR_DIR = $(REPO_ROOT)/azure-iptables-monitor
 IPV6_HP_BPF_DIR = $(REPO_ROOT)/bpf-prog/ipv6-hp-bpf
+BLOCK_IPTABLES_DIR = $(REPO_ROOT)/bpf-prog/block-iptables
 
 CNI_NET_DIR = $(REPO_ROOT)/cni/network/plugin
 CNI_IPAM_DIR = $(REPO_ROOT)/cni/ipam/plugin
@@ -63,6 +65,7 @@ AZURE_IPAM_BUILD_DIR = $(BUILD_DIR)/azure-ipam
 AZURE_IP_MASQ_MERGER_BUILD_DIR = $(BUILD_DIR)/azure-ip-masq-merger
 AZURE_IPTABLES_MONITOR_BUILD_DIR = $(BUILD_DIR)/azure-iptables-monitor
 IPV6_HP_BPF_BUILD_DIR = $(BUILD_DIR)/bpf-prog/ipv6-hp-bpf
+BLOCK_IPTABLES_BUILD_DIR = $(BUILD_DIR)/bpf-prog/block-iptables
 IMAGE_DIR  = $(OUTPUT_DIR)/images
 
 CNI_BUILD_DIR = $(BUILD_DIR)/cni
@@ -112,6 +115,7 @@ AZURE_IPAM_ARCHIVE_NAME = azure-ipam-$(GOOS)-$(GOARCH)-$(AZURE_IPAM_VERSION).$(A
 AZURE_IP_MASQ_MERGER_ARCHIVE_NAME = azure-ip-masq-merger-$(GOOS)-$(GOARCH)-$(AZURE_IP_MASQ_MERGER_VERSION).$(ARCHIVE_EXT)
 AZURE_IPTABLES_MONITOR_ARCHIVE_NAME = azure-iptables-monitor-$(GOOS)-$(GOARCH)-$(AZURE_IPTABLES_MONITOR_VERSION).$(ARCHIVE_EXT)
 IPV6_HP_BPF_ARCHIVE_NAME = ipv6-hp-bpf-$(GOOS)-$(GOARCH)-$(IPV6_HP_BPF_VERSION).$(ARCHIVE_EXT)
+BLOCK_IPTABLES_ARCHIVE_NAME = block-iptables-$(GOOS)-$(GOARCH)-$(BLOCK_IPTABLES_VERSION).$(ARCHIVE_EXT)
 
 # Image info file names.
 CNI_IMAGE_INFO_FILE			= azure-cni-$(CNI_VERSION).txt
@@ -128,7 +132,7 @@ all-binaries-platforms: ## Make all platform binaries
 
 # OS specific binaries/images
 ifeq ($(GOOS),linux)
-all-binaries: acncli azure-cni-plugin azure-cns azure-npm azure-ipam azure-ip-masq-merger azure-iptables-monitor ipv6-hp-bpf
+all-binaries: acncli azure-cni-plugin azure-cns azure-npm azure-ipam azure-ip-masq-merger azure-iptables-monitor ipv6-hp-bpf block-iptables
 all-images: npm-image cns-image cni-manager-image azure-ip-masq-merger-image azure-iptables-monitor-image ipv6-hp-bpf-image
 else
 all-binaries: azure-cni-plugin azure-cns azure-npm
@@ -143,6 +147,7 @@ acncli: acncli-binary acncli-archive
 azure-npm: azure-npm-binary npm-archive
 azure-ipam: azure-ipam-binary azure-ipam-archive
 ipv6-hp-bpf: ipv6-hp-bpf-binary ipv6-hp-bpf-archive
+block-iptables: block-iptables-binary block-iptables-archive
 azure-ip-masq-merger: azure-ip-masq-merger-binary azure-ip-masq-merger-archive
 azure-iptables-monitor: azure-iptables-monitor-binary azure-iptables-monitor-archive
 
@@ -169,6 +174,9 @@ azure-iptables-monitor-version: ## prints the azure-iptables-monitor version
 ipv6-hp-bpf-version: ## prints the ipv6-hp-bpf version
 	@echo $(IPV6_HP_BPF_VERSION)
 
+block-iptables-version: ## prints the block-iptables version
+	@echo $(BLOCK_IPTABLES_VERSION)
+
 cni-version: ## prints the cni version
 	@echo $(CNI_VERSION)
 
@@ -192,8 +200,8 @@ ipv6-hp-bpf-binary:
 	cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./...
 	cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION) $(LD_BUILD_FLAGS)" -gcflags="-dwarflocationlists=true"
 
-# Libraries for ipv6-hp-bpf
-ipv6-hp-bpf-lib:
+# Libraries for bpf
+bpf-lib:
 ifeq ($(GOARCH),amd64)
 	sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib
 	for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$$dir" /usr/include/$$(basename "$$dir"); done
@@ -202,6 +210,11 @@ else ifeq ($(GOARCH),arm64)
 	for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$$dir" /usr/include/$$(basename "$$dir"); done
 endif
 
+# Build the block-iptables binary.
+block-iptables-binary:
+	cd $(BLOCK_IPTABLES_DIR) && CGO_ENABLED=0 go generate ./...
+	cd $(BLOCK_IPTABLES_DIR)/cmd/block-iptables && CGO_ENABLED=0 go build -v -o $(BLOCK_IPTABLES_BUILD_DIR)/block-iptables$(EXE_EXT) -ldflags "-X main.version=$(BLOCK_IPTABLES_VERSION)" -gcflags="-dwarflocationlists=true"
+
 # Build the Azure CNI network binary.
 azure-vnet-binary:
 	cd $(CNI_NET_DIR) && CGO_ENABLED=0 go build -v -o $(CNI_BUILD_DIR)/azure-vnet$(EXE_EXT) -ldflags "-X main.version=$(CNI_VERSION) $(LD_BUILD_FLAGS)" -gcflags="-dwarflocationlists=true"
@@ -848,6 +861,14 @@ ifeq ($(GOOS),linux)
 	cd $(IPV6_HP_BPF_BUILD_DIR) && $(ARCHIVE_CMD) $(IPV6_HP_BPF_ARCHIVE_NAME) ipv6-hp-bpf$(EXE_EXT)
 endif
 
+# Create a block-iptables archive for the target platform.
+.PHONY: block-iptables-archive
+block-iptables-archive: block-iptables-binary
+ifeq ($(GOOS),linux)
+	$(MKDIR) $(BLOCK_IPTABLES_BUILD_DIR)
+	cd $(BLOCK_IPTABLES_BUILD_DIR) && $(ARCHIVE_CMD) $(BLOCK_IPTABLES_ARCHIVE_NAME) block-iptables$(EXE_EXT)
+endif
+
 ##@ Utils
 
 clean: ## Clean build artifacts.