@QxBytes QxBytes (Contributor) commented Aug 13, 2025

Reason for Change:

Changes the CNS-added IPTables rules' SNAT target from the primary IP to the node IP for Linux podsubnet scenarios (both Azure and Cilium cases). CNI-added iptables rules are not modified and Windows behavior remains the same (will be modified in a future PR).

Issue Fixed:

Requirements:

Notes:
Tested:

  • Podsubnet linux upgrade from 1.7.3 --> this version --> downgrade to 1.7.3 and dns snat is as expected
  • Podsubnet linux cilium upgrade from 1.7.3 --> this version --> downgrade to 1.7.3 and dns snat is as expected

@QxBytes QxBytes self-assigned this Aug 13, 2025
@QxBytes QxBytes added cns Related to CNS. cilium Related to Cilium. labels Aug 13, 2025
@QxBytes QxBytes requested a review from Copilot August 13, 2025 23:30
@QxBytes QxBytes requested a review from Copilot August 13, 2025 23:52
@Copilot Copilot AI left a comment

Pull Request Overview

This PR modifies SNAT behavior for Azure DNS traffic in Linux podsubnet scenarios by changing the source IP from the primary subnet IP to the node IP, and removes conflicting iptables-legacy rules to prevent conflicts with iptables-nftables.

  • Changes SNAT target from subnet primary IP to node IP for Azure DNS traffic
  • Removes jump to SWIFT-POSTROUTING in iptables-legacy to avoid rule conflicts
  • Adds support for iptables-legacy client interface to handle cleanup operations

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Summary per file:

  • cns/restserver/restserver.go: Adds iptablesLegacyClient interface and getter method
  • cns/restserver/internalapi_windows.go: Implements unsupported legacy iptables for Windows
  • cns/restserver/internalapi_linux_test.go: Updates tests to verify node IP usage and legacy rule deletion
  • cns/restserver/internalapi_linux.go: Implements legacy iptables deletion and changes SNAT target to node IP
  • cns/fakes/iptablesfake.go: Adds mock implementation for legacy iptables testing

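The PR description's "Tested" bullets and the review summary above both come down to one observable property: after the upgrade, the Azure DNS SNAT rules in the nat table should carry the node IP as their source. As an added verification helper (not code from this PR or from azure-container-networking), the following parses constructed `iptables-save -t nat` text and reports which source address those rules use, and whether a legacy POSTROUTING jump to SWIFT-POSTROUTING is still present. The Azure DNS address 168.63.129.16, the IPs in the samples and the exact rule shape are assumptions.

```python
"""Verify which source address the Azure DNS SNAT rules use after a CNS upgrade.
Added verification helper, not code from azure-container-networking; the rule shape
(nat-table rule to the Azure DNS address, port 53, SNAT target) is an assumption."""
import re
from dataclasses import dataclass, field

AZURE_DNS = "168.63.129.16"  # well-known Azure DNS address (assumed match target)

# Constructed `iptables-save -t nat` excerpts: before (primary IP) and after (node IP).
BEFORE_UPGRADE = """\
*nat
:POSTROUTING ACCEPT [0:0]
:SWIFT-POSTROUTING - [0:0]
-A POSTROUTING -j SWIFT-POSTROUTING
-A SWIFT-POSTROUTING -d 168.63.129.16/32 -p udp -m udp --dport 53 -j SNAT --to-source 10.224.0.5
-A SWIFT-POSTROUTING -d 168.63.129.16/32 -p tcp -m tcp --dport 53 -j SNAT --to-source 10.224.0.5
COMMIT
"""
AFTER_UPGRADE = BEFORE_UPGRADE.replace("10.224.0.5", "10.224.0.4")  # node IP 10.224.0.4 (constructed)

SNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) -d (?P<dst>[\d.]+)(?:/\d+)? -p (?P<proto>\w+) .*--dport (?P<port>\d+) "
    r"-j SNAT --to-source (?P<src>[\d.]+)$"
)


@dataclass
class DnsSnatReport:
    sources: dict = field(default_factory=dict)  # proto -> SNAT source address
    legacy_jump_present: bool = False

    def snats_to(self, ip: str) -> bool:
        """True when every matched DNS SNAT rule (udp and tcp) uses `ip`."""
        return bool(self.sources) and all(src == ip for src in self.sources.values())


def check_dns_snat(nat_rules: str, legacy_nat_rules: str = "") -> DnsSnatReport:
    """Report the SNAT source per protocol, and flag a POSTROUTING jump to
    SWIFT-POSTROUTING in `iptables-legacy-save` output (the conflict the review notes)."""
    report = DnsSnatReport()
    for line in nat_rules.splitlines():
        m = SNAT_RE.match(line)
        if m and m["dst"] == AZURE_DNS and m["port"] == "53":
            report.sources[m["proto"]] = m["src"]
    report.legacy_jump_present = any(
        line.startswith("-A POSTROUTING") and "-j SWIFT-POSTROUTING" in line
        for line in legacy_nat_rules.splitlines()
    )
    return report
```

On a real node, feed it the output of `iptables-save -t nat` and `iptables-legacy-save -t nat` instead of the constructed samples; a report whose `sources` still name the primary IP after the rollout means the old rules were not replaced.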

@QxBytes QxBytes force-pushed the alew/snat-podsubnet-azure-dns-node-ip-081325 branch from 9578ca5 to 8524b50 Compare August 14, 2025 15:39
@QxBytes QxBytes marked this pull request as ready for review August 14, 2025 16:50
@QxBytes QxBytes requested a review from a team as a code owner August 14, 2025 16:50
@QxBytes QxBytes force-pushed the alew/snat-podsubnet-azure-dns-node-ip-081325 branch 2 times, most recently from b1a7451 to b8e0df6 Compare August 18, 2025 21:40
tamilmani1989 previously approved these changes Aug 18, 2025
@QxBytes QxBytes (Contributor, Author) commented Aug 18, 2025

/azp run Azure Container Networking PR

@Azure Azure deleted a comment from azure-pipelines bot Aug 18, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@QxBytes QxBytes enabled auto-merge August 18, 2025 23:04
@QxBytes QxBytes added this pull request to the merge queue Aug 18, 2025
@QxBytes QxBytes removed this pull request from the merge queue due to a manual request Aug 18, 2025
github-actions bot commented Sep 6, 2025

This pull request is stale because it has been open for 2 weeks with no activity. Remove the stale label or comment, or this will be closed in 7 days.

@github-actions github-actions bot added the stale Stale due to inactivity. label Sep 6, 2025

Pull request closed due to inactivity.

@github-actions github-actions bot closed this Sep 14, 2025
@github-actions github-actions bot deleted the alew/snat-podsubnet-azure-dns-node-ip-081325 branch September 14, 2025 00:01
…to node ip

todo: snat windows podsubnet azure scenario to node ip
vnetscale scenarios (cilium and azure) already snat to node ip
roll out after cns iptables reconciliation goes in
cni still writes snat to primary ip but it is superseded by cns' rules
@QxBytes QxBytes restored the alew/snat-podsubnet-azure-dns-node-ip-081325 branch September 22, 2025 21:14
@QxBytes QxBytes reopened this Sep 22, 2025
@QxBytes QxBytes force-pushed the alew/snat-podsubnet-azure-dns-node-ip-081325 branch from b8e0df6 to 8b45da6 Compare September 22, 2025 21:16
@QxBytes QxBytes removed do-not-merge stale Stale due to inactivity. labels Sep 22, 2025
@QxBytes QxBytes (Contributor, Author) commented Sep 22, 2025

/azp run Azure Container Networking PR


Azure Pipelines successfully started running 1 pipeline(s).

@QxBytes QxBytes changed the title feat: snat azure dns traffic to node ip and remove jump to swift postrouting in iptables legacy feat: snat azure dns traffic to node ip in cns linux Sep 23, 2025
@QxBytes QxBytes added this pull request to the merge queue Sep 23, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Sep 23, 2025
@QxBytes QxBytes added this pull request to the merge queue Sep 24, 2025
Merged via the queue into master with commit a0d1a66 Sep 24, 2025
13 of 14 checks passed
@QxBytes QxBytes deleted the alew/snat-podsubnet-azure-dns-node-ip-081325 branch September 24, 2025 06:11