feat: snat azure dns traffic to node ip in cns linux #3930
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR modifies SNAT behavior for Azure DNS traffic in Linux podsubnet scenarios by changing the source IP from the primary subnet IP to the node IP, and removes conflicting iptables-legacy rules to prevent conflicts with iptables-nftables.
- Changes SNAT target from subnet primary IP to node IP for Azure DNS traffic
- Removes jump to SWIFT-POSTROUTING in iptables-legacy to avoid rule conflicts
- Adds support for iptables-legacy client interface to handle cleanup operations
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| cns/restserver/restserver.go | Adds iptablesLegacyClient interface and getter method |
| cns/restserver/internalapi_windows.go | Implements unsupported legacy iptables for Windows |
| cns/restserver/internalapi_linux_test.go | Updates tests to verify node IP usage and legacy rule deletion |
| cns/restserver/internalapi_linux.go | Implements legacy iptables deletion and changes SNAT target to node IP |
| cns/fakes/iptablesfake.go | Adds mock implementation for legacy iptables testing |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
QxBytes force-pushed the alew/snat-podsubnet-azure-dns-node-ip-081325 branch from 9578ca5 to 8524b50 Compare QxBytes force-pushed the alew/snat-podsubnet-azure-dns-node-ip-081325 branch 2 times, most recently from b1a7451 to b8e0df6 Compare 
tamilmani1989 previously approved these changes Aug 18, 2025
santhoshmprabhu previously approved these changes Aug 18, 2025
| /azp run Azure Container Networking PR |
| Azure Pipelines successfully started running 1 pipeline(s). |
4 tasks
| This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days |
| Pull request closed due to inactivity. |
github-actions bot deleted the alew/snat-podsubnet-azure-dns-node-ip-081325 branch 
…to node ip todo: snat windows podsubnet azure scenario to node ip vnetscale scenarios (cilium and azure) already snat to node ip roll out after cns iptables reconciliation goes in cni still writes snat to primary ip but it is superseded by cns' rules
QxBytes dismissed stale reviews from santhoshmprabhu and tamilmani1989 via 8b45da6 QxBytes force-pushed the alew/snat-podsubnet-azure-dns-node-ip-081325 branch from b8e0df6 to 8b45da6 Compare | /azp run Azure Container Networking PR |
| Azure Pipelines successfully started running 1 pipeline(s). |
tamilmani1989 approved these changes Sep 23, 2025
QxBytes changed the title santhoshmprabhu approved these changes Sep 23, 2025
github-merge-queue bot removed this pull request from the merge queue due to failed status checks sivakami-projects pushed a commit that referenced this pull request Oct 23, 2025
* snat azure dns traffic in linux podsubnet azure and cilium scenarios to node ip todo: snat windows podsubnet azure scenario to node ip vnetscale scenarios (cilium and azure) already snat to node ip roll out after cns iptables reconciliation goes in cni still writes snat to primary ip but it is superseded by cns' rules * add logic to delete jump to swift postrouting in legacy and fix uts * address linter
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Reason for Change:
Changes the ip CNS-added IPTables rules SNAT to from the primary ip to node ip for linux podsubnet scenarios (both azure and cilium cases). CNI-added iptables rules are not modified and windows behavior remains the same (will be modified in a future PR).
Issue Fixed:
Requirements:
Notes:
Tested: