Skip to content

feat: update iptables monitor with ipv6 and bpf map reading capabilities #3948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Aug 27, 2025
Merged

feat: update iptables monitor with ipv6 and bpf map reading capabilities #3948

merged 13 commits into from
Aug 27, 2025

Conversation

@QxBytes
Copy link
Contributor

@QxBytes QxBytes commented Aug 19, 2025
edited
Loading

Reason for Change:

Adds two new capabilities to azure-iptables-monitor:

  • Reads ipv6 iptables rules if present on the node. To accomodate ipv6, will now read config files from a new directory for allowed ipv6 iptables rules-- these config files are separate from the ipv4 iptables allowlist. The ipv6 directory has the same structure as the ipv4 one (ex: an allowlist pattern file for each ipv6 table). If there are either ipv4 or ipv6 rules that are unexpected, we send an event and set the ciliumnode label as before.
  • Can read a pinned bpf map at a configurable location. The bpf map records how times on the node an iptables rule add request was blocked by a separate iptables block binary. If the number of blocks increases between intervals, we create a new event.

Issue Fixed:

See above

Requirements:

Notes:
Tested on a cilium dualstack cluster

  • If ipv6 rules not in allowlist are found, confirmed user iptables rules true
  • If ipv4 and ipv6 rules are all allowed, confirmed user iptables rules false
  • If bpf map increases between intervals, confirmed event emitted
  • Confirmed ipv6 uses an ipv6 client and shows ipv6 rules
@QxBytes QxBytes self-assigned this Aug 19, 2025
@QxBytes QxBytes added the cilium Related to Cilium. label Aug 19, 2025
@QxBytes QxBytes requested a review from Copilot August 19, 2025 19:08
Copilot AI reviewed Aug 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the azure-iptables-monitor with IPv6 support and BPF map monitoring capabilities. The monitor can now detect unexpected iptables rules in both IPv4 and IPv6 tables, and can track blocked iptables rule attempts via a pinned BPF map.

Key changes:

  • Adds IPv6 iptables monitoring with separate allowlist configuration directory
  • Implements BPF map reading to track blocked iptables rule attempts and generate events when blocks increase
  • Updates the Kubernetes label name to follow Azure conventions

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

File Description
iptables_monitor.go Core implementation adding IPv6 support, BPF map monitoring, and label name update
iptables_monitor_test.go Updates test to match new function signature with config path parameter
go.mod Adds cilium/ebpf dependency for BPF map functionality
README.md Documents new command-line flags and updated label name

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
@QxBytes
Copy link
Contributor Author

QxBytes commented Aug 19, 2025

/azp run Azure Container Networking PR
@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).
@QxBytes QxBytes marked this pull request as ready for review August 19, 2025 21:27
santhoshmprabhu
santhoshmprabhu reviewed Aug 20, 2025
View reviewed changes
Copy link
Contributor

@santhoshmprabhu santhoshmprabhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the event description, let's add an explanation indicating that eBPF host routing is enabled. The user may not immediately have context on why iptables rules are being blocked. We could also link aka.ms/acnsperformance
tamilmani1989
tamilmani1989 reviewed Aug 20, 2025
View reviewed changes
@QxBytes QxBytes force-pushed the alew/azure-iptables-monitor-2 branch from 2e541d7 to cd2c3e4 Compare August 20, 2025 18:48
santhoshmprabhu
santhoshmprabhu reviewed Aug 20, 2025
View reviewed changes
@QxBytes QxBytes force-pushed the alew/azure-iptables-monitor-2 branch from cd2c3e4 to 9e10260 Compare August 20, 2025 20:36
@QxBytes QxBytes force-pushed the alew/azure-iptables-monitor-2 branch from 9e10260 to dcce911 Compare August 20, 2025 22:55
@QxBytes QxBytes requested a review from camrynl as a code owner August 26, 2025 18:10
@QxBytes QxBytes force-pushed the alew/azure-iptables-monitor-2 branch from d73254f to e3bc5f6 Compare August 26, 2025 18:32
@QxBytes
Copy link
Contributor Author

QxBytes commented Aug 26, 2025

/azp run Azure Container Networking PR
@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).
@QxBytes QxBytes enabled auto-merge August 27, 2025 00:32
@QxBytes QxBytes added this pull request to the merge queue Aug 27, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 27, 2025
@QxBytes QxBytes added this pull request to the merge queue Aug 27, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 27, 2025
@QxBytes QxBytes added this pull request to the merge queue Aug 27, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 27, 2025
@QxBytes QxBytes added this pull request to the merge queue Aug 27, 2025
Merged via the queue into master with commit 11ac589 Aug 27, 2025
16 checks passed
@QxBytes QxBytes deleted the alew/azure-iptables-monitor-2 branch August 27, 2025 19:07
NihaNallappagari pushed a commit to NihaNallappagari/azure-container-networking that referenced this pull request Sep 4, 2025
@QxBytes @NihaNallappagari
feat: update iptables monitor with ipv6 and bpf map reading capabilit…
6ede789 
…ies (Azure#3948) * update label * add ip6tables * update readme * update logging * add ability to read bpf map to iptables monitor * modify log * display iptables rules block count only when check map enabled * update readme * remove unused function (noop) * address linter * update azure-iptables-monitor/iptables_monitor.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Alexander <39818795+QxBytes@users.noreply.github.com> * adjust event description * adjust pinned path --------- Signed-off-by: Alexander <39818795+QxBytes@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sivakami-projects pushed a commit that referenced this pull request Oct 23, 2025
@QxBytes
feat: update iptables monitor with ipv6 and bpf map reading capabilit…
c48c3a8 
…ies (#3948) * update label * add ip6tables * update readme * update logging * add ability to read bpf map to iptables monitor * modify log * display iptables rules block count only when check map enabled * update readme * remove unused function (noop) * address linter * update azure-iptables-monitor/iptables_monitor.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Alexander <39818795+QxBytes@users.noreply.github.com> * adjust event description * adjust pinned path --------- Signed-off-by: Alexander <39818795+QxBytes@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cilium Related to Cilium.

3 participants

@QxBytes @tamilmani1989 @santhoshmprabhu