Conversation

@santhoshmprabhu santhoshmprabhu commented Jul 29, 2025

Reason for Change:

This PR introduces a binary that will block iptables rule installation in the host network namespace. We are doing this as a sub-feature for eBPF host routing in Cilium. This is relevant because any iptables rules in the host network namespace are skipped when Cilium eBPF host routing is enabled. Further, we allow certain processes, such as cilium-agent and ip-masq-agent, to install rules, even if those rules may get bypassed. We account for this difference in behavior in our design.

The block covers both iptables netlink and iptables legacy. The iptables netlink block targets the netlink_send LSM BPF hook, which gets invoked when a netlink message is sent (such as when installing iptables rules). If the message is an iptables rule installation, and the network namespace is the host network namespace, and the parent of the calling process is not one of the allow-listed processes, we block that installation. The switch to the parent is needed because cilium-agent, ip-masq-agent, etc. invoke the iptables binary as a child to do rule installation. In the legacy case, we block the setsockopt call with the IPT_SO_SET_REPLACE option, which is used for iptables rule installation.

Whenever we block a rule installation, we increment a counter in a map that is pinned at /sys/fs/bpf/block-iptables/event_counter. We can read the count from a CNS sidecar container and generate kube events, so that the customer has visibility into failing iptables rule installations.

The binary is meant for packaging into a systemd service. The service will always be running, but will only block rule installation depending on the contents of a config file. If the config file is missing, or is present and has content, the service will not block iptables rules. If the config file is present but empty, the service will block. The idea is that any process/component that needs to stop the iptables block can append a unique value to the file, and remove it once it no longer needs the service to stop.

The Makefile changes build the binary; we will separately make the changes needed for inclusion of the binary in the GitHub release artifacts.

Validation steps completed

  • Packaged this binary manually into a systemd service and applied it on AKS nodes; validated that iptables rule installations are blocked when the config file is present and empty, and not blocked otherwise. On real AKS clusters, AgentBaker will be responsible for setting up this systemd service.
  • When the systemd service is running, validated that Cilium is able to install iptables rules.
  • Verified that block counts increase when rule installation attempts are blocked.
  • Verified that iptables rules can be installed from pods that are not running in hostNetwork mode.

Issue Fixed:

Requirements:

Notes:

Copilot AI review requested due to automatic review settings July 29, 2025 23:04
@santhoshmprabhu santhoshmprabhu requested review from a team and camrynl as code owners July 29, 2025 23:05
Copilot AI left a comment

Pull Request Overview

This PR introduces a new eBPF-based binary called block-iptables that prevents iptables rule installation in the host network namespace, supporting Cilium's eBPF host routing feature. The binary monitors for iptables operations via both netlink and legacy interfaces, blocking installations except for allowed processes like cilium-agent and ip-masq-agent.

  • Implements eBPF LSM hooks for both iptables netlink (netlink_send) and legacy (socket_setsockopt) interfaces
  • Adds file-based configuration monitoring to dynamically enable/disable blocking based on allow-list presence
  • Integrates build system support for the new binary with version management and archiving

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

File | Description
---- | -----------
bpf-prog/block-iptables/pkg/blockservice/gen.go | Go generate directive for eBPF code compilation
bpf-prog/block-iptables/cmd/block-iptables/main.go | Main application logic with file watching and BPF program lifecycle management
bpf-prog/block-iptables/bpf/src/block_iptables.bpf.c | eBPF program implementing LSM hooks for blocking iptables operations
Makefile | Build system integration for the new block-iptables binary

Comments suppressed due to low confidence (1)

bpf-prog/block-iptables/cmd/block-iptables/main.go:130

  • The target name 'ip-masq-merger' should be 'azure-ip-masq-merger' to match the pattern used elsewhere in the Makefile and the actual binary name.
santhoshmprabhu and others added 4 commits July 29, 2025 16:07
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Santhosh Prabhu <6684582+santhoshmprabhu@users.noreply.github.com>
@santhoshmprabhu santhoshmprabhu requested review from a team as code owners July 29, 2025 23:34
@santhoshmprabhu santhoshmprabhu requested a review from a team as a code owner July 31, 2025 05:31
@santhoshmprabhu
/azp run Azure Container Networking PR

@azure-pipelines
Azure Pipelines successfully started running 1 pipeline(s).
@santhoshmprabhu
/azp run Azure Container Networking PR

@azure-pipelines
Azure Pipelines successfully started running 1 pipeline(s).
tamilmani1989
tamilmani1989 previously approved these changes Aug 6, 2025
@santhoshmprabhu
/azp run Azure Container Networking PR

@azure-pipelines
Azure Pipelines successfully started running 1 pipeline(s).
@santhoshmprabhu santhoshmprabhu added this pull request to the merge queue Aug 8, 2025
Merged via the queue into master with commit 3e68e58 Aug 8, 2025
20 checks passed
@santhoshmprabhu santhoshmprabhu deleted the sanprabhu/iptables-block-binary branch August 8, 2025 22:56
NihaNallappagari pushed a commit to NihaNallappagari/azure-container-networking that referenced this pull request Sep 4, 2025
  • feat: iptables block using LSM BPF
  • feat: makefile changes
  • chore: cleanup
  • Update bpf-prog/block-iptables/bpf/src/block_iptables.bpf.c (Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>, Signed-off-by: Santhosh Prabhu <6684582+santhoshmprabhu@users.noreply.github.com>)
  • chore: fix const
  • fix: dockerfiles, bug
  • test: add test for bpf attach/detach
  • feat: add event tracking
  • feat: add event counting
  • chore: dockerfiles
  • fix: nolint for generated code
  • fix: nolint for generated code
  • fix: golangci skip
  • fix: skip directory with generated code
  • chore: skip block iptables generated code
  • chore: fix
  • fix: run go generate first
  • fix: use installed go
  • fix: install bpf libraries
  • fix: remove file
  • fix: roll back linter changes
  • fix: add code generation to tests
  • chore: switch to dual license
  • fix: run generate before lint
  • fix: install libs
  • fix: fix linting, address some comments
  • fix: address comments, fix lint
  • fix: missed change
  • fix: compile only on linux
  • fix: compile only on linux
  • fix: address comments
  • fix: address comments
  • chore: dockerfiles
  • fix: address comments
  • chore: dockerfiles
  • fix: address comments
  • chore: dockerfiles
  • fix: address comments

Signed-off-by: Santhosh Prabhu <6684582+santhoshmprabhu@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sivakami-projects pushed a commit that referenced this pull request Oct 23, 2025