Added Host NC communication support in Linux

cni/network/network_linux.go

@@ -54,6 +54,8 @@ func setEndpointOptions(cnsNwConfig *cns.GetNetworkContainerResponse, epInfo *ne
 		epInfo.Data[network.VlanIDKey] = cnsNwConfig.MultiTenancyInfo.ID
 		epInfo.Data[network.LocalIPKey] = cnsNwConfig.LocalIPConfiguration.IPSubnet.IPAddress + "/" + strconv.Itoa(int(cnsNwConfig.LocalIPConfiguration.IPSubnet.PrefixLength))
 		epInfo.Data[network.SnatBridgeIPKey] = cnsNwConfig.LocalIPConfiguration.GatewayIPAddress + "/" + strconv.Itoa(int(cnsNwConfig.LocalIPConfiguration.IPSubnet.PrefixLength))
+		epInfo.AllowInboundFromHostToNC = cnsNwConfig.AllowHostToNCCommunication
+		epInfo.AllowInboundFromNCToHost = cnsNwConfig.AllowNCToHostCommunication
 	}
 
 	epInfo.Data[network.OptVethName] = vethName

cns/NetworkContainerContract.go

@@ -57,6 +57,7 @@ type CreateNetworkContainerRequest struct {
 	CnetAddressSpace           []IPSubnet // To setup SNAT (should include service endpoint vips).
 	Routes                     []Route
 	AllowHostToNCCommunication bool
+	AllowNCToHostCommunication bool
 }
 
 // ConfigureContainerNetworkingRequest - specifies request to attach/detach container to network.
@@ -137,6 +138,7 @@ type GetNetworkContainerResponse struct {
 	LocalIPConfiguration       IPConfiguration
 	Response                   Response
 	AllowHostToNCCommunication bool
+	AllowNCToHostCommunication bool
 }
 
 // DeleteNetworkContainerRequest specifies the details about the request to delete a specifc network container.

cns/restserver/restserver.go

@@ -1208,6 +1208,7 @@ func (service *HTTPRestService) getNetworkContainerResponse(req cns.GetNetworkCo
 		PrimaryInterfaceIdentifier: savedReq.PrimaryInterfaceIdentifier,
 		LocalIPConfiguration:       savedReq.LocalIPConfiguration,
 		AllowHostToNCCommunication: savedReq.AllowHostToNCCommunication,
+		AllowNCToHostCommunication: savedReq.AllowNCToHostCommunication,
 	}
 
 	return getNetworkContainerResponse

iptables/iptables.go

@@ -0,0 +1,127 @@
+package iptables
+
+// This package contains wrapper functions to program iptables rules
+
+import (
+	"fmt"
+
+	"github.com/Azure/azure-container-networking/log"
+	"github.com/Azure/azure-container-networking/platform"
+)
+
+// cni iptable chains
+const (
+	CNIInputChain  = "AZURECNIINPUT"
+	CNIOutputChain = "AZURECNIOUTPUT"
+)
+
+// standard iptable chains
+const (
+	Input       = "INPUT"
+	Output      = "OUTPUT"
+	Forward     = "FORWARD"
+	Prerouting  = "PREROUTING"
+	Postrouting = "POSTROUTING"
+)
+
+// Standard Table names
+const (
+	Filter = "filter"
+	Nat    = "nat"
+)
+
+// target
+const (
+	Accept     = "ACCEPT"
+	Drop       = "DROP"
+	Masquerade = "MASQUERADE"
+)
+
+// actions
+const (
+	Insert = "I"
+	Append = "A"
+	Delete = "D"
+)
+
+// states
+const (
+	Established = "ESTABLISHED"
+	Related     = "RELATED"
+)
+
+const (
+	iptables    = "iptables"
+	lockTimeout = 60
+)
+
+// Run iptables command
+func runCmd(params string) error {
+	cmd := fmt.Sprintf("%s -w %d %s", iptables, lockTimeout, params)
+	if _, err := platform.ExecuteCommand(cmd); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// check if iptable chain alreay exists
+func ChainExists(tableName, chainName string) bool {
+	params := fmt.Sprintf("-t %s -L %s", tableName, chainName)
+	if err := runCmd(params); err != nil {
+		return false
+	}
+
+	return true
+}
+
+// create new iptable chain under specified table name
+func CreateChain(tableName, chainName string) error {
+	var err error
+
+	if !ChainExists(tableName, chainName) {
+		params := fmt.Sprintf("-t %s -N %s", tableName, chainName)
+		err = runCmd(params)
+	} else {
+		log.Printf("%s Chain exists in table %s", chainName, tableName)
+	}
+
+	return err
+}
+
+// check if iptable rule alreay exists
+func RuleExists(tableName, chainName, match, target string) bool {
+	params := fmt.Sprintf("-t %s -C %s %s -j %s", tableName, chainName, match, target)
+	if err := runCmd(params); err != nil {
+		return false
+	}
+	return true
+}
+
+// Insert iptable rule at beginning of iptable chain
+func InsertIptableRule(tableName, chainName, match, target string) error {
+	if RuleExists(tableName, chainName, match, target) {
+		log.Printf("Rule already exists")
+		return nil
+	}
+
+	params := fmt.Sprintf("-t %s -I %s 1 %s -j %s", tableName, chainName, match, target)
+	return runCmd(params)
+}
+
+// Append iptable rule at end of iptable chain
+func AppendIptableRule(tableName, chainName, match, target string) error {
+	if RuleExists(tableName, chainName, match, target) {
+		log.Printf("Rule already exists")
+		return nil
+	}
+
+	params := fmt.Sprintf("-t %s -A %s %s -j %s", tableName, chainName, match, target)
+	return runCmd(params)
+}
+
+// Delete matched iptable rule
+func DeleteIptableRule(tableName, chainName, match, target string) error {
+	params := fmt.Sprintf("-t %s -D %s %s -j %s", tableName, chainName, match, target)
+	return runCmd(params)
+}

network/bridge_endpointclient_linux.go

@@ -75,8 +75,7 @@ func (client *LinuxBridgeEndpointClient) AddEndpointRules(epInfo *EndpointInfo)
 
 		if client.mode != opModeTunnel {
 			log.Printf("[net] Adding static arp for IP address %v and MAC %v in VM", ipAddr.String(), client.containerMac.String())
-			netlink.AddOrRemoveStaticArp(netlink.ADD, client.bridgeName, ipAddr.IP, client.containerMac)
-			if err != nil {
+			if err := netlink.AddOrRemoveStaticArp(netlink.ADD, client.bridgeName, ipAddr.IP, client.containerMac); err != nil {
 				log.Printf("Failed setting arp in vm: %v", err)
 			}
 		}

network/endpoint.go

@@ -17,50 +17,55 @@ const (
 
 // Endpoint represents a container network interface.
 type endpoint struct {
-	Id                    string
-	HnsId                 string `json:",omitempty"`
-	SandboxKey            string
-	IfName                string
-	HostIfName            string
-	MacAddress            net.HardwareAddr
-	InfraVnetIP           net.IPNet
-	IPAddresses           []net.IPNet
-	Gateways              []net.IP
-	DNS                   DNSInfo
-	Routes                []RouteInfo
-	VlanID                int
-	EnableSnatOnHost      bool
-	EnableInfraVnet       bool
-	EnableMultitenancy    bool
-	NetworkNameSpace      string `json:",omitempty"`
-	ContainerID           string
-	PODName               string `json:",omitempty"`
-	PODNameSpace          string `json:",omitempty"`
-	InfraVnetAddressSpace string `json:",omitempty"`
+	Id                       string
+	HnsId                    string `json:",omitempty"`
+	SandboxKey               string
+	IfName                   string
+	HostIfName               string
+	MacAddress               net.HardwareAddr
+	InfraVnetIP              net.IPNet
+	LocalIP                  string
+	IPAddresses              []net.IPNet
+	Gateways                 []net.IP
+	DNS                      DNSInfo
+	Routes                   []RouteInfo
+	VlanID                   int
+	EnableSnatOnHost         bool
+	EnableInfraVnet          bool
+	EnableMultitenancy       bool
+	AllowInboundFromHostToNC bool
+	AllowInboundFromNCToHost bool
+	NetworkNameSpace         string `json:",omitempty"`
+	ContainerID              string
+	PODName                  string `json:",omitempty"`
+	PODNameSpace             string `json:",omitempty"`
+	InfraVnetAddressSpace    string `json:",omitempty"`
 }
 
 // EndpointInfo contains read-only information about an endpoint.
 type EndpointInfo struct {
-	Id                    string
-	ContainerID           string
-	NetNsPath             string
-	IfName                string
-	SandboxKey            string
-	IfIndex               int
-	MacAddress            net.HardwareAddr
-	DNS                   DNSInfo
-	IPAddresses           []net.IPNet
-	InfraVnetIP           net.IPNet
-	Routes                []RouteInfo
-	Policies              []policy.Policy
-	Gateways              []net.IP
-	EnableSnatOnHost      bool
-	EnableInfraVnet       bool
-	EnableMultiTenancy    bool
-	PODName               string
-	PODNameSpace          string
-	Data                  map[string]interface{}
-	InfraVnetAddressSpace string
+	Id                       string
+	ContainerID              string
+	NetNsPath                string
+	IfName                   string
+	SandboxKey               string
+	IfIndex                  int
+	MacAddress               net.HardwareAddr
+	DNS                      DNSInfo
+	IPAddresses              []net.IPNet
+	InfraVnetIP              net.IPNet
+	Routes                   []RouteInfo
+	Policies                 []policy.Policy
+	Gateways                 []net.IP
+	EnableSnatOnHost         bool
+	EnableInfraVnet          bool
+	EnableMultiTenancy       bool
+	AllowInboundFromHostToNC bool
+	AllowInboundFromNCToHost bool
+	PODName                  string
+	PODNameSpace             string
+	Data                     map[string]interface{}
+	InfraVnetAddressSpace    string
 	SkipHotAttachEp       bool
 }
 
@@ -183,22 +188,24 @@ func podNameMatches(source string, actualValue string, doExactMatch bool) bool {
 // GetInfo returns information about the endpoint.
 func (ep *endpoint) getInfo() *EndpointInfo {
 	info := &EndpointInfo{
-		Id:                 ep.Id,
-		IPAddresses:        ep.IPAddresses,
-		InfraVnetIP:        ep.InfraVnetIP,
-		Data:               make(map[string]interface{}),
-		MacAddress:         ep.MacAddress,
-		SandboxKey:         ep.SandboxKey,
-		IfIndex:            0, // Azure CNI supports only one interface
-		DNS:                ep.DNS,
-		EnableSnatOnHost:   ep.EnableSnatOnHost,
-		EnableInfraVnet:    ep.EnableInfraVnet,
-		EnableMultiTenancy: ep.EnableMultitenancy,
-		IfName:             ep.IfName,
-		ContainerID:        ep.ContainerID,
-		NetNsPath:          ep.NetworkNameSpace,
-		PODName:            ep.PODName,
-		PODNameSpace:       ep.PODNameSpace,
+		Id:                       ep.Id,
+		IPAddresses:              ep.IPAddresses,
+		InfraVnetIP:              ep.InfraVnetIP,
+		Data:                     make(map[string]interface{}),
+		MacAddress:               ep.MacAddress,
+		SandboxKey:               ep.SandboxKey,
+		IfIndex:                  0, // Azure CNI supports only one interface
+		DNS:                      ep.DNS,
+		EnableSnatOnHost:         ep.EnableSnatOnHost,
+		EnableInfraVnet:          ep.EnableInfraVnet,
+		EnableMultiTenancy:       ep.EnableMultitenancy,
+		AllowInboundFromHostToNC: ep.AllowInboundFromHostToNC,
+		AllowInboundFromNCToHost: ep.AllowInboundFromNCToHost,
+		IfName:       ep.IfName,
+		ContainerID:  ep.ContainerID,
+		NetNsPath:    ep.NetworkNameSpace,
+		PODName:      ep.PODName,
+		PODNameSpace: ep.PODNameSpace,
 	}
 
 	for _, route := range ep.Routes {