From fc4c8e788dd4b05f9ea3111ebe0e5d8515c2decb Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sun, 31 Mar 2024 21:26:13 +0900
Subject: [PATCH] annotations: add `nerdctl/bypass4netns-ignore-subnets` (`[]string`)

For experiments of additional `bypass4netns --ignore`

Signed-off-by: Akihiro Suda
---
 pkg/annotations/annotations.go | 6 +++++-
 pkg/bypass4netnsutil/bypass.go | 20 +++++++++++++++-----
 pkg/ocihook/ocihook.go         | 4 ++--
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
index 751d231541f..e89648d7abb 100644
--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@@ -25,10 +25,14 @@ const (
 	// Boolean value which can be parsed with strconv.ParseBool() is required.
 	// (like "nerdctl/bypass4netns=true" or "nerdctl/bypass4netns=false")
 	Bypass4netns = Prefix + "bypass4netns"
+
+	// Bypass4netnsIgnoreSubnets is a JSON of []string that is appended to
+	// the `bypass4netns --ignore` list.
+	Bypass4netnsIgnoreSubnets = Bypass4netns + "-ignore-subnets"
 )
 
 var ShellCompletions = []string{
 	Bypass4netns + "=true",
 	Bypass4netns + "=false",
-	// Other annotations should not be set via CLI
+	Bypass4netnsIgnoreSubnets + "=",
 }
diff --git a/pkg/bypass4netnsutil/bypass.go b/pkg/bypass4netnsutil/bypass.go
index 6dfb4db3c86..08853500558 100644
--- a/pkg/bypass4netnsutil/bypass.go
+++ b/pkg/bypass4netnsutil/bypass.go
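Review bot: The doc comment on the new `Bypass4netnsIgnoreSubnets` constant says only "a JSON of []string", so unlike the sibling `Bypass4netns` comment directly above it a reader gets neither the element format nor an example value. Since the strings end up in the daemon's `IgnoreSubnets` list they are presumably subnets in CIDR notation; suggest `// Bypass4netnsIgnoreSubnets is a JSON array of subnet strings (CIDR notation) that is appended to` followed by `// the bypass4netns --ignore list, e.g. nerdctl/bypass4netns-ignore-subnets=["10.0.0.0/8"]` (the example value is constructed). The `ShellCompletions` entry ending in `=` already signals that a value is required, so the comment should say the same.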
@@ -18,31 +18,41 @@ package bypass4netnsutil
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
 	"path/filepath"
 
 	"github.com/containerd/containerd/errdefs"
 	gocni "github.com/containerd/go-cni"
+	"github.com/containerd/nerdctl/v2/pkg/annotations"
 	b4nnapi "github.com/rootless-containers/bypass4netns/pkg/api"
 	"github.com/rootless-containers/bypass4netns/pkg/api/daemon/client"
 	rlkclient "github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
 )
 
-func NewBypass4netnsCNIBypassManager(client client.Client, rlkClient rlkclient.Client) (*Bypass4netnsCNIBypassManager, error) {
+func NewBypass4netnsCNIBypassManager(client client.Client, rlkClient rlkclient.Client, annotationsMap map[string]string) (*Bypass4netnsCNIBypassManager, error) {
 	if client == nil || rlkClient == nil {
 		return nil, errdefs.ErrInvalidArgument
 	}
+	var ignoreSubnets []string
+	if v := annotationsMap[annotations.Bypass4netnsIgnoreSubnets]; v != "" {
+		if err := json.Unmarshal([]byte(v), &ignoreSubnets); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal annotation %q: %q: %w", annotations.Bypass4netnsIgnoreSubnets, v, err)
+		}
+	}
 	pm := &Bypass4netnsCNIBypassManager{
-		Client:    client,
-		rlkClient: rlkClient,
+		Client:        client,
+		rlkClient:     rlkClient,
+		ignoreSubnets: ignoreSubnets,
 	}
 	return pm, nil
 }
 
 type Bypass4netnsCNIBypassManager struct {
 	client.Client
-	rlkClient rlkclient.Client
+	rlkClient     rlkclient.Client
+	ignoreSubnets []string
 }
 
 func (b4nnm *Bypass4netnsCNIBypassManager) StartBypass(ctx context.Context, ports []gocni.PortMapping, id, stateDir string) error {
@@ -73,7 +83,7 @@ func (b4nnm *Bypass4netnsCNIBypassManager) StartBypass(ctx context.Context, port
 		PidFilePath: pidFilePath,
 		LogFilePath: logFilePath,
 		// "auto" can detect CNI CIDRs automatically
-		IgnoreSubnets: []string{"127.0.0.0/8", rlkCIDR, "auto"},
+		IgnoreSubnets: append([]string{"127.0.0.0/8", rlkCIDR, "auto"}, b4nnm.ignoreSubnets...),
 	}
 	portMap := []b4nnapi.PortSpec{}
 	for _, p := range ports {
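Review bot: The strings decoded from the `Bypass4netnsIgnoreSubnets` annotation in `NewBypass4netnsCNIBypassManager` are stored and later handed to the daemon without any check that they are subnets; the annotation is container-supplied input, and `net` is already imported in this file, so each entry can be validated with `net.ParseCIDR` here and rejected with a message that names the offending element instead of surfacing as an opaque daemon-side error later (if the daemon accepts forms other than CIDR notation, loosen the check accordingly). While touching the error, drop the "failed to" prefix per Go convention, and add a doc comment on the exported constructor stating that `annotationsMap` may be nil and which key is read. The same decoded list is consumed in the `@@ -73,7 +83,7 @@` hunk below.
```go
	var ignoreSubnets []string
	if v := annotationsMap[annotations.Bypass4netnsIgnoreSubnets]; v != "" {
		if err := json.Unmarshal([]byte(v), &ignoreSubnets); err != nil {
			return nil, fmt.Errorf("unmarshaling annotation %q: %q: %w", annotations.Bypass4netnsIgnoreSubnets, v, err)
		}
		// Reject malformed entries up front rather than passing them on to the daemon.
		for _, s := range ignoreSubnets {
			if _, _, err := net.ParseCIDR(s); err != nil {
				return nil, fmt.Errorf("annotation %q: invalid subnet %q: %w", annotations.Bypass4netnsIgnoreSubnets, s, err)
			}
		}
	}
	// … unchanged: construct pm and return …
```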
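Review bot: The annotation-supplied entries are appended after the built-in `127.0.0.0/8`, `rlkCIDR`, `"auto"` list in `StartBypass` without deduplication, so a user repeating one of those values produces a duplicate element in the request; harmless if the daemon tolerates duplicates, but the comment above the field should say where the extra entries come from, e.g. `// "auto" can detect CNI CIDRs automatically; entries from the ignore-subnets annotation follow.`. `StartBypass` begins and continues outside this hunk.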
diff --git a/pkg/ocihook/ocihook.go b/pkg/ocihook/ocihook.go
index 243d9a9af9a..7ce72386910 100644
--- a/pkg/ocihook/ocihook.go
+++ b/pkg/ocihook/ocihook.go
@@ -449,7 +449,7 @@ func applyNetworkSettings(opts *handlerOpts) error {
 
 	if rootlessutil.IsRootlessChild() {
 		if b4nnEnabled {
-			bm, err := bypass4netnsutil.NewBypass4netnsCNIBypassManager(opts.bypassClient, opts.rootlessKitClient)
+			bm, err := bypass4netnsutil.NewBypass4netnsCNIBypassManager(opts.bypassClient, opts.rootlessKitClient, opts.state.Annotations)
 			if err != nil {
 				return err
 			}
@@ -493,7 +493,7 @@ func onPostStop(opts *handlerOpts) error {
 	}
 	if rootlessutil.IsRootlessChild() {
 		if b4nnEnabled {
-			bm, err := bypass4netnsutil.NewBypass4netnsCNIBypassManager(opts.bypassClient, opts.rootlessKitClient)
+			bm, err := bypass4netnsutil.NewBypass4netnsCNIBypassManager(opts.bypassClient, opts.rootlessKitClient, opts.state.Annotations)
 			if err != nil {
 				return err
 			}
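Review bot: The `onPostStop` call site (second hunk, `@@ -493,7 +493,7 @@`) now also depends on parsing the ignore-subnets annotation, because the three-argument constructor returns an error on a malformed value; if the manager obtained there is only used to stop the bypass (the body runs past the hunk), a bad annotation makes teardown fail via `return err` even though the subnet list is not needed for stopping. Consider passing `nil` instead of `opts.state.Annotations` in that call, which the new constructor already handles since indexing a nil map is safe, or at least document on the constructor that the map is optional. The `applyNetworkSettings` call in the first hunk genuinely needs the annotations and is fine as written. Both enclosing functions start and end outside their hunks.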