virtcontainers: plumb iptable set/get from sandbox to agent

Introduce get/set iptable handling. We add a sandbox API for getting and setting the IPTables within the guest. This routes it from sandbox interface, through kata-agent, ultimately making requests to the guest agent. Signed-off-by: Eric Ernst <eric_ernst@apple.com>
2025-07-31 23:36:12 +00:00 · 2022-04-25 05:07:14 -07:00 · 2022-04-25 05:07:14 -07:00 · 0136be22ca
commit 0136be22ca
parent bd50d463b2
7 changed files with 75 additions and 3 deletions
--- a/src/runtime/virtcontainers/agent.go
+++ b/src/runtime/virtcontainers/agent.go
@ -190,9 +190,15 @@ type agent interface {
 	// getAgentMetrics get metrics of agent and guest through agent
 	getAgentMetrics(context.Context, *grpc.GetMetricsRequest) (*grpc.Metrics, error)

-	//getGuestVolumeStats get the filesystem stats of a volume specified by the volume mount path on the guest.
+	// getGuestVolumeStats get the filesystem stats of a volume specified by the volume mount path on the guest.
 	getGuestVolumeStats(ctx context.Context, volumeGuestPath string) ([]byte, error)

 	// resizeGuestVolume resizes a volume specified by the volume mount path on the guest.
 	resizeGuestVolume(ctx context.Context, volumeGuestPath string, size uint64) error
+
+	// getIPTables obtains the iptables from the guest
+	getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error)
+
+	// setIPTables sets the iptables from the guest
+	setIPTables(ctx context.Context, isIPv6 bool, data []byte) error
 }
--- a/src/runtime/virtcontainers/interfaces.go
+++ b/src/runtime/virtcontainers/interfaces.go
@ -79,6 +79,9 @@ type VCSandbox interface {

 	GuestVolumeStats(ctx context.Context, volumePath string) ([]byte, error)
 	ResizeGuestVolume(ctx context.Context, volumePath string, size uint64) error
+
+	GetIPTables(ctx context.Context, isIPv6 bool) ([]byte, error)
+	SetIPTables(ctx context.Context, isIPv6 bool, data []byte) error
 }

 // VCContainer is the Container interface
--- a/src/runtime/virtcontainers/kata_agent.go
+++ b/src/runtime/virtcontainers/kata_agent.go
@ -141,6 +141,8 @@ const (
 	grpcAddSwapRequest           = "grpc.AddSwapRequest"
 	grpcVolumeStatsRequest       = "grpc.VolumeStatsRequest"
 	grpcResizeVolumeRequest      = "grpc.ResizeVolumeRequest"
+	grpcGetIPTablesRequest       = "grpc.GetIPTablesRequest"
+	grpcSetIPTablesRequest       = "grpc.SetIPTablesRequest"
 )

 // newKataAgent returns an agent from an agent type.
@ -1976,6 +1978,12 @@ func (k *kataAgent) installReqFunc(c *kataclient.AgentClient) {
 	k.reqHandlers[grpcResizeVolumeRequest] = func(ctx context.Context, req interface{}) (interface{}, error) {
 		return k.client.AgentServiceClient.ResizeVolume(ctx, req.(*grpc.ResizeVolumeRequest))
 	}
+	k.reqHandlers[grpcGetIPTablesRequest] = func(ctx context.Context, req interface{}) (interface{}, error) {
+		return k.client.AgentServiceClient.GetIPTables(ctx, req.(*grpc.GetIPTablesRequest))
+	}
+	k.reqHandlers[grpcSetIPTablesRequest] = func(ctx context.Context, req interface{}) (interface{}, error) {
+		return k.client.AgentServiceClient.SetIPTables(ctx, req.(*grpc.SetIPTablesRequest))
+	}
 }

 func (k *kataAgent) getReqContext(ctx context.Context, reqName string) (newCtx context.Context, cancel context.CancelFunc) {
@ -2194,6 +2202,26 @@ func (k *kataAgent) getAgentMetrics(ctx context.Context, req *grpc.GetMetricsReq
 	return resp.(*grpc.Metrics), nil
 }

+func (k *kataAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
+	resp, err := k.sendReq(ctx, &grpc.GetIPTablesRequest{IsIpv6: isIPv6})
+	if err != nil {
+		return nil, err
+	}
+	return resp.(*grpc.GetIPTablesResponse).Data, nil
+}
+
+func (k *kataAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
+	_, err := k.sendReq(ctx, &grpc.SetIPTablesRequest{
+		IsIpv6: isIPv6,
+		Data:   data,
+	})
+	if err != nil {
+		k.Logger().WithError(err).Errorf("setIPTables request to agent failed")
+	}
+
+	return err
+}
+
 func (k *kataAgent) getGuestVolumeStats(ctx context.Context, volumeGuestPath string) ([]byte, error) {
 	result, err := k.sendReq(ctx, &grpc.VolumeStatsRequest{VolumeGuestPath: volumeGuestPath})
 	if err != nil {
--- a/src/runtime/virtcontainers/mock_agent.go
+++ b/src/runtime/virtcontainers/mock_agent.go
@ -249,3 +249,11 @@ func (n *mockAgent) getGuestVolumeStats(ctx context.Context, volumeGuestPath str
 func (n *mockAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath string, size uint64) error {
 	return nil
 }
+
+func (k *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
+	return nil, nil
+}
+
+func (k *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
+	return nil
+}
--- a/src/runtime/virtcontainers/pkg/mock/mock.go
+++ b/src/runtime/virtcontainers/pkg/mock/mock.go
@ -12,12 +12,13 @@ import (
 	"net/url"
 	"os"

+	"path"
+	"strings"
+
 	"github.com/containerd/ttrpc"
 	gpb "github.com/gogo/protobuf/types"
 	aTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols"
 	pb "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols/grpc"
-	"path"
-	"strings"
 )

 const VSockPrefix = "mock://"
@ -239,3 +240,11 @@ func (p *HybridVSockTTRPCMockImp) GetVolumeStats(ctx context.Context, req *pb.Vo
 func (p *HybridVSockTTRPCMockImp) ResizeVolume(ctx context.Context, req *pb.ResizeVolumeRequest) (*gpb.Empty, error) {
 	return &gpb.Empty{}, nil
 }
+
+func (p *HybridVSockTTRPCMockImp) GetIPTables(ctx context.Context, req *pb.GetIPTablesRequest) (*pb.GetIPTablesResponse, error) {
+	return &pb.GetIPTablesResponse{}, nil
+}
+
+func (p *HybridVSockTTRPCMockImp) SetIPTables(ctx context.Context, req *pb.SetIPTablesRequest) (*pb.SetIPTablesResponse, error) {
+	return &pb.SetIPTablesResponse{}, nil
+}
--- a/src/runtime/virtcontainers/pkg/vcmock/sandbox.go
+++ b/src/runtime/virtcontainers/pkg/vcmock/sandbox.go
@ -261,3 +261,11 @@ func (s *Sandbox) GuestVolumeStats(ctx context.Context, path string) ([]byte, er
 func (s *Sandbox) ResizeGuestVolume(ctx context.Context, path string, size uint64) error {
 	return nil
 }
+
+func (s *Sandbox) GetIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
+	return nil, nil
+}
+
+func (s *Sandbox) SetIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
+	return nil
+}
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@ -2254,6 +2254,16 @@ func (s *Sandbox) GetAgentURL() (string, error) {
 	return s.agent.getAgentURL()
 }

+// GetIPTables will obtain the iptables from the guest
+func (s *Sandbox) GetIPTables(ctx context.Context, isIPv6 bool) ([]byte, error) {
+	return s.agent.getIPTables(ctx, isIPv6)
+}
+
+// SetIPTables will set the iptables in the guest
+func (s *Sandbox) SetIPTables(ctx context.Context, isIPv6 bool, data []byte) error {
+	return s.agent.setIPTables(ctx, isIPv6, data)
+}
+
 // GuestVolumeStats return the filesystem stat of a given volume in the guest.
 func (s *Sandbox) GuestVolumeStats(ctx context.Context, volumePath string) ([]byte, error) {
 	guestMountPath, err := s.guestMountPath(volumePath)