feat: update iptables monitor with ipv6 and bpf map reading capabilities #3948

Status: Open. Wants to merge 12 commits into master.

Conversation

@QxBytes QxBytes commented Aug 19, 2025

Reason for Change:

Adds two new capabilities to azure-iptables-monitor:

  • Reads ipv6 iptables rules if present on the node. To accommodate ipv6, will now read config files from a new directory for allowed ipv6 iptables rules-- these config files are separate from the ipv4 iptables allowlist. The ipv6 directory has the same structure as the ipv4 one (ex: an allowlist pattern file for each ipv6 table). If there are either ipv4 or ipv6 rules that are unexpected, we send an event and set the ciliumnode label as before.
  • Can read a pinned bpf map at a configurable location. The bpf map records how many times on the node an iptables rule add request was blocked by a separate iptables block binary. If the number of blocks increases between intervals, we create a new event.

Issue Fixed:

See above

Requirements:

Notes:
Tested on a cilium dualstack cluster

  • If ipv6 rules not in allowlist are found, confirmed user iptables rules true
  • If ipv4 and ipv6 rules are all allowed, confirmed user iptables rules false
  • If bpf map increases between intervals, confirmed event emitted
  • Confirmed ipv6 uses an ipv6 client and shows ipv6 rules

@QxBytes QxBytes self-assigned this Aug 19, 2025
@QxBytes QxBytes added the cilium Related to Cilium. label Aug 19, 2025
@QxBytes QxBytes requested a review from Copilot August 19, 2025 19:08
Copilot AI left a comment


Pull Request Overview

This PR enhances the azure-iptables-monitor with IPv6 support and BPF map monitoring capabilities. The monitor can now detect unexpected iptables rules in both IPv4 and IPv6 tables, and can track blocked iptables rule attempts via a pinned BPF map.

Key changes:

  • Adds IPv6 iptables monitoring with separate allowlist configuration directory
  • Implements BPF map reading to track blocked iptables rule attempts and generate events when blocks increase
  • Updates the Kubernetes label name to follow Azure conventions

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| iptables_monitor.go | Core implementation adding IPv6 support, BPF map monitoring, and label name update |
| iptables_monitor_test.go | Updates test to match new function signature with config path parameter |
| go.mod | Adds cilium/ebpf dependency for BPF map functionality |
| README.md | Documents new command-line flags and updated label name |
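The two checks the PR description and the Copilot overview above describe, the per-table allowlist match over ip6tables output and the between-interval comparison of the blocked-request counter, as an added Go example that is not code from the azure-iptables-monitor project. It assumes the allowlist file format is one regular expression per line (a reading of "allowlist pattern file for each table", not confirmed by the page), injects the counter read as a function so it runs offline instead of opening the pinned BPF map with cilium/ebpf, and uses constructed ip6tables-save output and counter samples.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Allowlist maps an iptables table name (filter, nat, mangle, ...) to the patterns accepted for it.
// The monitor keeps one pattern file per table, in separate directories for IPv4 and IPv6.
type Allowlist map[string][]*regexp.Regexp

// parseAllowlist compiles one regexp per non-empty, non-comment line of a table's pattern file
// (assumed format for this example).
func parseAllowlist(fileContents string) ([]*regexp.Regexp, error) {
	var pats []*regexp.Regexp
	for _, line := range strings.Split(fileContents, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		re, err := regexp.Compile(line)
		if err != nil {
			return nil, fmt.Errorf("bad pattern %q: %w", line, err)
		}
		pats = append(pats, re)
	}
	return pats, nil
}

// unexpectedRules walks iptables-save / ip6tables-save output and returns every "-A" rule that
// matches none of the allowlist patterns for its table, prefixed with the table name.
func unexpectedRules(saveOutput string, allow Allowlist) []string {
	var table string
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(saveOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "*"):
			table = strings.TrimPrefix(line, "*") // "*filter" opens a table section
		case strings.HasPrefix(line, "-A "):
			allowed := false
			for _, re := range allow[table] {
				if re.MatchString(line) {
					allowed = true
					break
				}
			}
			if !allowed {
				bad = append(bad, table+": "+line)
			}
		}
	}
	return bad
}

// labelValue is the value written to the kubernetes.azure.com/user-iptables-rules label.
func labelValue(unexpected []string) string {
	if len(unexpected) > 0 {
		return "true"
	}
	return "false"
}

// CounterReader returns the current blocked-request count. The real monitor reads it from the
// pinned BPF map; here it is injected so the example runs offline (assumption for this example).
type CounterReader func() (uint64, error)

// BlockMonitor remembers the previous sample and reports only a rise, so an unchanged counter,
// or one that reset to a lower value (e.g. the map was recreated), produces no event.
type BlockMonitor struct {
	read CounterReader
	last uint64
	seen bool
}

// Check runs once per -interval tick and returns whether an event is due and by how much the counter grew.
func (m *BlockMonitor) Check() (bool, uint64, error) {
	cur, err := m.read()
	if err != nil {
		return false, 0, err // keep the old baseline; a transient read failure must not look like a jump
	}
	prev, seen := m.last, m.seen
	m.last, m.seen = cur, true
	if !seen || cur <= prev {
		return false, 0, nil // first sample establishes the baseline; unchanged or reset: no event
	}
	return true, cur - prev, nil
}

// sampleIPv6Save is constructed ip6tables-save output for this example, not captured from a node.
const sampleIPv6Save = `# Generated by ip6tables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fd00::/8 -j DROP
COMMIT
`

func main() {
	pats, err := parseAllowlist("# constructed IPv6 filter-table allowlist\n^-A INPUT -p ipv6-icmp -j ACCEPT$\n")
	if err != nil {
		panic(err)
	}
	bad := unexpectedRules(sampleIPv6Save, Allowlist{"filter": pats})
	fmt.Println("unexpected:", bad, "label:", labelValue(bad))

	counts := []uint64{3, 3, 5, 1} // constructed counter samples over four ticks: baseline, flat, +2, reset
	i := 0
	mon := &BlockMonitor{read: func() (uint64, error) { v := counts[i]; i++; return v, nil }}
	for range counts {
		inc, delta, _ := mon.Check()
		fmt.Printf("increase=%v delta=%d\n", inc, delta)
	}
}
```

The counter comparison deliberately treats a decrease as "no event" rather than as an error: if the pinned map is recreated the count restarts at zero, and the next tick simply re-establishes the baseline instead of alerting on a negative delta.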


QxBytes commented Aug 19, 2025

/azp run Azure Container Networking PR

Azure Pipelines successfully started running 1 pipeline(s).

@QxBytes QxBytes marked this pull request as ready for review August 19, 2025 21:27
@santhoshmprabhu santhoshmprabhu left a comment


In the event description, let's add an explanation indicating that eBPF host routing is enabled. The user may not immediately have context on why iptables rules are being blocked. We could also link aka.ms/acnsperformance

- The `-events` flag enables Kubernetes event creation for rule violations. Default: `false`
- The `-ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false`
- The `-checkMap` flag enables checking the pinned bpf map specified in mapPath for increases. Default: `false`
- The `-mapPath` flag species the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter`
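Review bot: typo on the `-mapPath` line, "species" should read "specifies". While editing that line, it would help to state that `-mapPath` is only consulted when `-checkMap` is set, since the two flags are documented independently.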
Member commented:

can it be /azure-block-iptables/iptables_block_event_counter

@QxBytes QxBytes (Contributor Author) commented Aug 20, 2025

The default uses the path specified here: https://github.com/Azure/azure-container-networking/blob/master/bpf-prog/azure-block-iptables/pkg/bpfprogram/program.go#L20 . In any case, the bpf map is on the vm and needs to be mounted to the container, and that mount can be at any location on the container. The mount location is specific to the container with the iptables monitor image. The mapPath is configurable as well if we need to change it later.

5. The program will set the `user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes).
5. The program will set the `kubernetes.azure.com/user-iptables-rules` label to `true` on the specified ciliumnode resource if unexpected rules are found, or `false` if all rules match expected patterns. Proper RBAC is required for patching (patch for ciliumnodes, create for events, get for nodes).

6. The program will also send out an event if the bpf map value specified increases between checks
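Review bot: item 6 does not say how often the comparison happens; since the map check shares the existing `-interval` cadence, suggest ending the sentence with "between consecutive checks (every `-interval`)." and a period.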
Member commented:

can we also specify how often the program checks for increases?

@QxBytes (Contributor Author) commented:

The increases are checked based on -interval, unless you mean you would like a second configurable interval option for checking the map?

- The `-events` flag enables Kubernetes event creation for rule violations. Default: `false`
- The `-ipv6` flag enables IPv6 ip6tables monitoring using the IPv6 allowlists. Default: `false`
- The `-checkMap` flag enables checking the pinned bpf map specified in mapPath for increases. Default: `false`
- The `-mapPath` flag species the pinned bpf map path to check. Default: `/block-iptables/iptables_block_event_counter`
- The program must be in a k8s environment and `NODE_NAME` must be a set environment variable with the current node.
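Review bot: the requirements list should mention that the pinned map lives on the VM and must be mounted into the container at the location given by `-mapPath`; as written, a reader could assume the default path exists inside the image. Suggest adding a bullet such as "- When `-checkMap` is used, the pinned bpf map must be mounted into the container at `-mapPath`."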
Member commented:

why is NODE_NAME required?

@QxBytes (Contributor Author) commented:

This is to create events for the current node the program is running on-- the field needs to be passed in for the program to know about it.
