fix: restrict host routes to InfraNIC in stateless CNI SwiftV2 (#4404)

* fix: restrict host routes and iptables to InfraNIC in stateless CNI SwiftV2

Guard handleCommonOptions to skip RoutesKey and IPTablesKey for
non-InfraNIC types (DelegatedVMNIC, NodeNetworkInterfaceFrontendNIC).
Host gateway routes are not reachable from secondary NICs on different
subnets. Empty NICType is treated as InfraNIC for legacy compatibility.

Add unit tests verifying routes and iptables are skipped for delegated
NICs and applied for InfraNIC.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: remove unrelated sort test from ENETUNREACH fix

The EndpointCreate sort test belongs with the separate sort PR
(fix/sort-epinfos-infra-first), not this PR which focuses solely on
preventing host routes from being applied to delegated NICs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: move host options guard from handleCommonOptions to createEpInfo

Move the NICType check from handleCommonOptions (network_linux.go) to
createEpInfo (cni/network/network.go) so that non-infra NICs never
receive RoutesKey/IPTablesKey/SNATIPKey options in the first place.

This is cleaner than guarding downstream — the bad data is prevented
at the source rather than being copied and then ignored. Only InfraNIC
or legacy (empty NICType) endpoints get the options from
shallowCopyIpamAddConfigOptions(). handleCommonOptions is reverted to
its original unconditional behavior since it will never be called with
infra-only options for non-infra NICs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: behzad-mir

cni/network/network.go

@@ -736,6 +736,15 @@ func (plugin *NetPlugin) createEpInfo(opt *createEpInfoOpt) (*network.EndpointIn
 		endpointID = plugin.nm.GetEndpointIDByNicType(opt.args.ContainerID, ifName, opt.ifInfo.NICType)
 	}
 
+	// Only copy options (RoutesKey, IPTablesKey, SNATIPKey) for InfraNIC or legacy (empty NICType).
+	// These options are infra-only host-namespace constructs set by setHostOptions and are not
+	// applicable to delegated/secondary NICs on either Linux or Windows.
+	// For non-infra NICs, options remains nil so handleCommonOptions becomes a no-op.
+	var options map[string]interface{}
+	if opt.ifInfo.NICType == cns.InfraNIC || opt.ifInfo.NICType == "" {
+		options = opt.ipamAddConfig.shallowCopyIpamAddConfigOptions()
+	}
+
 	endpointInfo := network.EndpointInfo{
 		NetworkID:                     opt.networkID,
 		Mode:                          opt.ipamAddConfig.nwCfg.Mode,
@@ -744,7 +753,7 @@ func (plugin *NetPlugin) createEpInfo(opt *createEpInfoOpt) (*network.EndpointIn
 		BridgeName:                    opt.ipamAddConfig.nwCfg.Bridge,
 		NetworkPolicies:               networkPolicies, // nw and ep policies separated to avoid possible conflicts
 		NetNs:                         opt.ipamAddConfig.args.Netns,
-		Options:                       opt.ipamAddConfig.shallowCopyIpamAddConfigOptions(),
+		Options:                       options,
 		DisableHairpinOnHostInterface: opt.ipamAddConfig.nwCfg.DisableHairpinOnHostInterface,
 		IsIPv6Enabled:                 opt.ipv6Enabled, // present infra only
 

cni/network/network_linux_test.go

@@ -472,9 +472,7 @@ func TestPluginLinuxAdd(t *testing.T) {
 							},
 							Suffix: "myDomain",
 						},
-						Options: map[string]interface{}{
-							"testflag": "copy",
-						},
+						Options: nil,
 						// matches with cns ip configuration
 						IPAddresses: []net.IPNet{
 							{

network/endpoint.go

@@ -107,7 +107,7 @@ type EndpointInfo struct {
 	Subnets                       []SubnetInfo
 	BridgeName                    string
 	NetNs                         string // used in windows
-	Options                       map[string]interface{}
+	Options                       map[string]interface{} // populated only for InfraNIC; nil for non-infra NICs
 	DisableHairpinOnHostInterface bool
 	IsIPv6Enabled                 bool
 	HostSubnetPrefix              string // can be used later to add an external interface

network/network_linux_test.go

@@ -0,0 +1,105 @@
+package network
+
+import (
+	"net"
+	"testing"
+
+	"github.com/Azure/azure-container-networking/iptables"
+	"github.com/Azure/azure-container-networking/netio"
+	"github.com/Azure/azure-container-networking/netlink"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// mockIPTablesClientWithRunCmd extends mock to track RunCmd calls.
+type mockIPTablesClientWithRunCmd struct {
+	mockIPTablesClient
+	runCmdCalls []string
+}
+
+func (c *mockIPTablesClientWithRunCmd) RunCmd(version, params string) error {
+	c.runCmdCalls = append(c.runCmdCalls, version+" "+params)
+	return nil
+}
+
+func TestHandleCommonOptions_AppliesRoutes(t *testing.T) {
+	routeCalled := false
+	nl := netlink.NewMockNetlink(false, "")
+	nl.SetAddRouteValidationFn(func(_ *netlink.Route) error {
+		routeCalled = true
+		return nil
+	})
+
+	nm := &networkManager{
+		netlink:        nl,
+		netio:          netio.NewMockNetIO(false, 0),
+		iptablesClient: &mockIPTablesClient{},
+	}
+
+	nwInfo := &EndpointInfo{
+		Options: map[string]interface{}{
+			RoutesKey: []RouteInfo{
+				{
+					Dst: net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: net.CIDRMask(16, 32)},
+					Gw:  net.ParseIP("10.0.0.1"),
+				},
+			},
+		},
+	}
+
+	err := nm.handleCommonOptions("eth0", nwInfo)
+	require.NoError(t, err)
+	assert.True(t, routeCalled, "expected route to be added when RoutesKey is present in options")
+}
+
+func TestHandleCommonOptions_AppliesIPTables(t *testing.T) {
+	iptc := &mockIPTablesClientWithRunCmd{}
+
+	nm := &networkManager{
+		netlink:        netlink.NewMockNetlink(false, ""),
+		netio:          netio.NewMockNetIO(false, 0),
+		iptablesClient: iptc,
+	}
+
+	nwInfo := &EndpointInfo{
+		Options: map[string]interface{}{
+			IPTablesKey: []iptables.IPTableEntry{
+				{Version: iptables.V4, Params: "-A FORWARD -j ACCEPT"},
+			},
+		},
+	}
+
+	err := nm.handleCommonOptions("eth0", nwInfo)
+	require.NoError(t, err)
+	assert.NotEmpty(t, iptc.runCmdCalls, "expected iptables RunCmd to be called when IPTablesKey is present")
+}
+
+func TestHandleCommonOptions_NoOptionsNoError(t *testing.T) {
+	nm := &networkManager{
+		netlink:        netlink.NewMockNetlink(false, ""),
+		netio:          netio.NewMockNetIO(false, 0),
+		iptablesClient: &mockIPTablesClient{},
+	}
+
+	nwInfo := &EndpointInfo{
+		Options: map[string]interface{}{},
+	}
+
+	err := nm.handleCommonOptions("eth0", nwInfo)
+	require.NoError(t, err)
+}
+
+func TestHandleCommonOptions_NilOptionsNoError(t *testing.T) {
+	nm := &networkManager{
+		netlink:        netlink.NewMockNetlink(false, ""),
+		netio:          netio.NewMockNetIO(false, 0),
+		iptablesClient: &mockIPTablesClient{},
+	}
+
+	nwInfo := &EndpointInfo{
+		Options: nil,
+	}
+
+	err := nm.handleCommonOptions("eth0", nwInfo)
+	require.NoError(t, err)
+}