Add kernel MCP tools

Implements MCP tools for inspecting kernel level networking
configurations:
- get-conntrack: retrieves connection tracking entries from a Kubernetes node.
- get-iptables: retrieves iptables/ip6tables rules from a Kubernetes node.
- get-nft: retrieves nftables configuration from a Kubernetes node.
- get-ip: executes 'ip' utility commands on a node.

Signed-off-by: Arnab Ghosh <arnabghosh89@gmail.com>

Author: arghosh93

cmd/ovnk-mcp-server/main.go

@@ -11,6 +11,7 @@ import (
 	"syscall"
 
 	mcp "github.com/modelcontextprotocol/go-sdk/mcp"
+	kernelmcp "github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/mcp"
 	kubernetesmcp "github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kubernetes/mcp"
 )
 
@@ -36,6 +37,10 @@ func main() {
 		}
 		log.Println("Adding Kubernetes tools to OVN-K MCP server")
 		k8sMcpServer.AddTools(ovnkMcpServer)
+
+		kernelMcpServer := kernelmcp.NewMCPServer(k8sMcpServer)
+		log.Println("Adding Kernel tools to OVN-K MCP server")
+		kernelMcpServer.AddTools(ovnkMcpServer)
 	}
 
 	// Create a context that can be cancelled to shutdown the server.

pkg/kernel/mcp/conntrack.go

@@ -0,0 +1,92 @@
+package kernel
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/types"
+)
+
+const conntrackSystemFile = "/proc/net/nf_conntrack"
+
+// GetConntrack MCP handler for conntrack operations.
+// GetConntrack retrieves connection tracking entries from a Kubernetes node.
+// Falls back to /proc/net/nf_conntrack parsing when conntrack CLI unavailable.
+// TODO: Add support for conntrack event monitoring (-E flag).
+// TODO: Add support for -G (get specific entry) command.
+func (s *MCPServer) GetConntrack(ctx context.Context, req *mcp.CallToolRequest, in types.ListConntrackParams) (*mcp.CallToolResult, types.Result, error) {
+	conntrackCliAvailable := s.UtilityExists(ctx, req, in.Node, in.Image, "conntrack")
+	if err := ValidateConntrackCommand(in.Command, conntrackCliAvailable); err != nil {
+		return nil, types.Result{}, fmt.Errorf("error while getting list of conntrack entries: %w", err)
+	}
+
+	if !conntrackCliAvailable {
+		stdout, err := s.getConntrackFromFile(ctx, req, in.Node, in.Image, in.FilterParameters)
+		if err != nil {
+			return nil, types.Result{}, fmt.Errorf("error while getting list of conntrack entries: %w", err)
+		}
+		return nil, types.Result{Data: stdout}, nil
+	} else {
+		stdout, err := s.getConntrackUsingCLI(ctx, req, in.Node, in.Image, in.Command, in.FilterParameters)
+		if err != nil {
+			return nil, types.Result{}, fmt.Errorf("error while getting list of conntrack entries: %w", err)
+		}
+		return nil, types.Result{Data: stdout}, nil
+	}
+}
+
+// getConntrackUsingCLI executes conntrack CLI commands.
+func (s *MCPServer) getConntrackUsingCLI(ctx context.Context, req *mcp.CallToolRequest, node, image, command, filterParameters string) (string, error) {
+	cmd := newCommand("conntrack")
+	switch command {
+	case "-L":
+		cmd.add("-L")
+		cmd.add(strings.Fields(filterParameters)...)
+	case "-S":
+		cmd.add("-S")
+	case "-C":
+		cmd.add("-C")
+	default:
+		cmd.add("-L")
+		cmd.add(strings.Fields(filterParameters)...)
+	}
+	return s.executeCommand(ctx, req, node, image, cmd.build())
+}
+
+// getConntrackFromFile parses /proc/net/nf_conntrack directly.
+// TODO: Add filter support while getting conntrack entries from /proc/net/nf_conntrack.
+func (s *MCPServer) getConntrackFromFile(ctx context.Context, req *mcp.CallToolRequest, node, image, filterParameters string) (string, error) {
+	cmd := newCommand("cat")
+	cmd.add(conntrackSystemFile)
+	return s.executeCommand(ctx, req, node, image, cmd.build())
+}
+
+// ValidateConntrackCommand validates the command to be used to get list of conntrack entries.
+// It returns an error if conntrack CLI is not available and any other operation than list is being performed.
+func ValidateConntrackCommand(command string, cliAvailable bool) error {
+	if command == "" {
+		return nil
+	}
+	if !cliAvailable && strings.TrimSpace(command) != "-L" {
+		return fmt.Errorf("mentioned image does not have conntrack utility, only -L is supported with limited filters")
+	}
+	if _, err := strconv.Atoi(command); err == nil {
+		return fmt.Errorf("invalid command: %s", command)
+	}
+	validTables := map[string]bool{
+		"-L":      true,
+		"-S":      true,
+		"-C":      true,
+		"--dump":  true,
+		"--stats": true,
+		"--count": true,
+	}
+
+	if !validTables[strings.TrimSpace(command)] {
+		return fmt.Errorf("invalid command: %s", command)
+	}
+	return nil
+}

pkg/kernel/mcp/conntrack_test.go

@@ -0,0 +1,114 @@
+package kernel
+
+import (
+	"testing"
+)
+
+func TestValidateConntrackCommand(t *testing.T) {
+	tests := []struct {
+		name         string
+		command      string
+		cliAvailable bool
+		wantError    bool
+	}{
+		{
+			name:         "empty string with CLI available",
+			command:      "",
+			cliAvailable: true,
+			wantError:    false,
+		},
+		{
+			name:         "empty string without CLI",
+			command:      "",
+			cliAvailable: false,
+			wantError:    false,
+		},
+		{
+			name:         "numeric string with CLI available",
+			command:      "321",
+			cliAvailable: true,
+			wantError:    true,
+		},
+		{
+			name:         "numeric string without CLI",
+			command:      "321",
+			cliAvailable: false,
+			wantError:    true,
+		},
+		{
+			name:         "valid command -L with CLI available",
+			command:      "-L",
+			cliAvailable: true,
+			wantError:    false,
+		},
+		{
+			name:         "valid command -L without CLI",
+			command:      "-L",
+			cliAvailable: false,
+			wantError:    false,
+		},
+		{
+			name:         "valid command -S with CLI available",
+			command:      "-S",
+			cliAvailable: true,
+			wantError:    false,
+		},
+		{
+			name:         "valid command -S without CLI",
+			command:      "-S",
+			cliAvailable: false,
+			wantError:    true,
+		},
+		{
+			name:         "valid command -C with CLI available",
+			command:      "-C",
+			cliAvailable: true,
+			wantError:    false,
+		},
+		{
+			name:         "valid command -C without CLI",
+			command:      "-C",
+			cliAvailable: false,
+			wantError:    true,
+		},
+		{
+			name:         "invalid command with CLI available",
+			command:      "-E",
+			cliAvailable: true,
+			wantError:    true,
+		},
+		{
+			name:         "invalid command without CLI",
+			command:      "-E",
+			cliAvailable: false,
+			wantError:    true,
+		},
+		{
+			name:         "invalid command -D with CLI available",
+			command:      "-D",
+			cliAvailable: true,
+			wantError:    true,
+		},
+		{
+			name:         "lowercase -l with CLI available",
+			command:      "-l",
+			cliAvailable: true,
+			wantError:    true,
+		},
+		{
+			name:         "command with spaces",
+			command:      "-L ",
+			cliAvailable: true,
+			wantError:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateConntrackCommand(tt.command, tt.cliAvailable)
+			if (err != nil) != tt.wantError {
+				t.Errorf("ValidateConntrackCommand(%q, %v) error = %v, wantError %v", tt.command, tt.cliAvailable, err, tt.wantError)
+			}
+		})
+	}
+}

pkg/kernel/mcp/ip.go

@@ -0,0 +1,57 @@
+package kernel
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/types"
+)
+
+// GetIPCommandOutput MCP handler for ip utility operations.
+// GetIPCommandOutput executes 'ip' utility commands on a node.
+// Requires ip utility in the debug container image.
+func (s *MCPServer) GetIPCommandOutput(ctx context.Context, req *mcp.CallToolRequest, in types.ListIPParams) (*mcp.CallToolResult, types.Result, error) {
+	ipCliAvailable := s.UtilityExists(ctx, req, in.Node, in.Image, "ip")
+	if !ipCliAvailable {
+		return nil, types.Result{}, fmt.Errorf("error while getting ip data: mentioned image does not have ip utility")
+	}
+
+	if err := ValidateIPCommand(in.Command); err != nil {
+		return nil, types.Result{}, fmt.Errorf("error while getting ip data: %w", err)
+	}
+
+	cmd := newCommand("ip")
+	cmd.addIfNotEmpty(in.Options, in.Options)
+	cmd.add(strings.Fields(in.Command)...)
+	cmd.addIfNotEmpty(in.FilterParameters, strings.Fields(in.FilterParameters)...)
+
+	stdout, err := s.executeCommand(ctx, req, in.Node, in.Image, cmd.build())
+	if err != nil {
+		return nil, types.Result{}, fmt.Errorf("error while getting ip data: %w", err)
+	}
+	return nil, types.Result{Data: stdout}, nil
+}
+
+// ValidateIPCommand validates that the IP command is allowed.
+func ValidateIPCommand(ipCommand string) error {
+	if _, err := strconv.Atoi(ipCommand); err == nil {
+		return fmt.Errorf("invalid ip command: %s", ipCommand)
+	}
+	validIpCommand := map[string]bool{
+		"address show":   true,
+		"link show":      true,
+		"neighbour show": true,
+		"netns show":     true,
+		"route show":     true,
+		"rule show":      true,
+		"vrf show":       true,
+	}
+
+	if !validIpCommand[strings.TrimSpace(ipCommand)] {
+		return fmt.Errorf("invalid ip command: %s", ipCommand)
+	}
+	return nil
+}

pkg/kernel/mcp/ip_test.go

@@ -0,0 +1,113 @@
+package kernel
+
+import (
+	"testing"
+)
+
+func TestValidateIPCommand(t *testing.T) {
+	tests := []struct {
+		name      string
+		ipCommand string
+		wantError bool
+	}{
+		{
+			name:      "empty string",
+			ipCommand: "",
+			wantError: true,
+		},
+		{
+			name:      "numeric string",
+			ipCommand: "999",
+			wantError: true,
+		},
+		{
+			name:      "valid command - address show",
+			ipCommand: "address show",
+			wantError: false,
+		},
+		{
+			name:      "valid command - link show",
+			ipCommand: "link show",
+			wantError: false,
+		},
+		{
+			name:      "valid command - neighbour show",
+			ipCommand: "neighbour show",
+			wantError: false,
+		},
+		{
+			name:      "valid command - netns show",
+			ipCommand: "netns show",
+			wantError: false,
+		},
+		{
+			name:      "valid command - route show",
+			ipCommand: "route show",
+			wantError: false,
+		},
+		{
+			name:      "valid command - rule show",
+			ipCommand: "rule show",
+			wantError: false,
+		},
+		{
+			name:      "valid command - vrf show",
+			ipCommand: "vrf show",
+			wantError: false,
+		},
+		{
+			name:      "invalid command - addr show",
+			ipCommand: "addr show",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - neighbor show",
+			ipCommand: "neighbor show",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - address add",
+			ipCommand: "address add",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - link set",
+			ipCommand: "link set",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - route add",
+			ipCommand: "route add",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - just address",
+			ipCommand: "address",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - uppercase",
+			ipCommand: "ADDRESS SHOW",
+			wantError: true,
+		},
+		{
+			name:      "invalid command - extra spaces",
+			ipCommand: "address  show",
+			wantError: true,
+		},
+		{
+			name:      "valid command - with trailing space",
+			ipCommand: "address show ",
+			wantError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateIPCommand(tt.ipCommand)
+			if (err != nil) != tt.wantError {
+				t.Errorf("ValidateIPCommand(%q) error = %v, wantError %v", tt.ipCommand, err, tt.wantError)
+			}
+		})
+	}
+}