Add kernel MCP tools

Implements MCP tools for inspecting kernel level networking
configurations:
- get-conntrack: retrieves connection tracking entries from a Kubernetes node.
- get-iptables: retrieves iptables/ip6tables rules from a Kubernetes node.
- get-nft: retrieves nftables configuration from a Kubernetes node.
- get-ip: executes 'ip' utility commands on a node.

Signed-off-by: Arnab Ghosh <arnabghosh89@gmail.com>

Author: arghosh93

cmd/ovnk-mcp-server/main.go

@@ -11,6 +11,7 @@ import (
 	"syscall"
 
 	mcp "github.com/modelcontextprotocol/go-sdk/mcp"
+	kernelmcp "github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/mcp"
 	kubernetesmcp "github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kubernetes/mcp"
 )
 
@@ -36,6 +37,13 @@ func main() {
 		}
 		log.Println("Adding Kubernetes tools to OVN-K MCP server")
 		k8sMcpServer.AddTools(ovnkMcpServer)
+
+		kernelMcpServer, err := kernelmcp.NewMCPServer(serverCfg.Kubernetes)
+		if err != nil {
+			log.Fatalf("Failed to create kernel MCP server: %v", err)
+		}
+		log.Println("Adding Kernel tools to OVN-K MCP server")
+		kernelMcpServer.AddTools(ovnkMcpServer)
 	}
 
 	// Create a context that can be cancelled to shutdown the server.

pkg/kernel/mcp/conntrack.go

@@ -0,0 +1,119 @@
+package kernel
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/types"
+)
+
+const conntrackSystemFile = "/proc/net/nf_conntrack"
+
+// GetConntrack retrieves connection tracking entries from a Kubernetes node. Falls back to /proc/net/nf_conntrack parsing when conntrack CLI unavailable.
+// TODO: Add support for conntrack event monitoring (-E flag)
+// TODO: Add support for -G (get specific entry) command
+func (c *KernelMCPServerClientSet) GetConntrack(ctx context.Context, in types.ListConntrackParams) (string, error) {
+	conntrack_cli_available := c.UtilityExists(ctx, in.Node, in.Image, "conntrack")
+	if err := ValidateConntrackCommand(in.Command, conntrack_cli_available); err != nil {
+		return "", err
+	}
+	if !conntrack_cli_available {
+		stdout, err := c.getConntrackFromFile(ctx, in.Node, in.Image, in.FilterParameters)
+		if err != nil {
+			return "", err
+		}
+		return stdout, nil
+	} else {
+		stdout, err := c.getConntrackUsingCLI(ctx, in.Node, in.Image, in.Command, in.FilterParameters)
+		if err != nil {
+			return "", err
+		}
+		return stdout, nil
+	}
+}
+
+// getConntrackUsingCLI executes conntrack CLI commands
+func (c *KernelMCPServerClientSet) getConntrackUsingCLI(ctx context.Context, node, image, command, filterParameters string) (string, error) {
+	cmd := newCommand("conntrack")
+	switch command {
+	case "-L":
+		cmd.add("-L", filterParameters)
+	case "-S":
+		cmd.add("-S")
+	case "-C":
+		cmd.add("-C")
+	default:
+		cmd.add("-L")
+	}
+	return c.executeCommand(ctx, node, image, cmd.build())
+}
+
+// getConntrackFromFile parses /proc/net/nf_conntrack directly
+func (c *KernelMCPServerClientSet) getConntrackFromFile(ctx context.Context, node, image, filterParameters string) (string, error) {
+	var regex string
+	cmd := newCommand("cat")
+	if filterParameters != "" {
+		regex = filterParametersToRegex(filterParameters)
+	}
+	if regex != "" {
+		cmd.add(conntrackSystemFile, "|", "grep", "-E", regex)
+	} else {
+		cmd.add(conntrackSystemFile)
+	}
+	return c.executeCommand(ctx, node, image, cmd.build())
+}
+
+// filterParametersToRegex converts conntrack filter params to grep regex
+func filterParametersToRegex(filterParameters string) string {
+	afterSplit := strings.Split(filterParameters, " ")
+	var src, dst, protocol, src_port, dst_port string
+	for i, item := range afterSplit {
+		if item == "-s" {
+			src = afterSplit[i+1]
+			splitSrc := strings.Split(src, ".")
+			src = "src=" + strings.Join(splitSrc, "\\.")
+		}
+		if item == "-d" {
+			dst = afterSplit[i+1]
+			splitDst := strings.Split(dst, ".")
+			dst = "dst=" + strings.Join(splitDst, "\\.")
+		}
+		if item == "-p" {
+			protocol = afterSplit[i+1]
+		}
+		if item == "--sport" {
+			src_port = "sport=" + afterSplit[i+1]
+		}
+		if item == "--dport" {
+			dst_port = "dport=" + afterSplit[i+1]
+		}
+	}
+	return "^.*\\b" + protocol + "\\b.*\\b" + src + "\\s+" + dst + "\\s+" + src_port + "\\s+" + dst_port + "\\b"
+}
+
+// ValidateConntrackCommand validates the command to be used to get list of conntrack entries.
+// It returns an error if conntrack CLI is not available and any other operation than list is being performed.
+func ValidateConntrackCommand(command string, cliAvailable bool) error {
+	if command == "" {
+		return nil
+	}
+
+	if !cliAvailable && command != "-L" {
+		return fmt.Errorf("mentioned image does not have conntrack utility, only -L is supported with limited filters")
+	}
+	if _, err := strconv.Atoi(command); err == nil {
+		return nil
+	}
+	validTables := map[string]bool{
+		"-L": true,
+		"-S": true,
+		"-C": true,
+	}
+
+	if !validTables[command] {
+		return fmt.Errorf("invalid command: %s", command)
+	}
+	return nil
+}

pkg/kernel/mcp/ip.go

@@ -0,0 +1,52 @@
+package kernel
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/types"
+)
+
+// GetIPCommandOutput executes 'ip' utility commands on a node. Requires ip utility in the debug container image.
+func (c *KernelMCPServerClientSet) GetIPCommandOutput(ctx context.Context, in types.ListIPParams) (string, error) {
+	ip_cli_available := c.UtilityExists(ctx, in.Node, in.Image, "ip")
+	if !ip_cli_available {
+		return "", fmt.Errorf("mentioned image does not have ip utility")
+	}
+	if err := ValidateIPCommand(in.Command); err != nil {
+		return "", err
+	}
+
+	cmd := newCommand("ip")
+	cmd.addIfNotEmpty(in.Options, in.Options)
+	cmd.add(strings.Fields(in.Command)...)
+	cmd.addIfNotEmpty(in.SubCommand, strings.Fields(in.SubCommand)...)
+	return c.executeCommand(ctx, in.Node, in.Image, cmd.build())
+}
+
+// ValidateIPCommand validates that the IP command is allowed.
+func ValidateIPCommand(ipCommand string) error {
+	if ipCommand == "" {
+		return nil
+	}
+
+	if _, err := strconv.Atoi(ipCommand); err == nil {
+		return nil
+	}
+	validIpCommand := map[string]bool{
+		"address show":   true,
+		"link show":      true,
+		"neighbour show": true,
+		"netns show":     true,
+		"route show":     true,
+		"rule show":      true,
+		"vrf show":       true,
+	}
+
+	if !validIpCommand[ipCommand] {
+		return fmt.Errorf("invalid ip command: %s", ipCommand)
+	}
+	return nil
+}

pkg/kernel/mcp/iptables.go

@@ -0,0 +1,88 @@
+package kernel
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/ovn-kubernetes/ovn-kubernetes-mcp/pkg/kernel/types"
+)
+
+// GetIptables retrieves iptables/ip6tables rules from a Kubernetes node. Automatically detects IPv6 and uses ip6tables when needed.
+func (c *KernelMCPServerClientSet) GetIptables(ctx context.Context, in types.ListIPTablesParams) (string, error) {
+	iptables_cli_available := c.UtilityExists(ctx, in.Node, in.Image, "iptables")
+	if !iptables_cli_available {
+		return "", fmt.Errorf("mentioned image does not have iptables utility")
+	}
+	if err := ValidateTableName(in.Table); err != nil {
+		return "", err
+	}
+
+	if err := ValidateIptablesCommand(in.Command); err != nil {
+		return "", err
+	}
+	cmd := newCommand(iptablesCommand(in.FilterParameters))
+	// Defaults to 'filter' table when not specified
+	cmd.addIf(in.Table == "", "-t", "filter")
+	cmd.addIfNotEmpty(in.Table, "-t", in.Table)
+	// Defaults to -L (list) when command not specified
+	cmd.addIf(in.Command == "", "-L")
+	cmd.addIfNotEmpty(in.Command, in.Command)
+	// FilterParameters are invalid with -S command
+	cmd.addIf(in.FilterParameters != "" && in.Command != "-S", in.FilterParameters)
+	return c.executeCommand(ctx, in.Node, in.Image, cmd.build())
+}
+
+// iptablesCommand determines whether to use iptables or ip6tables.
+func iptablesCommand(filterParameters string) string {
+	for _, item := range strings.Split(filterParameters, " ") {
+		if item == "--ipv6" || strings.Contains(item, "6") {
+			return "ip6tables"
+		}
+	}
+	return "iptables"
+}
+
+// ValidateTableName validates iptables table name
+func ValidateTableName(table string) error {
+	if table == "" {
+		return nil
+	}
+
+	if _, err := strconv.Atoi(table); err == nil {
+		return nil
+	}
+	validTables := map[string]bool{
+		"filter":   true,
+		"nat":      true,
+		"mangle":   true,
+		"raw":      true,
+		"security": true,
+	}
+
+	if !validTables[table] {
+		return fmt.Errorf("invalid table name: %s", table)
+	}
+	return nil
+}
+
+// ValidateIptablesCommand only allow list operation.
+func ValidateIptablesCommand(command string) error {
+	if command == "" {
+		return nil
+	}
+
+	if _, err := strconv.Atoi(command); err == nil {
+		return nil
+	}
+	validCommand := map[string]bool{
+		"-L": true,
+		"-S": true,
+	}
+
+	if !validCommand[command] {
+		return fmt.Errorf("invalid iptables command: %s", command)
+	}
+	return nil
+}