feat: snat azuredns to node ip in podsubnet scenarios

[QxBytes]

Reason for Change:

Changes podsubnet windows and linux (including cilium case) to snat azure dns traffic to node ip. Currently vnet scale case snats to node ip but podsubnet cases do not. Queried for cx that have policies which rely on previous behavior and no cases are found.

Issue Fixed:

Requirements:

• uses conventional commit messages
• includes documentation
• adds unit tests
• relevant PR labels added

Notes:
Affects only dns traffic (short connections)
Tested:
1.6.24 cns (azure linux 2.0) upgrading to this version (1.7.x) (cns base image now azure linux 3.0)

• iptables nftables and iptables legacy rules show up
• nftable rules seem to take precedent but should not matter since both rules work

When cni adds the iptables rules they should use whatever the node maps the iptables command to

For following, nslookup google.com 168.63.129.16 succeeds, tcpdump/packet capture on node shows snat to the node ip instead of the primary ip
Podsubnet cilium linux
Podsubnet azure linux
Podsubnet azure windows
Vnetscale cilium linux
Vnetscale azure linux
Vnetscale azure windows

Mostly green run (this pr does not affect overlay): https://msazure.visualstudio.com/One/_build/results?buildId=131651989&view=results

[Copilot]

Pull Request Overview

This PR modifies SNAT (Source NAT) behavior for Azure DNS traffic in pod subnet scenarios to consistently use the node IP instead of the primary IP across different networking modes. This ensures consistency between VNet scale cases (which already SNAT to node IP) and pod subnet cases.

• Changes Linux iptables rules to SNAT Azure DNS traffic to host primary IP instead of NC primary IP
• Updates Windows NAT policy to remove explicit VirtualIP specification for DNS traffic
• Updates corresponding unit tests to reflect the new SNAT target IP addresses

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cns/restserver/internalapi_linux.go	Modified SNAT rules to use req.HostPrimaryIP instead of ncPrimaryIP for DNS traffic
cns/restserver/internalapi_linux_test.go	Updated test expectations to reflect new SNAT target IP (10.0.0.4 instead of 240.1.2.1)
cni/network/network_windows.go	Removed VirtualIP specification from Windows NAT policy for DNS traffic
cni/network/network_test.go	Updated Windows test expectations to match new NAT policy structure
cni/network/invoker_cns.go	Changed DNS SNAT rules to use snatHostIPJump instead of snatPrimaryIPJump
cni/network/invoker_cns_test.go	Updated test expectations for new SNAT target IP (10.0.0.3 instead of 10.0.1.20)

[QxBytes]

/azp run Azure Container Networking PR

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[timraymond]

Giving a weak approval on this. It looks reasonable to me, but I want a second pair of eyes on this, as I haven't worked directly on CNI changes lately.

[santhoshmprabhu]

@QxBytes The changes look okay, but didn't we decide to do this based on a config parameter?

[github-actions]

This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days