fix(netfault): replace root qdisc instead of add to support pre-existing qdiscs

Network attacks using tc (delay, loss, corruption, bandwidth) failed
on hosts where the kernel had already attached a root qdisc to the
target interface (e.g. `mq` on GKE COS, EKS, AKS, RHCOS). `tc qdisc
add ... root` returned `NLM_F_REPLACE needed to override` and the
attack could not start.

Switch the root qdisc command to `tc qdisc replace ... root` on apply.
On revert we still `qdisc del root`; the kernel then re-attaches its
default qdisc (`mq` on multi-queue devices, `noqueue` on veth,
otherwise the configured `net.core.default_qdisc`), so common cloud
node setups are restored to their pre-attack state automatically.

Add a preflight that runs `tc qdisc show` once per Apply, parses all
root qdiscs into a map, and emits a warning for each affected
interface whose root qdisc is not in the kernel-auto-restored
allowlist (mq, noqueue, pfifo_fast, fq_codel, fq). Callers surface
the warnings via the new `Apply` return value.

Refactor the Opts interface to opt in to subsystem behavior via three
optional providers, mirroring the existing iptablesScriptProvider:

  - tcCommandProvider (tcCommands + tcRootQdiscInterfaces)
  - ipCommandProvider (ipCommands)
  - iptablesScriptProvider (iptablesScripts)

Each opts type now only implements the providers for the subsystems
it actually uses, removing six `return nil, nil` stubs across
blackhole, delay, loss, corruption, bandwidth, and tcp_reset.
generateAndRunCommands and Apply discover behavior via type
assertions, the same pattern already used for iptables scripts.

Breaking changes:
- `netfault.Apply` now returns `([]string, error)`. The string slice
  contains preflight warnings to surface to the user.
- The `Opts` interface no longer requires `ipCommands` or `tcCommands`.
  External Opts implementations that returned `nil, nil` from these
  methods can simply remove them; external callers that consumed those
  methods need a type assertion first.

Author: joshiste

go/action_kit_commons/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## 1.8.0
+
+- netfault: use `tc qdisc replace` (instead of `add`) for the root qdisc in
+  delay/loss/corruption/bandwidth attacks so they no longer fail on hosts
+  with a pre-existing root qdisc (e.g. `mq` on GKE COS / EKS / AKS).
+- netfault: add preflight check that warns when an interface has a
+  user-installed root qdisc (anything other than `mq`, `noqueue`,
+  `pfifo_fast`, `fq_codel`, `fq`); the kernel default will be restored
+  after revert in that case.
+- **Breaking:** `netfault.Apply` now returns `([]string, error)` — the
+  string slice contains preflight warnings to surface to the user.
+- **Breaking:** The `Opts` interface no longer requires `ipCommands` or
+  `tcCommands`. Subsystem behavior is now opt-in via two new optional
+  interfaces: `tcCommandProvider` (`tcCommands` + `tcRootQdiscInterfaces`)
+  and `ipCommandProvider` (`ipCommands`), mirroring the existing
+  `iptablesScriptProvider`. External `Opts` implementations that returned
+  `nil, nil` from these methods can simply remove them; external callers
+  that consumed those methods need a type assertion first.
+
 ## 1.6.1
 
 - Add UseMangleChain to TcpResetOpts to enable tcp reset on istio

go/action_kit_commons/network/netfault/bandwidth.go

@@ -46,8 +46,8 @@ func (o *LimitBandwidthOpts) doesConflictWith(opts Opts) bool {
 	return false
 }
 
-func (o *LimitBandwidthOpts) ipCommands(_ family, _ mode) ([]string, error) {
-	return nil, nil
+func (o *LimitBandwidthOpts) tcRootQdiscInterfaces() []string {
+	return o.Interfaces
 }
 
 func (o *LimitBandwidthOpts) tcCommands(mode mode) ([]string, error) {
@@ -63,7 +63,7 @@ func (o *LimitBandwidthOpts) tcCommands(mode mode) ([]string, error) {
 
 	filter := optimizeFilter(o.Filter)
 	for _, ifc := range o.Interfaces {
-		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s root handle 1: htb default 30", mode, ifc))
+		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s root handle 1: htb default 30", rootQdiscVerb(mode), ifc))
 		cmds = append(cmds, fmt.Sprintf("class %s dev %s parent 1: classid %s htb rate %s", mode, ifc, handleInclude, o.Bandwidth))
 
 		filterCmds, err := tcCommandsForFilter(mode, filter, ifc)

go/action_kit_commons/network/netfault/bandwidth_test.go

@@ -61,7 +61,7 @@ func TestLimitBandwidthOpts_TcCommands(t *testing.T) {
 				Bandwidth:  "100mbit",
 				Interfaces: []string{"eth0"},
 			},
-			wantAdd: []byte(`qdisc add dev eth0 root handle 1: htb default 30
+			wantAdd: []byte(`qdisc replace dev eth0 root handle 1: htb default 30
 class add dev eth0 parent 1: classid 1:3 htb rate 100mbit
 filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src 192.168.2.1/32 match ip sport 80 0xffff flowid 1:1
 filter add dev eth0 protocol ip parent 1: prio 2 u32 match ip dst 192.168.2.1/32 match ip dport 80 0xffff flowid 1:1

go/action_kit_commons/network/netfault/blackhole.go

@@ -83,10 +83,6 @@ func (o *BlackholeOpts) ipCommands(family family, mode mode) ([]string, error) {
 	return cmds, nil
 }
 
-func (o *BlackholeOpts) tcCommands(_ mode) ([]string, error) {
-	return nil, nil
-}
-
 func (o *BlackholeOpts) String() string {
 	var sb strings.Builder
 	sb.WriteString("blocking traffic ")

go/action_kit_commons/network/netfault/delay.go

@@ -59,8 +59,8 @@ func (o *DelayOpts) doesConflictWith(opts Opts) bool {
 	return false
 }
 
-func (o *DelayOpts) ipCommands(_ family, _ mode) ([]string, error) {
-	return nil, nil
+func (o *DelayOpts) tcRootQdiscInterfaces() []string {
+	return o.Interfaces
 }
 
 const steadybitDelayFwMark uint32 = 0x1
@@ -174,7 +174,7 @@ func (o *DelayOpts) tcCommands(mode mode) ([]string, error) {
 
 	filter := optimizeFilter(o.Filter)
 	for _, ifc := range o.Interfaces {
-		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0", mode, ifc))
+		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0", rootQdiscVerb(mode), ifc))
 		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s parent %s handle 30: netem delay %dms %dms", mode, ifc, handleInclude, o.Delay.Milliseconds(), o.Jitter.Milliseconds()))
 
 		if o.TcpPshOnly {

go/action_kit_commons/network/netfault/delay_test.go

@@ -55,7 +55,7 @@ func TestDelayOpts_TcCommands(t *testing.T) {
 				Jitter:     10 * time.Millisecond,
 				Interfaces: []string{"eth0"},
 			},
-			wantAdd: []byte(`qdisc add dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+			wantAdd: []byte(`qdisc replace dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 qdisc add dev eth0 parent 1:3 handle 30: netem delay 100ms 10ms
 filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src 192.168.2.1/32 match ip sport 80 0xffff flowid 1:1
 filter add dev eth0 protocol ip parent 1: prio 2 u32 match ip dst 192.168.2.1/32 match ip dport 80 0xffff flowid 1:1
@@ -112,7 +112,7 @@ qdisc del dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 				Interfaces: []string{"eth0"},
 				TcpPshOnly: true,
 			},
-			wantAdd: []byte(`qdisc add dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+			wantAdd: []byte(`qdisc replace dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 qdisc add dev eth0 parent 1:3 handle 30: netem delay 100ms 10ms
 filter add dev eth0 protocol ip parent 1: prio 1 handle 0x1 fw flowid 1:3
 filter add dev eth0 protocol ipv6 parent 1: prio 2 handle 0x1 fw flowid 1:3
@@ -141,7 +141,7 @@ qdisc del dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 				Jitter:     10 * time.Millisecond,
 				Interfaces: []string{"eth0"},
 			},
-			wantAdd: []byte(`qdisc add dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+			wantAdd: []byte(`qdisc replace dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 qdisc add dev eth0 parent 1:3 handle 30: netem delay 100ms 10ms
 filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src 192.168.2.1/32 match ip sport 80 0xffff flowid 1:1
 filter add dev eth0 protocol ip parent 1: prio 2 u32 match ip dst 192.168.2.1/32 match ip dport 80 0xffff flowid 1:1

go/action_kit_commons/network/netfault/netfault.go

@@ -42,31 +42,43 @@ type CommandRunner interface {
 	id() string
 }
 
-func Apply(ctx context.Context, runner CommandRunner, opts Opts) error {
-	return generateAndRunCommands(ctx, runner, opts, modeAdd)
+// Apply installs the attack. The returned warnings describe pre-existing
+// root qdiscs that the kernel will not auto-restore on Revert.
+func Apply(ctx context.Context, runner CommandRunner, opts Opts) ([]string, error) {
+	var interfaces []string
+	if p, ok := opts.(tcCommandProvider); ok {
+		interfaces = p.tcRootQdiscInterfaces()
+	}
+	warnings := preflightWarnings(ctx, runner, interfaces)
+	if err := generateAndRunCommands(ctx, runner, opts, modeAdd); err != nil {
+		return warnings, err
+	}
+	return warnings, nil
 }
 
 func Revert(ctx context.Context, runner CommandRunner, opts Opts) error {
 	return generateAndRunCommands(ctx, runner, opts, modeDelete)
 }
 
 func generateAndRunCommands(ctx context.Context, runner CommandRunner, opts Opts, mode mode) error {
-	ipCommandsV4, err := opts.ipCommands(familyV4, mode)
-	if err != nil {
-		return err
-	}
+	var ipCommandsV4, ipCommandsV6, tcCommands []string
+	var err error
 
-	var ipCommandsV6 []string
-	if ipv6Supported() {
-		ipCommandsV6, err = opts.ipCommands(familyV6, mode)
-		if err != nil {
+	if p, ok := opts.(ipCommandProvider); ok {
+		if ipCommandsV4, err = p.ipCommands(familyV4, mode); err != nil {
 			return err
 		}
+		if ipv6Supported() {
+			if ipCommandsV6, err = p.ipCommands(familyV6, mode); err != nil {
+				return err
+			}
+		}
 	}
 
-	tcCommands, err := opts.tcCommands(mode)
-	if err != nil {
-		return err
+	if p, ok := opts.(tcCommandProvider); ok {
+		if tcCommands, err = p.tcCommands(mode); err != nil {
+			return err
+		}
 	}
 
 	if log.Debug().Enabled() {

go/action_kit_commons/network/netfault/netfault_test.go

@@ -14,23 +14,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-type fakeRunner struct {
-	calls []struct {
-		args []string
-		cmds []string
-	}
-}
-
-func (f *fakeRunner) run(_ context.Context, args []string, cmds []string) (string, error) {
-	f.calls = append(f.calls, struct {
-		args []string
-		cmds []string
-	}{args: args, cmds: cmds})
-	return "", nil
-}
-
-func (f *fakeRunner) id() string { return "testns" }
-
 func TestApply_Order_IptablesBeforeTcWhenTcpPshOnly(t *testing.T) {
 	// Disable ipv6 for the test to avoid ip6tables invocation
 	ipv6Supported = func() bool { return false }
@@ -45,7 +28,7 @@ func TestApply_Order_IptablesBeforeTcWhenTcpPshOnly(t *testing.T) {
 	}
 
 	r := &fakeRunner{}
-	err := Apply(context.Background(), r, opts)
+	_, err := Apply(context.Background(), r, opts)
 	assert.NoError(t, err)
 
 	iptablesIdx := -1
@@ -54,7 +37,7 @@ func TestApply_Order_IptablesBeforeTcWhenTcpPshOnly(t *testing.T) {
 		if len(c.args) > 0 && c.args[0] == "iptables-restore" {
 			iptablesIdx = i
 		}
-		if len(c.args) > 0 && c.args[0] == "tc" && len(c.cmds) > 0 && strings.HasPrefix(c.cmds[0], "qdisc add") {
+		if len(c.args) > 0 && c.args[0] == "tc" && len(c.cmds) > 0 && strings.HasPrefix(c.cmds[0], "qdisc replace") {
 			tcBatchIdx = i
 		}
 	}
@@ -67,6 +50,92 @@ func TestApply_Order_IptablesBeforeTcWhenTcpPshOnly(t *testing.T) {
 	}
 }
 
+func TestApply_ReturnsPreflightWarnings(t *testing.T) {
+	ipv6Supported = func() bool { return false }
+	defer func() { ipv6Supported = defaultIpv6Supported }()
+
+	tests := []struct {
+		name         string
+		interfaces   []string
+		tcOutput     string
+		wantWarnings int
+		wantSubstr   string
+	}{
+		{
+			name:         "kernel default (mq) — no warning",
+			interfaces:   []string{"eth0"},
+			tcOutput:     `qdisc mq 8002: dev eth0 root`,
+			wantWarnings: 0,
+		},
+		{
+			name:         "user-installed (htb) — warning",
+			interfaces:   []string{"eth0"},
+			tcOutput:     `qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 0x30`,
+			wantWarnings: 1,
+			wantSubstr:   `"htb"`,
+		},
+		{
+			name:       "two interfaces, one user-installed",
+			interfaces: []string{"eth0", "eth1"},
+			tcOutput: `qdisc mq 0: dev eth0 root
+qdisc cake 8001: dev eth1 root refcnt 2 bandwidth 1Gbit`,
+			wantWarnings: 1,
+			wantSubstr:   `"cake"`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			opts := &DelayOpts{
+				Filter:     Filter{Include: []network.NetWithPortRange{mustParseNetWithPortRange("0.0.0.0/0", "*")}},
+				Delay:      100 * time.Millisecond,
+				Interfaces: tt.interfaces,
+			}
+
+			// Unique netNsId per subtest so activeNetfault state does not leak.
+			r := &fakeRunner{netNsId: tt.name, stdout: tt.tcOutput}
+			warnings, err := Apply(context.Background(), r, opts)
+			assert.NoError(t, err)
+			assert.Len(t, warnings, tt.wantWarnings)
+			if tt.wantWarnings > 0 && tt.wantSubstr != "" {
+				assert.Contains(t, warnings[0], tt.wantSubstr)
+			}
+		})
+	}
+}
+
+// TestOptsProviderMatrix locks down which subsystem providers each Opts type
+// implements. Generated commands flow through type assertions in
+// generateAndRunCommands, so accidentally adding tcCommands to BlackholeOpts
+// (or any similar mistake) would silently start hitting a different code
+// path without any other test failing.
+func TestOptsProviderMatrix(t *testing.T) {
+	cases := []struct {
+		name        string
+		opts        Opts
+		hasIp       bool
+		hasTc       bool
+		hasIptables bool
+	}{
+		{"BlackholeOpts", &BlackholeOpts{}, true, false, false},
+		{"DelayOpts", &DelayOpts{}, false, true, true},
+		{"PackageLossOpts", &PackageLossOpts{}, false, true, false},
+		{"CorruptPackagesOpts", &CorruptPackagesOpts{}, false, true, false},
+		{"LimitBandwidthOpts", &LimitBandwidthOpts{}, false, true, false},
+		{"TcpResetOpts", &TcpResetOpts{}, false, false, true},
+	}
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			_, isIp := tt.opts.(ipCommandProvider)
+			_, isTc := tt.opts.(tcCommandProvider)
+			_, isIptables := tt.opts.(iptablesScriptProvider)
+			assert.Equal(t, tt.hasIp, isIp, "ipCommandProvider")
+			assert.Equal(t, tt.hasTc, isTc, "tcCommandProvider")
+			assert.Equal(t, tt.hasIptables, isIptables, "iptablesScriptProvider")
+		})
+	}
+}
+
 func TestDelayOpts_IptablesScripts_FilterByFamily(t *testing.T) {
 	opts := &DelayOpts{
 		Filter: Filter{

go/action_kit_commons/network/netfault/packageCorruption.go

@@ -45,16 +45,16 @@ func (o *CorruptPackagesOpts) doesConflictWith(opts Opts) bool {
 	return false
 }
 
-func (o *CorruptPackagesOpts) ipCommands(_ family, _ mode) ([]string, error) {
-	return nil, nil
+func (o *CorruptPackagesOpts) tcRootQdiscInterfaces() []string {
+	return o.Interfaces
 }
 
 func (o *CorruptPackagesOpts) tcCommands(mode mode) ([]string, error) {
 	var cmds []string
 
 	filter := optimizeFilter(o.Filter)
 	for _, ifc := range o.Interfaces {
-		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0", mode, ifc))
+		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0", rootQdiscVerb(mode), ifc))
 		cmds = append(cmds, fmt.Sprintf("qdisc %s dev %s parent %s handle 30: netem corrupt %d%%", mode, ifc, handleInclude, o.Corruption))
 
 		filterCmds, err := tcCommandsForFilter(mode, filter, ifc)

go/action_kit_commons/network/netfault/packageCorruption_test.go

@@ -38,7 +38,7 @@ func TestCorruptPackagesOpts_TcCommands(t *testing.T) {
 				Corruption: 90,
 				Interfaces: []string{"eth0"},
 			},
-			wantAdd: []byte(`qdisc add dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+			wantAdd: []byte(`qdisc replace dev eth0 root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 qdisc add dev eth0 parent 1:3 handle 30: netem corrupt 90%
 filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src 192.168.2.1/32 match ip sport 80 0xffff flowid 1:1
 filter add dev eth0 protocol ip parent 1: prio 2 u32 match ip dst 192.168.2.1/32 match ip dport 80 0xffff flowid 1:1