Allow IPv6 for network blackhole port fault API #4629

Merged (3 commits) May 13, 2025

Conversation

xxx0624
Contributor

@xxx0624 xxx0624 commented May 8, 2025

Summary

This change allows dropping packets for both IPv6 and IPv4 in the network blackhole port API in TMDS.

For IPv4-only or dual-stack tasks, we will make IPv6 updates on a best-effort basis. For IPv6-only tasks, both IPv4 and IPv6 updates are required.

Implementation details

  1. Allow IPv6 in the SourcesToFilter field in the request body.
  2. One additional chain will be injected into the IPv6 table beside the same one for the IPv4 table when the start fault API call is made. Any failure of the IPv6 table update will impact IPv6-only tasks.
  3. The additional chain in the IPv6 table will be removed when the stop fault API call is made. Any failure of the IPv6 table update will impact IPv6-only tasks.
  4. For the status check API there are no major changes; we will check whether the chain in the IPv4 table exists.

Testing

New tests cover the changes: yes

Manual testing:

  1. Launch a FIS-enabled task with a patched AMI which has this change.
  2. Use ecs exec to enter the container and start up a simple HTTP server that listens on port 8080 and the local IPv6 address.
sh-5.2# python3 -m http.server 8000 --bind ::
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
::1 - - [09/May/2025 19:05:59] "GET / HTTP/1.1" 200 -
::1 - - [09/May/2025 19:08:59] "GET / HTTP/1.1" 200 -
...
  3. Use ecs exec to inject the network blackhole port fault and see how it behaves.
// We can see it drops packet for port 8000
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"not-running"}
sh-5.2#
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/start -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"running"}
sh-5.2#
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl [::1]:8000
^C
sh-5.2# curl [::1]:8000 -m 5
curl: (28) Connection timed out after 5002 milliseconds
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/stop -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"stopped"}
sh-5.2# 
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"not-running"}
sh-5.2# 
sh-5.2# curl -s -o /dev/null -w "%{http_code}" [::1]:8000 -m 5
200
sh-5.2# 

// We can see it's not blocking the local IPv6 address
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/start -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress","SourcesToFilter":["::1"]}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl -s -o /dev/null -w "%{http_code}" [::1]:8000 -m 5
200
sh-5.2# 
// And we can see the expected iptables change
[root@ip-10-0-129-206 ~]# <enter task ns> iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
egress-tcp-8000  all  --  0.0.0.0/0            0.0.0.0/0           

Chain egress-tcp-8000 (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
[root@ip-10-0-129-206 ~]# <enter task ns> ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
egress-tcp-8000  all      ::/0                 ::/0                

Chain egress-tcp-8000 (1 references)
target     prot opt source               destination         
ACCEPT     tcp      ::/0                 ::1                  tcp dpt:8000
DROP       tcp      ::/0                 ::/0                 tcp dpt:8000
[root@ip-10-0-129-206 ~]#

Description for the changelog

  • Feature - expand the network blackhole port fault to allow dropping packets for IPv6.

Additional Information

Does this PR include breaking model changes? If so, have you added transformation functions?

No

Does this PR include the addition of new environment variables in the README?

No

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
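As an added illustration of the implementation details and the iptables/ip6tables listings in the testing section (example code written for this page, not the agent's own implementation), the following Go program renders the start and stop command sequences for both tables from the request fields used in the curl calls above. It splits SourcesToFilter by address family with the same To4() == nil test discussed in the review thread, and carries the best-effort versus required policy from the summary as a flag on the returned plan. The type and function names, the INPUT hook for ingress, and the exact iptables flags are assumptions; the chain name egress-tcp-8000, the ACCEPT-before-DROP layout and the OUTPUT hook match the listings on this page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// BlackholePortRequest mirrors the JSON fields used in the PR's curl calls
// (Port, Protocol, TrafficType, SourcesToFilter). Illustrative type only.
type BlackholePortRequest struct {
	Port            int
	Protocol        string   // "tcp" or "udp"
	TrafficType     string   // "egress" or "ingress"
	SourcesToFilter []string // addresses or CIDRs that must keep working
}

// Plan holds the commands for each address family plus the failure policy.
type Plan struct {
	IPv4      []string
	IPv6      []string
	IPv6Fatal bool // IPv6-only task: an ip6tables error must fail the API call
}

// isIPv6 is the To4()==nil test from the review thread, extended to accept a
// CIDR by stripping the prefix length before parsing.
func isIPv6(s string) bool {
	host := s
	if i := strings.IndexByte(s, '/'); i >= 0 {
		host = s[:i]
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.To4() == nil
}

// chainName reproduces the naming visible in the listings: egress-tcp-8000.
func chainName(r BlackholePortRequest) string {
	return fmt.Sprintf("%s-%s-%d", r.TrafficType, r.Protocol, r.Port)
}

// parentChain picks the built-in chain the fault chain hooks into. OUTPUT for
// egress matches the listing; INPUT for ingress is an assumption of this example.
func parentChain(r BlackholePortRequest) string {
	if r.TrafficType == "ingress" {
		return "INPUT"
	}
	return "OUTPUT"
}

// startCommands builds the rules for one table. Sources of the other family are
// skipped, since each table only accepts addresses of its own family. ACCEPT
// rules for exempted sources precede the DROP, as in the ip6tables listing.
func startCommands(bin string, r BlackholePortRequest, v6 bool) []string {
	chain := chainName(r)
	cmds := []string{fmt.Sprintf("%s -N %s", bin, chain)}
	for _, src := range r.SourcesToFilter {
		if isIPv6(src) != v6 {
			continue
		}
		cmds = append(cmds, fmt.Sprintf("%s -A %s -p %s -s %s --dport %d -j ACCEPT",
			bin, chain, r.Protocol, src, r.Port))
	}
	cmds = append(cmds,
		fmt.Sprintf("%s -A %s -p %s --dport %d -j DROP", bin, chain, r.Protocol, r.Port),
		fmt.Sprintf("%s -I %s -j %s", bin, parentChain(r), chain))
	return cmds
}

// stopCommands unhooks, flushes and deletes the fault chain in one table.
func stopCommands(bin string, r BlackholePortRequest) []string {
	chain := chainName(r)
	return []string{
		fmt.Sprintf("%s -D %s -j %s", bin, parentChain(r), chain),
		fmt.Sprintf("%s -F %s", bin, chain),
		fmt.Sprintf("%s -X %s", bin, chain),
	}
}

// PlanStart returns both tables' start commands. Per the PR summary the IPv6
// update is required for IPv6-only tasks and best effort otherwise.
func PlanStart(r BlackholePortRequest, ipv6OnlyTask bool) Plan {
	return Plan{
		IPv4:      startCommands("iptables", r, false),
		IPv6:      startCommands("ip6tables", r, true),
		IPv6Fatal: ipv6OnlyTask,
	}
}

// PlanStop mirrors PlanStart for the stop call.
func PlanStop(r BlackholePortRequest, ipv6OnlyTask bool) Plan {
	return Plan{
		IPv4:      stopCommands("iptables", r),
		IPv6:      stopCommands("ip6tables", r),
		IPv6Fatal: ipv6OnlyTask,
	}
}

func main() {
	// Constructed sample request: one IPv6 and one IPv4 exempted source.
	req := BlackholePortRequest{Port: 8000, Protocol: "tcp", TrafficType: "egress",
		SourcesToFilter: []string{"::1", "10.0.0.5"}}
	p := PlanStart(req, false)
	for _, c := range append(p.IPv4, p.IPv6...) {
		fmt.Println(c)
	}
	fmt.Println("ip6tables failure fatal:", p.IPv6Fatal)
}
```

The plan is returned rather than executed so the two tables' command lists can be inspected and tested; a caller would run the IPv4 list first, then the IPv6 list, and surface an ip6tables error to the API client only when IPv6Fatal is set.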

@xxx0624 xxx0624 marked this pull request as ready for review May 9, 2025 19:23
@xxx0624 xxx0624 requested a review from a team as a code owner May 9, 2025 19:23
@@ -141,6 +145,8 @@ func (h *FaultHandler) StartNetworkBlackholePort() func(http.ResponseWriter, *ht
return
}

isIPv6OnlyTask := isIPv6OnlyTask(taskMetadata)
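Review bot: `isIPv6OnlyTask := isIPv6OnlyTask(taskMetadata)` shadows the function `isIPv6OnlyTask` with a bool for the remainder of this handler body; the declaration itself compiles, because the right-hand side is resolved before the new name comes into scope, but any later call to the function in the same block will not, and the identical spelling makes it easy to misread which of the two a name refers to. Inline the call where the flag is consumed, as the review comment on this line suggests, or give the variable a distinct name such as `ipv6Only`.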
Contributor

nit: is this variable necessary? Can we pass in isIPv6OnlyTask(taskMetadata) directly on line 181?

Contributor Author

Yes, I can do that in a follow up change.

Contributor Author

@xxx0624 xxx0624 May 12, 2025

Updated in a new rev.

@@ -542,7 +601,7 @@ func (h *FaultHandler) CheckNetworkBlackHolePort() func(http.ResponseWriter, *ht
}
}

// checkNetworkBlackHolePort will check if there's a running black hole port within the task network namespace based on the chain name and the passed in required request fields.
// checkNetworkBlackHolePort will check if there's a running black hole port within the task network namespace based on the chain in IPv4 tables.
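Review bot: the rewritten comment on checkNetworkBlackHolePort says the check is based on the IPv4 chain alone but not why that is sufficient; state the invariant the PR description relies on, namely that the IPv4 chain is created on every successful start while the IPv6 chain is best effort for IPv4 and dual-stack tasks and mandatory only for IPv6-only tasks, so a later reader does not add an ip6tables check that would report not-running for a task whose IPv6 update legitimately failed. It is also worth a sentence on the asymmetry this creates on stop: if the IPv4 chain is removed and the ip6tables removal fails on a dual-stack task, status returns not-running while the IPv6 DROP rule is still in place, so a stop error should be treated as something to retry rather than as cosmetic.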
Contributor

nit(non-blocking): might be helpful to provide a reason why we can just rely on checking the IPv4 route tables to see if a BHP fault is running.

Contributor Author

Yes, I will add that in a new rev.

Contributor Author

Updated in a new rev.


func IsIPv6(s string) bool {
parsedIP := net.ParseIP(s)
return parsedIP != nil && parsedIP.To4() == nil
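Review bot: `IsIPv6` classifies IPv4-mapped IPv6 literals such as `::ffff:192.0.2.1` as IPv4, because net.ParseIP yields a 16-byte slice for every valid input and To4() returns non-nil for the mapped form; To16() would not help, since it is non-nil for plain IPv4 as well, which is the point raised in this thread. If such a literal arrives in SourcesToFilter it will be handed to the iptables rule set in its mapped textual form, so either document that mapped addresses are unsupported and reject them in validation, or normalise with `parsedIP.To4().String()` before building the rule.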
Contributor

Why do we want parsedIP.To4() == nil and not parsedIP.To16() != nil?

Contributor Author

The To16 func will return a non-empty value for an IPv4 addr - https://go.dev/play/p/sBjowEPblpW

Contributor

wow
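The To4 versus To16 question in the thread above comes down to how the net package represents addresses, and it is easier to see with both checks run side by side. The following Go program is an added example for this page, not code from the agent; it applies the PR's To4() == nil test and the proposed To16() != nil test to a plain IPv4 address, a plain IPv6 address, an IPv4-mapped IPv6 literal (an input kind the thread does not discuss) and an invalid string, and contrasts the result with net/netip, which preserves the textual family. The type and function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Family records what the two candidate checks from the review thread say
// about one textual address. Illustrative type, not the agent's code.
type Family struct {
	Valid      bool // net.ParseIP accepted the string
	IsIPv6     bool // the PR's check: parsed != nil && To4() == nil
	To16NonNil bool // the alternative proposed in review: To16() != nil
	Mapped     bool // IPv4-mapped IPv6 literal (::ffff:a.b.c.d), which To4 treats as IPv4
}

// Classify runs both checks so their results can be compared directly.
// net.ParseIP returns a 16-byte slice for every valid input, so To16 is
// non-nil for IPv4 and IPv6 alike and cannot distinguish the families;
// To4 is nil only for addresses that are not IPv4 or IPv4-mapped.
func Classify(s string) Family {
	ip := net.ParseIP(s)
	if ip == nil {
		return Family{}
	}
	return Family{
		Valid:      true,
		IsIPv6:     ip.To4() == nil,
		To16NonNil: ip.To16() != nil,
		Mapped:     ip.To4() != nil && strings.Contains(s, ":"),
	}
}

// NetipIsIPv6 asks the same question with net/netip (Go 1.18+), which keeps the
// textual family: a mapped literal reports Is6() and Is4In6() both true.
func NetipIsIPv6(s string) (is6, is4in6, ok bool) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return false, false, false
	}
	return a.Is6(), a.Is4In6(), true
}

func main() {
	// Constructed sample inputs covering the cases discussed above.
	for _, s := range []string{"192.0.2.1", "2001:db8::1", "::ffff:192.0.2.1", "not-an-ip"} {
		f := Classify(s)
		is6, in6, ok := NetipIsIPv6(s)
		fmt.Printf("%-18s valid=%-5t To4==nil=%-5t To16!=nil=%-5t mapped=%-5t netip.Is6=%-5t Is4In6=%-5t ok=%t\n",
			s, f.Valid, f.IsIPv6, f.To16NonNil, f.Mapped, is6, in6, ok)
	}
}
```

The mapped row is the one to watch: the PR's check files it under IPv4, which is the right answer if the value will be normalised with To4() before being passed to iptables, while netip keeps it as IPv6. Whichever convention a validator adopts, it should be the same one the rule builder uses.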

@xxx0624 xxx0624 enabled auto-merge (squash) May 13, 2025 16:58
@xxx0624 xxx0624 merged commit fcffb5f into aws:dev May 13, 2025
40 checks passed
xxx0624 added a commit to xxx0624/amazon-ecs-agent that referenced this pull request May 14, 2025
* Allow IPv6 for network blackhole port fault API

* Fail network blackhole port API for IPv6 only tasks

* Update comments
xxx0624 added a commit to xxx0624/amazon-ecs-agent that referenced this pull request May 15, 2025
* Allow IPv6 for network blackhole port fault API

* Fail network blackhole port API for IPv6 only tasks

* Update comments
@danehlim danehlim mentioned this pull request May 20, 2025
timj-hh pushed a commit to timj-hh/amazon-ecs-agent that referenced this pull request Jul 19, 2025
* Allow IPv6 for network blackhole port fault API

* Fail network blackhole port API for IPv6 only tasks

* Update comments