aws · amogh09 · May 21, 2025 · May 20, 2025
@@ -73,10 +73,12 @@ const (
 	tcAddQdiscRootCommandString      = "tc qdisc add dev %s root handle 1: prio priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2"
 	tcAddQdiscLatencyCommandString   = "tc qdisc add dev %s parent 1:1 handle 10: netem delay %dms %dms"
 	tcAddQdiscLossCommandString      = "tc qdisc add dev %s parent 1:1 handle 10: netem loss %d%%"
-	tcAllowlistIPCommandString       = "tc filter add dev %s protocol ip parent 1:0 prio 1 u32 match ip dst %s flowid 1:3"
-	tcAddFilterForIPCommandString    = "tc filter add dev %s protocol ip parent 1:0 prio 2 u32 match ip dst %s flowid 1:1"
+	tcAllowlistIPCommandString       = "tc filter add dev %s protocol all parent 1:0 prio 1 u32 match %s dst %s flowid 1:3"
+	tcAddFilterForIPCommandString    = "tc filter add dev %s protocol all parent 1:0 prio 2 u32 match %s dst %s flowid 1:1"
 	tcDeleteQdiscParentCommandString = "tc qdisc del dev %s parent 1:1 handle 10:"
 	tcDeleteQdiscRootCommandString   = "tc qdisc del dev %s root handle 1: prio"
+	ip4                              = "ip"  // For matching IPv4 packets in a tc filter
+	ip6                              = "ip6" // For matching IPv6 packets in a tc filter
 	allIPv4CIDR                      = "0.0.0.0/0"
 	allIPv6CIDR                      = "::/0"
 	dropTarget                       = "DROP"
@@ -1560,8 +1562,12 @@ func checkPacketLossFault(outputUnmarshalled []map[string]interface{}) (bool, er
 func (h *FaultHandler) addIPAddressesToFilter(
 	ctx context.Context, ipAddressList []*string, taskMetadata *state.TaskResponse,
 	nsenterPrefix, commandString, interfaceName string) error {
-	for _, ip := range ipAddressList {
-		commandComposed := nsenterPrefix + fmt.Sprintf(commandString, interfaceName, aws.ToString(ip))
+	for _, ipPtr := range ipAddressList {
+		ip := aws.ToString(ipPtr)
+		commandComposed := nsenterPrefix + fmt.Sprintf(commandString, interfaceName, ip4, ip)
+		if utils.IsIPv6(ip) || utils.IsIPv6CIDR(ip) {
+			commandComposed = nsenterPrefix + fmt.Sprintf(commandString, interfaceName, ip6, ip)
+		}
 		cmdList := strings.Split(commandComposed, " ")
 		cmdOutput, err := h.runExecCommand(ctx, cmdList)
 		if err != nil {

@@ -207,9 +207,9 @@ var (
 		"SourcesToFilter": ipSourcesToFilter,
 	}
 
-	ipSources = []string{"52.95.154.1", "52.95.154.2"}
+	ipSources = []string{"52.95.154.1", "52.95.154.2", "1:2:3:4::"}
 
-	ipSourcesToFilter = []string{"8.8.8.8"}
+	ipSourcesToFilter = []string{"8.8.8.8", "5:5:5:5::"}
 
 	startNetworkBlackHolePortTestPrefix = fmt.Sprintf(startFaultRequestType, types.BlackHolePortFaultType)
 	stopNetworkBlackHolePortTestPrefix  = fmt.Sprintf(stopFaultRequestType, types.BlackHolePortFaultType)
@@ -1825,8 +1825,8 @@ func generateStartNetworkLatencyTestCases() []networkFaultInjectionTestCase {
 					exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return(mockCMD),
 					mockCMD.EXPECT().CombinedOutput().Times(1).Return([]byte(tcCommandEmptyOutput), nil),
 				)
-				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(5).Return(mockCMD)
-				mockCMD.EXPECT().CombinedOutput().Times(5).Return([]byte(tcCommandEmptyOutput), nil)
+				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(7).Return(mockCMD)
+				mockCMD.EXPECT().CombinedOutput().Times(7).Return([]byte(tcCommandEmptyOutput), nil)
 			},
 			expectedResponseJSON: happyFaultRunningResponse,
 		},
@@ -1886,8 +1886,8 @@ func generateStartNetworkLatencyTestCases() []networkFaultInjectionTestCase {
 					exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return(mockCMD),
 					mockCMD.EXPECT().CombinedOutput().Times(1).Return([]byte(tcCommandEmptyOutput), nil),
 				)
-				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(4).Return(mockCMD)
-				mockCMD.EXPECT().CombinedOutput().Times(4).Return([]byte(tcCommandEmptyOutput), nil)
+				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(5).Return(mockCMD)
+				mockCMD.EXPECT().CombinedOutput().Times(5).Return([]byte(tcCommandEmptyOutput), nil)
 			},
 			expectedResponseJSON: happyFaultRunningResponse,
 		},
@@ -2413,8 +2413,8 @@ func generateStartNetworkPacketLossTestCases() []networkFaultInjectionTestCase {
 					exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return(mockCMD),
 					mockCMD.EXPECT().CombinedOutput().Times(1).Return([]byte(tcCommandEmptyOutput), nil),
 				)
-				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(5).Return(mockCMD)
-				mockCMD.EXPECT().CombinedOutput().Times(5).Return([]byte(tcCommandEmptyOutput), nil)
+				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(7).Return(mockCMD)
+				mockCMD.EXPECT().CombinedOutput().Times(7).Return([]byte(tcCommandEmptyOutput), nil)
 			},
 			expectedResponseJSON: happyFaultRunningResponse,
 		},
@@ -2473,8 +2473,8 @@ func generateStartNetworkPacketLossTestCases() []networkFaultInjectionTestCase {
 					exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return(mockCMD),
 					mockCMD.EXPECT().CombinedOutput().Times(1).Return([]byte(tcCommandEmptyOutput), nil),
 				)
-				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(4).Return(mockCMD)
-				mockCMD.EXPECT().CombinedOutput().Times(4).Return([]byte(tcCommandEmptyOutput), nil)
+				exec.EXPECT().CommandContext(gomock.Any(), gomock.Any(), gomock.Any()).Times(5).Return(mockCMD)
+				mockCMD.EXPECT().CombinedOutput().Times(5).Return([]byte(tcCommandEmptyOutput), nil)
 			},
 			expectedResponseJSON: happyFaultRunningResponse,
 		},

@@ -16,11 +16,8 @@ package types
 import (
 	"encoding/json"
 	"fmt"
-	"net"
 	"strconv"
 
-	"github.com/aws/amazon-ecs-agent/ecs-agent/logger"
-	"github.com/aws/amazon-ecs-agent/ecs-agent/logger/field"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/tmds/utils"
 	"github.com/aws/aws-sdk-go-v2/aws"
 )
@@ -135,10 +132,10 @@ func (request NetworkLatencyRequest) ValidateRequest() error {
 	if len(request.Sources) == 0 {
 		return fmt.Errorf(MissingRequiredFieldError, "Sources")
 	}
-	if err := validateNetworkFaultRequestSources(request.Sources, "Sources"); err != nil {
+	if err := requireIPInRequestSources(request.Sources, "Sources"); err != nil {
 		return err
 	}
-	if err := validateNetworkFaultRequestSources(request.SourcesToFilter, "SourcesToFilter"); err != nil {
+	if err := requireIPInRequestSources(request.SourcesToFilter, "SourcesToFilter"); err != nil {
 		return err
 	}
 	return nil
@@ -174,10 +171,10 @@ func (request NetworkPacketLossRequest) ValidateRequest() error {
 	if len(request.Sources) == 0 {
 		return fmt.Errorf(MissingRequiredFieldError, "Sources")
 	}
-	if err := validateNetworkFaultRequestSources(request.Sources, "Sources"); err != nil {
+	if err := requireIPInRequestSources(request.Sources, "Sources"); err != nil {
 		return err
 	}
-	if err := validateNetworkFaultRequestSources(request.SourcesToFilter, "SourcesToFilter"); err != nil {
+	if err := requireIPInRequestSources(request.SourcesToFilter, "SourcesToFilter"); err != nil {
 		return err
 	}
 	return nil
@@ -203,37 +200,6 @@ func NewNetworkFaultInjectionErrorResponse(err string) NetworkFaultInjectionResp
 	}
 }
 
-// validateNetworkFaultRequestSources validates each source is IPv4 or IPv4 CIDR block.
-func validateNetworkFaultRequestSources(sources []*string, sourcesType string) error {
-	for _, element := range sources {
-		if err := validateNetworkFaultRequestSource(aws.ToString(element), sourcesType); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// validateNetworkFaultRequestSource validates the source is IPv4 or IPv4 CIDR block.
-func validateNetworkFaultRequestSource(source string, sourceType string) error {
-	ip := net.ParseIP(source)
-	if ip != nil && ip.To4() != nil {
-		return nil // IPv4 successful
-	}
-
-	_, ipnet, err := net.ParseCIDR(source)
-	if err == nil && ipnet.IP.To4() != nil {
-		return nil // IPv4 CIDR successful
-	}
-	if err != nil {
-		logger.Info("Failed to parse fault source as IPv4 CIDR block", logger.Fields{
-			"source":    source,
-			field.Error: err,
-		})
-	}
-
-	return fmt.Errorf(InvalidValueError, source, sourceType)
-}
-
 // requireIPInRequestSources requires each source is IPv4/IPv6 or IPv4/IPv6 CIDR block.
 func requireIPInRequestSources(sources []*string, sourcesType string) error {
 	for _, element := range sources {

@@ -43,35 +43,6 @@ func TestNetworkBlackholePortAddSourceToFilterIfNotAlready(t *testing.T) {
 	})
 }
 
-// Tests for validateNetworkFaultRequestSource function that parses IPv4 and IPv4 CIDR blocks.
-func TestValidateNetworkFaultRequestSources(t *testing.T) {
-	tcs := []struct {
-		Name          string
-		Input         string
-		ShouldSucceed bool
-	}{
-		{"Valid IPv4", "1.2.3.4", true},
-		{"Valid IPv4 CIDR", "1.2.3.4/10", true},
-		{"Valid IPv6", "2001:db8::1", false},
-		{"Valid full IPv6", "2001:0db8:0000:0000:0000:0000:0000:0001", false},
-		{"IPv6 CIDR", "::1/128", false},
-		{"Invalid input", "invalid", false},
-		{"IPv4 with invalid CIDR", "192.168.1.0/", false},
-		{"IPv6 with invalid CIDR", "2001:db8::/129", false},
-		{"Empty input", "", false},
-	}
-	for _, tc := range tcs {
-		t.Run(tc.Name, func(t *testing.T) {
-			err := validateNetworkFaultRequestSource(tc.Input, "input")
-			if tc.ShouldSucceed {
-				require.NoError(t, err)
-			} else {
-				require.EqualError(t, err, fmt.Sprintf("invalid value %s for parameter input", tc.Input))
-			}
-		})
-	}
-}
-
 func TestRequireIPInRequestSources(t *testing.T) {
 	tcs := []struct {
 		Name          string