Allow IPv6 for network blackhole port fault API #4629


Open
wants to merge 2 commits into
base: dev

Conversation

xxx0624
Contributor

@xxx0624 xxx0624 commented May 8, 2025

Summary

This change allows dropping packets for both IPv6 and IPv4 in the network blackhole port API in TMDS.

Implementation details

  1. Allow IPv6 in the SourcesToFilter field in the request body
  2. One additional chain will be injected into the IPv6 table beside the same one for the IPv4 table when the start fault API call is made. Any failure in the IPv6 table update will impact IPv6-only tasks.
  3. The additional chain for the IPv6 table will be removed when the stop fault API call is made. Any failure in the IPv6 table update will impact IPv6-only tasks.
  4. For the status check API, no major changes; we will check whether the chain in the IPv4 table exists.

Testing

New tests cover the changes:

yes

manual testing

  1. Launch a FIS enabled task with a patched AMI which has this change
  2. Use ecs exec to enter the container and start up a simple http server that listens on port 8080 and the local ipv6 addr
sh-5.2# python3 -m http.server 8000 --bind ::
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
::1 - - [09/May/2025 19:05:59] "GET / HTTP/1.1" 200 -
::1 - - [09/May/2025 19:08:59] "GET / HTTP/1.1" 200 -
...
  3. Use ecs exec to inject the network blackhole port fault and see how it behaves
// We can see it drops packets for port 8000
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"not-running"}
sh-5.2# 
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/start -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl [::1]:8000
^C
sh-5.2# curl [::1]:8000 -m 5
curl: (28) Connection timed out after 5002 milliseconds
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/stop -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"stopped"}
sh-5.2# 
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"not-running"}
sh-5.2# 
sh-5.2# curl -s -o /dev/null -w "%{http_code}" [::1]:8000 -m 5
200
sh-5.2# 

// We can see it's not blocking the local IPv6 address
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/start -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress","SourcesToFilter":["::1"]}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl -X POST $ECS_AGENT_URI/fault/v1/network-blackhole-port/status -d '{"Port":8000,"Protocol":"tcp","TrafficType":"egress"}'
{"Status":"running"}
sh-5.2# 
sh-5.2# curl -s -o /dev/null -w "%{http_code}" [::1]:8000 -m 5
200
sh-5.2# 
// And we can see the expected iptables change
[root@ip-10-0-129-206 ~]# <enter task ns> iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
egress-tcp-8000  all  --  0.0.0.0/0            0.0.0.0/0           

Chain egress-tcp-8000 (1 references)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
[root@ip-10-0-129-206 ~]# <enter task ns> ip6tables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
egress-tcp-8000  all      ::/0                 ::/0                

Chain egress-tcp-8000 (1 references)
target     prot opt source               destination         
ACCEPT     tcp      ::/0                 ::1                  tcp dpt:8000
DROP       tcp      ::/0                 ::/0                 tcp dpt:8000
[root@ip-10-0-129-206 ~]#

Description for the changelog

  • Feature - expand the network blackhole port fault to allow dropping packets for IPv6.

Additional Information

Does this PR include breaking model changes? If so, Have you added transformation functions?

No

Does this PR include the addition of new environment variables in the README?

No

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@xxx0624 xxx0624 marked this pull request as ready for review May 9, 2025 19:23
@xxx0624 xxx0624 requested a review from a team as a code owner May 9, 2025 19:23
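The three start/stop/status items in the PR description (validate SourcesToFilter for both families, insert a chain into the IPv6 table beside the IPv4 one, remove both on stop) can be made concrete with a small Go sketch. This is an added example written for this page; it is not code from the PR or from the ecs-agent. All helper names (`parseSource`, `splitSources`, `startCommands`, `stopCommands`, `planStart`) are hypothetical. The chain name format ("egress-tcp-8000") and the ACCEPT-then-DROP rule shape are taken from the ip6tables output in the test transcript above; the choice of OUTPUT/INPUT as the hook chain and of `-d` versus `-s` for the filtered sources is an assumption inferred from that output. The example goes one step past the PR text by rejecting zone-scoped IPv6 addresses and by routing IPv4-mapped addresses (`::ffff:a.b.c.d`) to ip6tables, where they actually match.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// blackholeChainName follows the naming visible in the PR's iptables output
// ("egress-tcp-8000"). Hypothetical helper, not the agent's own code.
func blackholeChainName(trafficType, protocol string, port int) string {
	return fmt.Sprintf("%s-%s-%d", trafficType, protocol, port)
}

// parseSource accepts one SourcesToFilter entry: an IPv4 or IPv6 address, or a
// CIDR block of either family. A bare address becomes /32 or /128 so every rule
// carries an explicit prefix. Zone-scoped addresses ("fe80::1%eth0") are
// rejected because ip6tables cannot express the scope.
func parseSource(s string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(s); err == nil {
		return p.Masked(), nil // drop host bits: 10.0.0.1/8 -> 10.0.0.0/8
	}
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("invalid source %q: expected an IP address or CIDR block", s)
	}
	if a.Zone() != "" {
		return netip.Prefix{}, fmt.Errorf("invalid source %q: zone-scoped addresses are not supported", s)
	}
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// splitSources validates every source and partitions the valid ones by address
// family, so each table only receives rules it can apply. IPv4-mapped IPv6
// addresses are not Is4() and therefore land in the IPv6 list.
func splitSources(sources []string) (v4, v6 []string, err error) {
	for _, s := range sources {
		p, err := parseSource(s)
		if err != nil {
			return nil, nil, err
		}
		if p.Addr().Is4() {
			v4 = append(v4, p.String())
		} else {
			v6 = append(v6, p.String())
		}
	}
	return v4, v6, nil
}

// hooks returns the built-in chain to jump from and the address match used for
// filtered sources. Assumption inferred from the PR's ip6tables output: egress
// hooks OUTPUT and treats SourcesToFilter as destinations.
func hooks(trafficType string) (builtin, match string) {
	if trafficType == "egress" {
		return "OUTPUT", "-d"
	}
	return "INPUT", "-s"
}

func binary(ipv6 bool) string {
	if ipv6 {
		return "ip6tables"
	}
	return "iptables"
}

// startCommands renders one family's commands: create the chain, ACCEPT each
// filtered source, DROP the rest of the port, then link the chain in.
func startCommands(trafficType, protocol string, port int, sources []string, ipv6 bool) []string {
	bin, chain := binary(ipv6), blackholeChainName(trafficType, protocol, port)
	builtin, match := hooks(trafficType)
	cmds := []string{fmt.Sprintf("%s -N %s", bin, chain)}
	for _, src := range sources {
		cmds = append(cmds, fmt.Sprintf("%s -A %s -p %s %s %s --dport %d -j ACCEPT",
			bin, chain, protocol, match, src, port))
	}
	return append(cmds,
		fmt.Sprintf("%s -A %s -p %s --dport %d -j DROP", bin, chain, protocol, port),
		fmt.Sprintf("%s -I %s -j %s", bin, builtin, chain))
}

// stopCommands reverses startCommands: unlink, flush, then delete the chain.
func stopCommands(trafficType, protocol string, port int, ipv6 bool) []string {
	bin, chain := binary(ipv6), blackholeChainName(trafficType, protocol, port)
	builtin, _ := hooks(trafficType)
	return []string{
		fmt.Sprintf("%s -D %s -j %s", bin, builtin, chain),
		fmt.Sprintf("%s -F %s", bin, chain),
		fmt.Sprintf("%s -X %s", bin, chain),
	}
}

// startPlan carries both families' commands. V6Fatal encodes the policy the PR
// description states: an ip6tables failure fails the request only for an
// IPv6-only task (assumed: on a dual-stack task it is logged and IPv4 stands).
type startPlan struct {
	V4, V6  []string
	V6Fatal bool
}

func planStart(trafficType, protocol string, port int, sources []string, ipv6OnlyTask bool) (startPlan, error) {
	v4, v6, err := splitSources(sources)
	if err != nil {
		return startPlan{}, err
	}
	return startPlan{
		V4:      startCommands(trafficType, protocol, port, v4, false),
		V6:      startCommands(trafficType, protocol, port, v6, true),
		V6Fatal: ipv6OnlyTask,
	}, nil
}

func main() {
	// Constructed request mirroring the PR's manual test, plus an IPv4 block.
	p, err := planStart("egress", "tcp", 8000, []string{"::1", "10.0.0.0/8"}, false)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(append(p.V4, p.V6...), "\n"))
}
```

Running `main` prints the iptables and ip6tables command lines that reproduce the two chain listings in the transcript (an ACCEPT for `::1/128` in the IPv6 chain, a bare DROP in the IPv4 chain). The useful property for a status check is visible in `startPlan`: when `V6Fatal` is false, the IPv4 chain can exist while the IPv6 chain does not, which is exactly the case a status endpoint that only inspects the IPv4 table cannot distinguish.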
@@ -141,6 +145,8 @@ func (h *FaultHandler) StartNetworkBlackholePort() func(http.ResponseWriter, *ht
return
}

isIPv6OnlyTask := isIPv6OnlyTask(taskMetadata)
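Review bot: `isIPv6OnlyTask := isIPv6OnlyTask(taskMetadata)` shadows the function `isIPv6OnlyTask` with a bool of the same name for the rest of `StartNetworkBlackholePort`, so any later call to the function in this scope would fail to compile and a reader cannot tell at a glance which one a given use refers to. Rename the local (for example `ipv6Only := isIPv6OnlyTask(taskMetadata)`) or pass the call directly at the single point where the value is consumed.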
Contributor

nit: is this variable necessary? Can we pass in isIPv6OnlyTask(taskMetadata) directly on line 181?

@@ -542,7 +601,7 @@ func (h *FaultHandler) CheckNetworkBlackHolePort() func(http.ResponseWriter, *ht
}
}

// checkNetworkBlackHolePort will check if there's a running black hole port within the task network namespace based on the chain name and the passed in required request fields.
// checkNetworkBlackHolePort will check if there's a running black hole port within the task network namespace based on the chain in IPv4 tables.
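Review bot: the new comment on `checkNetworkBlackHolePort` says only the chain in the IPv4 tables is consulted but not why that is sufficient now that start also inserts a chain into the IPv6 table. Document the invariant the check relies on (both chains are inserted and removed together) and what status reports when the IPv4 chain exists but the ip6tables insert failed on a dual-stack task, since per the PR description an IPv6 table failure is only fatal for IPv6-only tasks; as written the endpoint would return "running" while IPv6 traffic on the port is not being dropped.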
Contributor

nit(non-blocking): might be helpful to provide a reason why we can just rely on checking the Ipv4 route tables to see if a BHP fault is running.

@@ -202,6 +203,7 @@ func NewNetworkFaultInjectionErrorResponse(err string) NetworkFaultInjectionResp
}
}

// validateNetworkFaultRequestSources validates each source is IPv4 or IPv4 CIDR block.
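Review bot: the comment "validateNetworkFaultRequestSources validates each source is IPv4 or IPv4 CIDR block" is stale for this PR, which adds IPv6 to SourcesToFilter. Either update it to "IPv4/IPv6 address or CIDR block" to match the new validation, or, if the function is no longer called anywhere, delete it together with the comment rather than leaving an unused validator that still encodes the IPv4-only rule.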
Contributor

Q: Are we still using this function anywhere?
