WIP: IPv6 support for Silk CNI and VXLAN policy agent

jobs/silk-cni/spec

@@ -86,13 +86,21 @@ properties:
       - 169.254.0.2:9001
       - 169.254.0.2:9002
 
+  host_tcp_services_ipv6:
+    description: "List of IPv6 TCP addresses running on the BOSH VM that should be accessible from containers.  The address must not be in the 127.0.0.0/8 range.  The network plugin will install an iptables INPUT rule for each service."
+    default: []
+
   host_udp_services:
     description: "List of UDP addresses running on the BOSH VM that should be accessible from containers.  The address must not be in the 127.0.0.0/8 range.  The network plugin will install an iptables INPUT rule for each service."
     default: []
     example: |
       - 169.254.0.2:9001
       - 169.254.0.2:9002
 
+  host_udp_services_ipv6:
+    description: "List of IPv6 UDP addresses running on the BOSH VM that should be accessible from containers.  The address must not be in the 127.0.0.0/8 range.  The network plugin will install an iptables INPUT rule for each service."
+    default: []
+
   deny_networks.always:
     default: []
     description: |
@@ -117,6 +125,30 @@ properties:
       Use with extreme caution and at your own risk.
       These rules apply during the staging process.
 
+  deny_networks_ipv6.always:
+    default: []
+    description: |
+      List of IPv6 CIDR blocks to which all containers will be denied access, regardless of security groups.
+      This can severely impact the network connectivity of applications.
+      Use with extreme caution and at your own risk.
+      These rules apply to all containers.
+
+  deny_networks_ipv6.running:
+    default: []
+    description: |
+      List of IPv6 CIDR blocks to which all containers will be denied access, regardless of security groups.
+      This can severely impact the network connectivity of applications.
+      Use with extreme caution and at your own risk.
+      These rules apply to running scheduled containers: apps and tasks.
+
+  deny_networks_ipv6.staging:
+    default: []
+    description: |
+      List of IPv6 CIDR blocks to which all containers will be denied access, regardless of security groups.
+      This can severely impact the network connectivity of applications.
+      Use with extreme caution and at your own risk.
+      These rules apply during the staging process.
+
   outbound_connections.limit:
     default: false
     description: "EXPERIMENTAL: Enables outbound connections count limiting per port on destination host per container."

jobs/silk-cni/templates/cni-wrapper-plugin.conflist.erb

@@ -85,11 +85,18 @@
       'dns_servers' => p('dns_servers'),
       'host_tcp_services' => p('host_tcp_services'),
       'host_udp_services' => p('host_udp_services'),
+      'host_tcp_services_ipv6' => p('host_tcp_services_ipv6'),
+      'host_udp_services_ipv6' => p('host_udp_services_ipv6'),
       'deny_networks' => {
         'always' => p('deny_networks.always'),
         'running' => p('deny_networks.running'),
         'staging' => p('deny_networks.staging'),
       },
+      'deny_networks_ipv6' => {
+        'always' => p('deny_networks_ipv6.always'),
+        'running' => p('deny_networks_ipv6.running'),
+        'staging' => p('deny_networks_ipv6.staging'),
+      },
       'delegate' => {
         'cniVersion' => '1.0.0',
         'name' => 'silk',

jobs/silk-daemon/templates/client-config.json.erb

@@ -7,6 +7,8 @@
     return network
   end
 
+  ipv6prefix = '2600:1f18:27b3:881e:53b7::/80'
+
   def subnet_prefix_length
     size = link('cf_network').p('subnet_prefix_length')
     if size < 1 || size > 30
@@ -60,7 +62,8 @@
     'log_prefix' => 'cfnetworking',
     'log_level' => p('logging.level'),
     'vxlan_interface_name' => p('temporary_vxlan_interface', ''),
-    'single_ip_only' => p('single_ip_only')
+    'single_ip_only' => p('single_ip_only'),
+    'ipv6_prefix' => ipv6prefix
   }
 
   JSON.pretty_generate(toRender)

src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib.go

@@ -43,7 +43,10 @@ type WrapperConfig struct {
 	DNSServers                      []string               `json:"dns_servers"`
 	HostTCPServices                 []string               `json:"host_tcp_services"`
 	HostUDPServices                 []string               `json:"host_udp_services"`
+	HostTCPServicesIPv6             []string               `json:"host_tcp_services_ipv6"`
+	HostUDPServicesIPv6             []string               `json:"host_udp_services_ipv6"`
 	DenyNetworks                    DenyNetworksConfig     `json:"deny_networks"`
+	DenyNetworksIPv6                DenyNetworksConfig     `json:"deny_networks_ipv6"`
 	UnderlayIPs                     []string               `json:"underlay_ips"`
 	TemporaryUnderlayInterfaceNames []string               `json:"temporary_underlay_interface_names"`
 	IPTablesASGLogging              bool                   `json:"iptables_asg_logging"`
@@ -118,6 +121,7 @@ func LoadWrapperConfig(bytes []byte) (*WrapperConfig, error) {
 type PluginController struct {
 	Delegator Delegator
 	IPTables  rules.IPTablesAdapter
+	IP6Tables rules.IPTablesAdapter
 }
 
 func getDelegateParams(netconf map[string]interface{}) (string, []byte, error) {