change egress ipv6 cidr from fd00::/8 to fd00::ac:00/118 and update R…

…EADME.md
aws · May 2, 2023 · 5cdee7d · 5cdee7d
1 parent 36e44ac
commit 5cdee7d
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -105,13 +105,23 @@ The following environment variables are available, and all of them are optional.
 
 ---
 
+#### `ENABLE_V6_EGRESS` (v1.13.0+)
+
+Type: Boolean as a String
+
+Default: `false`
+
+Specifies whether PODs in v4 cluster support IPv6 egress. If env is set to `true`, range fd00::ac:00/118 is reserved for PODs IPv6 egress.
+
+---
+
 #### `AWS_MANAGE_ENIS_NON_SCHEDULABLE` (v1.12.6+)
 
 Type: Boolean as a String
 
 Default: `false`
 
-Specifies whether IPAMD should allocate or deallocate ENIs on a non-schedulable node. 
+Specifies whether IPAMD should allocate or deallocate ENIs on a non-schedulable node.
 
 ---
 

diff --git a/cmd/aws-vpc-cni/main.go b/cmd/aws-vpc-cni/main.go
@@ -57,7 +57,7 @@ import (
 
 const (
 	egressPluginIpamSubnetV4     = "169.254.172.0/22"
-	egressPluginIpamSubnetV6     = "fd00::/8"
+	egressPluginIpamSubnetV6     = "fd00::ac:00/118"
 	egressPluginIpamDstV4        = "0.0.0.0/0"
 	egressPluginIpamDstV6        = "::/0"
 	egressPluginIpamDataDirV4    = "/run/cni/v6pd/egress-v4-ipam"

diff --git a/cmd/egress-cni-plugin/main_test.go b/cmd/egress-cni-plugin/main_test.go
@@ -175,7 +175,7 @@ func TestCmdAddV6(t *testing.T) {
 				"name":"aws-cni",
 				"enabled":"true",
 				"nodeIP": "2600::",
-				"ipam": {"type":"host-local","ranges":[[{"subnet": "fd00::/8"}]],"routes":[{"dst":"::/0"}],"dataDir":"/run/cni/v4pd/egress-v6-ipam"},
+				"ipam": {"type":"host-local","ranges":[[{"subnet": "fd00::ac:00/118"}]],"routes":[{"dst":"::/0"}],"dataDir":"/run/cni/v4pd/egress-v6-ipam"},
 				"pluginLogFile":"egress-plugin.log",
 				"pluginLogLevel":"DEBUG",
 				"podSGEnforcingMode":"strict",
@@ -243,7 +243,7 @@ func TestCmdDelV6(t *testing.T) {
 				"name":"aws-cni",
 				"enabled":"true",
 				"nodeIP": "2600::",
-				"ipam": {"type":"host-local","ranges":[[{"subnet": "fd00::/8"}]],"routes":[{"dst":"::/0"}],"dataDir":"/run/cni/v4pd/egress-v6-ipam"},
+				"ipam": {"type":"host-local","ranges":[[{"subnet": "fd00::ac:00/118"}]],"routes":[{"dst":"::/0"}],"dataDir":"/run/cni/v4pd/egress-v6-ipam"},
 				"pluginLogFile":"egress-plugin.log",
 				"pluginLogLevel":"DEBUG",
 				"podSGEnforcingMode":"strict",

diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go
@@ -250,7 +250,7 @@ func (n *linuxNetwork) setupRuleToBlockNodeLocalAccess(protocol iptables.Protoco
 	iptableCmd := "iptables"
 	if protocol == iptables.ProtocolIPv6 {
 		ipVersion = "v6"
-		localIpCidr = "fd00::/8"
+		localIpCidr = "fd00::ac:00/118"
 		iptableCmd = "ip6tables"
 	}
 

diff --git a/pkg/networkutils/network_test.go b/pkg/networkutils/network_test.go
@@ -250,7 +250,7 @@ func TestSetupHostNetworkNodePortEnabledAndSNATDisabled(t *testing.T) {
 		"filter": {
 			"FORWARD": [][]string{
 				{
-					"-d", "fd00::/8", "-m", "conntrack", "--ctstate", "NEW", "-m", "comment",
+					"-d", "fd00::ac:00/118", "-m", "conntrack", "--ctstate", "NEW", "-m", "comment",
 					"--comment", "Block Node Local Pod access via IPv6", "-j", "REJECT",
 				},
 			},
@@ -725,7 +725,7 @@ func TestUpdateHostIptablesRules(t *testing.T) {
 			"filter": {
 				"FORWARD": [][]string{
 					{
-						"-d", "fd00::/8", "-m", "conntrack", "--ctstate", "NEW", "-m", "comment",
+						"-d", "fd00::ac:00/118", "-m", "conntrack", "--ctstate", "NEW", "-m", "comment",
 						"--comment", "Block Node Local Pod access via IPv6", "-j", "REJECT",
 					},
 				},