Skip to content

Add IPv6 support for SecurityPolicy/NetworkPolicy#1394

Open
wenqiq wants to merge 1 commit intovmware-tanzu:mainfrom
wenqiq:topic/wenqi/securityPolicy-ipv6
Open

Add IPv6 support for SecurityPolicy/NetworkPolicy#1394
wenqiq wants to merge 1 commit intovmware-tanzu:mainfrom
wenqiq:topic/wenqi/securityPolicy-ipv6

Conversation

@wenqiq
Copy link
Copy Markdown
Contributor

@wenqiq wenqiq commented Mar 18, 2026

Add IPv6 support for SecurityPolicy and NetworkPolicy ipBlocks

Refactor IP arithmetic utilities in pkg/util/ip.go to use math/big
instead of uint32, enabling dual-stack (IPv4/IPv6) support for CIDR
range calculations including the except/exclusion logic. The previous
implementation was hardcoded to 32-bit IPv4 addresses, causing failures
when processing IPv6 CIDRs.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Mar 18, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 89.47368% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.81%. Comparing base (c3a71ec) to head (44036e2).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
pkg/util/ip.go 89.47% 2 Missing and 2 partials ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1394      +/-   ##
==========================================
+ Coverage   76.75%   76.81%   +0.05%     
==========================================
  Files         151      151              
  Lines       21308    21329      +21     
==========================================
+ Hits        16356    16383      +27     
+ Misses       3783     3773      -10     
- Partials     1169     1173       +4
Flag Coverage Δ
unit-tests 76.81% <89.47%> (+0.05%) ⬆️
Files with missing lines Coverage Δ
pkg/util/ip.go 84.89% <89.47%> (-1.29%) ⬇️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@wenqiq
Support IPv6 for SecurityPolicy/NetworkPolicy
44036e2 
Signed-off-by: Wenqi Qiu <wenqi.qiu@broadcom.com>
@wenqiq wenqiq force-pushed the topic/wenqi/securityPolicy-ipv6 branch from 03550cd to 44036e2 Compare March 19, 2026 08:28
@wenqiq wenqiq changed the title [WIP]Add IPv6 support for SecurityPolicy/NetworkPolicy Add IPv6 support for SecurityPolicy/NetworkPolicy Mar 19, 2026
@wenqiq wenqiq marked this pull request as ready for review March 19, 2026 09:10
yanjunz97
yanjunz97 reviewed Mar 30, 2026
View reviewed changes
test/e2e/nsx_ipv6_policy_test.go
)

const (
NsIPv6Policy = "e2e-ipv6-policy"
Copy link
Copy Markdown
Contributor

@yanjunz97 yanjunz97 Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NsIPv6Policy = "e2e-ipv6-policy"+getRandomString()
Let's add a random suffix to avoid the ns failed to be deleted in previous e2e test blocking the following e2e tests.

test/e2e/nsx_ipv6_policy_test.go
defer deadlineCancel()

ns := NsIPv6Policy
setupNamespace(t, ns)
Copy link
Copy Markdown
Contributor

@yanjunz97 yanjunz97 Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As all the tests share the same namespace, maybe we can create the namespace in test/e2e/e2e_namespaces.go and run the tests parallel here?

pkg/util/ip.go
return ip.To4() == nil
}

func CalculateIPFromCIDRs(IPAddresses []string) (int, error) {
Copy link
Copy Markdown
Contributor

@yanjunz97 yanjunz97 Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function may not fully support ipv6 as int is not large enough for all ipv6 subnet size. As this function is not used for security policy, may be we can leave a comment here to mention this and re-valuate it when nsx ipv6 support for subnet is ready.

pkg/util/ip.go
return ip
}

func calculateOffsetIP(ip net.IP, offset int) (net.IP, error) {
Copy link
Copy Markdown
Contributor

@yanjunz97 yanjunz97 Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like this function never returns error, maybe change (net.IP, error) -> net.IP?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yanjunz97 yanjunz97 yanjunz97 left review comments

@timdengyun timdengyun Awaiting requested review from timdengyun

@heypnus heypnus Awaiting requested review from heypnus

@lxiaopei lxiaopei Awaiting requested review from lxiaopei

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wenqiq @codecov-commenter @yanjunz97