6 files changed, 94 insertions, 25 deletions

diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
index b5db9f5eddd..9d7ae9759c3 100644
--- a/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/ModelContext.java
@@ -59,6 +59,8 @@ public interface ModelContext {
         boolean useAdaptiveDispatch();
         // TODO: Remove when 7.61 is the oldest model in use
         default boolean enableMetricsProxyContainer() { return false; }
+        // TODO: Remove temporary default implementation
+        default Optional<TlsSecrets> tlsSecrets() { return Optional.empty(); }
     }
 
 }
diff --git a/config-model-api/src/main/java/com/yahoo/config/model/api/TlsSecrets.java b/config-model-api/src/main/java/com/yahoo/config/model/api/TlsSecrets.java
new file mode 100644
index 00000000000..3cb4cedcbac
--- /dev/null
+++ b/config-model-api/src/main/java/com/yahoo/config/model/api/TlsSecrets.java
@@ -0,0 +1,30 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.config.model.api;
+
+ public class TlsSecrets {
+    public static final TlsSecrets MISSING = new TlsSecrets();
+
+     private final String certificate;
+    private final String key;
+
+     private TlsSecrets() {
+        this(null,null);
+    }
+
+     public TlsSecrets(String certificate, String key) {
+        this.certificate = certificate;
+        this.key = key;
+    }
+
+     public String certificate() {
+        return certificate;
+    }
+
+     public String key() {
+        return key;
+    }
+
+     public boolean isMissing() {
+        return this == MISSING;
+    }
+}
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index 66c8da86403..1b7ed1fb21e 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -69,6 +69,12 @@ public class Flags {
             "Takes effect on next node agent tick. Change is orchestrated, but does NOT require container restart",
             HOSTNAME, APPLICATION_ID);
 
+    public static final UnboundBooleanFlag SUPPORT_DHCPV6_IN_AWS = defineFeatureFlag(
+            "support-dhcpv6-in-aws", true,
+            "Whether to open up for DHCPv6 traffic in AWS. Old behavior is false.",
+            "Takes effect on next tick in host-admin, except FirewallTask which requires a restart of host-admin",
+            HOSTNAME);
+
     public static final UnboundStringFlag TLS_INSECURE_MIXED_MODE = defineStringFlag(
             "tls-insecure-mixed-mode", "tls_client_mixed_server",
             "TLS insecure mixed mode. Allowed values: ['plaintext_client_mixed_server', 'tls_client_mixed_server', 'tls_client_tls_server']",
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/network/IPVersion.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/network/IPVersion.java
index de80d4dca18..4cc825dacd6 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/network/IPVersion.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/network/IPVersion.java
@@ -15,52 +15,53 @@ import java.util.regex.Pattern;
  */
 public enum IPVersion {
 
-    IPv6(6, "ip6tables", "ip -6", "ipv6-icmp", "/128", "icmp6-port-unreachable", "ip6tables-restore"),
-    IPv4(4, "iptables", "ip", "icmp", "/32", "icmp-port-unreachable", "iptables-restore");
+    IPv6(6, "ip6tables", "ip -6", "ipv6-icmp", 128, "icmp6-port-unreachable", "ip6tables-restore", "fe80::/10"),
+    IPv4(4, "iptables", "ip", "icmp", 32, "icmp-port-unreachable", "iptables-restore", "169.254.0.0/16");
 
     private static final Pattern cidrNotationPattern = Pattern.compile("/\\d+$");
 
     IPVersion(int version, String iptablesCmd, String ipCmd,
-              String icmpProtocol, String singleHostCidr, String icmpPortUnreachable,
-              String iptablesRestore) {
+              String icmpProtocol, int size, String icmpPortUnreachable,
+              String iptablesRestore, String linkLocalCidr) {
         this.version = version;
         this.ipCmd = ipCmd;
         this.iptablesCmd = iptablesCmd;
         this.icmpProtocol = icmpProtocol;
-        this.singleHostCidr = singleHostCidr;
+        this.size = size;
         this.icmpPortUnreachable = icmpPortUnreachable;
         this.iptablesRestore = iptablesRestore;
+        this.linkLocalCidr = linkLocalCidr;
     }
 
     private final int version;
     private final String iptablesCmd;
     private final String ipCmd;
     private final String icmpProtocol;
-    private final String singleHostCidr;
+    private final int size;
     private final String icmpPortUnreachable;
     private final String iptablesRestore;
+    private final String linkLocalCidr;
 
-    public int version() {
-        return version;
-    }
-    public String versionString() {
-        return String.valueOf(version);
-    }
-    public String iptablesCmd() {
-        return iptablesCmd;
-    }
-    public String iptablesRestore() {
-        return iptablesRestore;
-    }
-    public String ipCmd() {
-        return ipCmd;
-    }
-    public String icmpProtocol() {
-        return icmpProtocol;
-    }
-    public String singleHostCidr() { return singleHostCidr; }
+    /** The ID of the IP version, either IPv4 or IPv6. */
+    public String id() { return "IPv" + version; }
+
+    /** The IP version, either 4 or 6 */
+    public int version() { return version; }
+
+    public String versionString() { return String.valueOf(version); }
+    public String iptablesCmd() { return iptablesCmd; }
+    public String iptablesRestore() { return iptablesRestore;}
+    public String ipCmd() { return ipCmd; }
+    public String icmpProtocol() { return icmpProtocol; }
+    public String singleHostCidr() { return "/" + size; }
     public String icmpPortUnreachable() { return icmpPortUnreachable; }
 
+    /** The address size (in bits) of the IP version: 32 or 128. */
+    public int addressSize() { return size; }
+
+    /** Both IPv4 and IPv6 have exactly one link-local address space: 169.254.0.0/16 or fe80::/10. */
+    public String linkLocalAddressCidr() { return linkLocalCidr; }
+
     public boolean match(InetAddress address) {
         return this == IPVersion.get(address);
     }
diff --git a/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.cpp b/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.cpp
index 0a11203c390..bf7b659dea7 100644
--- a/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.cpp
+++ b/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.cpp
@@ -68,6 +68,20 @@ void optimize_source_blenders(IntermediateBlueprint &self, size_t begin_idx) {
     }
 }
 
+void
+need_normal_features_for_children(const IntermediateBlueprint &blueprint, fef::MatchData &md)
+{
+    for (size_t i = 0; i < blueprint.childCnt(); ++i) {
+        const Blueprint::State &cs = blueprint.getChild(i).getState();
+        for (size_t j = 0; j < cs.numFields(); ++j) {
+            auto *tfmd = cs.field(j).resolve(md);
+            if (tfmd != nullptr) {
+                tfmd->setNeedNormalFeatures(true);
+            }
+        }
+    }
+}
+
 } // namespace search::queryeval::<unnamed>
 
 //-----------------------------------------------------------------------------
@@ -375,6 +389,13 @@ NearBlueprint::inheritStrict(size_t i) const
 }
 
 SearchIterator::UP
+NearBlueprint::createSearch(fef::MatchData &md, bool strict) const
+{
+    need_normal_features_for_children(*this, md);
+    return IntermediateBlueprint::createSearch(md, strict);
+}
+
+SearchIterator::UP
 NearBlueprint::createIntermediateSearch(const MultiSearch::Children &subSearches,
                                         bool strict, search::fef::MatchData &md) const
 {
@@ -416,6 +437,13 @@ ONearBlueprint::inheritStrict(size_t i) const
 }
 
 SearchIterator::UP
+ONearBlueprint::createSearch(fef::MatchData &md, bool strict) const
+{
+    need_normal_features_for_children(*this, md);
+    return IntermediateBlueprint::createSearch(md, strict);
+}
+
+SearchIterator::UP
 ONearBlueprint::createIntermediateSearch(const MultiSearch::Children &subSearches,
                                          bool strict, search::fef::MatchData &md) const
 {
diff --git a/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.h b/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.h
index 440794c25d8..a217c8f303d 100644
--- a/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.h
+++ b/searchlib/src/vespa/searchlib/queryeval/intermediate_blueprints.h
@@ -102,6 +102,7 @@ public:
     bool should_optimize_children() const override { return false; }
     void sort(std::vector<Blueprint*> &children) const override;
     bool inheritStrict(size_t i) const override;
+    SearchIteratorUP createSearch(fef::MatchData &md, bool strict) const override;
     SearchIterator::UP
     createIntermediateSearch(const MultiSearch::Children &subSearches,
                              bool strict, fef::MatchData &md) const override;
@@ -122,6 +123,7 @@ public:
     bool should_optimize_children() const override { return false; }
     void sort(std::vector<Blueprint*> &children) const override;
     bool inheritStrict(size_t i) const override;
+    SearchIteratorUP createSearch(fef::MatchData &md, bool strict) const override;
     SearchIterator::UP
     createIntermediateSearch(const MultiSearch::Children &subSearches,
                              bool strict, fef::MatchData &md) const override;