diff --git a/.github/buildomat/jobs/deploy.sh b/.github/buildomat/jobs/deploy.sh index 8b8796810c2..0eb7a6c7168 100644 --- a/.github/buildomat/jobs/deploy.sh +++ b/.github/buildomat/jobs/deploy.sh @@ -2,7 +2,7 @@ #: #: name = "helios / deploy" #: variety = "basic" -#: target = "lab-netdev" +#: target = "lab-opte-0.19" #: output_rules = [ #: "%/var/svc/log/system-illumos-sled-agent:default.log", #: "%/zone/oxz_nexus/root/var/svc/log/system-illumos-nexus:default.log", diff --git a/Cargo.lock b/Cargo.lock index c9ef405ee7f..03627c6eaaa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2676,7 +2676,7 @@ dependencies = [ [[package]] name = "illumos-sys-hdrs" version = "0.1.0" -source = "git+https://github.com/oxidecomputer/opte?rev=23fdf5856f10f23e2d26865d2d7e2d3bc537bca3#23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" +source = "git+https://github.com/oxidecomputer/opte?rev=f501445f5a6c275c79f08a876fff6a861df31d46#f501445f5a6c275c79f08a876fff6a861df31d46" [[package]] name = "impl-trait-for-tuples" @@ -2955,7 +2955,7 @@ checksum = "f9b7d56ba4a8344d6be9729995e6b06f928af29998cdf79fe390cbf6b1fee838" [[package]] name = "kstat-macro" version = "0.1.0" -source = "git+https://github.com/oxidecomputer/opte?rev=23fdf5856f10f23e2d26865d2d7e2d3bc537bca3#23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" +source = "git+https://github.com/oxidecomputer/opte?rev=f501445f5a6c275c79f08a876fff6a861df31d46#f501445f5a6c275c79f08a876fff6a861df31d46" dependencies = [ "quote", "syn", @@ -4093,7 +4093,7 @@ dependencies = [ [[package]] name = "opte" version = "0.1.0" -source = "git+https://github.com/oxidecomputer/opte?rev=23fdf5856f10f23e2d26865d2d7e2d3bc537bca3#23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" +source = "git+https://github.com/oxidecomputer/opte?rev=f501445f5a6c275c79f08a876fff6a861df31d46#f501445f5a6c275c79f08a876fff6a861df31d46" dependencies = [ "cfg-if 0.1.10", "dyn-clone", 
@@ -4104,13 +4104,14 @@ dependencies = [ "postcard", "serde", "smoltcp", + "version_check", "zerocopy 0.6.1", ] [[package]] name = "opte-api" version = "0.1.0" -source = "git+https://github.com/oxidecomputer/opte?rev=23fdf5856f10f23e2d26865d2d7e2d3bc537bca3#23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" +source = "git+https://github.com/oxidecomputer/opte?rev=f501445f5a6c275c79f08a876fff6a861df31d46#f501445f5a6c275c79f08a876fff6a861df31d46" dependencies = [ "cfg-if 0.1.10", "illumos-sys-hdrs", @@ -4122,7 +4123,7 @@ dependencies = [ [[package]] name = "opte-ioctl" version = "0.1.0" -source = "git+https://github.com/oxidecomputer/opte?rev=23fdf5856f10f23e2d26865d2d7e2d3bc537bca3#23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" +source = "git+https://github.com/oxidecomputer/opte?rev=f501445f5a6c275c79f08a876fff6a861df31d46#f501445f5a6c275c79f08a876fff6a861df31d46" dependencies = [ "libc", "libnet", @@ -4184,7 +4185,7 @@ dependencies = [ [[package]] name = "oxide-vpc" version = "0.1.0" -source = "git+https://github.com/oxidecomputer/opte?rev=23fdf5856f10f23e2d26865d2d7e2d3bc537bca3#23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" +source = "git+https://github.com/oxidecomputer/opte?rev=f501445f5a6c275c79f08a876fff6a861df31d46#f501445f5a6c275c79f08a876fff6a861df31d46" dependencies = [ "cfg-if 0.1.10", "illumos-sys-hdrs", diff --git a/Cargo.toml b/Cargo.toml index 8415fbdb16d..efa5e5ba03f 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -169,7 +169,7 @@ omicron-package = { path = "package" }
 omicron-sled-agent = { path = "sled-agent" }
 omicron-test-utils = { path = "test-utils" }
 omicron-zone-package = "0.5.1"
-oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "23fdf5856f10f23e2d26865d2d7e2d3bc537bca3", features = [ "api", "std" ] }
+oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "f501445f5a6c275c79f08a876fff6a861df31d46", features = [ "api", "std" ] }
 once_cell = "1.17.0"
 openapi-lint = { git = "https://github.com/oxidecomputer/openapi-lint", branch = "main" }
 openapiv3 = "1.0"
@@ -177,7 +177,7 @@ openapiv3 = "1.0"
 openssl = "0.10"
 openssl-sys = "0.9"
 openssl-probe = "0.1.2"
-opte-ioctl = { git = "https://github.com/oxidecomputer/opte", rev = "23fdf5856f10f23e2d26865d2d7e2d3bc537bca3" }
+opte-ioctl = { git = "https://github.com/oxidecomputer/opte", rev = "f501445f5a6c275c79f08a876fff6a861df31d46" }
 oso = "0.26"
 oximeter = { path = "oximeter/oximeter" }
 oximeter-client = { path = "oximeter-client" }
diff --git a/nexus/defaults/src/lib.rs b/nexus/defaults/src/lib.rs
index 3474804cfa0..be1ce2193cd 100644
--- a/nexus/defaults/src/lib.rs
+++ b/nexus/defaults/src/lib.rs
@@ -58,16 +58,6 @@ lazy_static! {
 "action": "allow",
 "priority": 65534,
 "description": "allow inbound ICMP traffic from anywhere"
- },
- {
- "name": "allow-rdp",
- "status": "enabled",
- "direction": "inbound",
- "targets": [ { "type": "vpc", "value": "default" } ],
- "filters": { "ports": [ "3389" ], "protocols": [ "TCP" ] },
- "action": "allow",
- "priority": 65534,
- "description": "allow inbound TCP connections on port 3389 from anywhere"
 }
 ]
 }"#).unwrap();
diff --git a/nexus/tests/integration_tests/vpc_firewall.rs b/nexus/tests/integration_tests/vpc_firewall.rs
index ebd2a0b98ce..fcc1b58b06d 100644
--- a/nexus/tests/integration_tests/vpc_firewall.rs
+++ b/nexus/tests/integration_tests/vpc_firewall.rs
@@ -234,33 +234,6 @@ fn is_default_firewall_rules(
 priority: VpcFirewallRulePriority(65534),
 vpc_id: Uuid::new_v4(),
 },
- VpcFirewallRule {
- identity: IdentityMetadata {
- id: "dd166833-cd79-4279-beb0-186cadb982ce".parse().unwrap(),
- name: "allow-rdp".parse().unwrap(),
- description:
- "allow inbound TCP connections on port 3389 from anywhere"
- .to_string(),
- time_created: "2021-11-16T00:24:06.027404Z".parse().unwrap(),
- time_modified: "2021-11-16T00:24:06.027404Z".parse().unwrap(),
- },
- status: VpcFirewallRuleStatus::Enabled,
- direction: VpcFirewallRuleDirection::Inbound,
- targets: vec![VpcFirewallRuleTarget::Vpc(
- vpc_name.parse().unwrap(),
- )],
- filters: VpcFirewallRuleFilter {
- hosts: None,
- protocols: Some(vec![VpcFirewallRuleProtocol::Tcp]),
- ports: Some(vec![L4PortRange {
- first: L4Port::try_from(3389).unwrap(),
- last: L4Port::try_from(3389).unwrap(),
- }]),
- },
- action: VpcFirewallRuleAction::Allow,
- priority: VpcFirewallRulePriority(65534),
- vpc_id: Uuid::new_v4(),
- },
 VpcFirewallRule {
 identity: IdentityMetadata {
 id: "4cb76726-4cb6-4bc2-8d32-71c36e3881d4".parse().unwrap(),
diff --git a/sled-agent/src/opte/illumos/firewall_rules.rs b/sled-agent/src/opte/illumos/firewall_rules.rs
index c3332f5d9bb..4a1cd8011b4 100644
--- a/sled-agent/src/opte/illumos/firewall_rules.rs
+++ b/sled-agent/src/opte/illumos/firewall_rules.rs
@@ -12,10 +12,10 @@ use omicron_common::api::external::VpcFirewallRuleAction;
 use omicron_common::api::external::VpcFirewallRuleDirection;
 use omicron_common::api::external::VpcFirewallRuleProtocol;
 use omicron_common::api::external::VpcFirewallRuleStatus;
-use oxide_vpc::api::Action;
 use oxide_vpc::api::Address;
 use oxide_vpc::api::Direction;
 use oxide_vpc::api::Filters;
+use oxide_vpc::api::FirewallAction;
 use oxide_vpc::api::FirewallRule;
 use oxide_vpc::api::Ipv4Cidr;
 use oxide_vpc::api::Ipv4PrefixLen;
@@ -24,7 +24,7 @@ use oxide_vpc::api::ProtoFilter; use oxide_vpc::api::Protocol; trait FromVpcFirewallRule { - fn action(&self) -> Action; + fn action(&self) -> FirewallAction; fn direction(&self) -> Direction; fn disabled(&self) -> bool; fn hosts(&self) -> Vec
; @@ -34,10 +34,10 @@ trait FromVpcFirewallRule { } impl FromVpcFirewallRule for VpcFirewallRule { - fn action(&self) -> Action { + fn action(&self) -> FirewallAction { match self.action { - VpcFirewallRuleAction::Allow => Action::Allow, - VpcFirewallRuleAction::Deny => Action::Deny, + VpcFirewallRuleAction::Allow => FirewallAction::Allow, + VpcFirewallRuleAction::Deny => FirewallAction::Deny, } } diff --git a/sled-agent/src/opte/illumos/port_manager.rs b/sled-agent/src/opte/illumos/port_manager.rs index 9fa694f1aff..67879a504d1 100644 --- a/sled-agent/src/opte/illumos/port_manager.rs +++ b/sled-agent/src/opte/illumos/port_manager.rs @@ -278,7 +278,7 @@ impl PortManager { snat, external_ips: external_ip, }), - private_mac: MacAddr::from(mac.into_array()), + guest_mac: MacAddr::from(mac.into_array()), gateway_mac: MacAddr::from(gateway.mac.into_array()), vni, phys_ip: self.inner.underlay_ip.into(), @@ -302,7 +302,16 @@ impl PortManager { ); // Initialize firewall rules for the new port. - let rules = opte_firewall_rules(firewall_rules, &vni, &mac); + let mut rules = opte_firewall_rules(firewall_rules, &vni, &mac); + + // TODO-remove: This is part of the external IP hack. + // + // We need to allow incoming ARP packets past the firewall layer so + // that they may be handled properly at the gateway layer. + rules.push( + "dir=in priority=65534 protocol=arp action=allow".parse().unwrap(), + ); + debug!( self.inner.log, "Setting firewall rules"; diff --git a/tools/install_opte.sh b/tools/install_opte.sh index 14ea25bac47..e12da557a3f 100755 --- a/tools/install_opte.sh +++ b/tools/install_opte.sh 
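Review bot: The ARP allow rule pushed in the second port_manager.rs hunk (@@ -302) is attached only on this port-creation path, so if firewall rules are re-applied to an existing port somewhere else (for instance when a VPC's rules are updated), that path presumably rebuilds the list from `opte_firewall_rules` without it and the gateway-layer ARP handling would regress; folding the rule into `opte_firewall_rules`, or into a helper both paths call, keeps them in sync. Parsing the literal with `.unwrap()` is acceptable for a constant, but `expect("static ARP allow rule must parse")` states why it cannot fail, and naming it `const ARP_ALLOW_RULE: &str = "dir=in priority=65534 protocol=arp action=allow";` beside the TODO-remove comment keeps the hack in one greppable place. The rule also shares priority 65534 with the default rules in nexus/defaults, which deserves a sentence in the comment if its position relative to the user's rules matters. The enclosing method starts and ends outside the hunk.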
@@ -122,7 +122,7 @@ function add_publisher {
 # `helios-netdev` provides the xde kernel driver and the `opteadm` userland tool
 # for interacting with it.
 HELIOS_NETDEV_BASE_URL="https://buildomat.eng.oxide.computer/public/file/oxidecomputer/opte/repo"
-HELIOS_NETDEV_COMMIT="23fdf5856f10f23e2d26865d2d7e2d3bc537bca3"
+HELIOS_NETDEV_COMMIT="f501445f5a6c275c79f08a876fff6a861df31d46"
 HELIOS_NETDEV_REPO_URL="$HELIOS_NETDEV_BASE_URL/$HELIOS_NETDEV_COMMIT/opte.p5p"
 HELIOS_NETDEV_REPO_SHA_URL="$HELIOS_NETDEV_BASE_URL/$HELIOS_NETDEV_COMMIT/opte.p5p.sha256"
 HELIOS_NETDEV_REPO_PATH="$XDE_DIR/$(basename "$HELIOS_NETDEV_REPO_URL")"