Conversation

@plotnick (Contributor) commented Nov 1, 2022

Fixes #1756 (using option 3) and fixes #1821 (using new OPTE default actions and proper VPC/VNI host filters). Depends on #1904.

@plotnick (Contributor, Author) commented Nov 1, 2022

The test failure on helios / deploy (BadApiVersion { user: 18, kernel: 15 }) should go away as soon as #1904 is merged.

@rzezeski (Contributor) commented Nov 2, 2022

I'm not sure the VpcAddress name makes sense, as the hosts/address filter could be for a VPC Subnet address or any address at all. Also, based on RFD 21 table 14, it seems like the VPC "target/filter" is meant to always target the entire VPC. So when used as a firewall host filter it should probably always result in an Address::Vni value.

Do we need to update the DEFAULT_FIREWALL_RULES value to use the new VNI filter, or does it just do the right thing now based on what "default" means?

@plotnick (Contributor, Author) commented Nov 2, 2022

> I'm not sure the VpcAddress name makes sense.

Yeah, I'm not wild about the name either. But we need an enum like this (though maybe called something different) that is either an IP address/network or a VNI indicating a VPC. Alternatively, we could (as OPTE did) push the VNI address type down into IpNet, but then that would be poorly named, because it could then designate networks by non-IP-address means. So I prefer the former route, but am open to naming suggestions. VpcOrIpNet? VpcNet? Net?

> Do we need to update the DEFAULT_FIREWALL_RULES value to use the new VNI filter, or does it just do the right thing now based on what "default" means?

The latter (i.e., no update is needed). Any host filter of "type": "vpc" (e.g., the one for default) will be translated into a VNI. (As a target it does what it did before, which is to either apply or not apply the rule depending on whether the instance is in the VPC.) For instance, here's the result of opteadm dump-layer firewall -p opte0 after booting a new instance with the default firewall rules:

Inbound Rules [Default: deny]
----------------------------------------------------------------------
ID       PRI    PREDICATES                                       ACTION            
2        65534  inner.ip.proto=TCP                               "Stateful Allow"
                inner.ulp.dst=22                                

1        65534  meta: vni=12897409                               "Stateful Allow"
0        65534  inner.ip.proto=ICMP                              "Stateful Allow"

Outbound Rules [Default: stateful allow]
----------------------------------------------------------------------
ID       PRI    PREDICATES                                       ACTION            

Rule ID 0 is allow-icmp (from anywhere), 1 is allow-internal-inbound (just from the VPC, identified by VNI), and 2 is allow-ssh (from anywhere).
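An added example (my own illustration, not omicron or OPTE code) of the translation described in the comment above: an external host filter of type "vpc" is resolved to a VNI before it reaches the dataplane, an IP filter stays an IP-prefix match, and the resulting rules key on the encapsulation VNI rather than the inner source address. It then evaluates the three default inbound rules from the dump (allow-ssh, allow-internal-inbound, allow-icmp, default deny) against constructed packets. The names `HostFilter`, `HostIdentifier`, `Rule`, `Packet`, `resolve` and `inbound_verdict`, the hand-rolled `to_json` (mirroring the `tag = "type", content = "value"` serde shape), and the VNI value are all assumptions for illustration; only the rule names and VNI number come from the thread.

```rust
// Added example, not omicron or OPTE code. Models "external host filter ->
// internal identifier" translation and evaluates the default inbound rules.
// All type and function names here are hypothetical.
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// Geneve virtual network identifier (24 bits), assumed to identify one VPC.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Vni(pub u32);

/// External-API style host filter: a VPC is referred to by name, not by VNI.
#[derive(Clone, Debug, PartialEq)]
pub enum HostFilter {
    Vpc(String),
    Ip(Ipv4Addr),
    IpNet(Ipv4Addr, u8),
}

/// Internal identifier handed to the dataplane: an IP prefix or a whole VPC.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum HostIdentifier {
    Ip(Ipv4Addr, u8),
    Vpc(Vni),
}

impl HostIdentifier {
    /// Hand-rolled adjacently tagged JSON, the shape serde produces for
    /// `#[serde(tag = "type", content = "value", rename_all = "snake_case")]`.
    pub fn to_json(&self) -> String {
        match self {
            HostIdentifier::Ip(net, prefix) => {
                format!("{{\"type\":\"ip\",\"value\":\"{}/{}\"}}", net, prefix)
            }
            HostIdentifier::Vpc(vni) => format!("{{\"type\":\"vpc\",\"value\":{}}}", vni.0),
        }
    }
}

/// Resolve an external filter. A VPC name is replaced by its VNI; an unknown
/// name is an error rather than a filter that silently matches nothing.
pub fn resolve(filter: &HostFilter, vpcs: &HashMap<String, Vni>) -> Result<HostIdentifier, String> {
    match filter {
        HostFilter::Vpc(name) => vpcs
            .get(name)
            .copied()
            .map(HostIdentifier::Vpc)
            .ok_or_else(|| format!("unknown VPC {name}")),
        HostFilter::Ip(addr) => Ok(HostIdentifier::Ip(*addr, 32)),
        HostFilter::IpNet(net, prefix) => Ok(HostIdentifier::Ip(*net, *prefix)),
    }
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Proto { Tcp, Udp, Icmp }

/// What the dataplane sees: inner headers plus the encapsulation VNI.
pub struct Packet { pub src: Ipv4Addr, pub vni: Vni, pub proto: Proto, pub dst_port: Option<u16> }

pub struct Rule {
    pub name: &'static str,
    pub hosts: Option<HostIdentifier>, // None = from anywhere
    pub proto: Option<Proto>,
    pub dst_port: Option<u16>,
}

fn in_prefix(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - u32::from(prefix)) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

impl Rule {
    pub fn matches(&self, p: &Packet) -> bool {
        let host_ok = match self.hosts {
            None => true,
            Some(HostIdentifier::Ip(net, prefix)) => in_prefix(p.src, net, prefix),
            // A VPC filter keys on the VNI, never on the inner source address.
            Some(HostIdentifier::Vpc(vni)) => p.vni == vni,
        };
        host_ok
            && self.proto.map_or(true, |pr| pr == p.proto)
            && self.dst_port.map_or(true, |d| p.dst_port == Some(d))
    }
}

/// The three default inbound rules from the dump above, in evaluation order.
pub fn default_inbound_rules(vpc: Vni) -> Vec<Rule> {
    vec![
        Rule { name: "allow-ssh", hosts: None, proto: Some(Proto::Tcp), dst_port: Some(22) },
        Rule { name: "allow-internal-inbound", hosts: Some(HostIdentifier::Vpc(vpc)), proto: None, dst_port: None },
        Rule { name: "allow-icmp", hosts: None, proto: Some(Proto::Icmp), dst_port: None },
    ]
}

/// Inbound default is deny: the first matching allow rule is named, else None.
pub fn inbound_verdict(rules: &[Rule], p: &Packet) -> Option<&'static str> {
    rules.iter().find(|r| r.matches(p)).map(|r| r.name)
}

fn main() {
    let vpcs = HashMap::from([("default".to_string(), Vni(12897409))]);
    let id = resolve(&HostFilter::Vpc("default".to_string()), &vpcs).unwrap();
    println!("{}", id.to_json());
    let rules = default_inbound_rules(Vni(12897409));
    let p = Packet { src: Ipv4Addr::new(172, 30, 0, 5), vni: Vni(1), proto: Proto::Udp, dst_port: Some(53) };
    println!("{:?}", inbound_verdict(&rules, &p));
}
```

The check worth keeping in mind from this model: a packet whose inner source address lies inside the VPC's address range but that arrives with a different VNI is still denied by allow-internal-inbound, because the VPC filter never consults the inner IP. That is what makes the VNI predicate in rule 1 of the dump the right shape for "from the VPC".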

@rzezeski (Contributor) commented Nov 2, 2022

> I'm not sure the VpcAddress name makes sense.
>
> Yeah, I'm not wild about the name either. But we need an enum like this (though maybe called something different) that is either an IP address/network or a VNI indicating a VPC. Alternatively, we could (as OPTE did) push the VNI address type down into IpNet, but then that would be poorly named, because it could then designate networks by non-IP-address means. So I prefer the former route, but am open to naming suggestions. VpcOrIpNet? VpcNet? Net?

Okay. For me I read VpcAddress as "this is a VPC address", but now I see you mean "this is a VPC or an address" (and I just noticed you stated this in the code comment). I think that was part of my confusion. I defer to others who spend more time working on the control plane. In fact, I think @bnaecker or someone else should also review this since I'm less familiar with some of the other bits here.

That said, this seems good to me.

@plotnick plotnick requested a review from bnaecker November 2, 2022 19:16
@bnaecker (Collaborator) left a comment

Looks good, thanks! A suggestion to help resolve the naming issue @rzezeski brought up, but otherwise great.

/// or an entire VPC (identified by its VNI).
#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, JsonSchema)]
#[serde(tag = "type", content = "value", rename_all = "snake_case")]
pub enum VpcAddress {
Collaborator commented:

I think I understand why this enum exists, to cover the ways we ascribe a firewall rule to a set of hosts. Would a name more like HostIdentifier be appropriate?

I also wonder whether this needs to live in the external API. There are no external calls that should see this, AFAICT, so common/src/api/internal/mod.rs might be more appropriate. There may be some Rust visibility or Cargo dependency that makes that less attractive, but it might be nice to investigate.

Contributor Author commented:

HostIdentifier is a great suggestion, thanks! And good call on the internal API; I always forget that we have that. Renamed and moved in 47361a5.

(Minor follow-up question: after much playing around with building, rebuilding, and running the various _openapi tests with EXPECTORATE=overwrite, I still can't figure out why HostIdentifier shows up in sled-agent.json but not nexus-internal.json. The build seems happy, so I'm not going to sweat it, but I'm still a bit confused.)

Collaborator commented:

That might be a question for @ahl! It's possible that types only show up in the OpenAPI output when they are actually needed to make requests to a given server. Since this type is technically only used by Nexus making calls to the sled agent, only including needed names could explain it. But that's a WAG :)

Base automatically changed from update-opte to main February 16, 2023 20:45
@luqmana luqmana merged commit d1bc621 into main Feb 16, 2023
@luqmana luqmana deleted the vpc-firewall branch February 16, 2023 22:22
Development

Successfully merging this pull request may close these issues:

Default firewall rules don't match up with RFD 21
Update firewall rule host filters with type VPC

5 participants