Plumb firewall rules

[plotnick]

Plumb VPC firewall rules through Nexus → sled-agent → OPTE. Builds on @bnaecker's work in the propagate-firewall-rules-to-sled branch, which in turn was based on work started in PR #465.

Outstanding issues:

• Target interfaces are matched by MAC address only right now. Is this ok? Use (VNI, MAC) pair to match.
• IP and network targets are not yet supported. The console doesn't support these yet either, but the API does.
• Send default rules to sled agent on instance creation. Right now rules are only sent on VPC creation and rule updates. Fixes Send current firewall rules applying to a guest in the sled agent instance-creation request #1017.
• Missing integration tests (issue Need VPC firewall rule integration tests #1792). I have tested this manually with multiple instances and a small variety of targets and host filters, but we definitely need automated tests.
• Fix existing tests, which are now failing with cross-VPC firewall target unsupported

[zephraph]

Feel free to create an issue in the console repo to capture whatever is missing.

[bnaecker]

This is a lot of great work, thanks for taking it on! I see your TODO-list on the PR comment itself. Is the plan to tackle those now as part of this PR? Or are those going to be separate issues?

[bnaecker]

Just checking that the intent is to silently ignore targets other than VPCs, rather than, say, returning 400. Maybe when we add IP address and subnet targets, we should have a catchall that returns 400?

[plotnick]

1dc02d3 now raises an error for these cases, which should never occur (if they do, it's because we made a mistake in specifying DEFAULT_FIREWALL_RULES).

[bnaecker]

Same question here.

[plotnick]

Fixed in 1dc02d3.

[bnaecker]

We're splitting up interfaces by instance, VPC, and VPC Subnet here. Below, in the compilation loop starting on L600, we then push these onto a single array, targets. What happens with duplicate interfaces? As long as they don't change between those calls to derive_{guests,vpc,subnet}_network_interface_info, is that just an optimization to avoid looking up or sending more information to the sled agents than necessary?

[plotnick]

Excellent question; 1fa97ab does explicit de-duplication on the NICs. (If sled_agent_client::types::NetworkInterface were Hash, this could be simplified by accumulating directly into a HashSet; please LMK if you know how to do that.)

[bnaecker]

I think you can implement Hash manually, probably by hashing all the fields. Not sure if it's worth it, up to you at this point, since I don't want to further delay this PR unnecessarily.

[bnaecker]

I'd probably remove this, since it refers to a comment in the other guest-specific function now.

[bnaecker]

This is the only line that differs between these three implementations, AFAICT. Could we either make this function generic, on the column we're filtering, or have a shared function that implements most of this and accepts a boxed query on the table? Let me know if you'd like to talk through the Diesel details here, it can get pretty hairy with generics.

[plotnick]

Hairy indeed, but probably worth it. Refactoring of these three routines forthcoming.

[plotnick]

Ok, factored using a boxed query in 902e6a8.

[bnaecker]

Since we're just interested in the name and IP subnets, we could select exactly those from the table rather than the whole record. E.g., .select((vpc_subnet::name, vpc_subnet::ipv4_block, vpc_subnet::ipv6_block)), I think.

[plotnick]

Done in 578a2d9, thanks.

[bnaecker]

Yep. We can generally think of each filter in a rule as restricting the set of objects to which the rule applies. Adding a protocol filter of TCP means it applies only TCP traffic, and no other protocol, for example.

[plotnick]

Great, that's what I thought.

[bnaecker]

I'm not sure this is quite right. MAC addresses are unique within a VPC, not globally. Suppose we had two rules, each applying exclusively to two different VPCs, but otherwise identical. If those VPCs happened to each have a NIC with the same MAC, the rule would be applied to both of those.

If that sounds right to you as well, then I think we to check the identity of the VPC and the MAC of the Port. The vni field of the NetworkInterface sent in in the rules is bijective with the VPC identity, so that's the best thing to use at this point.

[plotnick]

Fixed in 1994a43, thanks.

[rzezeski]

Heads up: connectivity inbound to a guest will fail when firewall rules are populated until oxidecomputer/opte#252 lands.

[rzezeski]

Okay, oxidecomputer/opte#252 is fixed. So inbound connectivity should work with latest xde. If it doesn't please let me know.

[bnaecker]

My apologies for the long delay. There's a lot of great work here, thank you! I've mostly got questions about improving names or comments, but the functionality itself looks great.

[bnaecker]

I think you can implement Hash manually, probably by hashing all the fields. Not sure if it's worth it, up to you at this point, since I don't want to further delay this PR unnecessarily.

[plotnick]

@bnaecker: Thanks for the very helpful second review! The one remaining concern I have that I'd like to fix is that if you use a non-existent VPC name in a target or host filter, things currently fail in a rather opaque way. I'm going to try to fix that today (Wed), and then I think it'll be in ok shape (though see also issue #1756, which I think is serious but not blocking).

However, I'd like to maybe delay actually merging this until @smklein branches for the demo next week. Since this change involves touching many critical pieces (including instance creation), does not have integration tests, and is not necessary for that demo, I think it's a bit risky to land with so little time for testing. Other opinions welcome.

[bnaecker]

That's all excellent, thanks for chasing down those threads @plotnick! I think your plan of merging after the demo branch is created sounds very wise. I'm approving this now, feel free to merge whenever that happens. And again, nice work. It's really excellent to see such a core networking primitive start to take shape!