Plumb firewall rules #1636
Merged
merged 42 commits into from
Oct 14, 2022
93ba272
Don't restrict IPv4 addresses to private subnets
plotnick Aug 3, 2022
d0f2d78
Start plumbing firewall rules through sled-agent
plotnick Aug 1, 2022
2909d15
Send firewall rules to sled-agent
plotnick Aug 1, 2022
8715ba8
Plumb ports in firewall rules
plotnick Aug 8, 2022
1c4d983
Handle multiple hosts & protocols in firewall rules
plotnick Aug 8, 2022
8fe8dfe
Handle Ipv4Net host filters
plotnick Aug 15, 2022
b15b452
Resolve firewall targets and hosts
plotnick Aug 19, 2022
c5944c5
Set firewall rules only on matching targets
plotnick Aug 22, 2022
a50ddf0
fmt
plotnick Aug 22, 2022
0156492
clippy
plotnick Aug 22, 2022
ca6d01a
Merge branch 'main' into firewall
plotnick Aug 22, 2022
4241a7e
Customize default firewall rules for non-default VPCs
plotnick Aug 23, 2022
1dc02d3
Factor out default firewall rule generation
plotnick Sep 7, 2022
1fa97ab
De-duplicate firewall rule target interfaces
plotnick Sep 8, 2022
1994a43
Match OPTE ports to NICs by (VNI, MAC) pair
plotnick Sep 8, 2022
578a2d9
Select just the columns needed in resolve_subnets_to_ips
plotnick Sep 8, 2022
2c70fd8
clippy
plotnick Sep 9, 2022
902e6a8
Factor derive_*_network_interface_info routines
plotnick Sep 9, 2022
f08f06c
Merge branch 'main' into firewall
plotnick Sep 21, 2022
a1f17cf
Send firewall rules to sled-agent on instance creation
plotnick Sep 23, 2022
41f61ca
Setup firewall rules on OPTE port creation
plotnick Sep 23, 2022
3a2bd37
Merge branch 'main' into firewall
plotnick Sep 28, 2022
5e1d7a8
Ip(Net) targets for firewall rules
plotnick Sep 28, 2022
ab86911
Skip firewall rules with unresolved target/host filters
plotnick Sep 28, 2022
3433bcd
fmt
plotnick Sep 29, 2022
cb0dc62
clippy
plotnick Sep 29, 2022
53d97f6
Merge branch 'main' into firewall
plotnick Sep 29, 2022
a8a6d3e
Merge branch 'main' into firewall
plotnick Oct 3, 2022
f0dc4dd
Link to tracking issue for missing instance migration info
plotnick Oct 4, 2022
f3b64ae
Ungroup imports
plotnick Oct 4, 2022
8ab92af
Rename resolution function for clarity
plotnick Oct 4, 2022
cbedb56
Use a B-tree instead of a hash map in resolution function
plotnick Oct 4, 2022
adc62cc
Remove superfluous scope
plotnick Oct 4, 2022
6048c14
fmt
plotnick Oct 4, 2022
9869832
Refactor firewall rule conversion routine
plotnick Oct 5, 2022
f7ba1eb
Elide needless clone
plotnick Oct 5, 2022
171a625
Clarify doc comment for `default_firewall_rules_for_vpc`
plotnick Oct 5, 2022
aae7d20
Link to multiple-error-handling issue
plotnick Oct 5, 2022
cc424a2
Merge branch 'main' into firewall
plotnick Oct 5, 2022
f204527
Merge branch 'main' into firewall
plotnick Oct 12, 2022
63e92bc
SELECT DISTINCT sleds for firewall rule updates
plotnick Oct 13, 2022
fd5c3e4
Don't fail on missing names in firewall rule resolution
plotnick Oct 13, 2022
1 change: 1 addition & 0 deletions Cargo.lock

26 changes: 2 additions & 24 deletions common/src/api/external/mod.rs
Expand Up @@ -1005,33 +1005,11 @@ impl JsonSchema for Ipv4Net {
})),
instance_type: Some(schemars::schema::InstanceType::String.into()),
string: Some(Box::new(schemars::schema::StringValidation {
// Addresses must be from an RFC 1918 private address space
pattern: Some(
concat!(
r#"^("#,
// 10.0.0.0/8 (10.0.0.0 .. 10.255.255.255)
r#"10\."#,
r#"^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}"#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\."#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\."#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\/([8-9]|1[0-9]|2[0-9]|3[0-2])|"#,
// 172.16.0.0/12 (172.16.0.0 .. 172.31.255.255)
r#"172\."#,
r#"(1[6-9]|2[0-9]|3[0-1])"#,
r#"\."#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\."#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\/(1[2-9]|2[0-9]|3[0-2])|"#,
// 192.168.0.0/16 (192.168.0.0 .. 192.168.255.255)
r#"192\.168\."#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\."#,
r#"([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"#,
r#"\/(1[6-9]|2[0-9]|3[0-2])"#,
r#")$"#,
r#"/([8-9]|1[0-9]|2[0-9]|3[0-2])$"#,
)
.to_string(),
),
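Review bot: The prefix-length alternation on the added `r#"/([8-9]|1[0-9]|2[0-9]|3[0-2])$"#` line keeps the old /8 lower bound, so now that any IPv4 address is accepted, `/0` through `/7` networks, including a catch-all `0.0.0.0/0`, still fail the schema pattern. If a minimum of /8 is intended, a comment in place of the removed RFC 1918 one should say so; otherwise widen it to `r#"/([0-9]|[1-2][0-9]|3[0-2])$"#`. This pattern is schema metadata consumed by generated clients; whether the Rust-side parser for `Ipv4Net` enforces the same bound is not visible in this hunk and is worth confirming so the two do not disagree. The enclosing `impl JsonSchema for Ipv4Net` starts before the hunk.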
1 change: 1 addition & 0 deletions nexus/db-model/src/name.rs
Expand Up @@ -22,6 +22,7 @@ use serde::{Deserialize, Serialize};
AsExpression,
FromSqlRow,
Eq,
Hash,
PartialEq,
Ord,
PartialOrd,
28 changes: 28 additions & 0 deletions nexus/src/app/instance.rs
Expand Up @@ -30,6 +30,7 @@ use omicron_common::api::external::InternalContext;
use omicron_common::api::external::ListResultVec;
use omicron_common::api::external::LookupResult;
use omicron_common::api::external::UpdateResult;
use omicron_common::api::external::Vni;
use omicron_common::api::internal::nexus;
use sled_agent_client::types::InstanceRuntimeStateMigrateParams;
use sled_agent_client::types::InstanceRuntimeStateRequested;
Expand Down Expand Up @@ -556,6 +557,32 @@ impl super::Nexus {
let source_nat =
SourceNatConfig::from(snat_ip.into_iter().next().unwrap());

// Gather the firewall rules for the VPC this instance is in.
// The NIC info we gathered above doesn't have VPC information
// because the sled agent doesn't care about that directly,
// so we fetch it via the first interface's VNI. (It doesn't
// matter which one we use because all NICs must be in the
// same VPC; see the check in project_create_instance.)
let firewall_rules = if let Some(nic) = nics.first() {
let vni = Vni::try_from(nic.vni.0)?;
let vpc = self
.db_datastore
.resolve_vni_to_vpc(opctx, db::model::Vni(vni))
.await?;
let (.., authz_vpc) = LookupPath::new(opctx, &self.db_datastore)
.vpc_id(vpc.id())
.lookup_for(authz::Action::Read)
.await?;
let rules = self
.db_datastore
.vpc_list_firewall_rules(opctx, &authz_vpc)
.await?;
self.resolve_firewall_rules_for_sled_agent(opctx, &vpc, &rules)
.await?
} else {
vec![]
};

// Gather the SSH public keys of the actor make the request so
// that they may be injected into the new image via cloud-init.
// TODO-security: this should be replaced with a lookup based on
Expand Down Expand Up @@ -596,6 +623,7 @@ impl super::Nexus {
nics,
source_nat,
external_ips,
firewall_rules,
disks: disk_reqs,
cloud_init_bytes: Some(base64::encode(
db_instance.generate_cidata(&public_keys)?,
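Review bot: The new block in the second hunk picks the VPC from `nics.first()` and relies on a comment that every NIC shares that VPC, an invariant enforced in `project_create_instance` rather than here; if that check ever regresses, a second NIC in another VPC would be handed the first VPC's rule set. A cheap local guard such as `debug_assert!(nics.iter().all(|n| n.vni == nic.vni), "all NICs of an instance must share a VNI");` right after the `if let Some(nic)` line would catch that during development (assuming the NIC's `vni` field is comparable, which is not visible here). The rules are also resolved once at this point, so a firewall change landing between this lookup and the sled agent applying them depends on a separate update path; a short comment naming that path would help the next reader. The enclosing method starts before the hunk and continues past it.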
4 changes: 4 additions & 0 deletions nexus/src/app/sagas/instance_migrate.rs
Expand Up @@ -221,12 +221,16 @@ async fn sim_instance_migrate(
}
let source_nat = SourceNatConfig::from(snat_ip.into_iter().next().unwrap());

// The TODOs below are tracked in
// https://github.com/oxidecomputer/omicron/issues/1783
let instance_hardware = InstanceHardware {
runtime: runtime.into(),
// TODO: populate NICs
nics: vec![],
source_nat,
external_ips,
// TODO: populate firewall rules
firewall_rules: vec![],
// TODO: populate disks
disks: vec![],
// TODO: populate cloud init bytes
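Review bot: `firewall_rules: vec![]` hands the destination sled an instance with no VPC firewall rules, and the TODO does not say how the sled agent interprets an empty list: whether the migrated instance ends up default-deny (loses connectivity) or unfiltered (VPC policy not applied on the new sled) is not visible here. Until the tracked work lands, stating that in the comment, e.g. `// TODO: populate firewall rules (an empty list currently means <DENY-OR-ALLOW placeholder> on the sled agent)`, keeps the consequence explicit for anyone reading this saga. `sim_instance_migrate` starts before the hunk.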