feat(flow-filter): Add support for "default" destination VpcExpose

Make sure that we account for "default" VpcExpose when we retrieve the
destination VPC discriminant for the packet.

Internally, we don't add a prefix for the default destination into the
tables, because we'd have to handle overlap to some extent. Instead, we
add a per-source-VPC value to use as a fallback when no other
destination prefix match.

At the moment, the code assumes that each VPC accepts at most one
"default" destination.

Signed-off-by: Quentin Monnet <[email protected]>

Author: qmonnet

flow-filter/src/lib.rs

@@ -77,16 +77,16 @@ impl FlowFilter {
         });
         let log_str = format_packet_addrs_ports(&src_ip, &dst_ip, ports);
 
-        let Some(VpcdLookupResult::Single(dst_vpcd)) =
-            tablesr.lookup(src_vpcd, &src_ip, &dst_ip, ports)
-        else {
-            debug!("{nfi}: Flow not allowed, dropping packet: {log_str}");
-            packet.done(DoneReason::Filtered);
-            return;
-        };
-
-        debug!("{nfi}: Flow allowed: {log_str}, setting packet dst_vpcd to {dst_vpcd}");
-        packet.meta.dst_vpcd = Some(dst_vpcd);
+        match tablesr.lookup(src_vpcd, &src_ip, &dst_ip, ports) {
+            Some(VpcdLookupResult::Single(dst_vpcd) | VpcdLookupResult::Default(dst_vpcd)) => {
+                debug!("{nfi}: Flow allowed: {log_str}, setting packet dst_vpcd to {dst_vpcd}");
+                packet.meta.dst_vpcd = Some(dst_vpcd);
+            }
+            None => {
+                debug!("{nfi}: Flow not allowed, dropping packet: {log_str}");
+                packet.done(DoneReason::Filtered);
+            }
+        }
     }
 }
 
@@ -188,7 +188,7 @@ mod tests {
         table
             .insert(
                 src_vpcd,
-                VpcdLookupResult::Single(dst_vpcd),
+                dst_vpcd,
                 Prefix::from("10.0.0.0/24"),
                 OptionalPortRange::NoPortRangeMeansAllPorts,
                 Prefix::from("20.0.0.0/24"),
@@ -227,7 +227,7 @@ mod tests {
         table
             .insert(
                 src_vpcd,
-                VpcdLookupResult::Single(dst_vpcd),
+                dst_vpcd,
                 Prefix::from("10.0.0.0/24"),
                 OptionalPortRange::NoPortRangeMeansAllPorts,
                 Prefix::from("20.0.0.0/24"),
@@ -288,7 +288,7 @@ mod tests {
         table
             .insert(
                 src_vpcd,
-                VpcdLookupResult::Single(dst_vpcd),
+                dst_vpcd,
                 Prefix::from("10.0.0.0/24"),
                 OptionalPortRange::NoPortRangeMeansAllPorts,
                 Prefix::from("20.0.0.0/24"),
@@ -326,7 +326,7 @@ mod tests {
         table
             .insert(
                 src_vpcd,
-                VpcdLookupResult::Single(dst_vpcd),
+                dst_vpcd,
                 Prefix::from("2001:db8::/32"),
                 OptionalPortRange::NoPortRangeMeansAllPorts,
                 Prefix::from("2001:db9::/32"),
@@ -365,7 +365,7 @@ mod tests {
         table
             .insert(
                 src_vpcd,
-                VpcdLookupResult::Single(dst_vpcd),
+                dst_vpcd,
                 Prefix::from("10.0.0.0/24"),
                 OptionalPortRange::NoPortRangeMeansAllPorts,
                 Prefix::from("20.0.0.0/24"),

flow-filter/src/setup.rs

@@ -2,7 +2,6 @@
 // Copyright Open Network Fabric Authors
 
 use crate::FlowFilterTable;
-use crate::tables::VpcdLookupResult;
 use config::ConfigError;
 use config::external::overlay::Overlay;
 use config::external::overlay::vpc::{Peering, Vpc};
@@ -42,20 +41,46 @@ impl FlowFilterTable {
             .remote
             .exposes
             .iter()
-            .flat_map(|expose| expose.public_ips());
-
-        // For each local prefix, add one entry for each associated remote prefix
-        for local_prefix in local_prefixes {
-            for remote_prefix in remote_prefixes.clone() {
-                self.insert(
+            .flat_map(|expose| expose.public_ips())
+            .collect::<Vec<_>>();
+        // We support one default at most for now
+        let remote_has_default = peering.remote.exposes.iter().any(|expose| expose.default);
+
+        if remote_prefixes.is_empty() && !remote_has_default {
+            return Err(ConfigError::FailureApply(
+                "No remote prefixes found".to_string(),
+            ));
+        } else if remote_prefixes.is_empty() && remote_has_default {
+            // Corner case: all prefixes go to the default remote. In this case we need to build
+            // entries for the source prefixes, so that we can validate that packets come from
+            // legitimate source prefixes, but we do not associate any destination (we'll fall back
+            // to the default destination)
+            for local_prefix in local_prefixes {
+                self.insert_default_only(
                     local_vpcd,
-                    VpcdLookupResult::Single(dst_vpcd),
                     local_prefix.prefix(),
                     local_prefix.ports().into(),
-                    remote_prefix.prefix(),
-                    remote_prefix.ports().into(),
                 )?;
             }
+        } else {
+            // remote_prefixes is not empty: for each local prefix, add one entry for each
+            // associated remote prefix
+            for local_prefix in local_prefixes {
+                for remote_prefix in &remote_prefixes {
+                    self.insert(
+                        local_vpcd,
+                        dst_vpcd,
+                        local_prefix.prefix(),
+                        local_prefix.ports().into(),
+                        remote_prefix.prefix(),
+                        remote_prefix.ports().into(),
+                    )?;
+                }
+            }
+        }
+
+        if remote_has_default {
+            self.add_default_remote(local_vpcd, dst_vpcd)?;
         }
         Ok(())
     }