Attached (External) Subnets

This PR reworks certain aspects of how NAT and gateway layers are
constructed to enable attached (external) subnets to function. The
primary aim here is that traffic to/from these subnets (owned by
the host) do not undergo NAT, and bypass spoof detection as transit
IPs would. A few wider changes have been necessary to ensure that
these can be attached/detached without breaking any existing transit
IPs, and to ensure that traffic originated from an external subnet
cannot be directed towards a private VPC recipient.

Author: FelixMcFelix

.github/buildomat/jobs/opte-api.sh

@@ -28,7 +28,7 @@ header "analyze std"
 ptime -m cargo clippy --all-targets
 
 header "analyze no_std"
-ptime -m cargo clippy --no-default-features --all-targets
+ptime -m cargo clippy --no-default-features --all-targets -- --deny warnings
 
 header "test"
 ptime -m cargo test

.github/buildomat/jobs/opte-ioctl.sh

@@ -22,4 +22,4 @@ header "check style"
 ptime -m cargo +$NIGHTLY fmt -- --check
 
 header "analyze"
-ptime -m cargo clippy --all-targets
+ptime -m cargo clippy --all-targets -- --deny warnings

.github/buildomat/jobs/opte.sh

@@ -31,10 +31,10 @@ RUSTDOCFLAGS="-D warnings" ptime -m \
 	cargo +$NIGHTLY doc --no-default-features --features=api,std,engine,kernel
 
 header "analyze std + api"
-ptime -m cargo clippy --all-targets
+ptime -m cargo clippy --all-targets -- --deny warnings
 
 header "analyze no_std + engine + kernel"
-ptime -m cargo +$NIGHTLY clippy --no-default-features --features engine,kernel
+ptime -m cargo +$NIGHTLY clippy --no-default-features --features engine,kernel -- --deny warnings
 
 header "test"
 ptime -m cargo test

.github/buildomat/jobs/opteadm.sh

@@ -31,7 +31,7 @@ header "check style"
 ptime -m cargo +$NIGHTLY fmt -- --check
 
 header "analyze"
-ptime -m cargo clippy --all-targets
+ptime -m cargo clippy --all-targets -- --deny warnings
 
 header "debug build"
 ptime -m cargo build

.github/buildomat/jobs/oxide-vpc.sh

@@ -31,7 +31,7 @@ RUSTDOCFLAGS="-D warnings" ptime -m \
 	    cargo +$NIGHTLY doc --no-default-features --features=api,std,engine,kernel
 
 header "analyze std + api + usdt"
-ptime -m cargo clippy --features usdt --all-targets
+ptime -m cargo clippy --features usdt --all-targets -- --deny warnings
 
 header "analyze no_std + engine + kernel"
 ptime -m cargo +$NIGHTLY clippy --no-default-features --features engine,kernel

.github/buildomat/jobs/xde.sh

@@ -113,7 +113,7 @@ sha256sum $REL_TGT/xde_link.so > $REL_TGT/xde_link.so.sha256
 header "build xde integration tests"
 pushd xde-tests
 cargo +$NIGHTLY fmt -- --check
-cargo clippy --all-targets
+cargo clippy --all-targets -- --deny warnings
 cargo build --test loopback
 loopback_test=$(
     cargo build -q --test loopback --message-format=json |\

bench/src/packet.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2024 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 use opte::ddi::mblk::MsgBlk;
 use opte::engine::Direction;
@@ -26,6 +26,7 @@ use opte_test_utils::icmp::gen_icmp_echo;
 use opte_test_utils::icmp::gen_icmpv6_echo;
 use opte_test_utils::icmp::generate_ndisc;
 use opte_test_utils::*;
+use std::collections::BTreeMap;
 
 pub type TestCase = (MsgBlk, Direction);
 
@@ -91,6 +92,8 @@ impl BenchPacket for UlpProcess {
                     ephemeral_ip: Some("10.60.1.20".parse().unwrap()),
                     floating_ips: vec![],
                 },
+                attached_subnets: BTreeMap::default(),
+                transit_ips: BTreeMap::default(),
             },
             ipv6: Ipv6Cfg {
                 vpc_subnet: "fd00::/64".parse().unwrap(),
@@ -104,6 +107,8 @@ impl BenchPacket for UlpProcess {
                     ephemeral_ip: Some("2001:db8::2".parse().unwrap()),
                     floating_ips: vec![],
                 },
+                attached_subnets: BTreeMap::default(),
+                transit_ips: BTreeMap::default(),
             },
         };
 
@@ -269,18 +274,13 @@ impl BenchPacketInstance for UlpProcessInstance {
         let out_pkt = match self.direction {
             Direction::Out => inner_pkt,
             Direction::In => {
-                let bsvc_phys = TestIpPhys {
-                    ip: BS_IP_ADDR,
-                    mac: BS_MAC_ADDR,
-                    vni: Vni::new(BOUNDARY_SERVICES_VNI).unwrap(),
-                };
                 let guest_phys = TestIpPhys {
                     ip: self.cfg.phys_ip,
                     mac: self.cfg.guest_mac,
                     vni: self.cfg.vni,
                 };
 
-                encap_external(inner_pkt, bsvc_phys, guest_phys)
+                encap_external(inner_pkt, *BSVC_PHYS, guest_phys)
             }
         };
 

bin/opteadm/src/bin/opteadm.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2025 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 use anyhow::Context;
 use clap::Args;
@@ -70,6 +70,7 @@ use oxide_vpc::print::print_mcast_fwd;
 use oxide_vpc::print::print_mcast_subs;
 use oxide_vpc::print::print_v2b;
 use oxide_vpc::print::print_v2p;
+use std::collections::BTreeMap;
 use std::io;
 use std::io::Write;
 use std::str::FromStr;
@@ -403,6 +404,36 @@ enum Command {
         #[arg(long = "dir")]
         direction: Option<Direction>,
     },
+
+    /// Give a guest ownership of a given CIDR block.
+    ///
+    /// This is equivalent to a bidirectional `AllowCidr`, with an exemption
+    /// from NAT if the subnet is marked as `external`.
+    ///
+    /// Repeated calls on any given `prefix` will update its configuration.
+    AttachSubnet {
+        /// The OPTE port to configure.
+        #[arg(short)]
+        port: String,
+
+        /// The subnet to attach.
+        prefix: IpCidr,
+
+        /// Marks the subnet as a block of external IPs for which in/outbound
+        /// NAT should not be performed.
+        #[arg(long, short)]
+        external: bool,
+    },
+
+    /// Rescind a guest's ownership of a given CIDR block.
+    DetachSubnet {
+        /// The OPTE port to configure.
+        #[arg(short)]
+        port: String,
+
+        /// The subnet to detach.
+        prefix: IpCidr,
+    },
 }
 
 #[derive(Debug, Parser)]
@@ -805,6 +836,8 @@ fn main() -> anyhow::Result<()> {
                         private_ip,
                         gateway_ip,
                         external_ips,
+                        attached_subnets: BTreeMap::new(),
+                        transit_ips: BTreeMap::new(),
                     })
                 }
                 IpAddr::Ip6(private_ip) => {
@@ -823,6 +856,8 @@ fn main() -> anyhow::Result<()> {
                         private_ip,
                         gateway_ip,
                         external_ips,
+                        attached_subnets: BTreeMap::new(),
+                        transit_ips: BTreeMap::new(),
                     })
                 }
             };
@@ -833,9 +868,10 @@ fn main() -> anyhow::Result<()> {
                 gateway_mac,
                 vni: vpc_vni,
                 phys_ip: src_underlay_addr,
+                dhcp: dhcp.into(),
             };
 
-            hdl.create_xde(&name, cfg, dhcp.into(), passthrough)?;
+            hdl.create_xde(&name, cfg, passthrough)?;
         }
 
         Command::DeleteXde { name } => {
@@ -1054,6 +1090,14 @@ fn main() -> anyhow::Result<()> {
                 })?;
             }
         }
+
+        Command::AttachSubnet { port, prefix, external } => {
+            hdl.attach_subnet(&port, prefix, external)?;
+        }
+
+        Command::DetachSubnet { port, prefix } => {
+            hdl.detach_subnet(&port, prefix)?;
+        }
     }
 
     Ok(())

crates/opte-api/src/cmd.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2025 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 use super::API_VERSION;
 use super::RuleId;
@@ -25,40 +25,95 @@ pub const XDE_IOC_OPTE_CMD: i32 = XDE_IOC as i32 | 0x01;
 #[derive(Clone, Copy, Debug)]
 #[repr(C)]
 pub enum OpteCmd {
-    ListPorts = 1,                // list all ports
-    AddFwRule = 20,               // add firewall rule
-    RemFwRule = 21,               // remove firewall rule
-    SetFwRules = 22,              // set/replace all firewall rules at once
-    DumpTcpFlows = 30,            // dump TCP flows
-    DumpLayer = 31,               // dump the specified Layer
-    DumpUft = 32,                 // dump the Unified Flow Table
-    ListLayers = 33,              // list the layers on a given port
-    ClearUft = 40,                // clear the UFT
-    ClearLft = 41,                // clear the given Layer's Flow Table
-    SetVirt2Phys = 50,            // set a v2p mapping
-    DumpVirt2Phys = 51,           // dump the v2p mappings
-    SetVirt2Boundary = 52,        // set a v2b mapping
-    ClearVirt2Boundary = 53,      // clear a v2b mapping
-    DumpVirt2Boundary = 54,       // dump the v2b mappings
-    ClearVirt2Phys = 55,          // clear a v2p mapping
-    AddRouterEntry = 60,          // add a router entry for IP dest
-    DelRouterEntry = 61,          // remove a router entry for IP dest
-    CreateXde = 70,               // create a new xde device
-    DeleteXde = 71,               // delete an xde device
-    SetXdeUnderlay = 72,          // set xde underlay devices
-    ClearXdeUnderlay = 73,        // clear xde underlay devices
-    SetExternalIps = 80,          // set xde external IPs for a port
-    AllowCidr = 90,               // allow ip block through gateway tx/rx
-    RemoveCidr = 91,              // deny ip block through gateway tx/rx
-    SetMcastForwarding = 100,     // set multicast forwarding entries
-    ClearMcastForwarding = 101,   // clear multicast forwarding entries
-    DumpMcastForwarding = 102,    // dump multicast forwarding table
-    McastSubscribe = 103,         // subscribe a port to a multicast group
-    McastUnsubscribe = 104,       // unsubscribe a port from a multicast group
-    SetMcast2Phys = 105,          // set M2P mapping (group -> underlay mcast)
-    ClearMcast2Phys = 106,        // clear M2P mapping
-    DumpMcastSubscriptions = 107, // dump multicast subscription table
-    McastUnsubscribeAll = 108, // unsubscribe all ports from a multicast group
+    /// List all ports.
+    ListPorts = 1,
+
+    /// Add a firewall rule.
+    AddFwRule = 20,
+    /// Remove a firewall rule.
+    RemFwRule = 21,
+    /// Set/replace all firewall rules at once.
+    SetFwRules = 22,
+
+    /// Read out TCP flows and statistics.
+    DumpTcpFlows = 30,
+    /// Read out installed rules and hit counters in a given layer.
+    DumpLayer = 31,
+    /// Read out UFT (fastpath) flow entries and their associated counters.
+    DumpUft = 32,
+    /// List the layers on a given port.
+    ListLayers = 33,
+
+    /// Clear the UFT (fastpath) for a port.
+    ClearUft = 40,
+    /// Clear a layer's flow table.
+    ClearLft = 41,
+
+    /// Set a V2P mapping.
+    SetVirt2Phys = 50,
+    /// Read out all V2P mappings.
+    DumpVirt2Phys = 51,
+    /// Set a V2B mapping.
+    SetVirt2Boundary = 52,
+    /// Remove a V2B mapping.
+    ClearVirt2Boundary = 53,
+    /// Read out all V2B mappings.
+    DumpVirt2Boundary = 54,
+    /// Remove a V2P mapping.
+    ClearVirt2Phys = 55,
+
+    /// Add a router entry for an IP destination CIDR.
+    AddRouterEntry = 60,
+    /// Remove a router entry for an IP destination CIDR.
+    DelRouterEntry = 61,
+
+    /// Create a new XDE device.
+    ///
+    /// Requires that `SetXdeUnderlay` has been successfully called.
+    CreateXde = 70,
+    /// Delete an XDE device.
+    DeleteXde = 71,
+    /// Set the physical devices which XDE should transmit over.
+    SetXdeUnderlay = 72,
+    /// Unbind the underlay devices.
+    ///
+    /// Requires that no XDE ports exist.
+    ClearXdeUnderlay = 73,
+
+    /// Set all external IP config for a port.
+    SetExternalIps = 80,
+
+    /// Add a transit IP CIDR to this port's allow list.
+    ///
+    /// NOOPs if the given CIDR is an attached subnet.
+    AllowCidr = 90,
+    /// Remove a transit IP CIDR from this port's allow list.
+    ///
+    /// NOOPs if the given CIDR is an attached subnet.
+    RemoveCidr = 91,
+    /// Add or set the config of an attached subnet.
+    AttachSubnet = 92,
+    /// Remove an attached subnet.
+    DetachSubnet = 93,
+
+    /// Set multicast forwarding entries.
+    SetMcastForwarding = 100,
+    /// Clear multicast forwarding entries.
+    ClearMcastForwarding = 101,
+    /// Read out the multicast forwarding table.
+    DumpMcastForwarding = 102,
+    /// Subscribe a port to a multicast group.
+    McastSubscribe = 103,
+    /// Unsubscribe a port to a multicast group.
+    McastUnsubscribe = 104,
+    /// Set an M2P mapping (group -> underlay mcast).
+    SetMcast2Phys = 105,
+    /// Remove an M2P mapping.
+    ClearMcast2Phys = 106,
+    /// Read out the table of multicast subscriptions.
+    DumpMcastSubscriptions = 107,
+    /// Unsubscribe all ports from a multicast group.
+    McastUnsubscribeAll = 108,
 }
 
 impl TryFrom<c_int> for OpteCmd {

crates/opte-api/src/lib.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2025 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 #![no_std]
 #![deny(unreachable_patterns)]
@@ -51,7 +51,7 @@ pub use ulp::*;
 ///
 /// We rely on CI and the check-api-version.sh script to verify that
 /// this number is incremented anytime the oxide-api code changes.
-pub const API_VERSION: u64 = 38;
+pub const API_VERSION: u64 = 39;
 
 /// Major version of the OPTE package.
 pub const MAJOR_VERSION: u64 = 0;