Attached (External) Subnets

.github/buildomat/jobs/opte-api.sh

@@ -28,7 +28,7 @@ header "analyze std"
 ptime -m cargo clippy --all-targets
 
 header "analyze no_std"
-ptime -m cargo clippy --no-default-features --all-targets
+ptime -m cargo clippy --no-default-features --all-targets -- --deny warnings
 
 header "test"
 ptime -m cargo test

.github/buildomat/jobs/opte-ioctl.sh

@@ -22,4 +22,4 @@ header "check style"
 ptime -m cargo +$NIGHTLY fmt -- --check
 
 header "analyze"
-ptime -m cargo clippy --all-targets
+ptime -m cargo clippy --all-targets -- --deny warnings

.github/buildomat/jobs/opte.sh

@@ -31,10 +31,10 @@ RUSTDOCFLAGS="-D warnings" ptime -m \
 	cargo +$NIGHTLY doc --no-default-features --features=api,std,engine,kernel
 
 header "analyze std + api"
-ptime -m cargo clippy --all-targets
+ptime -m cargo clippy --all-targets -- --deny warnings
 
 header "analyze no_std + engine + kernel"
-ptime -m cargo +$NIGHTLY clippy --no-default-features --features engine,kernel
+ptime -m cargo +$NIGHTLY clippy --no-default-features --features engine,kernel -- --deny warnings
 
 header "test"
 ptime -m cargo test

.github/buildomat/jobs/opteadm.sh

@@ -31,7 +31,7 @@ header "check style"
 ptime -m cargo +$NIGHTLY fmt -- --check
 
 header "analyze"
-ptime -m cargo clippy --all-targets
+ptime -m cargo clippy --all-targets -- --deny warnings
 
 header "debug build"
 ptime -m cargo build

.github/buildomat/jobs/oxide-vpc.sh

@@ -31,7 +31,7 @@ RUSTDOCFLAGS="-D warnings" ptime -m \
 	    cargo +$NIGHTLY doc --no-default-features --features=api,std,engine,kernel
 
 header "analyze std + api + usdt"
-ptime -m cargo clippy --features usdt --all-targets
+ptime -m cargo clippy --features usdt --all-targets -- --deny warnings
 
 header "analyze no_std + engine + kernel"
 ptime -m cargo +$NIGHTLY clippy --no-default-features --features engine,kernel

.github/buildomat/jobs/xde.sh

@@ -113,7 +113,7 @@ sha256sum $REL_TGT/xde_link.so > $REL_TGT/xde_link.so.sha256
 header "build xde integration tests"
 pushd xde-tests
 cargo +$NIGHTLY fmt -- --check
-cargo clippy --all-targets
+cargo clippy --all-targets -- --deny warnings
 cargo build --test loopback
 loopback_test=$(
     cargo build -q --test loopback --message-format=json |\

bench/src/packet.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2024 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 use opte::ddi::mblk::MsgBlk;
 use opte::engine::Direction;
@@ -26,6 +26,7 @@ use opte_test_utils::icmp::gen_icmp_echo;
 use opte_test_utils::icmp::gen_icmpv6_echo;
 use opte_test_utils::icmp::generate_ndisc;
 use opte_test_utils::*;
+use std::collections::BTreeMap;
 
 pub type TestCase = (MsgBlk, Direction);
 
@@ -91,6 +92,8 @@ impl BenchPacket for UlpProcess {
                     ephemeral_ip: Some("10.60.1.20".parse().unwrap()),
                     floating_ips: vec![],
                 },
+                attached_subnets: BTreeMap::default(),
+                transit_ips: BTreeMap::default(),
             },
             ipv6: Ipv6Cfg {
                 vpc_subnet: "fd00::/64".parse().unwrap(),
@@ -104,6 +107,8 @@ impl BenchPacket for UlpProcess {
                     ephemeral_ip: Some("2001:db8::2".parse().unwrap()),
                     floating_ips: vec![],
                 },
+                attached_subnets: BTreeMap::default(),
+                transit_ips: BTreeMap::default(),
             },
         };
 
@@ -269,18 +274,13 @@ impl BenchPacketInstance for UlpProcessInstance {
         let out_pkt = match self.direction {
             Direction::Out => inner_pkt,
             Direction::In => {
-                let bsvc_phys = TestIpPhys {
-                    ip: BS_IP_ADDR,
-                    mac: BS_MAC_ADDR,
-                    vni: Vni::new(BOUNDARY_SERVICES_VNI).unwrap(),
-                };
                 let guest_phys = TestIpPhys {
                     ip: self.cfg.phys_ip,
                     mac: self.cfg.guest_mac,
                     vni: self.cfg.vni,
                 };
 
-                encap_external(inner_pkt, bsvc_phys, guest_phys)
+                encap_external(inner_pkt, *BSVC_PHYS, guest_phys)
             }
         };
 

bin/opteadm/src/bin/opteadm.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2025 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 use anyhow::Context;
 use clap::Args;
@@ -70,6 +70,7 @@ use oxide_vpc::print::print_mcast_fwd;
 use oxide_vpc::print::print_mcast_subs;
 use oxide_vpc::print::print_v2b;
 use oxide_vpc::print::print_v2p;
+use std::collections::BTreeMap;
 use std::io;
 use std::io::Write;
 use std::str::FromStr;
@@ -403,6 +404,36 @@ enum Command {
         #[arg(long = "dir")]
         direction: Option<Direction>,
     },
+
+    /// Give a guest ownership of a given CIDR block.
+    ///
+    /// This is equivalent to a bidirectional `AllowCidr`, with an exemption
+    /// from NAT if the subnet is marked as `external`.
+    ///
+    /// Repeated calls on any given `prefix` will update its configuration.
+    AttachSubnet {
+        /// The OPTE port to configure.
+        #[arg(short)]
+        port: String,
+
+        /// The subnet to attach.
+        prefix: IpCidr,
+
+        /// Marks the subnet as a block of external IPs for which in/outbound
+        /// NAT should not be performed.
+        #[arg(long, short)]
+        external: bool,
+    },
+
+    /// Rescind a guest's ownership of a given CIDR block.
+    DetachSubnet {
+        /// The OPTE port to configure.
+        #[arg(short)]
+        port: String,
+
+        /// The subnet to detach.
+        prefix: IpCidr,
+    },
 }
 
 #[derive(Debug, Parser)]
@@ -805,6 +836,8 @@ fn main() -> anyhow::Result<()> {
                         private_ip,
                         gateway_ip,
                         external_ips,
+                        attached_subnets: BTreeMap::new(),
+                        transit_ips: BTreeMap::new(),
                     })
                 }
                 IpAddr::Ip6(private_ip) => {
@@ -823,6 +856,8 @@ fn main() -> anyhow::Result<()> {
                         private_ip,
                         gateway_ip,
                         external_ips,
+                        attached_subnets: BTreeMap::new(),
+                        transit_ips: BTreeMap::new(),
                     })
                 }
             };
@@ -833,9 +868,10 @@ fn main() -> anyhow::Result<()> {
                 gateway_mac,
                 vni: vpc_vni,
                 phys_ip: src_underlay_addr,
+                dhcp: dhcp.into(),
             };
 
-            hdl.create_xde(&name, cfg, dhcp.into(), passthrough)?;
+            hdl.create_xde(&name, cfg, passthrough)?;
         }
 
         Command::DeleteXde { name } => {
@@ -1054,6 +1090,14 @@ fn main() -> anyhow::Result<()> {
                 })?;
             }
         }
+
+        Command::AttachSubnet { port, prefix, external } => {
+            hdl.attach_subnet(&port, prefix, external)?;
+        }
+
+        Command::DetachSubnet { port, prefix } => {
+            hdl.detach_subnet(&port, prefix)?;
+        }
     }
 
     Ok(())

crates/opte-api/src/cmd.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2025 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 use super::API_VERSION;
 use super::RuleId;
@@ -25,40 +25,95 @@ pub const XDE_IOC_OPTE_CMD: i32 = XDE_IOC as i32 | 0x01;
 #[derive(Clone, Copy, Debug)]
 #[repr(C)]
 pub enum OpteCmd {
-    ListPorts = 1,                // list all ports
-    AddFwRule = 20,               // add firewall rule
-    RemFwRule = 21,               // remove firewall rule
-    SetFwRules = 22,              // set/replace all firewall rules at once
-    DumpTcpFlows = 30,            // dump TCP flows
-    DumpLayer = 31,               // dump the specified Layer
-    DumpUft = 32,                 // dump the Unified Flow Table
-    ListLayers = 33,              // list the layers on a given port
-    ClearUft = 40,                // clear the UFT
-    ClearLft = 41,                // clear the given Layer's Flow Table
-    SetVirt2Phys = 50,            // set a v2p mapping
-    DumpVirt2Phys = 51,           // dump the v2p mappings
-    SetVirt2Boundary = 52,        // set a v2b mapping
-    ClearVirt2Boundary = 53,      // clear a v2b mapping
-    DumpVirt2Boundary = 54,       // dump the v2b mappings
-    ClearVirt2Phys = 55,          // clear a v2p mapping
-    AddRouterEntry = 60,          // add a router entry for IP dest
-    DelRouterEntry = 61,          // remove a router entry for IP dest
-    CreateXde = 70,               // create a new xde device
-    DeleteXde = 71,               // delete an xde device
-    SetXdeUnderlay = 72,          // set xde underlay devices
-    ClearXdeUnderlay = 73,        // clear xde underlay devices
-    SetExternalIps = 80,          // set xde external IPs for a port
-    AllowCidr = 90,               // allow ip block through gateway tx/rx
-    RemoveCidr = 91,              // deny ip block through gateway tx/rx
-    SetMcastForwarding = 100,     // set multicast forwarding entries
-    ClearMcastForwarding = 101,   // clear multicast forwarding entries
-    DumpMcastForwarding = 102,    // dump multicast forwarding table
-    McastSubscribe = 103,         // subscribe a port to a multicast group
-    McastUnsubscribe = 104,       // unsubscribe a port from a multicast group
-    SetMcast2Phys = 105,          // set M2P mapping (group -> underlay mcast)
-    ClearMcast2Phys = 106,        // clear M2P mapping
-    DumpMcastSubscriptions = 107, // dump multicast subscription table
-    McastUnsubscribeAll = 108, // unsubscribe all ports from a multicast group
+    /// List all ports.
+    ListPorts = 1,
+
+    /// Add a firewall rule.
+    AddFwRule = 20,
+    /// Remove a firewall rule.
+    RemFwRule = 21,
+    /// Set/replace all firewall rules at once.
+    SetFwRules = 22,
+
+    /// Read out TCP flows and statistics.
+    DumpTcpFlows = 30,
+    /// Read out installed rules and hit counters in a given layer.
+    DumpLayer = 31,
+    /// Read out UFT (fastpath) flow entries and their associated counters.
+    DumpUft = 32,
+    /// List the layers on a given port.
+    ListLayers = 33,
+
+    /// Clear the UFT (fastpath) for a port.
+    ClearUft = 40,
+    /// Clear a layer's flow table.
+    ClearLft = 41,
+
+    /// Set a V2P mapping.
+    SetVirt2Phys = 50,
+    /// Read out all V2P mappings.
+    DumpVirt2Phys = 51,
+    /// Set a V2B mapping.
+    SetVirt2Boundary = 52,
+    /// Remove a V2B mapping.
+    ClearVirt2Boundary = 53,
+    /// Read out all V2B mappings.
+    DumpVirt2Boundary = 54,
+    /// Remove a V2P mapping.
+    ClearVirt2Phys = 55,
+
+    /// Add a router entry for an IP destination CIDR.
+    AddRouterEntry = 60,
+    /// Remove a router entry for an IP destination CIDR.
+    DelRouterEntry = 61,
+
+    /// Create a new XDE device.
+    ///
+    /// Requires that `SetXdeUnderlay` has been successfully called.
+    CreateXde = 70,
+    /// Delete an XDE device.
+    DeleteXde = 71,
+    /// Set the physical devices which XDE should transmit over.
+    SetXdeUnderlay = 72,
+    /// Unbind the underlay devices.
+    ///
+    /// Requires that no XDE ports exist.
+    ClearXdeUnderlay = 73,
+
+    /// Set all external IP config for a port.
+    SetExternalIps = 80,
+
+    /// Add a transit IP CIDR to this port's allow list.
+    ///
+    /// NOOPs if the given CIDR is an attached subnet.
+    AllowCidr = 90,
+    /// Remove a transit IP CIDR from this port's allow list.
+    ///
+    /// NOOPs if the given CIDR is an attached subnet.
+    RemoveCidr = 91,
+    /// Add or set the config of an attached subnet.
+    AttachSubnet = 92,
+    /// Remove an attached subnet.
+    DetachSubnet = 93,
+
+    /// Set multicast forwarding entries.
+    SetMcastForwarding = 100,
+    /// Clear multicast forwarding entries.
+    ClearMcastForwarding = 101,
+    /// Read out the multicast forwarding table.
+    DumpMcastForwarding = 102,
+    /// Subscribe a port to a multicast group.
+    McastSubscribe = 103,
+    /// Unsubscribe a port to a multicast group.
+    McastUnsubscribe = 104,
+    /// Set an M2P mapping (group -> underlay mcast).
+    SetMcast2Phys = 105,
+    /// Remove an M2P mapping.
+    ClearMcast2Phys = 106,
+    /// Read out the table of multicast subscriptions.
+    DumpMcastSubscriptions = 107,
+    /// Unsubscribe all ports from a multicast group.
+    McastUnsubscribeAll = 108,
 }
 
 impl TryFrom<c_int> for OpteCmd {

crates/opte-api/src/lib.rs

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2025 Oxide Computer Company
+// Copyright 2026 Oxide Computer Company
 
 #![no_std]
 #![deny(unreachable_patterns)]
@@ -51,7 +51,7 @@ pub use ulp::*;
 ///
 /// We rely on CI and the check-api-version.sh script to verify that
 /// this number is incremented anytime the oxide-api code changes.
-pub const API_VERSION: u64 = 38;
+pub const API_VERSION: u64 = 39;
 
 /// Major version of the OPTE package.
 pub const MAJOR_VERSION: u64 = 0;