Skip to content

Attached (External) Subnets #911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
FelixMcFelix wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Attached (External) Subnets #911

FelixMcFelix wants to merge 2 commits into from

Conversation

@FelixMcFelix
Copy link
Collaborator

@FelixMcFelix FelixMcFelix commented Dec 31, 2025
edited
Loading

This PR reworks certain aspects of how NAT and gateway layers are constructed to enable attached (external) subnets to function. The primary aim here is that traffic to/from these subnets (owned by the host) do not undergo NAT, and bypass spoof detection as transit IPs would. A few wider changes have been necessary to ensure that these can be attached/detached without breaking any existing transit IPs, and to ensure that traffic originated from an external subnet cannot be directed towards a private VPC recipient.

  • To be compatible with add/remove of transit IPs, we have to store both transit/attached subnets consistently in VpcCfg rather than working directly on the port's ruleset. This also gives us the opportunity to set these on port create rather than using a followup ioctl.
  • Reconfiguring the gateway layer requires that we store DhcpCfg in VpcCfg now.
  • Keeping separate copies of VpcCfg in XdeDev and the port itself seemed... misleading, at best. When XDE needs that, we now reach through port.network().
  • StatefulActions should never have had mutable access to a packet's ActionMeta (the string-to-string map), because they may never be rerun after an LFT is created on subsequent slowpath walks. It is now up to the generated ActionDescs to update metadata -- this trait's role is similar to StaticAction, which is allowed mutable access to this metadata.
  • Use of V2B/V2P mappings is now explicitly restricted to sending traffic from external/internal IPs. I put in some rework of ActionMeta ergonomics to make this easier to express and implement.

As far as the control plane is concerned, it should need to only:

  • Attach external/VPC subnets as they arrive.
  • Ensure that for attached VPC subnets, the system router is updated s.t. that subnet has an Instance(<name>) target (in turn resolved to an IP target when reifying rules for the port, as happens with instance targets today).

Answers the functional dataplane requirements of #890. Closes #703.

@bnaecker bnaecker mentioned this pull request Dec 31, 2025
Open
@FelixMcFelix FelixMcFelix force-pushed the attached-subnets-mvp branch 7 times, most recently from 374d344 to a832697 Compare January 5, 2026 20:38
@FelixMcFelix FelixMcFelix changed the title Attached External Subnets Attached (External) Subnets Jan 5, 2026
@FelixMcFelix
Attached (External) Subnets
2e7cf69 
This PR reworks certain aspects of how NAT and gateway layers are
constructed to enable attached (external) subnets to function. The
primary aim here is that traffic to/from these subnets (owned by
the host) do not undergo NAT, and bypass spoof detection as transit
IPs would. A few wider changes have been necessary to ensure that
these can be attached/detached without breaking any existing transit
IPs, and to ensure that traffic originated from an external subnet
cannot be directed towards a private VPC recipient.
FelixMcFelix
FelixMcFelix commented Jan 6, 2026
View reviewed changes
lib/opte/src/engine/snat.rs
use opte_api::Protocol;

pub trait Ip: Into<super::IpAddr> {
pub trait Ip: Into<super::IpAddr> + Send + Sync {
Copy link
Collaborator Author

@FelixMcFelix FelixMcFelix Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Followup from #883 -- this moves the Send + Sync bounds up so that we don't need to explicitly specify them in as many spots.

lib/oxide-vpc/src/engine/nat.rs
Comment on lines +563 to +568
pub fn attach_subnet(
port: &Port<VpcNetwork>,
inet_gw_map: Option<&InternetGatewayMap>,
vpc_mappings: &Arc<VpcMappings>,
req: AttachSubnetReq,
) -> Result<(), OpteError> {
Copy link
Collaborator Author

@FelixMcFelix FelixMcFelix Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a bit of uncertainty as to whether this and detach_subnet should live here, gateway, or some other module since the feature crosses multiple layers.

@FelixMcFelix FelixMcFelix marked this pull request as ready for review January 6, 2026 13:44
@rmustacc rmustacc requested a review from bnaecker January 8, 2026 17:10
bnaecker
bnaecker reviewed Jan 8, 2026
View reviewed changes
Copy link
Contributor

@bnaecker bnaecker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've not looked through the entire PR yet, but this seems solid. Nice interface for attaching subnets, and some helpful cleanup along the way. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bnaecker bnaecker bnaecker left review comments

@rcgoodfellow rcgoodfellow Awaiting requested review from rcgoodfellow

@zeeshanlakhani zeeshanlakhani Awaiting requested review from zeeshanlakhani

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ActionMeta could allow direct storage/retrieval of an ActionMetaValue

3 participants

@FelixMcFelix @bnaecker