User ACLs logic implementation#1634
Conversation
|
Note Currently processing new changes in this PR. This may take a few minutes, please wait... ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (16)
📝 WalkthroughWalkthroughAdds a Rust ACL filter crate that builds tables from validated overlay ACLs, evaluates packet and flow-scoped rules, formats table state, tests behavior, and integrates configuration updates with dataplane packet processing. ChangesACL filter implementation
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Comment |
53fbdae to
5526612
Compare
In preparation for using port ranges with ACL tables, implement trait From to convert types with ports into RangeSpec<u16> elements. Signed-off-by: Quentin Monnet <qmo@qmon.net>
No need to clone the enum variants. Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add a way to return the ValidatedAcl object attached to a ValidatedPeering, if any. We'll use it to process the ACL rules in a future commit. Signed-off-by: Quentin Monnet <qmo@qmon.net>
There's no point in allowing an empty list in the first place: remove the ACL list (to allow all), or the peering altogether (to deny all). This will also avoid the corner case of an empty list when building the context for the ACLs. Signed-off-by: Quentin Monnet <qmo@qmon.net>
5526612 to
81463d2
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
acl-filter/src/tests.rs (1)
644-654: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider testing prefix matching against pre-NAT addresses through the real NAT pipeline.
The e2e ACL rule uses empty src/dst patterns (match-all), so this test never validates that a prefix-restricted rule correctly matches the VPC-internal addresses present at ACL-evaluation time (as opposed to the translated/public addresses). Since the module doc comment specifically calls out this address-timing contract, a rule with concrete prefixes (e.g. matching
1.2.3.0/24/192.168.0.0/24) plus a negative case (a prefix that would only match the public/translated addresses) would give confidence the placement is correct rather than just documented.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@acl-filter/src/tests.rs` around lines 644 - 654, Update the build_overlay test fixture to use concrete source and destination prefixes matching the pre-NAT VPC addresses, such as 1.2.3.0/24 and 192.168.0.0/24, instead of empty match-all patterns. Extend the real NAT-pipeline test with a negative case using prefixes that match only translated/public addresses, while preserving the existing UDP flow rule and ACL behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@acl-filter/src/context.rs`:
- Around line 97-116: In insert_for_src_and_dst_prefix, correct the non-TCP/UDP
IPv6 match arm to append rules to self.other_v6 instead of self.other_v4, while
preserving the existing TCP/UDP routing and IPv4 behavior.
In `@acl-filter/src/tests.rs`:
- Around line 600-608: Update the end-to-end flow-scope test comment to describe
the ACL filter’s address state as pre-source-NAT and pre-destination-NAT,
replacing the incorrect post-destination-NAT wording while preserving the
surrounding NAT and flow-link explanation.
---
Nitpick comments:
In `@acl-filter/src/tests.rs`:
- Around line 644-654: Update the build_overlay test fixture to use concrete
source and destination prefixes matching the pre-NAT VPC addresses, such as
1.2.3.0/24 and 192.168.0.0/24, instead of empty match-all patterns. Extend the
real NAT-pipeline test with a negative case using prefixes that match only
translated/public addresses, while preserving the existing UDP flow rule and ACL
behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ee2311e1-0af3-4640-bc97-5facff832f41
⛔ Files ignored due to path filters (1)
Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (19)
Cargo.tomlacl-filter/Cargo.tomlacl-filter/src/access.rsacl-filter/src/context.rsacl-filter/src/display.rsacl-filter/src/lib.rsacl-filter/src/tests.rsacl/src/reference/table.rsconfig/src/external/overlay/acl.rsconfig/src/external/overlay/vpc.rsdataplane/Cargo.tomldataplane/src/packet_processor/mod.rsdataplane/src/runtime.rslpm/Cargo.tomllpm/src/prefix/ip.rslpm/src/prefix/with_ports.rsmgmt/Cargo.tomlmgmt/src/processor/proc.rsmgmt/src/tests/mgmt.rs
81463d2 to
7f5a882
Compare
There was a problem hiding this comment.
Pull request overview
Implements dataplane-side enforcement for the newly introduced user ACLs by adding an acl-filter stage to the packet-processing pipeline, wiring its hot-swappable context into the config processor, and adding the supporting model conversions and validation.
Changes:
- Add new
acl-filtercrate implementingAclFilternetwork function + context building, display, and comprehensive tests. - Integrate ACL context publication into mgmt config processing and inject
AclFilterstage after flow-filter in the dataplane pipeline. - Add match-action lowering helpers in
lpm(prefix/port specs) and tighten ACL validation (reject empty ACL rule lists).
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| mgmt/src/tests/mgmt.rs | Adds AclFilterContextWriter to test processor setup. |
| mgmt/src/processor/proc.rs | Publishes AclFilterContext on reconfig and applies ACL config during processing. |
| mgmt/Cargo.toml | Adds workspace dependency on acl-filter. |
| lpm/src/prefix/with_ports.rs | Adds RangeSpec<u16> conversions + wildcard const for ACL lowering. |
| lpm/src/prefix/ip.rs | Adds conversions from IPv4/IPv6 prefix types into match_action::PrefixSpec. |
| lpm/Cargo.toml | Adds dependency on match-action. |
| dataplane/src/runtime.rs | Wires ACL context writer into ConfigProcessorParams. |
| dataplane/src/packet_processor/mod.rs | Installs AclFilter stage after flow-filter; creates reader/writer handles. |
| dataplane/Cargo.toml | Adds workspace dependency on acl-filter. |
| config/src/external/overlay/vpc.rs | Exposes validated peering ACL via ValidatedPeering::acl(). |
| config/src/external/overlay/acl.rs | Makes AclProtoMatch Copy, tweaks proto accessor, makes Acl::new public, rejects empty ACLs, adds tests. |
| Cargo.toml | Adds acl-filter workspace member + workspace metadata. |
| Cargo.lock | Records new dataplane-acl-filter package and dependency updates. |
| acl/src/reference/table.rs | Adds accessor to read back stored rules for display/debugging. |
| acl-filter/src/tests.rs | Adds unit + end-to-end tests for packet/flow scope behavior and NAT interactions. |
| acl-filter/src/lib.rs | Implements AclFilter network function and packet summary logic. |
| acl-filter/src/display.rs | Adds CLI/display decoding of lowered ACL rules and defaults. |
| acl-filter/src/context.rs | Builds lowered match-action tables and default-action map from validated overlay ACLs. |
| acl-filter/src/access.rs | Implements hot-swappable AclFilterContext reader/writer handles. |
| acl-filter/Cargo.toml | New crate manifest with deps and dev-deps for tests. |
| let remote_vni = overlay.vpc_table().get_remote_vni(peering); | ||
| for acl_rule in acl.rules() { | ||
| ruleset.insert( | ||
| local_vni, | ||
| remote_vni, |
7f5a882 to
82cb6ae
Compare
ICMP doesn't really deserve any specific treatment internally, as we can trivially implement it with AclProtoMatch::Other(1). Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add a new crate containing the implementation for the user ACLs: list of access control rules that allow or deny specific packets or flow. We recently introduced support for parsing and validating user ACL objects; The new pipeline stage builds up context tables from validated ACLs, and then apply the rules on coming packets. With the "scope: flow" option, reply traffic for authorized flows is automatically allowed as well (unless another explicit rule denies it). This mode should be extended to all NAT modes (including no-NAT) in the future, but is only supported with masquerade and port forwarding at this time. Signed-off-by: Quentin Monnet <qmo@qmon.net>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add unit tests to validate the behaviour of the new ACL filter pipeline stage. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add a pipeline stage with the recently-added ACL filter to the main pipeline, so that users can enforce ACLs on the traffic. Signed-off-by: Quentin Monnet <qmo@qmon.net>
82cb6ae to
f615f3a
Compare
Based on #1618
It will probably require some changes in the way we use the ACLs (similar to the flow-filter reimplementation from #1611).