Skip to content

User ACLs logic implementation#1634

Open
qmonnet wants to merge 9 commits into
mainfrom
pr/qmonnet/user-acls
Open

User ACLs logic implementation#1634
qmonnet wants to merge 9 commits into
mainfrom
pr/qmonnet/user-acls

Conversation

@qmonnet

@qmonnet qmonnet commented Jul 13, 2026

Copy link
Copy Markdown
Member

Based on #1618

It will probably require some changes in the way we use the ACLs (similar to the flow-filter reimplementation from #1611).

@qmonnet qmonnet added the area/acl Related to ACLs (Access Control Lists) label Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 22f27dec-435c-4ca2-9f1d-3387a870d64c

📥 Commits

Reviewing files that changed from the base of the PR and between 82cb6ae and f615f3a.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (16)
  • Cargo.toml
  • acl-filter/Cargo.toml
  • acl-filter/src/access.rs
  • acl-filter/src/context.rs
  • acl-filter/src/display.rs
  • acl-filter/src/lib.rs
  • acl-filter/src/tests.rs
  • acl/src/reference/table.rs
  • config/src/external/overlay/acl.rs
  • dataplane/Cargo.toml
  • dataplane/src/packet_processor/mod.rs
  • dataplane/src/runtime.rs
  • lpm/src/prefix/with_ports.rs
  • mgmt/Cargo.toml
  • mgmt/src/processor/proc.rs
  • mgmt/src/tests/mgmt.rs
📝 Walkthrough

Walkthrough

Adds a Rust ACL filter crate that builds tables from validated overlay ACLs, evaluates packet and flow-scoped rules, formats table state, tests behavior, and integrates configuration updates with dataplane packet processing.

Changes

ACL filter implementation

Layer / File(s) Summary
ACL contracts and matching conversions
Cargo.toml, acl-filter/Cargo.toml, acl/src/reference/table.rs, config/src/external/overlay/*, lpm/Cargo.toml, lpm/src/prefix/*
Adds the ACL filter workspace crate, ACL validation/accessors, reference-table rule access, and IP prefix and port-range conversions.
ACL context and lookup tables
acl-filter/src/access.rs, acl-filter/src/context.rs
Builds protocol-specific IPv4/IPv6 ACL tables from validated overlays and provides hot-swappable context handles.
Packet filtering and table display
acl-filter/src/lib.rs, acl-filter/src/display.rs
Extracts packet summaries, evaluates direct and reverse flow-aware matches, applies filtering outcomes, and formats ACL tables.
ACL filter behavior validation
acl-filter/src/tests.rs
Tests defaults, rule ordering, protocol and IPv6 matching, flow scope, reply handling, and NAT pipeline behavior.
Dataplane and management wiring
dataplane/..., mgmt/...
Adds ACL context writers to configuration processing, inserts the ACL filter into the dataplane pipeline, and applies validated ACL updates.

Possibly related PRs

Suggested reviewers: mvachhar, sergeymatov, fredi-raspall, daniel-noland

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 59.65% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and clearly matches the main change: implementing ACL logic for users/dataplane.
Description check ✅ Passed The description is related to the ACL implementation and its expected usage changes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

@qmonnet qmonnet linked an issue Jul 13, 2026 that may be closed by this pull request
@qmonnet qmonnet changed the title User ACL logic implementation User ACLs logic implementation Jul 13, 2026
@qmonnet qmonnet force-pushed the pr/qmonnet/user-acls branch 2 times, most recently from 53fbdae to 5526612 Compare July 13, 2026 17:10
@qmonnet qmonnet marked this pull request as ready for review July 13, 2026 17:11
@qmonnet qmonnet requested a review from a team as a code owner July 13, 2026 17:11
@qmonnet qmonnet requested review from Fredi-raspall, daniel-noland and mvachhar and removed request for a team July 13, 2026 17:11
Base automatically changed from ema/acl-crd-converters to main July 13, 2026 18:06
qmonnet added 4 commits July 14, 2026 11:03
In preparation for using port ranges with ACL tables, implement trait
From to convert types with ports into RangeSpec<u16> elements.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
No need to clone the enum variants.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add a way to return the ValidatedAcl object attached to a
ValidatedPeering, if any. We'll use it to process the ACL rules in a
future commit.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
There's no point in allowing an empty list in the first place: remove
the ACL list (to allow all), or the peering altogether (to deny all).
This will also avoid the corner case of an empty list when building the
context for the ACLs.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet qmonnet force-pushed the pr/qmonnet/user-acls branch from 5526612 to 81463d2 Compare July 14, 2026 10:20

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
acl-filter/src/tests.rs (1)

644-654: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider testing prefix matching against pre-NAT addresses through the real NAT pipeline.

The e2e ACL rule uses empty src/dst patterns (match-all), so this test never validates that a prefix-restricted rule correctly matches the VPC-internal addresses present at ACL-evaluation time (as opposed to the translated/public addresses). Since the module doc comment specifically calls out this address-timing contract, a rule with concrete prefixes (e.g. matching 1.2.3.0/24/192.168.0.0/24) plus a negative case (a prefix that would only match the public/translated addresses) would give confidence the placement is correct rather than just documented.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@acl-filter/src/tests.rs` around lines 644 - 654, Update the build_overlay
test fixture to use concrete source and destination prefixes matching the
pre-NAT VPC addresses, such as 1.2.3.0/24 and 192.168.0.0/24, instead of empty
match-all patterns. Extend the real NAT-pipeline test with a negative case using
prefixes that match only translated/public addresses, while preserving the
existing UDP flow rule and ACL behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@acl-filter/src/context.rs`:
- Around line 97-116: In insert_for_src_and_dst_prefix, correct the non-TCP/UDP
IPv6 match arm to append rules to self.other_v6 instead of self.other_v4, while
preserving the existing TCP/UDP routing and IPv4 behavior.

In `@acl-filter/src/tests.rs`:
- Around line 600-608: Update the end-to-end flow-scope test comment to describe
the ACL filter’s address state as pre-source-NAT and pre-destination-NAT,
replacing the incorrect post-destination-NAT wording while preserving the
surrounding NAT and flow-link explanation.

---

Nitpick comments:
In `@acl-filter/src/tests.rs`:
- Around line 644-654: Update the build_overlay test fixture to use concrete
source and destination prefixes matching the pre-NAT VPC addresses, such as
1.2.3.0/24 and 192.168.0.0/24, instead of empty match-all patterns. Extend the
real NAT-pipeline test with a negative case using prefixes that match only
translated/public addresses, while preserving the existing UDP flow rule and ACL
behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ee2311e1-0af3-4640-bc97-5facff832f41

📥 Commits

Reviewing files that changed from the base of the PR and between 79ef5d3 and 81463d2.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (19)
  • Cargo.toml
  • acl-filter/Cargo.toml
  • acl-filter/src/access.rs
  • acl-filter/src/context.rs
  • acl-filter/src/display.rs
  • acl-filter/src/lib.rs
  • acl-filter/src/tests.rs
  • acl/src/reference/table.rs
  • config/src/external/overlay/acl.rs
  • config/src/external/overlay/vpc.rs
  • dataplane/Cargo.toml
  • dataplane/src/packet_processor/mod.rs
  • dataplane/src/runtime.rs
  • lpm/Cargo.toml
  • lpm/src/prefix/ip.rs
  • lpm/src/prefix/with_ports.rs
  • mgmt/Cargo.toml
  • mgmt/src/processor/proc.rs
  • mgmt/src/tests/mgmt.rs

Comment thread acl-filter/src/context.rs
Comment thread acl-filter/src/tests.rs
Copilot AI review requested due to automatic review settings July 14, 2026 10:39
@qmonnet qmonnet force-pushed the pr/qmonnet/user-acls branch from 81463d2 to 7f5a882 Compare July 14, 2026 10:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Implements dataplane-side enforcement for the newly introduced user ACLs by adding an acl-filter stage to the packet-processing pipeline, wiring its hot-swappable context into the config processor, and adding the supporting model conversions and validation.

Changes:

  • Add new acl-filter crate implementing AclFilter network function + context building, display, and comprehensive tests.
  • Integrate ACL context publication into mgmt config processing and inject AclFilter stage after flow-filter in the dataplane pipeline.
  • Add match-action lowering helpers in lpm (prefix/port specs) and tighten ACL validation (reject empty ACL rule lists).

Reviewed changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
mgmt/src/tests/mgmt.rs Adds AclFilterContextWriter to test processor setup.
mgmt/src/processor/proc.rs Publishes AclFilterContext on reconfig and applies ACL config during processing.
mgmt/Cargo.toml Adds workspace dependency on acl-filter.
lpm/src/prefix/with_ports.rs Adds RangeSpec<u16> conversions + wildcard const for ACL lowering.
lpm/src/prefix/ip.rs Adds conversions from IPv4/IPv6 prefix types into match_action::PrefixSpec.
lpm/Cargo.toml Adds dependency on match-action.
dataplane/src/runtime.rs Wires ACL context writer into ConfigProcessorParams.
dataplane/src/packet_processor/mod.rs Installs AclFilter stage after flow-filter; creates reader/writer handles.
dataplane/Cargo.toml Adds workspace dependency on acl-filter.
config/src/external/overlay/vpc.rs Exposes validated peering ACL via ValidatedPeering::acl().
config/src/external/overlay/acl.rs Makes AclProtoMatch Copy, tweaks proto accessor, makes Acl::new public, rejects empty ACLs, adds tests.
Cargo.toml Adds acl-filter workspace member + workspace metadata.
Cargo.lock Records new dataplane-acl-filter package and dependency updates.
acl/src/reference/table.rs Adds accessor to read back stored rules for display/debugging.
acl-filter/src/tests.rs Adds unit + end-to-end tests for packet/flow scope behavior and NAT interactions.
acl-filter/src/lib.rs Implements AclFilter network function and packet summary logic.
acl-filter/src/display.rs Adds CLI/display decoding of lowered ACL rules and defaults.
acl-filter/src/context.rs Builds lowered match-action tables and default-action map from validated overlay ACLs.
acl-filter/src/access.rs Implements hot-swappable AclFilterContext reader/writer handles.
acl-filter/Cargo.toml New crate manifest with deps and dev-deps for tests.

Comment thread acl-filter/src/context.rs Outdated
Comment on lines +128 to +132
let remote_vni = overlay.vpc_table().get_remote_vni(peering);
for acl_rule in acl.rules() {
ruleset.insert(
local_vni,
remote_vni,
Comment thread acl-filter/src/lib.rs
Comment thread acl-filter/src/lib.rs
Comment thread acl-filter/src/lib.rs
@qmonnet qmonnet force-pushed the pr/qmonnet/user-acls branch from 7f5a882 to 82cb6ae Compare July 14, 2026 12:17
qmonnet and others added 5 commits July 14, 2026 15:56
ICMP doesn't really deserve any specific treatment internally, as we can
trivially implement it with AclProtoMatch::Other(1).

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add a new crate containing the implementation for the user ACLs: list of
access control rules that allow or deny specific packets or flow. We
recently introduced support for parsing and validating user ACL objects;
The new pipeline stage builds up context tables from validated ACLs, and
then apply the rules on coming packets.

With the "scope: flow" option, reply traffic for authorized flows is
automatically allowed as well (unless another explicit rule denies it).
This mode should be extended to all NAT modes (including no-NAT) in the
future, but is only supported with masquerade and port forwarding at
this time.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add unit tests to validate the behaviour of the new ACL filter pipeline
stage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add a pipeline stage with the recently-added ACL filter to the main
pipeline, so that users can enforce ACLs on the traffic.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
@qmonnet qmonnet force-pushed the pr/qmonnet/user-acls branch from 82cb6ae to f615f3a Compare July 14, 2026 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/acl Related to ACLs (Access Control Lists)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

User ACL logic implementation

2 participants