Prevent guest traffic from reaching the backplane

Author: Nieuwejaar

dpd-api/src/lib.rs

@@ -59,6 +59,7 @@ api_versions!([
     // |  example for the next person.
     // v
     // (next_int, IDENT),
+    (5, UPLINK_PORTS),
     (4, V4_OVER_V6_ROUTES),
     (3, ATTACHED_SUBNETS),
     (2, DUAL_STACK_NAT_WORKFLOW),
@@ -988,21 +989,50 @@ pub trait DpdApi {
     #[endpoint {
         method = GET,
         path = "/ports/{port_id}/links/{link_id}/nat_only",
+	versions = ..VERSION_UPLINK_PORTS
     }]
     async fn link_nat_only_get(
         rqctx: RequestContext<Self::Context>,
         path: Path<LinkPath>,
+    ) -> Result<HttpResponseOk<bool>, HttpError> {
+        Self::link_uplink_get(rqctx, path).await
+    }
+
+    /// Return whether a port is intended to carry uplink traffic
+    #[endpoint {
+        method = GET,
+        path = "/ports/{port_id}/links/{link_id}/uplink",
+	versions = VERSION_UPLINK_PORTS..
+    }]
+    async fn link_uplink_get(
+        rqctx: RequestContext<Self::Context>,
+        path: Path<LinkPath>,
     ) -> Result<HttpResponseOk<bool>, HttpError>;
 
     /// Set whether a port is configured to use drop non-nat traffic
     #[endpoint {
         method = PUT,
         path = "/ports/{port_id}/links/{link_id}/nat_only",
+	versions = ..VERSION_UPLINK_PORTS
     }]
     async fn link_nat_only_set(
         rqctx: RequestContext<Self::Context>,
         path: Path<LinkPath>,
         body: TypedBody<bool>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+        Self::link_uplink_set(rqctx, path, body).await
+    }
+
+    /// Set whether a port is intended to carry uplink traffic
+    #[endpoint {
+        method = PUT,
+        path = "/ports/{port_id}/links/{link_id}/uplink",
+	versions = VERSION_UPLINK_PORTS..
+    }]
+    async fn link_uplink_set(
+        rqctx: RequestContext<Self::Context>,
+        path: Path<LinkPath>,
+        body: TypedBody<bool>,
     ) -> Result<HttpResponseUpdatedNoContent, HttpError>;
 
     /// Get the event history for the given link.

dpd-client/tests/integration_tests/attached_subnet.rs

@@ -116,6 +116,7 @@ async fn test_egress(switch: &Switch, test: &ExternalTest) -> TestResult {
         tag: switch.client.inner().tag.clone(),
     };
     switch.client.link_ipv6_create(&port_id, &link_id, &entry).await.unwrap();
+    switch.set_uplink(test.uplink_port, true).await;
 
     // populate the ndp/arp table with the upstream router's mac and IP.
     if test.upstream_router_ip.parse::<Ipv4Addr>().is_ok() {

dpd-client/tests/integration_tests/common.rs

@@ -537,6 +537,15 @@ impl Switch {
         Ok(())
     }
 
+    pub async fn set_uplink(&self, phys_port: PhysPort, uplink: bool) {
+        let (port_id, link_id) = self.link_id(phys_port).unwrap();
+        self.client
+            .link_uplink_set(&port_id, &link_id, uplink)
+            .await
+            .unwrap()
+            .into_inner()
+    }
+
     pub fn tofino_port(&self, phys_port: PhysPort) -> u16 {
         let idx: usize = phys_port.into();
         if phys_port == NO_PORT {

dpd-client/tests/integration_tests/counters.rs

@@ -202,16 +202,16 @@ async fn test_nat_filtering() -> TestResult {
     );
 
     let (port_id, link_id) = switch.link_id(ingress).unwrap();
-    // Mark the port as NAT-only
-    switch.client.link_nat_only_set(&port_id, &link_id, true).await.unwrap();
+    // Mark the port as uplink
+    switch.client.link_uplink_set(&port_id, &link_id, true).await.unwrap();
 
     // We run the test now, but defer the evaluation of the result.  This lets
-    // us clean up the NAT-only change even on a test failure.
+    // us clean up the uplink change even on a test failure.
     let result =
         one_drop_test(switch, ingress, packet, "nat_ingress_miss").await;
 
-    // Remove the NAT-only property
-    switch.client.link_nat_only_set(&port_id, &link_id, false).await.unwrap();
+    // Remove the uplink property
+    switch.client.link_uplink_set(&port_id, &link_id, false).await.unwrap();
 
     assert!(result?);
     Ok(())

dpd-client/tests/integration_tests/icmp_ipv4.rs

@@ -88,22 +88,14 @@ async fn execute_ping_reply_test(
 
     if enable_nat_filtering {
         // Mark the port as NAT-only
-        switch
-            .client
-            .link_nat_only_set(&port_id, &link_id, true)
-            .await
-            .unwrap();
+        switch.client.link_uplink_set(&port_id, &link_id, true).await.unwrap();
     }
 
     let result = switch.packet_test(vec![send], vec![recv]);
 
     if enable_nat_filtering {
         // Mark the port as NAT-only
-        switch
-            .client
-            .link_nat_only_set(&port_id, &link_id, false)
-            .await
-            .unwrap();
+        switch.client.link_uplink_set(&port_id, &link_id, false).await.unwrap();
     }
     result
 }
@@ -116,7 +108,7 @@ async fn test_ping_ipv4_reply() -> TestResult {
 
 #[tokio::test]
 #[ignore]
-async fn test_ping_ipv4_reply_nat_only() -> TestResult {
+async fn test_ping_ipv4_reply_uplink() -> TestResult {
     execute_ping_reply_test(true, false).await
 }
 
@@ -128,7 +120,7 @@ async fn test_ping_ipv4_vlan_reply() -> TestResult {
 
 #[tokio::test]
 #[ignore]
-async fn test_ping_ipv4_vlan_reply_nat_only() -> TestResult {
+async fn test_ping_ipv4_vlan_reply_uplink() -> TestResult {
     execute_ping_reply_test(true, true).await
 }
 
@@ -177,22 +169,14 @@ async fn execute_ping_ipv4_forward_test(
 
     if enable_nat_filtering {
         // Mark the port as NAT-only
-        switch
-            .client
-            .link_nat_only_set(&port_id, &link_id, true)
-            .await
-            .unwrap();
+        switch.client.link_uplink_set(&port_id, &link_id, true).await.unwrap();
     }
 
     let result = switch.packet_test(vec![send], vec![recv]);
 
     if enable_nat_filtering {
         // Mark the port as NAT-only
-        switch
-            .client
-            .link_nat_only_set(&port_id, &link_id, false)
-            .await
-            .unwrap();
+        switch.client.link_uplink_set(&port_id, &link_id, false).await.unwrap();
     }
     result
 }
@@ -205,6 +189,6 @@ async fn test_ping_ipv4_forward() -> TestResult {
 
 #[tokio::test]
 #[ignore]
-async fn test_ping_ipv4_forward_nat_only() -> TestResult {
+async fn test_ping_ipv4_forward_uplink() -> TestResult {
     execute_ping_ipv4_forward_test(true).await
 }

dpd-client/tests/integration_tests/nat.rs

@@ -171,6 +171,7 @@ struct NatTest {
     // uplink network info
     uplink_port: PhysPort,
     uplink_port_external: String, // external addr assigned to our upstream port
+    uplink_port_registered: bool, // register this port as an uplink
     uplink_route: String,         // subnet to which the switch is connected
     router_ip: String,            // ip address of the upstream router
     router_mac: String,           // mac address of the upstream router
@@ -207,6 +208,8 @@ async fn test_nat_egress(switch: &Switch, test: &NatTest) -> TestResult {
     };
     switch.client.link_ipv6_create(&port_id, &link_id, &entry).await.unwrap();
 
+    switch.set_uplink(test.uplink_port, test.uplink_port_registered).await;
+
     if test.router_ip.parse::<Ipv4Addr>().is_ok() {
         common::set_route_ipv4(
             switch,
@@ -293,15 +296,25 @@ async fn test_nat_egress(switch: &Switch, test: &NatTest) -> TestResult {
         &payload[14..],
     );
 
-    let mut to_recv =
-        common::gen_packet_routed(switch, test.uplink_port, &payload_pkt);
-    eth::EthHdr::rewrite_dmac(&mut to_recv, router_mac);
+    let expected = match test.uplink_port_registered {
+        true => {
+            let mut to_recv = common::gen_packet_routed(
+                switch,
+                test.uplink_port,
+                &payload_pkt,
+            );
+            eth::EthHdr::rewrite_dmac(&mut to_recv, router_mac);
+            vec![TestPacket {
+                packet: Arc::new(to_recv),
+                port: test.uplink_port,
+            }]
+        }
+        false => Vec::new(),
+    };
 
     let send = TestPacket { packet: Arc::new(to_send), port: test.gimlet_port };
-    let expected =
-        TestPacket { packet: Arc::new(to_recv), port: test.uplink_port };
 
-    switch.packet_test(vec![send], vec![expected])
+    switch.packet_test(vec![send], expected)
 }
 
 async fn test_nat_ingress(switch: &Switch, test: &NatTest) -> TestResult {
@@ -448,15 +461,16 @@ async fn test_nat_ingress(switch: &Switch, test: &NatTest) -> TestResult {
     switch.packet_test(send, expected)
 }
 
-// UDP packet to/from IPv4 addresses, with an IPv6 address for the OPTE host
-#[tokio::test]
-#[ignore]
-async fn test_egress_ipv4() -> TestResult {
-    let switch = &*get_switch().await;
-
+// packet to/from IPv4 addresses, with an IPv6 address for the OPTE host
+async fn test_egress_ipv4(
+    switch: &Switch,
+    l4_protocol: L4Protocol,
+    uplink_port_registered: bool,
+) -> TestResult {
     let test = NatTest {
         uplink_port: PhysPort(14),
         uplink_port_external: "192.168.1.2".to_string(),
+        uplink_port_registered,
         uplink_route: "0.0.0.0/0".to_string(),
         router_ip: "192.168.1.1".to_string(),
         router_mac: "02:aa:bb:cc:dd:ee".to_string(),
@@ -474,44 +488,43 @@ async fn test_egress_ipv4() -> TestResult {
         gimlet_port_ip: "fd00:1122:3344:0101::5".to_string(),
 
         nat_l4_port: 10,
-        l4_protocol: L4Protocol::Udp,
+        l4_protocol,
         geneve_vni: 1, // not used on egress tests
     };
 
     test_nat_egress(switch, &test).await
 }
 
-// ICMP packet to/from IPv4 addresses, with an IPv6 address for the OPTE host
+// UDP packet to/from IPv4 addresses
 #[tokio::test]
 #[ignore]
-async fn test_egress_ipv4_icmp() -> TestResult {
+async fn test_egress_ipv4_udp() -> TestResult {
     let switch = &*get_switch().await;
+    test_egress_ipv4(switch, L4Protocol::Udp, true).await
+}
 
-    let test = NatTest {
-        uplink_port: PhysPort(14),
-        uplink_port_external: "192.168.1.2".to_string(),
-        uplink_route: "0.0.0.0/0".to_string(),
-        router_ip: "192.168.1.1".to_string(),
-        router_mac: "02:aa:bb:cc:dd:ee".to_string(),
-
-        vpc_src_ip: "172.16.10.33".to_string(),
-        vpc_src_mac: "04:01:01:01:01:01".to_string(),
-        vpc_src_port: 3333,
-        vpc_dst_ip: "10.10.10.32".to_string(),
-        vpc_dst_mac: "04:01:01:01:01:02".to_string(),
-        vpc_dst_port: 4444,
-
-        gimlet_port: PhysPort(10),
-        gimlet_ip: "fd00:1122:7788:0101::4".to_string(),
-        gimlet_mac: "11:22:33:44:55:66".to_string(),
-        gimlet_port_ip: "fd00:1122:3344:0101::5".to_string(),
+// TCP packet to/from IPv4 addresses
+#[tokio::test]
+#[ignore]
+async fn test_egress_ipv4_tcp() -> TestResult {
+    let switch = &*get_switch().await;
+    test_egress_ipv4(switch, L4Protocol::Tcp, true).await
+}
 
-        nat_l4_port: 10,
-        l4_protocol: L4Protocol::Icmp,
-        geneve_vni: 1, // not used on egress tests
-    };
+// ICMP packet to/from IPv4 addresses
+#[tokio::test]
+#[ignore]
+async fn test_egress_ipv4_icmp() -> TestResult {
+    let switch = &*get_switch().await;
+    test_egress_ipv4(switch, L4Protocol::Icmp, true).await
+}
 
-    test_nat_egress(switch, &test).await
+// UDP packet to an IPv4 address, egressing a backplane port.
+#[tokio::test]
+#[ignore]
+async fn test_backplane_egress_ipv4_udp() -> TestResult {
+    let switch = &*get_switch().await;
+    test_egress_ipv4(switch, L4Protocol::Udp, false).await
 }
 
 async fn test_ingress_ipv4(
@@ -521,6 +534,7 @@ async fn test_ingress_ipv4(
     let test = NatTest {
         uplink_port: PhysPort(14),
         uplink_port_external: "192.168.1.2".to_string(),
+        uplink_port_registered: true,
         uplink_route: "unused".to_string(),
         router_ip: "192.168.1.1".to_string(),
         router_mac: "02:aa:bb:cc:dd:ee".to_string(),
@@ -574,14 +588,16 @@ async fn test_ingress_ipv4_tcp() -> TestResult {
     test_ingress_ipv4(switch, L4Protocol::Tcp).await
 }
 
-// UDP packet to/from IPv6 addresses,
+// packet to/from IPv6 addresses,
 async fn test_egress_ipv6(
     switch: &Switch,
     l4_protocol: L4Protocol,
+    uplink_port_registered: bool,
 ) -> TestResult {
     let test = NatTest {
         uplink_port: PhysPort(14),
         uplink_port_external: "fd00:3344:5566::4".to_string(),
+        uplink_port_registered,
         uplink_route: "0::0/0".to_string(),
         router_ip: "fd00:3344:5566::1".to_string(),
         router_mac: "02:aa:bb:cc:dd:ee".to_string(),
@@ -610,14 +626,21 @@ async fn test_egress_ipv6(
 #[ignore]
 async fn test_egress_ipv6_udp() -> TestResult {
     let switch = &*get_switch().await;
-    test_egress_ipv6(switch, L4Protocol::Udp).await
+    test_egress_ipv6(switch, L4Protocol::Udp, true).await
 }
 
 #[tokio::test]
 #[ignore]
 async fn test_egress_ipv6_tcp() -> TestResult {
     let switch = &*get_switch().await;
-    test_egress_ipv6(switch, L4Protocol::Tcp).await
+    test_egress_ipv6(switch, L4Protocol::Tcp, true).await
+}
+
+#[tokio::test]
+#[ignore]
+async fn test_backplane_egress_ipv6_tcp() -> TestResult {
+    let switch = &*get_switch().await;
+    test_egress_ipv6(switch, L4Protocol::Tcp, false).await
 }
 
 async fn test_ingress_ipv6(
@@ -627,6 +650,7 @@ async fn test_ingress_ipv6(
     let test = NatTest {
         uplink_port: PhysPort(14),
         uplink_port_external: "fd00:3344:5566::4".to_string(),
+        uplink_port_registered: true,
         uplink_route: "0:0::0/0".to_string(),
         router_ip: "fd00:3344:5566::1".to_string(),
         router_mac: "02:aa:bb:cc:dd:ee".to_string(),