Add support for ICMPv6 protocol filter in firewall rules

This splits out the pre-existing, shared firewall protocol enum from
`omicron-common` into local versions for Nexus and the sled-agent. This
reflects the fact that the type was present from the initial version
anyway, and lets make normal updates to the API. This also adds new
versions to the Nexus and sled-agent APIs with type conversions and
endpoint handlers.

Fixes #9908

Author: bnaecker

clients/sled-agent-client/src/lib.rs

@@ -270,6 +270,7 @@ impl From<omicron_common::api::external::VpcFirewallRuleProtocol>
             Tcp => Self::Tcp,
             Udp => Self::Udp,
             Icmp(v) => Self::Icmp(v),
+            Icmp6(v) => Self::Icmp6(v),
         }
     }
 }

common/src/api/external/mod.rs

@@ -1877,8 +1877,7 @@ pub enum VpcFirewallRuleProtocol {
     Tcp,
     Udp,
     Icmp(Option<VpcFirewallIcmpFilter>),
-    // TODO: IPv6 not supported by instances.
-    // Icmpv6(Option<VpcFirewallIcmpFilter>),
+    Icmp6(Option<VpcFirewallIcmpFilter>),
     // TODO: OPTE does not yet permit further L4 protocols. (opte#609)
     // Other(u16),
 }
@@ -1901,6 +1900,12 @@ impl FromStr for VpcFirewallRuleProtocol {
             (lhs, Some(rhs)) if lhs.eq_ignore_ascii_case("icmp") => {
                 Ok(Self::Icmp(Some(rhs.parse()?)))
             }
+            (lhs, None) if lhs.eq_ignore_ascii_case("icmp6") => {
+                Ok(Self::Icmp6(None))
+            }
+            (lhs, Some(rhs)) if lhs.eq_ignore_ascii_case("icmp6") => {
+                Ok(Self::Icmp6(Some(rhs.parse()?)))
+            }
             (lhs, None) => Err(Error::invalid_value(
                 "vpc_firewall_rule_protocol",
                 format!("unrecognized protocol: {lhs}"),
@@ -1930,6 +1935,8 @@ impl Display for VpcFirewallRuleProtocol {
             VpcFirewallRuleProtocol::Udp => write!(f, "udp"),
             VpcFirewallRuleProtocol::Icmp(None) => write!(f, "icmp"),
             VpcFirewallRuleProtocol::Icmp(Some(v)) => write!(f, "icmp:{v}"),
+            VpcFirewallRuleProtocol::Icmp6(None) => write!(f, "icmp6"),
+            VpcFirewallRuleProtocol::Icmp6(Some(v)) => write!(f, "icmp6:{v}"),
         }
     }
 }

illumos-utils/src/opte/firewall_rules.rs

@@ -110,6 +110,14 @@ impl FromVpcFirewallRule for ResolvedVpcFirewallRule {
                             }
                         }))
                     }
+                    VpcFirewallRuleProtocol::Icmp6(v) => {
+                        ProtoFilter::Icmpv6(v.map(|v| {
+                            oxide_vpc::api::IcmpFilter {
+                                ty: v.icmp_type,
+                                codes: v.code.map(Into::into),
+                            }
+                        }))
+                    }
                 })
                 .collect(),
             _ => vec![ProtoFilter::Any],

nexus/external-api/src/lib.rs

@@ -48,6 +48,7 @@ use openapiv3::OpenAPI;
 mod v2025_11_20_00_local;
 mod v2026_01_01_00_local;
 mod v2026_01_30_00_local;
+mod v2026_03_14_00_local;
 
 api_versions!([
     // API versions are in the format YYYY_MM_DD_NN.0.0, defined below as
@@ -78,6 +79,7 @@ api_versions!([
     // |  date-based version should be at the top of the list.
     // v
     // (next_yyyy_mm_dd_nn, IDENT),
+    (2026_03_18_00, ADD_ICMPV6_FIREWALL_SUPPORT),
     (2026_03_14_00, MULTICAST_DROP_MVLAN),
     (2026_03_12_00, CAPITALIZE_DESCRIPTIONS),
     (2026_03_06_01, SWITCH_SLOT_ENUM),
@@ -6080,12 +6082,31 @@ pub trait NexusExternalApi {
         method = GET,
         path = "/v1/vpc-firewall-rules",
         tags = ["vpcs"],
+        versions = VERSION_ADD_ICMPV6_FIREWALL_SUPPORT..,
     }]
     async fn vpc_firewall_rules_view(
         rqctx: RequestContext<Self::Context>,
         query_params: Query<latest::vpc::VpcSelector>,
     ) -> Result<HttpResponseOk<VpcFirewallRules>, HttpError>;
 
+    /// List firewall rules
+    #[endpoint {
+        operation_id = "vpc_firewall_rules_view",
+        method = GET,
+        path = "/v1/vpc-firewall-rules",
+        tags = ["vpcs"],
+        versions = ..VERSION_ADD_ICMPV6_FIREWALL_SUPPORT,
+    }]
+    async fn vpc_firewall_rules_view_v2026_03_14_00(
+        rqctx: RequestContext<Self::Context>,
+        query_params: Query<latest::vpc::VpcSelector>,
+    ) -> Result<HttpResponseOk<v2026_03_14_00_local::VpcFirewallRules>, HttpError>
+    {
+        Self::vpc_firewall_rules_view(rqctx, query_params).await.and_then(
+            |resp| resp.try_map(TryInto::try_into).map_err(HttpError::from),
+        )
+    }
+
     // Note: the limits in the below comment come from the firewall rules model
     // file, nexus/db-model/src/vpc_firewall_rule.rs.
 
@@ -6107,13 +6128,36 @@ pub trait NexusExternalApi {
         method = PUT,
         path = "/v1/vpc-firewall-rules",
         tags = ["vpcs"],
+        versions = VERSION_ADD_ICMPV6_FIREWALL_SUPPORT..,
     }]
     async fn vpc_firewall_rules_update(
         rqctx: RequestContext<Self::Context>,
         query_params: Query<latest::vpc::VpcSelector>,
-        router_params: TypedBody<VpcFirewallRuleUpdateParams>,
+        update: TypedBody<VpcFirewallRuleUpdateParams>,
     ) -> Result<HttpResponseOk<VpcFirewallRules>, HttpError>;
 
+    /// Replace firewall rules
+    #[endpoint {
+        operation_id = "vpc_firewall_rules_update",
+        method = PUT,
+        path = "/v1/vpc-firewall-rules",
+        tags = ["vpcs"],
+        versions = ..VERSION_ADD_ICMPV6_FIREWALL_SUPPORT,
+    }]
+    async fn vpc_firewall_rules_update_v2026_03_14_00(
+        rqctx: RequestContext<Self::Context>,
+        query_params: Query<latest::vpc::VpcSelector>,
+        update: TypedBody<v2026_03_14_00_local::VpcFirewallRuleUpdateParams>,
+    ) -> Result<HttpResponseOk<v2026_03_14_00_local::VpcFirewallRules>, HttpError>
+    {
+        let body = update.map(Into::into);
+        Self::vpc_firewall_rules_update(rqctx, query_params, body)
+            .await
+            .and_then(|resp| {
+                resp.try_map(TryInto::try_into).map_err(HttpError::from)
+            })
+    }
+
     // VPC Routers
 
     /// List routers

nexus/external-api/src/v2026_03_14_00_local.rs

@@ -0,0 +1,236 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Types from API version 2026_03_14_00 that cannot live in `nexus-types-versions`
+//! because they convert to/from `omicron-common` types (orphan rule).
+
+use api_identity::ObjectIdentity;
+use omicron_common::api::external;
+use omicron_common::api::external::Error;
+use omicron_common::api::external::IdentityMetadata;
+use omicron_common::api::external::L4PortRange;
+use omicron_common::api::external::Name;
+use omicron_common::api::external::ObjectIdentity;
+use omicron_common::api::external::VpcFirewallIcmpFilter;
+use omicron_common::api::external::VpcFirewallRuleAction;
+use omicron_common::api::external::VpcFirewallRuleDirection;
+use omicron_common::api::external::VpcFirewallRuleHostFilter;
+use omicron_common::api::external::VpcFirewallRulePriority;
+use omicron_common::api::external::VpcFirewallRuleStatus;
+use omicron_common::api::external::VpcFirewallRuleTarget;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use uuid::Uuid;
+
+/// The protocols that may be specified in a firewall rule's filter.
+//
+// This is the version of the enum without `Icmp6`, for API versions up
+// through `MULTICAST_DROP_MVLAN`.
+#[derive(Clone, Copy, Debug, PartialEq, Deserialize, Serialize, JsonSchema)]
+#[serde(rename_all = "snake_case")]
+#[serde(tag = "type", content = "value")]
+pub enum VpcFirewallRuleProtocol {
+    Tcp,
+    Udp,
+    Icmp(Option<VpcFirewallIcmpFilter>),
+}
+
+impl From<VpcFirewallRuleProtocol> for external::VpcFirewallRuleProtocol {
+    fn from(p: VpcFirewallRuleProtocol) -> Self {
+        match p {
+            VpcFirewallRuleProtocol::Tcp => Self::Tcp,
+            VpcFirewallRuleProtocol::Udp => Self::Udp,
+            VpcFirewallRuleProtocol::Icmp(v) => Self::Icmp(v),
+        }
+    }
+}
+
+/// Filters reduce the scope of a firewall rule.
+//
+// This is the version of the filter without `Icmp6` protocol support, for API
+// versions up through `MULTICAST_DROP_MVLAN`.
+#[derive(Clone, Debug, PartialEq, Deserialize, Serialize, JsonSchema)]
+pub struct VpcFirewallRuleFilter {
+    /// If present, host filters match the "other end" of traffic from the
+    /// target's perspective: for an inbound rule, they match the source of
+    /// traffic. For an outbound rule, they match the destination.
+    #[schemars(length(max = 256))]
+    pub hosts: Option<Vec<VpcFirewallRuleHostFilter>>,
+
+    /// If present, the networking protocols this rule applies to.
+    #[schemars(length(max = 256))]
+    pub protocols: Option<Vec<VpcFirewallRuleProtocol>>,
+
+    /// If present, the destination ports or port ranges this rule applies to.
+    #[schemars(length(max = 256))]
+    pub ports: Option<Vec<L4PortRange>>,
+}
+
+impl TryFrom<external::VpcFirewallRuleFilter> for VpcFirewallRuleFilter {
+    type Error = Error;
+
+    fn try_from(f: external::VpcFirewallRuleFilter) -> Result<Self, Error> {
+        let protocols = f
+            .protocols
+            .map(|ps| {
+                ps.into_iter()
+                    .map(|p| match p {
+                        external::VpcFirewallRuleProtocol::Tcp => {
+                            Ok(VpcFirewallRuleProtocol::Tcp)
+                        }
+                        external::VpcFirewallRuleProtocol::Udp => {
+                            Ok(VpcFirewallRuleProtocol::Udp)
+                        }
+                        external::VpcFirewallRuleProtocol::Icmp(v) => {
+                            Ok(VpcFirewallRuleProtocol::Icmp(v))
+                        }
+                        external::VpcFirewallRuleProtocol::Icmp6(_) => {
+                            Err(Error::invalid_value(
+                                "vpc_firewall_rule_protocol",
+                                format!("unrecognized protocol: {p}"),
+                            ))
+                        }
+                    })
+                    .collect::<Result<Vec<_>, _>>()
+            })
+            .transpose()?;
+        Ok(Self { hosts: f.hosts, protocols, ports: f.ports })
+    }
+}
+
+impl From<VpcFirewallRuleFilter> for external::VpcFirewallRuleFilter {
+    fn from(f: VpcFirewallRuleFilter) -> Self {
+        Self {
+            hosts: f.hosts,
+            protocols: f
+                .protocols
+                .map(|ps| ps.into_iter().map(Into::into).collect()),
+            ports: f.ports,
+        }
+    }
+}
+
+/// A single rule in a VPC firewall.
+//
+// This is the version of the rule without `Icmp6` protocol support, for API
+// versions up through `MULTICAST_DROP_MVLAN`.
+#[derive(ObjectIdentity, Clone, Debug, Deserialize, Serialize, JsonSchema)]
+pub struct VpcFirewallRule {
+    /// Common identifying metadata
+    #[serde(flatten)]
+    pub identity: IdentityMetadata,
+    /// Whether this rule is in effect
+    pub status: VpcFirewallRuleStatus,
+    /// Whether this rule is for incoming or outgoing traffic
+    pub direction: VpcFirewallRuleDirection,
+    /// Determine the set of instances that the rule applies to
+    pub targets: Vec<VpcFirewallRuleTarget>,
+    /// Reductions on the scope of the rule
+    pub filters: VpcFirewallRuleFilter,
+    /// Whether traffic matching the rule should be allowed or dropped
+    pub action: VpcFirewallRuleAction,
+    /// The relative priority of this rule
+    pub priority: VpcFirewallRulePriority,
+    /// The VPC to which this rule belongs
+    pub vpc_id: Uuid,
+}
+
+impl TryFrom<external::VpcFirewallRule> for VpcFirewallRule {
+    type Error = Error;
+
+    fn try_from(r: external::VpcFirewallRule) -> Result<Self, Error> {
+        Ok(Self {
+            identity: r.identity,
+            status: r.status,
+            direction: r.direction,
+            targets: r.targets,
+            filters: r.filters.try_into()?,
+            action: r.action,
+            priority: r.priority,
+            vpc_id: r.vpc_id,
+        })
+    }
+}
+
+/// Collection of a VPC's firewall rules.
+//
+// This is the version of the collection without `Icmp6` protocol support, for
+// API versions up through `MULTICAST_DROP_MVLAN`.
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema)]
+pub struct VpcFirewallRules {
+    pub rules: Vec<VpcFirewallRule>,
+}
+
+impl TryFrom<external::VpcFirewallRules> for VpcFirewallRules {
+    type Error = Error;
+
+    fn try_from(r: external::VpcFirewallRules) -> Result<Self, Error> {
+        let rules = r
+            .rules
+            .into_iter()
+            .map(VpcFirewallRule::try_from)
+            .collect::<Result<Vec<_>, _>>()?;
+        Ok(Self { rules })
+    }
+}
+
+/// A single rule in a VPC firewall update request.
+//
+// This is the version of the update without `Icmp6` protocol support, for API
+// versions up through `MULTICAST_DROP_MVLAN`.
+#[derive(Clone, Debug, PartialEq, Deserialize, Serialize, JsonSchema)]
+pub struct VpcFirewallRuleUpdate {
+    /// Name of the rule, unique to this VPC
+    pub name: Name,
+    /// Human-readable free-form text about a resource
+    pub description: String,
+    /// Whether this rule is in effect
+    pub status: VpcFirewallRuleStatus,
+    /// Whether this rule is for incoming or outgoing traffic
+    pub direction: VpcFirewallRuleDirection,
+    /// Determine the set of instances that the rule applies to
+    #[schemars(length(max = 256))]
+    pub targets: Vec<VpcFirewallRuleTarget>,
+    /// Reductions on the scope of the rule
+    pub filters: VpcFirewallRuleFilter,
+    /// Whether traffic matching the rule should be allowed or dropped
+    pub action: VpcFirewallRuleAction,
+    /// The relative priority of this rule
+    pub priority: VpcFirewallRulePriority,
+}
+
+impl From<VpcFirewallRuleUpdate> for external::VpcFirewallRuleUpdate {
+    fn from(u: VpcFirewallRuleUpdate) -> Self {
+        Self {
+            name: u.name,
+            description: u.description,
+            status: u.status,
+            direction: u.direction,
+            targets: u.targets,
+            filters: u.filters.into(),
+            action: u.action,
+            priority: u.priority,
+        }
+    }
+}
+
+/// Updated list of firewall rules. Will replace all existing rules.
+//
+// This is the version of the params without `Icmp6` protocol support, for API
+// versions up through `MULTICAST_DROP_MVLAN`.
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema)]
+pub struct VpcFirewallRuleUpdateParams {
+    #[schemars(length(max = 1024))]
+    #[serde(default)]
+    pub rules: Vec<VpcFirewallRuleUpdate>,
+}
+
+impl From<VpcFirewallRuleUpdateParams>
+    for external::VpcFirewallRuleUpdateParams
+{
+    fn from(p: VpcFirewallRuleUpdateParams) -> Self {
+        Self { rules: p.rules.into_iter().map(Into::into).collect() }
+    }
+}

openapi/nexus/nexus-2026031400.0.0-203a86.json.gitstub

@@ -0,0 +1 @@
+7bb5c322905252aa53b36256c313356d056278c3:openapi/nexus/nexus-2026031400.0.0-203a86.json