[multicast] prevent VLAN translation via match key enforcement#195
Merged
zeeshanlakhani merged 9 commits intomainfrom Mar 10, 2026
Merged
[multicast] prevent VLAN translation via match key enforcement#195zeeshanlakhani merged 9 commits intomainfrom
zeeshanlakhani merged 9 commits intomainfrom
Conversation
…tering Underlay changes: - Restrict internal multicast from admin/site/org scoped (ff04, ff05, ff08) to just Omicron's reserved subnet (ff04::/64). These underlay addresses are made unique in Omicron. - Rename `AdminScopedIpv6` to `UnderlayMulticastIpv6`. - Simplify P4 to only match ff04::/64. - Use omicron-common multicast constants for validation. Source filtering changes: - Replace IpSrc::Subnet with IpSrc::Any for any-source matching. - Change IPv6 source filter from exact to LPM match. - Allow source filters on ASM groups (previously SSM-only). API changes: - API v5 adds IpSrc::Any for ASM source filtering. - API v6 enforces strict underlay subnet validation.
Fixes #107. Stacked on #189. This adds VLAN-aware NAT ingress matching to prevent cross-VLAN translation. Previously, a packet arriving with VLAN 100 destined to a multicast group configured for VLAN 200 would be NAT encapsulated and forwarded, effectively translating the packet to the wrong customer's network. NAT ingress table matching (mcast_nat.rs, mod.rs): - Add Ipv4VlanMatchKey and Ipv6VlanMatchKey that match on destination address, VLAN header validity, and VLAN ID - For groups with VLAN, install two entries: untagged (for decapsulated Geneve from underlay) and correctly tagged (for customer packets) - Packets with the wrong VLAN miss both entries and are not NAT encapsulated Multicast router VLAN handling (sidecar.p4): - Strip incoming VLAN tag before routing lookup in MulticastRouter4/6 - forward_vlan action re-adds the group's configured VLAN on egress - Prevents unintended VLAN translation at the routing stage Rollback changes: - Remove dead NAT rollback branches for internal groups (no NAT entries) - Add rollback support for VLAN changes in NAT and route tables Counter fix: - The underlay multicast counter condition was unreachable for packets tagged MULTICAST_TAG_UNDERLAY_EXTERNAL that were not decapped. The check for == MULTICAST_TAG_UNDERLAY excluded these packets, causing them to fall through to the external counter. Pull Request: #194
zeeshanlakhani
force-pushed
the
vlan-translation
branch
from
16ee0d2 to
e15d9e0
Compare
…ation_ids This includes some cleanup as well.
zeeshanlakhani
force-pushed
the
zl/admin-scope-oxnet
branch
from
1c3d2b8 to
a1c8a94
Compare
zeeshanlakhani
force-pushed
the
vlan-translation
branch
from
b0eb9c2 to
3adf3d8
Compare
zeeshanlakhani
force-pushed
the
vlan-translation
branch
from
3adf3d8 to
878c737
Compare
Decapsulated Geneve packets never reach the NatIngress tables due to the outermost !hdr.geneve.isValid() check, so the dual-entry approach (untagged + tagged) per VLAN group is unnecessary. Each group now installs a single NAT entry with an exact VLAN match key. This also contains a fix for MulticastRouter4 (in P4) using IPv6 ICMP error codes (ICMP6_DST_UNREACH) instead of IPv4 ones (ICMP_DEST_UNREACH), and removes redundant entry-count assertions from VLAN lifecycle tests.
Contributor
Author
|
@FelixMcFelix updated. |
FelixMcFelix
approved these changes
Mar 9, 2026
Contributor
FelixMcFelix
left a comment
FelixMcFelix
left a comment
There was a problem hiding this comment.
I'm concerned about IPV4_LPM_SIZE, but I think I'm happy that this change is more correct. Thanks for acting on the earlier feedback!
…acity drop - Adds EthHdr::hdr_len() to the packet crate to return the wire size of the L2 header including any 802.1Q tag, replacing duplicate inline ops. - Add a TODO noting multicast reduces IPv4 LPM capacity from 8187 to 7164.
zeeshanlakhani
added a commit
to oxidecomputer/omicron
that referenced
this pull request
Mar 10, 2026
This incorporates oxidecomputer/dendrite#232 and oxidecomputer/dendrite#195. Note: No API changes here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
integration_tests::mcast::test_multicast_vlan_translation_not_possible#107.This adds VLAN-aware NAT ingress matching to prevent cross-VLAN translation. Previously, a packet arriving with VLAN 100 destined to a multicast group configured for VLAN 200 would be NAT encapsulated and forwarded, effectively translating the packet to the wrong customer's network.
NAT ingress table matching (mcast_nat.rs, mod.rs):
Multicast router VLAN handling (sidecar.p4):
Rollback changes: