Why not name some rules?

FelixMcFelix · FelixMcFelix · commit 1336572b4460 · 2025-05-29T15:12:53.000+01:00
diff --git a/lib/oxide-vpc/src/api/mod.rs b/lib/oxide-vpc/src/api/mod.rs
@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-// Copyright 2024 Oxide Computer Company
+// Copyright 2025 Oxide Computer Company
 
 use alloc::collections::BTreeMap;
 use alloc::collections::BTreeSet;
@@ -19,6 +19,8 @@ use serde::Deserialize;
 use serde::Serialize;
 use uuid::Uuid;
 
+pub mod stat;
+
 /// This is the MAC address that OPTE uses to act as the virtual gateway.
 pub const GW_MAC_ADDR: MacAddr =
     MacAddr::from_const([0xA8, 0x40, 0x25, 0xFF, 0x77, 0x77]);
diff --git a/lib/oxide-vpc/src/api/stat.rs b/lib/oxide-vpc/src/api/stat.rs
@@ -0,0 +1,33 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Copyright 2025 Oxide Computer Company
+
+//! Stat IDs for the Oxide VPC API.
+
+use uuid::Uuid;
+
+pub static FW_DEFAULT_IN: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0000, &0u64.to_be_bytes());
+pub static FW_DEFAULT_OUT: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0000, &1u64.to_be_bytes());
+
+pub static GATEWAY_NOSPOOF_IN: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0001, &0u64.to_be_bytes());
+pub static GATEWAY_NOSPOOF_OUT: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0001, &1u64.to_be_bytes());
+
+pub static ROUTER_NOROUTE: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0002, &0u64.to_be_bytes());
+
+pub static NAT_SNAT_V4: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0003, &0u64.to_be_bytes());
+pub static NAT_SNAT_V6: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0003, &1u64.to_be_bytes());
+pub static NAT_VALID_IGW_V4: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0003, &2u64.to_be_bytes());
+pub static NAT_VALID_IGW_V6: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0003, &3u64.to_be_bytes());
+pub static NAT_NONE: Uuid =
+    Uuid::from_fields(0x01de_f00d, 0x7777, 0x0003, &255u64.to_be_bytes());
diff --git a/lib/oxide-vpc/src/engine/firewall.rs b/lib/oxide-vpc/src/engine/firewall.rs
@@ -18,6 +18,7 @@ use crate::api::Ports;
 pub use crate::api::ProtoFilter;
 use crate::api::RemFwRuleReq;
 use crate::api::SetFwRulesReq;
+use crate::api::stat::*;
 use crate::engine::overlay::ACTION_META_VNI;
 use alloc::string::ToString;
 use core::num::NonZeroU32;
@@ -60,7 +61,9 @@ pub fn setup(
     // allow.
     let actions = LayerActions {
         default_in: DefaultAction::Deny,
+        default_in_stat_id: Some(FW_DEFAULT_IN),
         default_out: DefaultAction::StatefulAllow,
+        default_out_stat_id: Some(FW_DEFAULT_OUT),
         ..Default::default()
     };
 
diff --git a/lib/oxide-vpc/src/engine/gateway/mod.rs b/lib/oxide-vpc/src/engine/gateway/mod.rs
@@ -77,6 +77,7 @@ use opte::engine::rule::MetaAction;
 use opte::engine::rule::ModMetaResult;
 use opte::engine::rule::Rule;
 use opte::engine::rule::StaticAction;
+use crate::api::stat::*;
 
 pub mod arp;
 pub mod dhcp;
@@ -105,7 +106,9 @@ pub fn setup(
     // for inbound traffic to be that of the gateway.
     let actions = LayerActions {
         default_in: DefaultAction::Deny,
+        default_in_stat_id: Some(GATEWAY_NOSPOOF_IN),
         default_out: DefaultAction::Deny,
+        default_out_stat_id: Some(GATEWAY_NOSPOOF_IN),
         ..Default::default()
     };
 
diff --git a/lib/oxide-vpc/src/engine/nat.rs b/lib/oxide-vpc/src/engine/nat.rs
@@ -47,6 +47,7 @@ use opte::engine::rule::Rule;
 use opte::engine::snat::ConcreteIpAddr;
 use opte::engine::snat::SNat;
 use uuid::Uuid;
+use crate::api::stat::*;
 
 pub const NAT_LAYER_NAME: &str = "nat";
 const FLOATING_ONE_TO_ONE_NAT_PRIORITY: u16 = 5;
@@ -102,7 +103,9 @@ pub fn setup(
     // be forwarded to boundary services.
     let actions = LayerActions {
         default_in: DefaultAction::Allow,
+        default_in_stat_id: Some(NAT_NONE),
         default_out: DefaultAction::Allow,
+        default_out_stat_id: Some(NAT_NONE),
         ..Default::default()
     };
 
@@ -289,7 +292,7 @@ fn setup_ipv4_nat(
 
         for igw_id in igw_matches {
             let mut rule =
-                Rule::new(SNAT_PRIORITY, Action::Stateful(snat.clone()));
+                Rule::new_with_id(SNAT_PRIORITY, Action::Stateful(snat.clone()), Some(NAT_SNAT_V4));
 
             rule.add_predicate(Predicate::InnerEtherType(vec![
                 EtherTypeMatch::Exact(ETHER_TYPE_IPV4),
@@ -438,7 +441,7 @@ fn setup_ipv6_nat(
 
         for igw_id in igw_matches {
             let mut rule =
-                Rule::new(SNAT_PRIORITY, Action::Stateful(snat.clone()));
+                Rule::new_with_id(SNAT_PRIORITY, Action::Stateful(snat.clone()), Some(NAT_SNAT_V6));
 
             rule.add_predicate(Predicate::InnerEtherType(vec![
                 EtherTypeMatch::Exact(ETHER_TYPE_IPV6),
diff --git a/lib/oxide-vpc/src/engine/router.rs b/lib/oxide-vpc/src/engine/router.rs
@@ -48,6 +48,7 @@ use opte::engine::rule::MetaAction;
 use opte::engine::rule::ModMetaResult;
 use opte::engine::rule::Rule;
 use uuid::Uuid;
+use crate::api::stat::*;
 
 pub const ROUTER_LAYER_NAME: &str = "router";
 
@@ -259,6 +260,7 @@ pub fn setup(
     let actions = LayerActions {
         default_in: DefaultAction::Allow,
         default_out: DefaultAction::Deny,
+        default_out_stat_id: Some(ROUTER_NOROUTE),
         ..Default::default()
     };
 
