Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limit number of firewall rules per VPC #5914

Merged
merged 8 commits into from
Jul 25, 2024
Merged

Conversation

david-crespo
Copy link
Contributor

@david-crespo david-crespo commented Jun 18, 2024

Closes #5662
Closes #6032

  • Max firewall rules
  • Enforce max length on filters (hosts, protocols, and ports) and targets too
  • Improve doc comments on firewall rules types and API endpoint

@david-crespo david-crespo added the api Related to the API. label Jun 18, 2024
@@ -264,6 +265,20 @@ impl VpcFirewallRule {
}
}

const MAX_FIREWALL_RULES: usize = 32;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this an arbitrary number? Perhaps it'd be good to have a comment that explains why we chose this limit?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This number feels way too low. I would expect a value in the hundreds at least, especially since we don't have tags for grouping firewall rules.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, definitely. Was going to ask about the number next. How about 512?

Base automatically changed from firewall-same-name-500 to main June 19, 2024 19:45
@david-crespo david-crespo force-pushed the max-firewall-rules branch 2 times, most recently from a4b3ba0 to 75b2ea8 Compare June 19, 2024 22:27
@david-crespo david-crespo marked this pull request as ready for review June 28, 2024 15:24
Copy link
Contributor

@karencfv karencfv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR! It'll really help set customer's expectations on what is allowed. Could you add documentation about these limits to the relevant API endpoints?

Comment on lines +250 to +260
ensure_max_len(&rule.targets, "targets", MAX_FW_RULE_PARTS)?;

if let Some(hosts) = rule.filters.hosts.as_ref() {
ensure_max_len(&hosts, "filters.hosts", MAX_FW_RULE_PARTS)?;
}
if let Some(ports) = rule.filters.ports.as_ref() {
ensure_max_len(&ports, "filters.ports", MAX_FW_RULE_PARTS)?;
}
if let Some(protocols) = rule.filters.protocols.as_ref() {
ensure_max_len(&protocols, "filters.protocols", MAX_FW_RULE_PARTS)?;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a customer is exceeding 2 or more of these limits, it'd be really nice to get a single error message that tells them every limit they've exceeded. WDYT?

nexus/db-model/src/vpc_firewall_rule.rs Outdated Show resolved Hide resolved
@david-crespo
Copy link
Contributor Author

Will add a line to the descriptions, and where possible add a max length to the OpenAPI schema.

@@ -20438,7 +20439,7 @@
]
},
"VpcFirewallRuleFilter": {
"description": "Filter for a firewall rule. A given packet must match every field that is present for the rule to apply to it. A packet matches a field if any entry in that field matches the packet.",
"description": "Filters reduce the scope of a firewall rule. Without filters, the rule applies to all packets to the targets (or from the targets, if it's an outbound rule). With multiple filters, the rule applies only to packets matching ALL filters. The maximum number of each type of filter is 256.",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@karencfv I brought in something more like the console explanation here. I think it's an improvement, the only issue is that it's hard to find on the docs site, buried in the request body.

image

What might be nicer would be to put some basic summary of all of it here at the top... OR we could just link to the guide, which is pretty nice: https://docs.oxide.computer/guides/configuring-guest-networking#_firewall_rules

image

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh nice! This is great. I'd like to keep this here so the SDKs inherit the descriptions, but it would be really great to add the text from the second image as well for the docs. Would it be too weird to have it all?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I’ll add more. I don’t think anyone will be mad at us for having too good of documentation.

const MAX_FW_RULES_PER_VPC: usize = 1024;

/// Cap on targets and on each type of filter
const MAX_FW_RULE_PARTS: usize = 256;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just occurred to me. We don't support port ranges (e.g. "3000-4000") as a value, do we? If so, we should increase this number. Or better yet, add support for port ranges at some point.

If we do support port ranges, then ignore this comment :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do support ranges. You just put in “123-456”.

Copy link
Contributor

@karencfv karencfv Jul 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sweet! Can we add that to the API docs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's sort of in there, but I will improve the wording.

image

@@ -20438,7 +20439,7 @@
]
},
"VpcFirewallRuleFilter": {
"description": "Filter for a firewall rule. A given packet must match every field that is present for the rule to apply to it. A packet matches a field if any entry in that field matches the packet.",
"description": "Filters reduce the scope of a firewall rule. Without filters, the rule applies to all packets to the targets (or from the targets, if it's an outbound rule). With multiple filters, the rule applies only to packets matching ALL filters. The maximum number of each type of filter is 256.",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh nice! This is great. I'd like to keep this here so the SDKs inherit the descriptions, but it would be really great to add the text from the second image as well for the docs. Would it be too weird to have it all?

@david-crespo
Copy link
Contributor Author

david-crespo commented Jul 24, 2024

I've added a nice description to the update endpoint that includes some of the explanation. Note that we need oxidecomputer/dropshot#1068 and a CSS tweak in the docs site to make this look good, but it's not awful as-is.

What it will look like if we don't do anything else

image

What it will look like after we fix a couple of things in dropshot and the docs site

image

@david-crespo david-crespo merged commit 71fe60a into main Jul 25, 2024
23 checks passed
@david-crespo david-crespo deleted the max-firewall-rules branch July 25, 2024 06:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api Related to the API.
Projects
None yet
3 participants