Allow limited inbound ICMP to Nexus, add ICMP type/code filters to firewall rules (#8194)

This PR adds more detail to firewall protocol filters. Rather than being
specified purely as a string->enum mapping, each protocol filter is now
a standard tagged enum like many other types in the Nexus API. Here,
this allows us to express more control over ICMP traffic. For instance:
* all ICMP (`[{"type": "icmp"}]`),
* all ICMP echo (`[{"type": "icmp", "value": { icmp_type: 0 }}, {"type":
"icmp", "value": { icmp_type: 8 }}]`)
* a subset of ICMP destination unreachable (`{"type": "icmp", "value": {
icmp_type: 0, code: "0-4" }}`).

Building on this, Nexus now has a firewall entry to permit the receipt
of e.g., Destination Unreachable messages. I've added a new system
endpoint to control whether this is enabled or disabled.

As part of this, I've converted the CRDB representation from a fixed
`ENUM[]` to a `STRING(32)[]`. There are a couple of reasons for this:
* ICMPv6 will need a similar level of specificity,
* Users will need to specify arbitrary (ranges) of L4 protocols, once
OPTE is more permissive (oxidecomputer/opte#609).
* Future protocols we give first-class support to might also
require/want in-depth filters.

Should close #7998.

Author: FelixMcFelix

.github/buildomat/jobs/deploy.sh

@@ -2,7 +2,7 @@
 #:
 #: name = "helios / deploy"
 #: variety = "basic"
-#: target = "lab-2.0-opte-0.36"
+#: target = "lab-2.0-opte-0.37"
 #: output_rules = [
 #:  "%/var/svc/log/oxide-*.log*",
 #:  "%/zone/oxz_*/root/var/svc/log/oxide-*.log*",

Cargo.lock

@@ -511,8 +511,8 @@ lldp_protocol = { git = "https://github.com/oxidecomputer/lldp", package = "prot
 macaddr = { version = "1.0.1", features = ["serde_std"] }
 maplit = "1.0.2"
 newtype_derive = "0.1.6"
-mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "760b4b547e301a31d4dcb92ba97aabdb2a3e0cba" }
-ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "760b4b547e301a31d4dcb92ba97aabdb2a3e0cba" }
+mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "638c897d5ed1e5d3f2de0c1cb9dfaa4d77a35dea" }
+ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "638c897d5ed1e5d3f2de0c1cb9dfaa4d77a35dea" }
 multimap = "0.10.1"
 nexus-auth = { path = "nexus/auth" }
 nexus-background-task-interface = { path = "nexus/background-task-interface" }
@@ -568,7 +568,7 @@ omicron-workspace-hack = "0.1.0"
 omicron-zone-package = "0.12.2"
 oxide-client = { path = "clients/oxide-client" }
 oxide-tokio-rt = "0.1.1"
-oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "f5560fae02ad3fc349fabc6454c321143199ca9e", features = [ "api", "std" ] }
+oxide-vpc = { git = "https://github.com/oxidecomputer/opte", rev = "3f2dfe36f156b486e60e7a08263ad6227be1e969", features = [ "api", "std" ] }
 oxlog = { path = "dev-tools/oxlog" }
 oxnet = "0.1.2"
 once_cell = "1.21.3"
@@ -578,7 +578,7 @@ openapiv3 = "2.2.0"
 # must match samael's crate!
 openssl = "0.10"
 openssl-sys = "0.9"
-opte-ioctl = { git = "https://github.com/oxidecomputer/opte", rev = "f5560fae02ad3fc349fabc6454c321143199ca9e" }
+opte-ioctl = { git = "https://github.com/oxidecomputer/opte", rev = "3f2dfe36f156b486e60e7a08263ad6227be1e969" }
 oso = "0.27"
 owo-colors = "4.2.2"
 oximeter = { path = "oximeter/oximeter" }

Cargo.toml

@@ -90,6 +90,7 @@ progenitor::generate_api!(
         TypedUuidForSupportBundleKind = omicron_uuid_kinds::SupportBundleUuid,
         TypedUuidForZpoolKind = omicron_uuid_kinds::ZpoolUuid,
         Vni = omicron_common::api::external::Vni,
+        VpcFirewallIcmpFilter = omicron_common::api::external::VpcFirewallIcmpFilter,
         ZpoolKind = omicron_common::zpool_name::ZpoolKind,
         ZpoolName = omicron_common::zpool_name::ZpoolName,
     }
@@ -308,7 +309,7 @@ impl From<omicron_common::api::external::VpcFirewallRuleProtocol>
         match s {
             Tcp => Self::Tcp,
             Udp => Self::Udp,
-            Icmp => Self::Icmp,
+            Icmp(v) => Self::Icmp(v),
         }
     }
 }