[multicast] Narrow underlay scope to ff04::/64 and add ASM source filtering #189
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…tering Underlay changes: - Restrict internal multicast from admin/site/org scoped (ff04, ff05, ff08) to just Omicron's reserved subnet (ff04::/64). These underlay addresses are made unique in Omicron. - Rename `AdminScopedIpv6` to `UnderlayMulticastIpv6`. - Simplify P4 to only match ff04::/64. - Use omicron-common multicast constants for validation. Source filtering changes: - Replace IpSrc::Subnet with IpSrc::Any for any-source matching. - Change IPv6 source filter from exact to LPM match. - Allow source filters on ASM groups (previously SSM-only). API changes: - API v5 adds IpSrc::Any for ASM source filtering. - API v6 enforces strict underlay subnet validation.
zeeshanlakhani
requested review from
FelixMcFelix,
Nieuwejaar and
rcgoodfellow
This was referenced Jan 22, 2026
zeeshanlakhani
added a commit
that referenced
this pull request
Jan 22, 2026
…tering Re-opening this from #162, as that PR was getting pretty gnarly with a saturation of merge commits. This one deserves a re-review after some added changes to match the Omicron mcast-lifecycle work in oxidecomputer/omicron#9450. Underlay changes: - Restrict internal multicast from admin/site/org scoped (ff04, ff05, ff08) to just Omicron's reserved subnet (ff04::/64). These underlay addresses are made unique in Omicron. - Rename `AdminScopedIpv6` to `UnderlayMulticastIpv6`. - Simplify P4 to only match ff04::/64. - Use omicron-common multicast constants for validation. Source filtering changes: - Replace IpSrc::Subnet with IpSrc::Any for any-source matching. - Change IPv6 source filter from exact to LPM match. - Allow source filters on ASM groups (previously SSM-only). API changes: - API v5 adds IpSrc::Any for ASM source filtering. - API v6 enforces strict underlay subnet validation. Reviewers: FelixMcFelix, Nieuwejaar, rcgoodfellow Pull Request: #189
zeeshanlakhani
added a commit
that referenced
this pull request
Jan 22, 2026
Fixes #107. Stacked on #189. This adds VLAN-aware NAT ingress matching to prevent cross-VLAN translation. Previously, a packet arriving with VLAN 100 destined to a multicast group configured for VLAN 200 would be NAT encapsulated and forwarded, effectively translating the packet to the wrong customer's network. NAT ingress table matching (mcast_nat.rs, mod.rs): - Add Ipv4VlanMatchKey and Ipv6VlanMatchKey that match on destination address, VLAN header validity, and VLAN ID - For groups with VLAN, install two entries: untagged (for decapsulated Geneve from underlay) and correctly tagged (for customer packets) - Packets with the wrong VLAN miss both entries and are not NAT encapsulated Multicast router VLAN handling (sidecar.p4): - Strip incoming VLAN tag before routing lookup in MulticastRouter4/6 - forward_vlan action re-adds the group's configured VLAN on egress - Prevents unintended VLAN translation at the routing stage Rollback changes: - Remove dead NAT rollback branches for internal groups (no NAT entries) - Add rollback support for VLAN changes in NAT and route tables Counter fix: - The underlay multicast counter condition was unreachable for packets tagged MULTICAST_TAG_UNDERLAY_EXTERNAL that were not decapped. The check for == MULTICAST_TAG_UNDERLAY excluded these packets, causing them to fall through to the external counter. Pull Request: #194
zeeshanlakhani
added a commit
that referenced
this pull request
Jan 22, 2026
…tering Re-opening this from #162, as that PR was getting pretty gnarly with a saturation of merge commits. This one deserves a re-review after some added changes to match the Omicron mcast-lifecycle work in oxidecomputer/omicron#9450. Underlay changes: - Restrict internal multicast from admin/site/org scoped (ff04, ff05, ff08) to just Omicron's reserved subnet (ff04::/64). These underlay addresses are made unique in Omicron. - Rename `AdminScopedIpv6` to `UnderlayMulticastIpv6`. - Simplify P4 to only match ff04::/64. - Use omicron-common multicast constants for validation. Source filtering changes: - Replace IpSrc::Subnet with IpSrc::Any for any-source matching. - Change IPv6 source filter from exact to LPM match. - Allow source filters on ASM groups (previously SSM-only). API changes: - API v5 adds IpSrc::Any for ASM source filtering. - API v6 enforces strict underlay subnet validation. Reviewers: FelixMcFelix, Nieuwejaar, rcgoodfellow Pull Request: #189
zeeshanlakhani
added a commit
that referenced
this pull request
Jan 22, 2026
Fixes #107. Stacked on #189. This adds VLAN-aware NAT ingress matching to prevent cross-VLAN translation. Previously, a packet arriving with VLAN 100 destined to a multicast group configured for VLAN 200 would be NAT encapsulated and forwarded, effectively translating the packet to the wrong customer's network. NAT ingress table matching (mcast_nat.rs, mod.rs): - Add Ipv4VlanMatchKey and Ipv6VlanMatchKey that match on destination address, VLAN header validity, and VLAN ID - For groups with VLAN, install two entries: untagged (for decapsulated Geneve from underlay) and correctly tagged (for customer packets) - Packets with the wrong VLAN miss both entries and are not NAT encapsulated Multicast router VLAN handling (sidecar.p4): - Strip incoming VLAN tag before routing lookup in MulticastRouter4/6 - forward_vlan action re-adds the group's configured VLAN on egress - Prevents unintended VLAN translation at the routing stage Rollback changes: - Remove dead NAT rollback branches for internal groups (no NAT entries) - Add rollback support for VLAN changes in NAT and route tables Counter fix: - The underlay multicast counter condition was unreachable for packets tagged MULTICAST_TAG_UNDERLAY_EXTERNAL that were not decapped. The check for == MULTICAST_TAG_UNDERLAY excluded these packets, causing them to fall through to the external counter. Pull Request: #194
zeeshanlakhani
added a commit
that referenced
this pull request
Jan 22, 2026
Fixes #107. Stacked on #189. This adds VLAN-aware NAT ingress matching to prevent cross-VLAN translation. Previously, a packet arriving with VLAN 100 destined to a multicast group configured for VLAN 200 would be NAT encapsulated and forwarded, effectively translating the packet to the wrong customer's network. NAT ingress table matching (mcast_nat.rs, mod.rs): - Add Ipv4VlanMatchKey and Ipv6VlanMatchKey that match on destination address, VLAN header validity, and VLAN ID - For groups with VLAN, install two entries: untagged (for decapsulated Geneve from underlay) and correctly tagged (for customer packets) - Packets with the wrong VLAN miss both entries and are not NAT encapsulated Multicast router VLAN handling (sidecar.p4): - Strip incoming VLAN tag before routing lookup in MulticastRouter4/6 - forward_vlan action re-adds the group's configured VLAN on egress - Prevents unintended VLAN translation at the routing stage Rollback changes: - Remove dead NAT rollback branches for internal groups (no NAT entries) - Add rollback support for VLAN changes in NAT and route tables Counter fix: - The underlay multicast counter condition was unreachable for packets tagged MULTICAST_TAG_UNDERLAY_EXTERNAL that were not decapped. The check for == MULTICAST_TAG_UNDERLAY excluded these packets, causing them to fall through to the external counter. Pull Request: #194
zeeshanlakhani
added a commit
that referenced
this pull request
Jan 22, 2026
Fixes #107. Stacked on #189. This adds VLAN-aware NAT ingress matching to prevent cross-VLAN translation. Previously, a packet arriving with VLAN 100 destined to a multicast group configured for VLAN 200 would be NAT encapsulated and forwarded, effectively translating the packet to the wrong customer's network. NAT ingress table matching (mcast_nat.rs, mod.rs): - Add Ipv4VlanMatchKey and Ipv6VlanMatchKey that match on destination address, VLAN header validity, and VLAN ID - For groups with VLAN, install two entries: untagged (for decapsulated Geneve from underlay) and correctly tagged (for customer packets) - Packets with the wrong VLAN miss both entries and are not NAT encapsulated Multicast router VLAN handling (sidecar.p4): - Strip incoming VLAN tag before routing lookup in MulticastRouter4/6 - forward_vlan action re-adds the group's configured VLAN on egress - Prevents unintended VLAN translation at the routing stage Rollback changes: - Remove dead NAT rollback branches for internal groups (no NAT entries) - Add rollback support for VLAN changes in NAT and route tables Counter fix: - The underlay multicast counter condition was unreachable for packets tagged MULTICAST_TAG_UNDERLAY_EXTERNAL that were not decapped. The check for == MULTICAST_TAG_UNDERLAY excluded these packets, causing them to fall through to the external counter. Pull Request: #194
Contributor
FelixMcFelix
left a comment
FelixMcFelix
left a comment
There was a problem hiding this comment.
Thanks Zeeshan -- I've had a quick look, except for the integration tests.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Re-opening this from #162, as that PR was getting pretty gnarly with a saturation of merge commits. This one deserves a re-review after some added changes to match the Omicron mcast-lifecycle work in oxidecomputer/omicron#9450.
Underlay changes:
AdminScopedIpv6toUnderlayMulticastIpv6.Source filtering changes:
API changes: