(Breaking out of https://github.com/oxidecomputer/customer-support/issues/448)
`VPC:default` as a filter is expressible as a single entry. However, nexus is clearly not making these unique (see below). Rules passed down to OPTE can only have one host and protocol, so sled-agent installs `[filter_hosts] x [filter_protocol] x rest_of_rule` -- hence the rather silly `opte` configuration. This is extra bloat in the JSON body, but it's less weighty than a thousand (or more) full NICs.
```
filter_hosts: Some([Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)), Vpc(Vni(10005096)),
Vpc(Vni(10005096)), Vpc(Vni(10005096))]),
```
`host_addrs` below is a `Vec`, as expected:
omicron/nexus/networking/src/firewall_rules.rs
Lines 394 to 396 in 21baa14
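The `[filter_hosts] x [filter_protocol]` expansion described in this issue, as an added example that is not part of the original report and is not omicron or OPTE code: it compares the number of single-host, single-protocol entries produced with and without order-preserving de-duplication of the filter lists. The `Host` and `Proto` types, the `unique` flag, and the sample input (41 repeats of the VNI from the dump plus one constructed address) are assumptions made for illustration.

```rust
use std::collections::HashSet;
use std::hash::Hash;

// Hypothetical stand-ins for the rule types; names are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
enum Host { Vpc(u32), Ip([u8; 4]) }

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
enum Proto { Tcp, Udp }

/// Drop repeated entries while keeping first-seen order.
fn dedup<T: Copy + Eq + Hash>(items: &[T]) -> Vec<T> {
    let mut seen = HashSet::new();
    items.iter().copied().filter(|i| seen.insert(*i)).collect()
}

/// Turn one optional filter into slots: no filter is a single wildcard slot.
fn slots<T: Copy + Eq + Hash>(filter: Option<&[T]>, unique: bool) -> Vec<Option<T>> {
    match filter {
        None => vec![None],
        Some(f) if unique => dedup(f).into_iter().map(Some).collect(),
        Some(f) => f.iter().copied().map(Some).collect(),
    }
}

/// Expand a rule into single-host, single-protocol entries (hosts x protocols).
fn expand(hosts: Option<&[Host]>, protos: Option<&[Proto]>, unique: bool)
    -> Vec<(Option<Host>, Option<Proto>)> {
    let (hs, ps) = (slots(hosts, unique), slots(protos, unique));
    hs.iter().flat_map(|h| ps.iter().map(move |p| (*h, *p))).collect()
}

fn main() {
    // Constructed input: the same VPC target repeated 41 times plus one address.
    let mut hosts = vec![Host::Vpc(10005096); 41];
    hosts.push(Host::Ip([10, 0, 0, 5]));
    let protos = [Proto::Tcp, Proto::Udp];
    let raw = expand(Some(&hosts[..]), Some(&protos[..]), false);
    let uniq = expand(Some(&hosts[..]), Some(&protos[..]), true);
    println!("entries without dedup: {}", raw.len());
    println!("entries with dedup:    {}", uniq.len());
}
```

De-duplicating before the expansion leaves the set of matched traffic unchanged, because a repeated host contributes only entries identical to ones already present.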