remove another hardcoded boundary services addr, general cleanup

.github/buildomat/jobs/test.sh

@@ -81,7 +81,3 @@ pfexec add_drv xde
 banner "test"
 pfexec chmod +x /input/xde/work/test/loopback
 pfexec /input/xde/work/test/loopback --nocapture
-
-pfexec add_drv xde || true
-pfexec chmod +x /input/xde/work/test/flowpin
-pfexec /input/xde/work/test/flowpin --nocapture

.github/buildomat/jobs/xde.sh

@@ -133,10 +133,3 @@ loopback_test=$(
 )
 mkdir -p /work/test
 cp $loopback_test /work/test/loopback
-
-cargo build --test flowpin
-flowpin_test=$(
-    cargo build -q --test flowpin --message-format=json |\
-    jq -r "select(.profile.test == true) | .filenames[]"
-)
-cp $flowpin_test /work/test/flowpin

crates/opte-api/src/ip.rs

@@ -650,6 +650,10 @@ impl Ipv6Addr {
         self.inner
     }
 
+    pub fn prefix_match(&self, prefix: u128) -> bool {
+        (u128::from_be_bytes(self.inner) & prefix) != 0
+    }
+
     /// Return the address after applying the network mask.
     pub fn mask(mut self, mask: u8) -> Result<Self, String> {
         if mask > 128 {
@@ -703,6 +707,11 @@ impl Ipv6Addr {
             ],
         }
     }
+
+    pub fn has_prefix(&self, prefix: u128, len: u8) -> bool {
+        let mask = ((1u128 << len) - 1) << (128 - len);
+        (mask & u128::from_be_bytes(self.inner)) == prefix
+    }
 }
 
 impl fmt::Display for Ipv6Addr {

crates/opte-api/src/lib.rs

@@ -58,7 +58,7 @@ pub use ulp::*;
 ///
 /// We rely on CI and the check-api-version.sh script to verify that
 /// this number is incremented anytime the oxide-api code changes.
-pub const API_VERSION: u64 = 25;
+pub const API_VERSION: u64 = 24;
 
 #[derive(Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
 pub enum Direction {

lib/oxide-vpc/src/api.rs

@@ -453,7 +453,7 @@ impl Display for RouterTarget {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         match self {
             Self::Drop => write!(f, "Drop"),
-            Self::InternetGateway => write!(f, "ig"),
+            Self::InternetGateway => write!(f, "IG"),
             Self::Ip(IpAddr::Ip4(ip4)) => write!(f, "ip4={}", ip4),
             Self::Ip(IpAddr::Ip6(ip6)) => write!(f, "ip6={}", ip6),
             Self::VpcSubnet(IpCidr::Ip4(sub4)) => write!(f, "sub4={}", sub4),

lib/oxide-vpc/src/engine/overlay.rs

@@ -521,13 +521,26 @@ pub struct Virt2Phys {
 
 /// A mapping from virtual IPs to boundary services addresses.
 pub struct Virt2Boundary {
+    // The BTreeMap-based representation of the v2b table is a representation
+    // that is easily updated.
     ip4: KMutex<BTreeMap<Ipv4Cidr, TunnelEndpoint>>,
     ip6: KMutex<BTreeMap<Ipv6Cidr, TunnelEndpoint>>,
+
+    // The Poptrie-based representation of the v2b table is a data structure
+    // optimized for fast query times. It's not easily updated in-place. It's
+    // rebuilt each time an update is made. The heuristic being applied here is
+    // we expect table churn to be highly-infrequent compared to lookups.
+    // Lookups may happen millions of times per second and and we want those to
+    // be as fast as possible. At the time of writing, poptrie is the fastest
+    // LPM lookup data structure known to the author.
+    //
+    // The poptrie is under an read-write lock to allow multiple concurrent
+    // readers. When we update we hold the lock just long enough to do a swap
+    // with a poptrie that was pre-built out of band.
     pt4: KRwLock<Poptrie<TunnelEndpoint>>,
     pt6: KRwLock<Poptrie<TunnelEndpoint>>,
 }
 
-pub const VIRT_2_BOUNDARY_NAME: &str = "Virt2Boundary";
 pub const BOUNDARY_SERVICES_VNI: u32 = 99u32;
 
 impl Virt2Boundary {
@@ -607,16 +620,16 @@ impl Virt2Boundary {
     pub fn set(
         &self,
         vip: IpCidr,
-        phys: TunnelEndpoint,
+        tep: TunnelEndpoint,
     ) -> Option<TunnelEndpoint> {
         match vip {
             IpCidr::Ip4(ip4) => {
-                let e = self.ip4.lock().insert(ip4, phys);
+                let e = self.ip4.lock().insert(ip4, tep);
                 self.update_poptrie_v4();
                 e
             }
             IpCidr::Ip6(ip6) => {
-                let e = self.ip6.lock().insert(ip6, phys);
+                let e = self.ip6.lock().insert(ip6, tep);
                 self.update_poptrie_v6();
                 e
             }

preflight.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# This script can be helpful for catching issues locally before paying the CI
+# tax.
+
 ./.github/buildomat/jobs/opte.sh
 ./.github/buildomat/jobs/opteadm.sh
 ./.github/buildomat/jobs/test.sh

xde/src/xde.rs

@@ -107,9 +107,10 @@ const XDE_STR: *const c_char = b"xde\0".as_ptr() as *const c_char;
 /// Name of the control device.
 const XDE_CTL_STR: *const c_char = b"ctl\0".as_ptr() as *const c_char;
 
-/// The boundary services anycast address fd00:99::
-const BOUNDARY_SERVICES_ACAST: Ipv6Addr =
-    Ipv6Addr::from_const([0xfd00, 0x99, 0, 0, 0, 0, 0, 0]);
+//TODO make configurable
+/// The boundary services prefix fd00:99::
+const BOUNDARY_SERVICES_PREFIX: u128 =
+    0xfd00_0099_0000_0000_0000_0000_0000_0000u128;
 
 /// Minor number for the control device.
 // Set once in `xde_attach`.
@@ -1532,7 +1533,7 @@ unsafe extern "C" fn xde_mc_tx(
                 return guest_loopback(src_dev, pkt, vni);
             }
 
-            let hash = if ip6.dst == BOUNDARY_SERVICES_ACAST {
+            let hash = if ip6.dst.has_prefix(BOUNDARY_SERVICES_PREFIX, 32) {
                 match meta.inner.ip {
                     Some(IpMeta::Ip4(m)) => Some(l4_hash!(meta, m)),
                     Some(IpMeta::Ip6(m)) => Some(l4_hash!(meta, m)),