[multicast] Narrow admin-scoped to admin-local only (ff04::/16)

Previously, internal multicast groups accepted admin-scoped addresses
including admin-local (ff04), site-local (ff05), and org-local (ff08).
This narrows the scope to only admin-local (ff04::/16), which is what
Omicron *now* dictates.

- [ ] This should be merged after
    oxidecomputer/omicron#9450 is reviewed
    and merged into Omicron. We now make Dendrite/Dpd match Omicron
    consistently for validation.

Key changes:
  - Remove IPV6_SITE_LOCAL_PATTERN and IPV6_ORG_SCOPE_PATTERN from P4
  - Update P4 table entries to only match admin-local (size 4→2)
  - Add ADMIN_LOCAL_PREFIX const to dpd-types with RFC doc links
  - Update validation to use `is_admin_local_multicast()` from oxnet v0.1.4
  - Bump to API version 2 for doc changes (only)
  - Update README with OpenAPI generation instructions
  - Use new multicast subnet constants from `omicron-common` for validation

Author: zeeshanlakhani

Cargo.lock

@@ -46,11 +46,11 @@ ispf = { git = "https://github.com/oxidecomputer/ispf" }
 gateway-client = { git = "https://github.com/oxidecomputer/omicron", branch = "main" }
 gateway-types = { git = "https://github.com/oxidecomputer/omicron", branch = "main" }
 nexus-client = { git = "https://github.com/oxidecomputer/omicron", branch = "main" }
-omicron-common = { git = "https://github.com/oxidecomputer/omicron", branch= "main" }
-oximeter = { git = "https://github.com/oxidecomputer/omicron", branch = "main" }
-oximeter-producer = { git = "https://github.com/oxidecomputer/omicron", branch = "main" }
-oximeter-instruments = { git = "https://github.com/oxidecomputer/omicron", branch = "main", default-features = false, features = ["kstat"] }
-oxnet = { version = "0.1.3", default-features = false, features = ["schemars", "serde"] }
+omicron-common = { git = "https://github.com/oxidecomputer/omicron", branch= "zl/mcast-implicit-lifecycle" }
+oximeter = { git = "https://github.com/oxidecomputer/omicron", branch = "zl/mcast-implicit-lifecycle" }
+oximeter-producer = { git = "https://github.com/oxidecomputer/omicron", branch = "zl/mcast-implicit-lifecycle" }
+oximeter-instruments = { git = "https://github.com/oxidecomputer/omicron", branch = "zl/mcast-implicit-lifecycle", default-features = false, features = ["kstat"] }
+oxnet = { version = "0.1.4", default-features = false, features = ["schemars", "serde"] }
 propolis = { git = "https://github.com/oxidecomputer/propolis" }
 smf = { git = "https://github.com/illumos/smf-rs" }
 softnpu-lib = { git = "https://github.com/oxidecomputer/softnpu" , package = "softnpu" , branch = "main"}

Cargo.toml

@@ -341,5 +341,14 @@ proxy_arp:
 3. run `SDE=/opt/oxide/tofino_sde cargo test --features=<feature>` to execute
    the tests.
 
-If regenerating the openapi specifications, set `EXPECTORATE=overwrite` when
-runnning the tests with the `tofino_asic` feature.
+### OpenAPI Generation
+
+`dpd-api/src/lib.rs` contains endpoint [dropshot][dropshot-gh] definitions and
+controls API versioning for the `dpd` OpenAPI interface. If you add/remove or
+edit API points and/or documentation, you can update the API version and
+regenerate the latest OpenAPI specification bindings by running
+`cargo xtask openapi generate`. Use `cargo xtask openapi check` to verify
+specs are up-to-date.
+
+
+[dropshot-gh]: https://github.com/oxidecomputer/dropshot

README.md

@@ -41,7 +41,7 @@ use oxnet::{Ipv4Net, Ipv6Net};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use transceiver_controller::{
-    Datapath, Monitors, PowerState, message::LedState,
+    message::LedState, Datapath, Monitors, PowerState,
 };
 
 api_versions!([
@@ -56,6 +56,7 @@ api_versions!([
     // |  example for the next person.
     // v
     // (next_int, IDENT),
+    (2, MCAST_DOCS_ADMIN_LOCAL),
     (1, INITIAL),
 ]);
 
@@ -1431,7 +1432,7 @@ pub trait DpdApi {
     /**
      * Create an external-only multicast group configuration.
      *
-     * External-only groups are used for IPv4 and non-admin-scoped IPv6 multicast
+     * External-only groups are used for IPv4 and non-admin-local IPv6 multicast
      * traffic that doesn't require replication infrastructure. These groups use
      * simple forwarding tables and require a NAT target.
      */
@@ -1450,9 +1451,10 @@ pub trait DpdApi {
     /**
      * Create an underlay (internal) multicast group configuration.
      *
-     * Underlay groups are used for admin-scoped IPv6 multicast traffic that
-     * requires replication infrastructure. These groups support both external
-     * and underlay members with full replication capabilities.
+     * Underlay groups are used for admin-local IPv6 multicast traffic
+     * (ff04::/16, as defined in RFC 7346 and RFC 4291) that requires
+     * replication infrastructure. These groups support both external and
+     * underlay members with full replication capabilities.
      */
     #[endpoint {
         method = POST,
@@ -1502,10 +1504,10 @@ pub trait DpdApi {
     ) -> Result<HttpResponseOk<mcast::MulticastGroupResponse>, HttpError>;
 
     /**
-     * Get an underlay (internal) multicast group configuration by admin-scoped
+     * Get an underlay (internal) multicast group configuration by admin-local
      * IPv6 address.
      *
-     * Underlay groups handle admin-scoped IPv6 multicast traffic with
+     * Underlay groups handle admin-local IPv6 multicast traffic (ff04::/16) with
      * replication infrastructure for external and underlay members.
      */
     #[endpoint {
@@ -1521,8 +1523,8 @@ pub trait DpdApi {
      * Update an underlay (internal) multicast group configuration for a given
      * group IP address.
      *
-     * Underlay groups are used for admin-scoped IPv6 multicast traffic that
-     * requires replication infrastructure with external and underlay members.
+     * Underlay groups are used for admin-local IPv6 multicast traffic (ff04::/16)
+     * that requires replication infrastructure with external and underlay members.
      */
     #[endpoint {
         method = PUT,
@@ -1537,7 +1539,7 @@ pub trait DpdApi {
     /**
      * Update an external-only multicast group configuration for a given group IP address.
      *
-     * External-only groups are used for IPv4 and non-admin-scoped IPv6 multicast
+     * External-only groups are used for IPv4 and non-admin-local IPv6 multicast
      * traffic that doesn't require replication infrastructure.
      */
     #[endpoint {
@@ -2270,8 +2272,11 @@ pub struct MulticastGroupIpParam {
     pub group_ip: IpAddr,
 }
 
-/// Used to identify an underlay (internal) multicast group by admin-scoped IPv6
-/// address.
+/// Used to identify an underlay (internal) multicast group by admin-local IPv6
+/// address (ff04::/16, as defined in [RFC 7346] and [RFC 4291]).
+///
+/// [RFC 7346]: https://www.rfc-editor.org/rfc/rfc7346.html
+/// [RFC 4291]: https://www.rfc-editor.org/rfc/rfc4291.html
 #[derive(Deserialize, Serialize, JsonSchema)]
 pub struct MulticastUnderlayGroupIpParam {
     pub group_ip: mcast::AdminScopedIpv6,

dpd-api/src/lib.rs

@@ -33,6 +33,7 @@ packet = { path = "../packet" }
 pcap = { path = "../pcap" }
 asic = { path = "../asic" }
 anyhow.workspace = true
+dpd-types.workspace = true
 lazy_static.workspace = true
 parking_lot.workspace = true
 rand.workspace = true