Add Send + Sync bounds to resolve Arc clippy warnings

lib/opte/src/ddi/kstat.rs

@@ -306,3 +306,26 @@ impl From<alloc::ffi::NulError> for Error {
         Self::NulChar
     }
 }
+
+// SAFETY: KStatNamed<T> is safe for Send + Sync under the following conditions:
+//
+// 1. Read-only sharing: After creation, the `ksp` pointer is never mutated - only
+//    passed to kstat_delete() in Drop. Multiple threads can safely read the same
+//    immutable pointer value.
+//
+// 2. Kernel manages concurrency: The kstat framework handles concurrent access to
+//    the underlying kernel structures via its own internal mechanisms.
+//
+// 3. Atomic statistics: Individual stats in `vals` use AtomicU64, ensuring each
+//    counter update is atomic and thread-safe.
+//
+// 4. Intentional design trade-off: We explicitly do NOT set ks_lock (see struct
+//    comment), accepting that different threads may see inconsistent snapshots
+//    of the stats as a group, while individual values remain uncorrupted.
+//
+// 5. No shared mutable state: The raw pointer represents a kernel resource with
+//    a clear lifecycle (create -> install -> delete) with no Rust-side mutation.
+#[cfg(all(not(feature = "std"), not(test)))]
+unsafe impl<T: KStatProvider> Send for KStatNamed<T> {}
+#[cfg(all(not(feature = "std"), not(test)))]
+unsafe impl<T: KStatProvider> Sync for KStatNamed<T> {}

lib/opte/src/engine/flow_table.rs

@@ -64,7 +64,7 @@ impl Ttl {
 }
 
 /// A policy for expiring flow table entries over time.
-pub trait ExpiryPolicy<S: Dump>: fmt::Debug {
+pub trait ExpiryPolicy<S: Dump>: fmt::Debug + Send + Sync {
     /// Returns whether the given flow should be removed, given current flow
     /// state, the time a packet was last received, and the current time.
     fn is_expired(&self, entry: &FlowEntry<S>, now: Moment) -> bool;

lib/opte/src/engine/rule.rs

@@ -173,7 +173,7 @@ where
 /// An Action Descriptor holds the information needed to create the
 /// [`HdrTransform`] which implements the desired action. An
 /// ActionDesc is created by a [`StatefulAction`] implementation.
-pub trait ActionDesc {
+pub trait ActionDesc: Send + Sync {
     /// Generate the [`HdrTransform`] which implements this descriptor.
     fn gen_ht(&self, dir: Direction) -> HdrTransform;
 
@@ -742,7 +742,7 @@ pub enum GenDescError {
 
 pub type GenDescResult = ActionResult<Arc<dyn ActionDesc>, GenDescError>;
 
-pub trait StatefulAction: Display {
+pub trait StatefulAction: Display + Send + Sync {
     /// Generate a an [`ActionDesc`] based on the [`InnerFlowId`] and
     /// [`ActionMeta`]. This action may also add, remove, or modify
     /// metadata to communicate data to downstream actions.
@@ -772,7 +772,7 @@ pub enum GenHtError {
 
 pub type GenHtResult = ActionResult<HdrTransform, GenHtError>;
 
-pub trait StaticAction: Display {
+pub trait StaticAction: Display + Send + Sync {
     fn gen_ht(
         &self,
         dir: Direction,
@@ -795,7 +795,7 @@ pub type ModMetaResult = ActionResult<(), String>;
 /// metadata in some way. That is, it has no transformation to make on
 /// the packet, only add/modify/remove metadata for use by later
 /// layers.
-pub trait MetaAction: Display {
+pub trait MetaAction: Display + Send + Sync {
     /// Return the predicates implicit to this action.
     ///
     /// Return both the header [`Predicate`] list and
@@ -843,7 +843,7 @@ impl From<smoltcp::wire::Error> for GenBtError {
 ///
 /// For example, you could use this to hairpin an ARP Reply in response
 /// to a guest's ARP request.
-pub trait HairpinAction: Display {
+pub trait HairpinAction: Display + Send + Sync {
     /// Generate a [`Packet`] to hairpin back to the source. The
     /// `meta` argument holds the packet metadata, including any
     /// modifications made by previous layers up to this point.

lib/opte/src/engine/snat.rs

@@ -218,7 +218,7 @@ impl From<GenIcmpErr> for GenDescError {
     }
 }
 
-impl<T: ConcreteIpAddr + 'static> SNat<T> {
+impl<T: ConcreteIpAddr + 'static + Send + Sync> SNat<T> {
     pub fn new(addr: T) -> Self {
         SNat {
             priv_ip: addr,
@@ -299,7 +299,7 @@ impl Display for SNat<Ipv6Addr> {
     }
 }
 
-impl<T: ConcreteIpAddr + 'static> StatefulAction for SNat<T>
+impl<T: ConcreteIpAddr + 'static + Send + Sync> StatefulAction for SNat<T>
 where
     SNat<T>: Display,
 {
@@ -367,7 +367,7 @@ pub struct SNatDesc<T: ConcreteIpAddr> {
 
 pub const SNAT_NAME: &str = "SNAT";
 
-impl<T: ConcreteIpAddr> ActionDesc for SNatDesc<T> {
+impl<T: ConcreteIpAddr + Send + Sync> ActionDesc for SNatDesc<T> {
     fn gen_ht(&self, dir: Direction) -> HdrTransform {
         match dir {
             // Outbound traffic needs its source IP and source port
@@ -425,7 +425,7 @@ pub struct SNatIcmpEchoDesc<T: ConcreteIpAddr> {
 
 pub const SNAT_ICMP_ECHO_NAME: &str = "SNAT_ICMP_ECHO";
 
-impl<T: ConcreteIpAddr> ActionDesc for SNatIcmpEchoDesc<T> {
+impl<T: ConcreteIpAddr + Send + Sync> ActionDesc for SNatIcmpEchoDesc<T> {
     // SNAT needs to generate an additional transform for ICMP traffic in
     // order to treat the Echo Identifier as a psuedo ULP port.
     fn gen_ht(&self, dir: Direction) -> HdrTransform {

lib/opte/src/lib.rs

@@ -200,7 +200,7 @@ mod opte_provider {
 ///
 /// Logging levels are provided by [`LogLevel`]. These levels will map
 /// to the underlying provider with varying degrees of success.
-pub trait LogProvider {
+pub trait LogProvider: Send + Sync {
     /// Log a message at the specified level.
     fn log(&self, level: LogLevel, msg: &str);
 }