nexus/src/app/rack.rs

-Original file line number
+Diff line change
@@ Expand Up / @@ -740,8 +740,10 @@ impl super::Nexus { @@
                 )
                 .await?;
-            // Plumb the firewall rules for the built-in services
-            self.plumb_service_firewall_rules(opctx, &[]).await?;
+            // Note: Service firewall rules are plumbed in Server::start() via
+            // await_ip_allowlist_plumbing(), which runs before the external HTTP
+            // server starts. This ensures rules are in place for both fresh rack
+            // initialization and Nexus restart scenarios.
             // We've potentially updated the list of DNS servers and the DNS
             // configuration for both internal and external DNS, plus the Silo
@@ Expand Down @@

nexus/src/app/sled.rs

-Original file line number
+Diff line change
@@ Expand Up / @@ -363,20 +363,4 @@ impl super::Nexus { @@
             self.db_datastore.crucible_dataset_upsert(dataset).await?;
             Ok(())
         }
-        /// Ensure firewall rules for internal services get reflected on all the relevant sleds.
-        pub(crate) async fn plumb_service_firewall_rules(
-            &self,
-            opctx: &OpContext,
-            sleds_filter: &[SledUuid],
-        ) -> Result<(), Error> {
-            nexus_networking::plumb_service_firewall_rules(
-                &self.db_datastore,
-                opctx,
-                sleds_filter,
-                &self.opctx_alloc,
-                &self.log,
-            )
-            .await
-        }
     }

Remove redundant plumb_service_firewall_rules call from rack_initialize #9764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

smklein merged 1 commit into main from firewall-opt

Feb 2, 2026

-Original file line number
+Diff line change
@@ Expand Up / @@ -740,8 +740,10 @@ impl super::Nexus { @@
                 )
                 .await?;
-            // Plumb the firewall rules for the built-in services
-            self.plumb_service_firewall_rules(opctx, &[]).await?;
+            // Note: Service firewall rules are plumbed in Server::start() via
+            // await_ip_allowlist_plumbing(), which runs before the external HTTP
+            // server starts. This ensures rules are in place for both fresh rack
+            // initialization and Nexus restart scenarios.
             // We've potentially updated the list of DNS servers and the DNS
             // configuration for both internal and external DNS, plus the Silo
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -363,20 +363,4 @@ impl super::Nexus { @@
             self.db_datastore.crucible_dataset_upsert(dataset).await?;
             Ok(())
         }
-        /// Ensure firewall rules for internal services get reflected on all the relevant sleds.
-        pub(crate) async fn plumb_service_firewall_rules(
-            &self,
-            opctx: &OpContext,
-            sleds_filter: &[SledUuid],
-        ) -> Result<(), Error> {
-            nexus_networking::plumb_service_firewall_rules(
-                &self.db_datastore,
-                opctx,
-                sleds_filter,
-                &self.opctx_alloc,
-                &self.log,
-            )
-            .await
-        }
     }

Provide feedback