Skip to content

In flow-filter, mark NAT requirements for packets #1225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
qmonnet merged 8 commits into from
Jan 22, 2026
Merged

In flow-filter, mark NAT requirements for packets #1225

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
51805c2
chore(flow-filter): Rename RemotePrefixPortData as RemotePortRangesData
qmonnet Jan 21, 2026
9de1b91
chore(flow-filter): Move flow-filter's result to dedicated struct
qmonnet Jan 21, 2026
c35f60b
chore(flow-filter): Add NAT requirements to flow-filter lookup result
qmonnet Jan 21, 2026
d7ad3fb
chore(flow-filter): Simplify VNI/VPC discriminant handling in tests
qmonnet Jan 21, 2026
277068a
feat(flow-filter): Tag packets with NAT requirements
qmonnet Jan 21, 2026
da44208
feat(nat): Use packet flags to determine whether NAT is necessary
qmonnet Jan 21, 2026
8040501
feat(nat): Remove moot "exempt tables" from stateful NAT
qmonnet Jan 21, 2026
c9ed9b6
feat(nat): Add error message on failure to find source IP to NAT
qmonnet Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
263 changes: 220 additions & 43 deletions flow-filter/src/lib.rs
View file
Open in desktop

Large diffs are not rendered by default.

61 changes: 53 additions & 8 deletions flow-filter/src/setup.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,11 @@
// Copyright Open Network Fabric Authors

use crate::FlowFilterTable;
use crate::tables::{NatRequirement, RemoteData};
use config::ConfigError;
use config::external::overlay::Overlay;
use config::external::overlay::vpc::{Peering, Vpc};
use config::external::overlay::vpcpeering::{VpcExpose, VpcExposeNat};
use config::internal::interfaces::interface::InterfaceConfigTable;
use config::utils::{ConfigUtilError, collapse_prefixes_peering};
use net::packet::VpcDiscriminant;
Expand Down Expand Up @@ -40,15 +42,16 @@ impl FlowFilterTable {
for remote_expose in &peering.remote.exposes {
if remote_expose.default {
for local_expose in &peering.local.exposes {
let dst_data = build_dst_data(dst_vpcd, local_expose, remote_expose);
if local_expose.default {
// Both the local and remote expose are default exposes
self.insert_default_source_to_default_remote(local_vpcd, dst_vpcd)?;
self.insert_default_source_to_default_remote(local_vpcd, dst_data.clone())?;
} else {
// Only the remote expose is a default expose
for local_prefix in &local_expose.ips {
self.insert_default_remote(
local_vpcd,
dst_vpcd,
dst_data.clone(),
local_prefix.prefix(),
local_prefix.ports(),
)?;
Expand All @@ -57,12 +60,13 @@ impl FlowFilterTable {
}
} else {
for local_expose in &peering.local.exposes {
let dst_data = build_dst_data(dst_vpcd, local_expose, remote_expose);
if local_expose.default {
// Only the local expose is a default expose
for remote_prefix in remote_expose.public_ips() {
self.insert_default_source(
local_vpcd,
dst_vpcd,
dst_data.clone(),
remote_prefix.prefix(),
remote_prefix.ports(),
)?;
Expand All @@ -73,7 +77,7 @@ impl FlowFilterTable {
for remote_prefix in remote_expose.public_ips() {
self.insert(
local_vpcd,
dst_vpcd,
dst_data.clone(),
local_prefix.prefix(),
local_prefix.ports(),
remote_prefix.prefix(),
Expand Down Expand Up @@ -118,6 +122,33 @@ fn clone_skipping_peerings(vpc: &Vpc) -> Vpc {
}
}

fn build_dst_data(
dst_vpcd: VpcDiscriminant,
local_expose: &VpcExpose,
remote_expose: &VpcExpose,
) -> RemoteData {
RemoteData::new(
dst_vpcd,
get_nat_requirement(&local_expose.nat),
get_nat_requirement(&remote_expose.nat),
)
}

fn get_nat_requirement(nat: &Option<VpcExposeNat>) -> NatRequirement {
match nat {
Some(nat) => {
if nat.is_stateful() {
NatRequirement::StatefulNatRequired
} else if nat.is_stateless() {
NatRequirement::StatelessNatRequired
} else {
unreachable!("Unknown NAT mode")
}
}
None => NatRequirement::NoNat,
}
}

#[cfg(test)]
mod tests {
use super::*;
Expand Down Expand Up @@ -168,8 +199,15 @@ mod tests {
let src_addr = "10.0.0.5".parse().unwrap();
let dst_addr = "20.0.0.5".parse().unwrap();

let dst_vpcd = table.lookup(src_vpcd, &src_addr, &dst_addr, None);
assert_eq!(dst_vpcd, Some(VpcDiscriminant::VNI(vni2)));
let dst_data = table.lookup(src_vpcd, &src_addr, &dst_addr, None);
assert_eq!(
dst_data,
Some(&RemoteData::new(
VpcDiscriminant::VNI(vni2),
NatRequirement::NoNat,
NatRequirement::NoNat,
))
);
}

#[test]
Expand Down Expand Up @@ -244,7 +282,14 @@ mod tests {
let src_addr = "10.0.0.5".parse().unwrap();
let dst_addr = "20.0.0.5".parse().unwrap();

let dst_vpcd = table.lookup(src_vpcd, &src_addr, &dst_addr, None);
assert_eq!(dst_vpcd, Some(VpcDiscriminant::VNI(vni2)));
let dst_data = table.lookup(src_vpcd, &src_addr, &dst_addr, None);
assert_eq!(
dst_data,
Some(&RemoteData::new(
VpcDiscriminant::VNI(vni2),
NatRequirement::NoNat,
NatRequirement::NoNat,
))
);
}
}
Loading
Loading