test(mgmt): Add statefull NAT tests with VpcExpose with excludes only

Make sure that we process expose objects containing exclusion prefixes
only as we expect.

Signed-off-by: Quentin Monnet <[email protected]>

Author: qmonnet

mgmt/src/models/internal/natconfig/table_extend.rs

@@ -355,15 +355,6 @@ mod tests {
             expected
         );
 
-        // Empty prefixes, non-empty excludes
-        let prefixes = BTreeSet::new();
-        let excludes = btree_from(vec!["1.0.0.0/16", "2.0.0.0/24"]);
-        let expected = prefixes.clone();
-        assert_eq!(
-            collapse_prefix_lists(&prefixes, &excludes).unwrap(),
-            expected
-        );
-
         // Excludes outside prefix
         let prefixes = btree_from(vec!["10.0.0.0/16"]);
         let excludes = btree_from(vec!["1.0.0.0/16", "2.0.0.0/24"]);
@@ -547,6 +538,48 @@ mod tests {
             expected
         );
 
+        // Empty prefixes, non-empty excludes
+        let prefixes = BTreeSet::new();
+        let excludes = btree_from(vec!["1.0.0.0/16", "2.0.0.0/24"]);
+        let expected = btree_from(vec![
+            "0.0.0.0/8",
+            "1.1.0.0/16",
+            "1.2.0.0/15",
+            "1.4.0.0/14",
+            "1.8.0.0/13",
+            "1.16.0.0/12",
+            "1.32.0.0/11",
+            "1.64.0.0/10",
+            "1.128.0.0/9",
+            "2.0.1.0/24",
+            "2.0.2.0/23",
+            "2.0.4.0/22",
+            "2.0.8.0/21",
+            "2.0.16.0/20",
+            "2.0.32.0/19",
+            "2.0.64.0/18",
+            "2.0.128.0/17",
+            "2.1.0.0/16",
+            "2.2.0.0/15",
+            "2.4.0.0/14",
+            "2.8.0.0/13",
+            "2.16.0.0/12",
+            "2.32.0.0/11",
+            "2.64.0.0/10",
+            "2.128.0.0/9",
+            "3.0.0.0/8",
+            "4.0.0.0/6",
+            "8.0.0.0/5",
+            "16.0.0.0/4",
+            "32.0.0.0/3",
+            "64.0.0.0/2",
+            "128.0.0.0/1",
+        ]);
+        assert_eq!(
+            collapse_prefix_lists(&prefixes, &excludes).unwrap(),
+            expected
+        );
+
         // Full peering
         let expose = VpcExpose::empty()
             .ip("1.0.0.0/16".into())

mgmt/src/models/internal/natconfig/test.rs

@@ -313,6 +313,11 @@ mod tests {
             .ip("192.168.100.0/24".into())
             .as_range("34.34.34.0/24".into());
         let expose431 = VpcExpose::empty().ip("4.4.0.0/24".into());
+        let expose432 = VpcExpose::empty()
+            .not("192.0.0.0/2".into())
+            .not("4.0.0.0/8".into())
+            .not_as("0.0.0.0/2".into())
+            .not_as("255.0.0.0/8".into());
 
         // VPC1 <-> VPC2
         let mut manifest12 = VpcManifest::new("VPC-1");
@@ -349,6 +354,7 @@ mod tests {
         add_expose(&mut manifest34, expose341);
         let mut manifest43 = VpcManifest::new("VPC-4");
         add_expose(&mut manifest43, expose431);
+        add_expose(&mut manifest43, expose432);
 
         let peering12 = VpcPeering::new("VPC-1--VPC-2", manifest12, manifest21);
         let peering31 = VpcPeering::new("VPC-3--VPC-1", manifest31, manifest13);
@@ -540,5 +546,16 @@ mod tests {
         let (output_src, output_dst) = check_packet(&mut nat, vni(400), target_dst, target_src);
         assert_eq!(output_src, orig_dst);
         assert_eq!(output_dst, orig_src);
+
+        // expose341 <-> expose432 (exclusion prefixes only)
+        let (orig_src, orig_dst) = (addr_v4("192.168.100.34"), addr_v4("65.1.1.1"));
+        let (target_src, target_dst) = (addr_v4("34.34.34.34"), addr_v4("1.1.1.1"));
+        let (output_src, output_dst) = check_packet(&mut nat, vni(300), orig_src, orig_dst);
+        assert_eq!(output_src, target_src);
+        assert_eq!(output_dst, target_dst);
+        // Reverse path
+        let (output_src, output_dst) = check_packet(&mut nat, vni(400), target_dst, target_src);
+        assert_eq!(output_src, orig_dst);
+        assert_eq!(output_dst, orig_src);
     }
 }