Stateless NAT: Remove nots and not_as from NAT tables and processing logics
#653
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
daniel-noland
approved these changes
Jun 30, 2025
mvachhar
requested changes
Jul 1, 2025
qmonnet
force-pushed
the
pr/qmonnet/nat-no-excludes
branch
from
5b4d25a to
ad47ea3
Compare
Implement a function to "collapse" prefixes: take a set of allowed prefixes, and another set of exclusion prefixes to apply to the first set, and produce a new set of allowed prefixes that are smaller segments representing the same IP address range as the combination of the initial two sets - but without the use of exclusion prefixes. Implement a function to run this on all expose objects in a Peering. The function is not called yet. Add unit tests to validate the algorithm. Signed-off-by: Quentin Monnet <[email protected]>
Rather than optimizing the lists for prefixes by only removing exclusion prefixes when they cover one half of allowed prefixes, split allowed prefixes into smaller fragments to get rid of all exclusion prefixes altogether. We don't spend too much effort on the new error introduced in this commit; it's more convenient at the moment to return a TrieError from the function (because we return it in several locations), so just add an "Other" error for the case where the internal algorithm has a bug. Signed-off-by: Quentin Monnet <[email protected]>
We changed the way we build the stateless NAT tables; get rid of the unused code. Signed-off-by: Quentin Monnet <[email protected]>
We have optimised out the exclusion prefixes from the list of allowed prefixes, so that the NAT tables no longer rely on it. Let's remove all the associated processing in the NAT tables and the IpList structure, hurray! Signed-off-by: Quentin Monnet <[email protected]>
Signed-off-by: Manish Vachharajani <[email protected]>
The fuzzer works by generating some random prefixes/excludes then uses a simple oracle to test against a set of IP addrs and compares it to the determination of the collapsed prefix list. [ Quentin: Shorten checks in prefix_oracle() ] Signed-off-by: Manish Vachharajani <[email protected]> Signed-off-by: Quentin Monnet <[email protected]>
qmonnet
force-pushed
the
pr/qmonnet/nat-no-excludes
branch
from
ad47ea3 to
30cc425
Compare
mvachhar
approved these changes
Jul 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implement a function to collapse exclusion prefixes (
nots,not_as) into allowed prefixes (ips,as_range) to create a list of smaller fragment prefixes representing the same IP addressing ranges, but without the need to keep track of any exclusion prefixes.Use this function to get rid of exclusion prefixes altogether in the NAT tables. This allows us to greatly simplify the processing when building NAT tables and when computing the IP address mapping for stateless NAT.
One other consequence is that it allows us to revert e296c01 (we don't do it in this PR) and address #650.