NAT RPW

common/src/api/external/mod.rs

@@ -750,6 +750,7 @@ pub enum ResourceType {
     UserBuiltin,
     Zpool,
     Vmm,
+    Ipv4NatEntry,
 }
 
 // IDENTITY METADATA

common/src/nexus_config.rs

@@ -335,6 +335,8 @@ pub struct BackgroundTaskConfig {
     pub dns_external: DnsTasksConfig,
     /// configuration for external endpoint list watcher
     pub external_endpoints: ExternalEndpointsConfig,
+    /// configuration for nat table garbage collector
+    pub nat_cleanup: NatCleanupConfig,
     /// configuration for inventory tasks
     pub inventory: InventoryConfig,
 }
@@ -371,6 +373,14 @@ pub struct ExternalEndpointsConfig {
     // allow/disallow wildcard certs, don't serve expired certs, etc.)
 }
 
+#[serde_as]
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
+pub struct NatCleanupConfig {
+    /// period (in seconds) for periodic activations of this background task
+    #[serde_as(as = "DurationSeconds<u64>")]
+    pub period_secs: Duration,
+}
+
 #[serde_as]
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
 pub struct InventoryConfig {
@@ -498,7 +508,7 @@ mod test {
         BackgroundTaskConfig, Config, ConfigDropshotWithTls, ConsoleConfig,
         Database, DeploymentConfig, DnsTasksConfig, DpdConfig,
         ExternalEndpointsConfig, InternalDns, InventoryConfig, LoadError,
-        LoadErrorKind, MgdConfig, PackageConfig, SchemeName,
+        LoadErrorKind, MgdConfig, NatCleanupConfig, PackageConfig, SchemeName,
         TimeseriesDbConfig, Tunables, UpdatesConfig,
     };
     use crate::address::{Ipv6Subnet, RACK_PREFIX};
@@ -649,6 +659,7 @@ mod test {
             dns_external.period_secs_propagation = 7
             dns_external.max_concurrent_server_updates = 8
             external_endpoints.period_secs = 9
+            nat_cleanup.period_secs = 30
             inventory.period_secs = 10
             inventory.nkeep = 11
             inventory.disable = false
@@ -746,6 +757,9 @@ mod test {
                         external_endpoints: ExternalEndpointsConfig {
                             period_secs: Duration::from_secs(9),
                         },
+                        nat_cleanup: NatCleanupConfig {
+                            period_secs: Duration::from_secs(30),
+                        },
                         inventory: InventoryConfig {
                             period_secs: Duration::from_secs(10),
                             nkeep: 11,
@@ -804,6 +818,7 @@ mod test {
             dns_external.period_secs_propagation = 7
             dns_external.max_concurrent_server_updates = 8
             external_endpoints.period_secs = 9
+            nat_cleanup.period_secs = 30
             inventory.period_secs = 10
             inventory.nkeep = 3
             inventory.disable = false

dev-tools/omdb/src/bin/omdb/nexus.rs

@@ -159,6 +159,7 @@ async fn cmd_nexus_background_tasks_show(
         "dns_config_external",
         "dns_servers_external",
         "dns_propagation_external",
+        "nat_v4_garbage_collector",
     ] {
         if let Some(bgtask) = tasks.remove(name) {
             print_task(&bgtask);

dev-tools/omdb/tests/env.out

@@ -61,6 +61,11 @@ task: "inventory_collection"
     collects hardware and software inventory data from the whole system
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: using Nexus URL http://127.0.0.1:REDACTED_PORT
@@ -121,6 +126,11 @@ task: "inventory_collection"
     collects hardware and software inventory data from the whole system
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: Nexus URL not specified.  Will pick one from DNS.
@@ -168,6 +178,11 @@ task: "inventory_collection"
     collects hardware and software inventory data from the whole system
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: Nexus URL not specified.  Will pick one from DNS.

dev-tools/omdb/tests/successes.out

@@ -255,6 +255,11 @@ task: "inventory_collection"
     collects hardware and software inventory data from the whole system
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
@@ -319,6 +324,13 @@ task: "dns_propagation_external"
       [::1]:REDACTED_PORT     success     
 
 
+task: "nat_v4_garbage_collector"
+  configured period: every 30s
+  currently executing: no
+  last completed activation: iter 2, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "nat_v4_garbage_collector" (don't know how to interpret details: Null)
+
 task: "external_endpoints"
   configured period: every 1m
   currently executing: no

nexus/db-model/src/ipv4_nat_entry.rs

@@ -0,0 +1,81 @@
+use std::net::{Ipv4Addr, Ipv6Addr};
+
+use super::MacAddr;
+use crate::{schema::ipv4_nat_entry, Ipv4Net, Ipv6Net, SqlU16, Vni};
+use chrono::{DateTime, Utc};
+use omicron_common::api::external;
+use schemars::JsonSchema;
+use serde::Serialize;
+use uuid::Uuid;
+
+/// Values used to create an Ipv4NatEntry
+#[derive(Insertable, Debug, Clone)]
+#[diesel(table_name = ipv4_nat_entry)]
+pub struct Ipv4NatValues {
+    pub external_address: Ipv4Net,
+    pub first_port: SqlU16,
+    pub last_port: SqlU16,
+    pub sled_address: Ipv6Net,
+    pub vni: Vni,
+    pub mac: MacAddr,
+}
+
+/// Database representation of an Ipv4 NAT Entry.
+#[derive(Queryable, Debug, Clone, Selectable)]
+#[diesel(table_name = ipv4_nat_entry)]
+pub struct Ipv4NatEntry {
+    pub id: Uuid,
+    pub external_address: Ipv4Net,
+    pub first_port: SqlU16,
+    pub last_port: SqlU16,
+    pub sled_address: Ipv6Net,
+    pub vni: Vni,
+    pub mac: MacAddr,
+    pub version_added: i64,
+    pub version_removed: Option<i64>,
+    pub time_created: DateTime<Utc>,
+    pub time_deleted: Option<DateTime<Utc>>,
+}
+
+impl Ipv4NatEntry {
+    pub fn first_port(&self) -> u16 {
+        self.first_port.into()
+    }
+
+    pub fn last_port(&self) -> u16 {
+        self.last_port.into()
+    }
+}
+
+/// NAT Record
+#[derive(Clone, Debug, Serialize, JsonSchema)]
+pub struct Ipv4NatEntryView {
+    pub external_address: Ipv4Addr,
+    pub first_port: u16,
+    pub last_port: u16,
+    pub sled_address: Ipv6Addr,
+    pub vni: external::Vni,
+    pub mac: external::MacAddr,
+    pub gen: i64,
+    pub deleted: bool,
+}
+
+impl From<Ipv4NatEntry> for Ipv4NatEntryView {
+    fn from(value: Ipv4NatEntry) -> Self {
+        let (gen, deleted) = match value.version_removed {
+            Some(gen) => (gen, true),
+            None => (value.version_added, false),
+        };
+
+        Self {
+            external_address: value.external_address.ip(),
+            first_port: value.first_port(),
+            last_port: value.last_port(),
+            sled_address: value.sled_address.ip(),
+            vni: value.vni.0,
+            mac: *value.mac,
+            gen,
+            deleted,
+        }
+    }
+}

nexus/db-model/src/lib.rs

@@ -53,6 +53,7 @@ mod system_update;
 // These actually represent subqueries, not real table.
 // However, they must be defined in the same crate as our tables
 // for join-based marker trait generation.
+mod ipv4_nat_entry;
 pub mod queries;
 mod rack;
 mod region;
@@ -124,6 +125,7 @@ pub use instance_cpu_count::*;
 pub use instance_state::*;
 pub use inventory::*;
 pub use ip_pool::*;
+pub use ipv4_nat_entry::*;
 pub use ipv4net::*;
 pub use ipv6::*;
 pub use ipv6net::*;

nexus/db-model/src/schema.rs

@@ -489,6 +489,32 @@ table! {
     }
 }
 
+table! {
+    ipv4_nat_entry (id) {
+        id -> Uuid,
+        external_address -> Inet,
+        first_port -> Int4,
+        last_port -> Int4,
+        sled_address -> Inet,
+        vni -> Int4,
+        mac -> Int8,
+        version_added -> Int8,
+        version_removed -> Nullable<Int8>,
+        time_created -> Timestamptz,
+        time_deleted -> Nullable<Timestamptz>,
+    }
+}
+
+// This is the sequence used for the version number
+// in ipv4_nat_entry.
+table! {
+    ipv4_nat_version (last_value) {
+        last_value -> Int8,
+        log_cnt -> Int8,
+        is_called -> Bool,
+    }
+}
+
 table! {
     external_ip (id) {
         id -> Uuid,
@@ -1243,7 +1269,7 @@ table! {
 ///
 /// This should be updated whenever the schema is changed. For more details,
 /// refer to: schema/crdb/README.adoc
-pub const SCHEMA_VERSION: SemverVersion = SemverVersion::new(10, 0, 0);
+pub const SCHEMA_VERSION: SemverVersion = SemverVersion::new(11, 0, 0);
 
 allow_tables_to_appear_in_same_query!(
     system_update,