NAT RPW

common/src/api/external/mod.rs

@@ -750,6 +750,7 @@ pub enum ResourceType {
     UserBuiltin,
     Zpool,
     Vmm,
+    Ipv4NatEntry,
 }
 
 // IDENTITY METADATA

common/src/nexus_config.rs

@@ -335,6 +335,8 @@ pub struct BackgroundTaskConfig {
     pub dns_external: DnsTasksConfig,
     /// configuration for external endpoint list watcher
     pub external_endpoints: ExternalEndpointsConfig,
+    /// configuration for nat table garbage collector
+    pub nat_cleanup: NatCleanupConfig,
 }
 
 #[serde_as]
@@ -369,6 +371,14 @@ pub struct ExternalEndpointsConfig {
     // allow/disallow wildcard certs, don't serve expired certs, etc.)
 }
 
+#[serde_as]
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
+pub struct NatCleanupConfig {
+    /// period (in seconds) for periodic activations of this background task
+    #[serde_as(as = "DurationSeconds<u64>")]
+    pub period_secs: Duration,
+}
+
 /// Configuration for a nexus server
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 pub struct PackageConfig {
@@ -478,7 +488,7 @@ mod test {
     use crate::nexus_config::{
         BackgroundTaskConfig, ConfigDropshotWithTls, Database,
         DeploymentConfig, DnsTasksConfig, DpdConfig, ExternalEndpointsConfig,
-        InternalDns, LoadErrorKind, MgdConfig,
+        InternalDns, LoadErrorKind, MgdConfig, NatCleanupConfig,
     };
     use dropshot::ConfigDropshot;
     use dropshot::ConfigLogging;
@@ -626,6 +636,7 @@ mod test {
             dns_external.period_secs_propagation = 7
             dns_external.max_concurrent_server_updates = 8
             external_endpoints.period_secs = 9
+            nat_cleanup.period_secs = 30
             [default_region_allocation_strategy]
             type = "random"
             seed = 0
@@ -719,7 +730,10 @@ mod test {
                         },
                         external_endpoints: ExternalEndpointsConfig {
                             period_secs: Duration::from_secs(9),
-                        }
+                        },
+                        nat_cleanup: NatCleanupConfig {
+                            period_secs: Duration::from_secs(30),
+                        },
                     },
                     default_region_allocation_strategy:
                         crate::nexus_config::RegionAllocationStrategy::Random {
@@ -773,6 +787,7 @@ mod test {
             dns_external.period_secs_propagation = 7
             dns_external.max_concurrent_server_updates = 8
             external_endpoints.period_secs = 9
+            nat_cleanup.period_secs = 30
             [default_region_allocation_strategy]
             type = "random"
             "##,

dev-tools/omdb/src/bin/omdb/nexus.rs

@@ -155,6 +155,7 @@ async fn cmd_nexus_background_tasks_show(
         "dns_config_external",
         "dns_servers_external",
         "dns_propagation_external",
+        "nat_v4_garbage_collector",
     ] {
         if let Some(bgtask) = tasks.remove(name) {
             print_task(&bgtask);

dev-tools/omdb/tests/env.out

@@ -57,6 +57,11 @@ task: "external_endpoints"
     on each one
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: using Nexus URL http://127.0.0.1:REDACTED_PORT
@@ -113,6 +118,11 @@ task: "external_endpoints"
     on each one
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: Nexus URL not specified.  Will pick one from DNS.
@@ -156,6 +166,11 @@ task: "external_endpoints"
     on each one
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: Nexus URL not specified.  Will pick one from DNS.

dev-tools/omdb/tests/successes.out

@@ -231,6 +231,11 @@ task: "external_endpoints"
     on each one
 
 
+task: "nat_v4_garbage_collector"
+    prunes soft-deleted IPV4 NAT entries from ipv4_nat_entry table based on a
+    predetermined retention policy
+
+
 ---------------------------------------------
 stderr:
 note: using Nexus URL http://127.0.0.1:REDACTED_PORT/
@@ -295,6 +300,13 @@ task: "dns_propagation_external"
       [::1]:REDACTED_PORT     success     
 
 
+task: "nat_v4_garbage_collector"
+  configured period: every 30s
+  currently executing: no
+  last completed activation: iter 2, triggered by an explicit signal
+    started at <REDACTED     TIMESTAMP> (<REDACTED DURATION>s ago) and ran for <REDACTED DURATION>ms
+warning: unknown background task: "nat_v4_garbage_collector" (don't know how to interpret details: Null)
+
 task: "external_endpoints"
   configured period: every 1m
   currently executing: no

nexus/db-model/src/ipv4_nat_entry.rs

@@ -0,0 +1,126 @@
+use std::net::{Ipv4Addr, Ipv6Addr};
+
+use super::MacAddr;
+use crate::{
+    schema::{ipv4_nat_entry, ipv4_nat_version},
+    SqlU16, SqlU32, Vni,
+};
+use chrono::{DateTime, Utc};
+use omicron_common::api::external;
+use schemars::JsonSchema;
+use serde::Serialize;
+use uuid::Uuid;
+
+// TODO correctness
+// If we're not going to store ipv4 and ipv6
+// NAT entries in the same table, and we don't
+// need any of the special properties of the IpNetwork
+// column type, does it make sense to use a different
+// column type?
+/// Database representation of an Ipv4 NAT Entry.
+#[derive(Insertable, Debug, Clone)]
+#[diesel(table_name = ipv4_nat_entry)]
+pub struct Ipv4NatValues {
+    pub external_address: ipnetwork::IpNetwork,
+    pub first_port: SqlU16,
+    pub last_port: SqlU16,
+    pub sled_address: ipnetwork::IpNetwork,
+    pub vni: Vni,
+    pub mac: MacAddr,
+}
+
+// TODO correctness
+// If we're not going to store ipv4 and ipv6
+// NAT entries in the same table, we should probably
+// make the types more restrictive to prevent an
+// accidental ipv6 entry from being created.
+#[derive(Queryable, Debug, Clone, Selectable)]
+#[diesel(table_name = ipv4_nat_entry)]
+pub struct Ipv4NatEntry {
+    pub id: Uuid,
+    pub external_address: ipnetwork::IpNetwork,
+    pub first_port: SqlU16,
+    pub last_port: SqlU16,
+    pub sled_address: ipnetwork::IpNetwork,
+    pub vni: Vni,
+    pub mac: MacAddr,
+    pub version_added: SqlU32,
+    pub version_removed: Option<SqlU32>,
+    pub time_created: DateTime<Utc>,
+    pub time_deleted: Option<DateTime<Utc>>,
+}
+
+impl Ipv4NatEntry {
+    pub fn first_port(&self) -> u16 {
+        self.first_port.into()
+    }
+
+    pub fn last_port(&self) -> u16 {
+        self.last_port.into()
+    }
+
+    pub fn version_added(&self) -> u32 {
+        self.version_added.into()
+    }
+
+    pub fn version_removed(&self) -> Option<u32> {
+        self.version_removed.map(|i| i.into())
+    }
+}
+
+#[derive(Queryable, Debug, Clone, Selectable)]
+#[diesel(table_name = ipv4_nat_version)]
+pub struct Ipv4NatGen {
+    pub last_value: SqlU32,
+    pub log_cnt: SqlU32,
+    pub is_called: bool,
+}
+
+/// NAT Record
+#[derive(Clone, Debug, Serialize, JsonSchema)]
+pub struct Ipv4NatEntryView {
+    pub external_address: Ipv4Addr,
+    pub first_port: u16,
+    pub last_port: u16,
+    pub sled_address: Ipv6Addr,
+    pub vni: external::Vni,
+    pub mac: external::MacAddr,
+    pub gen: u32,
+    pub deleted: bool,
+}
+
+impl From<Ipv4NatEntry> for Ipv4NatEntryView {
+    fn from(value: Ipv4NatEntry) -> Self {
+        let external_address = match value.external_address.ip() {
+            std::net::IpAddr::V4(a) => a,
+            std::net::IpAddr::V6(_) => unreachable!(),
+        };
+
+        let sled_address = match value.sled_address.ip() {
+            std::net::IpAddr::V4(_) => unreachable!(),
+            std::net::IpAddr::V6(a) => a,
+        };
+
+        let (gen, deleted) = match value.version_removed {
+            Some(gen) => (*gen, true),
+            None => (*value.version_added, false),
+        };
+
+        Self {
+            external_address,
+            first_port: value.first_port(),
+            last_port: value.last_port(),
+            sled_address,
+            vni: value.vni.0,
+            mac: *value.mac,
+            gen,
+            deleted,
+        }
+    }
+}
+
+/// NAT Generation
+#[derive(Clone, Debug, Serialize, JsonSchema)]
+pub struct Ipv4NatGenView {
+    pub gen: u32,
+}

nexus/db-model/src/lib.rs

@@ -52,6 +52,7 @@ mod system_update;
 // These actually represent subqueries, not real table.
 // However, they must be defined in the same crate as our tables
 // for join-based marker trait generation.
+mod ipv4_nat_entry;
 pub mod queries;
 mod rack;
 mod region;
@@ -122,6 +123,7 @@ pub use instance::*;
 pub use instance_cpu_count::*;
 pub use instance_state::*;
 pub use ip_pool::*;
+pub use ipv4_nat_entry::*;
 pub use ipv4net::*;
 pub use ipv6::*;
 pub use ipv6net::*;

nexus/db-model/src/schema.rs

@@ -489,6 +489,32 @@ table! {
     }
 }
 
+table! {
+    ipv4_nat_entry (id) {
+        id -> Uuid,
+        external_address -> Inet,
+        first_port -> Int4,
+        last_port -> Int4,
+        sled_address -> Inet,
+        vni -> Int4,
+        mac -> Int8,
+        version_added -> Int8,
+        version_removed -> Nullable<Int8>,
+        time_created -> Timestamptz,
+        time_deleted -> Nullable<Timestamptz>,
+    }
+}
+
+// This is the sequence used for the version number
+// in ipv4_nat_entry.
+table! {
+    ipv4_nat_version (last_value) {
+        last_value -> Int8,
+        log_cnt -> Int8,
+        is_called -> Bool,
+    }
+}
+
 table! {
     external_ip (id) {
         id -> Uuid,