
flow-filter update for dst_vpcd lookup fallback with flow table #1264

Draft
qmonnet wants to merge 12 commits into pr/fredi/nat_use_cases from pr/qmonnet/overlap-again

Conversation

@qmonnet
Member

@qmonnet qmonnet commented Feb 4, 2026

Completing #1257

  • The first commits are by Claude, whom I asked to clean up flow-filter/src/tables.rs. I find we marginally gain in clarity (I hoped I'd get a clearer code organisation) but the clean-ups still simplify some portions of the code, so I took them in, because we're about to make the file more complex so any simplification is welcome.

  • Then we wrap the lookup result in an enum that supports a MultipleMatch case, and we update the packet processing accordingly.

  • In progress: Updating the flow-filter stage to build this MultipleMatch case (not in the PR yet).

@qmonnet qmonnet added the area/nat Related to Network Address Translation (NAT) label Feb 4, 2026
@qmonnet qmonnet force-pushed the pr/qmonnet/overlap-again branch from f4112e6 to 5fe4b31 Compare February 4, 2026 21:57
qmonnet and others added 12 commits February 5, 2026 17:49
Drive-by cleanup. No need to check that the count for filtered elements
is strictly positive; just use the .any() iterator method with the
condition.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Consolidate the duplicated AllPorts/Ranges enum pattern from
SrcConnectionData and RemotePortRangesData into a single generic
PortRangeMap<T> type. This eliminates ~40 lines of duplicate code
for the ValueWithAssociatedRanges trait implementation and the
new/get methods.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Replace the repeated get-or-insert pattern in the four insert methods
with a single get_or_create_table helper using HashMap's entry API.
This removes ~40 lines of duplicated boilerplate code.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Replace create_default_source and create_default_source_to_default_remote
with a single set_default_source helper that handles the guard logic.
The update_* methods now construct the data inline and call the helper.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Rename default_source_opt to default_source for consistency with
default_remote_data. The Option type already indicates optionality.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
Rewrite the structural comment to clearly explain the lookup flow
with an ASCII diagram and logical descriptions of what each level
provides, making the nested data structure easier to understand.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net>
This will allow us to handle the case when we have multiple matching
possible destination VPCs for a packet in the flow-filter lookup, to
support some overlap of publicly-exposed prefixes between peerings. The
current commit only adds the enum with a single variant, we'll add a new
variant in a follow-up commit.

This is somewhat of a revert of commit d588e14
("chore(flow-filter): Remove code for exposed IP overlap support").

Signed-off-by: Quentin Monnet <qmo@qmon.net>
For the destination VPC lookup, support returning a "MultipleMatches"
variant indicating that the destination is ambiguous, and that looking
up in the flow-filter table without additional state context from the
flow table is not enough to provide a definitive answer.

Based on this return value, we adjust the processing for the packet: if
we find no destination VPC at all, we drop it immediately. When we get
MultipleMatches instead, we fall back to the flow table lookup.

Note that we don't actually exercise this code yet, because we never
build the case where we have multiple matches in the flow-filter table.
This will come in a follow-up commit.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
In preparation for allowing support again for some cases of overlapping
prefixes, adjust the update() method for DstConnectionData objects so it
accepts overwriting a value, when both the old and new value refer to
multiple matches for the destination VPC lookup.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Generate "MultipleMatches" enum variants to populate the table for the
destination VPC discriminant lookup for prefixes that overlap across
peerings, so we can handle this specific case and fall back to the flow
table lookup for trying to determine the actual destination VPC when the
result is otherwise ambiguous.

Note that prefix overlap is still forbidden at the validation step, so
the related code remains unused in practice for now.

Signed-off-by: Quentin Monnet <qmo@qmon.net>
In preparation for splitting overlapping prefixes to support overlapping
again, this time with "default"-destination expose blocks, rework the
processing of a peering to add it to the context table for the
flow-filter stage.

In particular, we want to dissociate the processing of the default
expose from the processing of the prefixes from regular exposes, because
for the latter case we want to work with lists of prefixes
(local_prefixes, remote_prefixes) rather than looping over exposes. This
will help with handling lists of split prefixes in a follow-up commit.

This reapplies some elements from commit d588e14
("chore(flow-filter): Remove code for exposed IP overlap support").

Signed-off-by: Quentin Monnet <qmo@qmon.net>
Add support for partial overlap between exposed prefixes, by splitting
prefixes into smaller segments that are either fully overlapping (and
can share common destination information), or not overlapping at all.

This is a partial and updated reapply of commit d588e14
("chore(flow-filter): Remove code for exposed IP overlap support").

Signed-off-by: Quentin Monnet <qmo@qmon.net>
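The commit messages above describe three pieces that fit together: splitting overlapping exposed prefixes into segments that are either identical or disjoint, a destination-VPC lookup that can return a "MultipleMatches" variant when a segment is exposed by more than one peering, and a packet path that drops on no match and falls back to the flow table on an ambiguous one. The following is an added example written for this page, not code from this PR or from the project; the names Prefix, subtract, DstTable, DstLookup, FlowTable and resolve_dst_vpc, the use of u32 VPC ids, and the (src, dst) flow key are all assumptions, and the sample prefixes are constructed. Because CIDR prefixes are either nested or disjoint, "partial overlap" reduces to carving the smaller prefix out of the larger one, which is what subtract does.

```rust
// Added example for this PR page, not the PR's or the project's code. All names
// (Prefix, DstTable, DstLookup, FlowTable, resolve_dst_vpc) are assumptions.
use std::collections::HashMap;
use std::net::Ipv4Addr;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Prefix { pub addr: u32, pub len: u8 }

impl Prefix {
    fn mask(len: u8) -> u32 { if len == 0 { 0 } else { u32::MAX << (32 - u32::from(len)) } }
    pub fn new(addr: u32, len: u8) -> Self { Prefix { addr: addr & Self::mask(len), len } }
    /// Parse "a.b.c.d/len".
    pub fn parse(s: &str) -> Self {
        let (a, l) = s.split_once('/').expect("prefix must contain '/'");
        let addr: Ipv4Addr = a.parse().expect("bad IPv4 address");
        Self::new(u32::from(addr), l.parse().expect("bad prefix length"))
    }
    /// True when `other` is a sub-prefix of (or equal to) `self`.
    pub fn contains(&self, other: &Prefix) -> bool {
        self.len <= other.len && (other.addr & Self::mask(self.len)) == self.addr
    }
}

/// Disjoint prefixes covering `outer` minus `inner` (inner must lie within outer): walk
/// from outer towards inner one bit at a time, keeping the sibling half that excludes inner.
pub fn subtract(outer: Prefix, inner: Prefix) -> Vec<Prefix> {
    debug_assert!(outer.contains(&inner));
    let mut rest = Vec::new();
    for next_len in (outer.len + 1)..=inner.len {
        let half_with_inner = Prefix::new(inner.addr, next_len);
        let bit = 1u32 << (32 - u32::from(next_len));
        rest.push(Prefix::new(half_with_inner.addr ^ bit, next_len));
    }
    rest
}

/// Lookup result, modelled on the variants the commit messages describe.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum DstLookup { NoMatch, Single(u32), MultipleMatches(Vec<u32>) }

/// Pairwise-disjoint segments, each with the ids of every VPC exposing it.
#[derive(Default)]
pub struct DstTable { pub entries: Vec<(Prefix, Vec<u32>)> }

impl DstTable {
    /// Insert an exposed prefix for `vpc`, splitting so that afterwards every
    /// segment is still either identical to or disjoint from every other one.
    pub fn insert(&mut self, p: Prefix, vpc: u32) {
        let mut remaining = vec![p]; // parts of `p` not yet covered by any segment
        let mut next = Vec::new();
        for (seg, mut vpcs) in self.entries.drain(..) {
            if seg.contains(&p) {
                // An existing segment covers all of `p`: carve `p` out of it.
                for rest in subtract(seg, p) { next.push((rest, vpcs.clone())); }
                vpcs.push(vpc);
                next.push((p, vpcs));
                remaining.clear();
            } else if p.contains(&seg) {
                // `p` covers this segment: it gains a candidate and is carved out of `remaining`.
                vpcs.push(vpc);
                next.push((seg, vpcs));
                remaining = remaining.into_iter()
                    .flat_map(|piece| if piece.contains(&seg) { subtract(piece, seg) } else { vec![piece] })
                    .collect();
            } else {
                next.push((seg, vpcs)); // disjoint: untouched
            }
        }
        next.extend(remaining.into_iter().map(|piece| (piece, vec![vpc])));
        self.entries = next;
    }

    pub fn lookup(&self, dst: u32) -> DstLookup {
        let host = Prefix::new(dst, 32);
        match self.entries.iter().find(|(seg, _)| seg.contains(&host)) {
            None => DstLookup::NoMatch,
            Some((_, v)) if v.len() == 1 => DstLookup::Single(v[0]),
            Some((_, v)) => {
                let mut ids = v.clone();
                ids.sort_unstable(); // insertion order is irrelevant to the caller
                DstLookup::MultipleMatches(ids)
            }
        }
    }
}

/// Stand-in for the flow table: (src, dst) -> destination VPC learnt for that flow.
pub type FlowTable = HashMap<(u32, u32), u32>;

/// Packet path as the commit messages describe it: no match drops the packet (None),
/// a single match is authoritative, and an ambiguous match is resolved from flow state
/// only when that state names one of the candidate VPCs.
pub fn resolve_dst_vpc(table: &DstTable, flows: &FlowTable, src: u32, dst: u32) -> Option<u32> {
    match table.lookup(dst) {
        DstLookup::NoMatch => None,
        DstLookup::Single(v) => Some(v),
        DstLookup::MultipleMatches(candidates) => {
            flows.get(&(src, dst)).copied().filter(|v| candidates.contains(v))
        }
    }
}

pub fn ip(s: &str) -> u32 { u32::from(s.parse::<Ipv4Addr>().expect("bad IPv4 address")) }
```

Two properties matter for the fallback to be safe: the partition produced by insert must not depend on the order peerings are processed (exposing 10.0.0.0/8 then 10.1.0.0/16 yields the same segments as the reverse), and flow state is only trusted when it names one of the candidates the static table already allows, so stale or foreign state cannot steer a packet to a VPC that does not expose the address.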
@qmonnet qmonnet force-pushed the pr/qmonnet/overlap-again branch from 5fe4b31 to afe3337 Compare February 5, 2026 17:57