Add release tests for NAT

[pau-hedgehog]

No description provided.

[Copilot]

Pull Request Overview

This PR adds comprehensive test coverage for NAT (Network Address Translation) functionality in gateway peering configurations. The changes extend the existing VPC peering test framework to support NAT scenarios including basic NAT peering and overlapping subnet resolution using NAT.

• Extends existing gateway peering functions to accept NAT CIDR parameters
• Adds two new test cases for NAT functionality with expected failure markers
• Enhances test reporting infrastructure to support expected failures (XFAIL)

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[github-actions]

Test Results

 13 files  52 suites   5h 19m 36s ⏱️
 24 tests 23 ✅   1 💤 0 ❌
312 runs  93 ✅ 219 💤 0 ❌

Results for commit 18a54e6.

♻️ This comment has been updated with latest results.

[Copilot]

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The VLAN ID 1020 is hardcoded. Consider using a constant or dynamic allocation to avoid potential conflicts with other tests or deployments.

[Copilot]

NAT CIDR ranges are hardcoded in multiple places (lines 2453-2454 and 2674-2675). Consider defining these as constants to ensure consistency and make them easier to modify.

[Copilot]

The function signature has grown to 7 parameters, which impacts readability and maintainability. Consider using a struct parameter to group related parameters (e.g., PeeringConfig struct with VPC1Subnets, VPC2Subnets, VPC1NATCIDR, VPC2NATCIDR fields).

[github-actions]

Release Tests

 16 files   64 suites   7h 11m 41s ⏱️
 33 tests  31 ✅   2 💤 0 ❌
528 runs  181 ✅ 347 💤 0 ❌

Results for commit d681737.

♻️ This comment has been updated with latest results.

[pau-hedgehog]

@qmonnet, as you may have taken a look at this PR, could you please share which additional tests would be needed to give coverage to the 1st release? Thanks

[qmonnet]

Let's see, I think ideally we should cover the following things:

Stateless NAT

1. Set up / configuration & validation
   -> I think your first test is related; configuration and validation will be more a matter of dataplane and agent unit tests anyway

2. Source NAT

3. Destination NAT

4. Source + destination NAT

5. For the above, combination of ICMP / TCP / UDP, IPv4 / IPv6
   -> I think at the moment you have ICMP + TCP/UDP for IPv4, for the case source + destination NAT?

6. Try using IPs not from exposed or NATed ranges, should result in packets being dropped

Stateful NAT

1. Set up / configuration & validation
   -> Same as stateless, you seem to have a test for basic setup

2. Source NAT (we don't support destination or source + destination at the moment)
   -> You cover that (with the current issues we've been investigating pending)

3. Source NAT + stateless destination NAT?
   -> To be confirmed, need to see with Manish if we support this

4. For the above, combination of ICMP / TCP / UDP, IPv4 / IPv6
   -> At the moment you have ICMP + TCP (iperf3) for IPv4?

5. Try using IPs not from exposed or NATed ranges, should be dropped

6. ICMP Destination unreachable with embedded packet datagram (inner ICMP / TCP / UDP, for IPv4 and IPv6)

7. Ideally, path MTU discovery (related to previous item)
   -> Not sure that's doable before the release, plus I think Manish mentioned an issue when we send packets with the max MTU at the moment

Additional tests

1. Throwing in a mix of VpcExpose blocks with stateful, stateless, or not NAT together and make sure that they don't interfere with each other
   -> Not sure this is doable by release time

2. IP overlap
   -> You have this covered for stateless NAT at least

3. Permutations of IPs/Nots
   -> IPs and Nots are converted internally into a list of IPs only in dataplane, so as long as this conversion is correct, the presence of Nots should not have a significant impact.

Note: IPv6 should work the same as IPv4 in most cases, so dedicated tests are maybe not indispensable but would be nice to have. UDP should be the same as TCP in most cases.

[edipascale]

Thanks @pau-hedgehog,this was very useful for testing the latest release! However I'd like to improve some things, since we have time before it can be merged.

Note that I completely ignored the new test connectivity code as that will be thrown out regardless

[edipascale]

nit: for cases like these where you have a basic use-case with only a subset of parameters and that is called in a bunch of places, I would keep the original function signature and make it a wrapper around the call to the new signature, i.e.:

func appendGwPeeringSpec(gwPeerings map[string]*gwapi.PeeringSpec, vpc1, vpc2 *vpcapi.VPC, vpc1Subnets, vpc2Subnets []string) {
    appendGwPeeringSpecWithNAT(gwPeerings, vpc1, vpc2, vpc1Subnets, vpc2Subnets, nil, nil, nil)
}

func appendGwPeeringSpecWithNAT(...) {

The struct alternative is also a valid option

[edipascale]

should we do a waitReady instead?

[pau-hedgehog]

Replaced