vpp: T7972: Make nat44 no-forwarding feature automatically configurable

natali-rs1985 · natali-rs1985 · commit 1540d0407aec · 2025-12-04T14:41:10.000+02:00
If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations
diff --git a/interface-definitions/include/version/vpp-version.xml.i b/interface-definitions/include/version/vpp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/vpp-version.xml.i -->
-<syntaxVersion component='vpp' version='3'></syntaxVersion>
+<syntaxVersion component='vpp' version='4'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/vpp.xml.in b/interface-definitions/vpp.xml.in
@@ -1033,12 +1033,6 @@
                 <multi/>
               </properties>
             </leafNode>
-            <leafNode name="no-forwarding">
-              <properties>
-                <help>Do not forward packets which do not match existing NAT translations (static or dynamic)</help>
-                <valueless/>
-              </properties>
-            </leafNode>
           </children>
         </node>
         <node name="physmem">
diff --git a/smoketest/scripts/cli/test_vpp.py b/smoketest/scripts/cli/test_vpp.py
@@ -1366,6 +1366,13 @@ def test_16_vpp_nat(self):
         self.cli_set(
             base_nat + ['address-pool', 'translation', 'address', translation_pool]
         )
+        self.cli_commit()
+
+        # Forwarding is disabled when only dynamic NAT is configured
+        vpp = VPPControl()
+        out = vpp.api.nat44_show_running_config().forwarding_enabled
+        self.assertFalse(out)
+
         self.cli_set(
             base_nat + ['exclude', 'rule', '100', 'local-address', exclude_local_addr]
         )
@@ -1386,7 +1393,6 @@ def test_16_vpp_nat(self):
             base_nat + ['static', 'rule', '100', 'local', 'address', static_local_addr]
         )
 
-        self.cli_set(base_nat_settings + ['no-forwarding'])
         self.cli_set(base_nat_settings + ['session-limit', sess_limit])
         self.cli_set(base_nat_settings + ['timeout', 'icmp', timeout_icmp])
         self.cli_set(
@@ -1426,6 +1432,20 @@ def test_16_vpp_nat(self):
         _, out = rc_cmd('sudo vppctl show nat44 summary')
         self.assertIn(f'max translations per thread: {sess_limit} fib 0', out)
 
+        # Forwarding should be disabled with statyc+dynamic NAT
+        vpp = VPPControl()
+        out = vpp.api.nat44_show_running_config().forwarding_enabled
+        self.assertFalse(out)
+
+        # Delete dynamic NAT and check forwarding
+        self.cli_delete(base_nat + ['address-pool'])
+        self.cli_commit()
+
+        # Forwarding should be enabled if only statyc NAT is configured
+        vpp = VPPControl()
+        out = vpp.api.nat44_show_running_config().forwarding_enabled
+        self.assertTrue(out)
+
     def test_17_vpp_sflow(self):
         base_sflow = ['system', 'sflow']
         sampling_rate = '1500'
diff --git a/src/conf_mode/vpp_nat.py b/src/conf_mode/vpp_nat.py
@@ -440,9 +440,7 @@ def apply(config):
     n.enable_nat44_ed()
 
     # Enable/disable forwarding
-    enable_forwarding = True
-    if 'no_forwarding' in config:
-        enable_forwarding = False
+    enable_forwarding = not bool(config.get('address_pool', {}).get('translation'))
     n.enable_disable_nat44_forwarding(enable_forwarding)
 
     # Add inside interfaces
diff --git a/src/migration-scripts/vpp/3-to-4 b/src/migration-scripts/vpp/3-to-4
@@ -0,0 +1,30 @@
+# Copyright VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Delete 'vpp settings nat44 no-forwarding'
+# because it will be set automatically (T7972)
+
+
+from vyos.configtree import ConfigTree
+
+base = ['vpp', 'settings', 'nat44']
+
+def migrate(config: ConfigTree) -> None:
+
+    if config.exists(base + ['no-forwarding']):
+        # Delete no-forwarding option from NAT44 settings
+        config.delete(base + ['no-forwarding'])
+    if config.exists(base) and len(config.list_nodes(base)) == 0:
+            config.delete(base)
