@natali-rs1985 natali-rs1985 commented Nov 28, 2025

Change summary

Automatically enable nat44 forwarding if static rules are configured

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe): configure feature automatically

Related Task(s)

Related PR(s)

vyos/vyos-documentation#1717

How to test / Smoketest result

vyos@vyos# /usr/libexec/vyos/tests/smoke/cli/test_vpp.py -k test_16_vpp_nat
test_16_vpp_nat (__main__.TestVPP.test_16_vpp_nat) ... ok

----------------------------------------------------------------------
Ran 1 test in 56.907s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

github-actions bot commented Nov 28, 2025

👍
No issues in PR Title / Commit Title

@natali-rs1985 natali-rs1985 added the bp/circinus Create automatic backport for circinus label Nov 28, 2025

natali-rs1985 commented Nov 28, 2025

@sever-sever All change requests were addressed

@sever-sever sever-sever left a comment

All my requests have been fulfilled.
Migrate NAT no-forwarding option to more clear CLI syntax/meaning

<regex>(static-dynamic|static-bypass)</regex>
</constraint>
</properties>
<defaultValue>static-dynamic</defaultValue>

Shouldn't the static-bypass option be the default one?

How I read this.

  • Before: by default, nat44 forwarding was enabled (no no-forwarding in CLI).
  • After: by default, nat44 forwarding is disabled, because static-dynamic is a default value and enable_forwarding = config['processing_mode'] == 'static-bypass'

Am I missing something?

Contributor Author

Made changes to the PR. Now `forwarding` is enabled or disabled automatically depending on static rules configuration.

@natali-rs1985 natali-rs1985 force-pushed the T7972 branch 2 times, most recently from f0a55e4 to 9690fbb Compare December 3, 2025 12:46
@natali-rs1985 natali-rs1985 changed the title vpp: T7972: Improve nat44 no-forwarding feature name and description in CLI vpp: T7972: Make nat44 no-forwarding feature automatically configurable Dec 3, 2025

@zdc zdc left a comment

As I understand, the logic appears incomplete. There are three possible configurations to consider:

  1. Only dynamic rules are configured.
  2. Both dynamic and static rules are configured.
  3. Only static rules are configured.

Here is a decision table outlining which forwarding option states are compatible with each configuration:

| Rules | Forwarding | Description |
|---|---|---|
| Dynamic | Disabled | All traffic on an "in" interface is processed by dynamic NAT rules. |
| Dynamic + Static | Disabled | All traffic on an "in" interface is processed by static (higher priority) or dynamic NAT rules. |
| Static | Enabled | Only traffic on an "in" interface matching static rules undergoes NAT; all other traffic is forwarded unchanged. |

In other words, the logic should actually be reversed. If you want to use a single condition to determine the forwarding status, it should be based on dynamic rules. If any dynamic rule is present in the configuration, forwarding must always be disabled - otherwise, those dynamic rules will not function as intended.
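The decision table from the review comment above, checked against two candidate conditions. This is an added example, not code from the PR or from vyos-1x; the `nat` dictionary layout, the rule names and the function names are hypothetical.

```python
# Added illustration. The config layout and names are assumptions, not vyos-1x code.

# Rows of the reviewer's decision table: (case, constructed config, expected forwarding).
DECISION_TABLE = [
    ("dynamic only", {"dynamic": ["rule 10"], "static": []}, False),
    ("dynamic + static", {"dynamic": ["rule 10"], "static": ["rule 20"]}, False),
    ("static only", {"dynamic": [], "static": ["rule 20"]}, True),
]


def forwarding_keyed_on_static(nat):
    """Enable forwarding whenever any static rule is configured."""
    return bool(nat.get("static"))


def forwarding_keyed_on_dynamic(nat):
    """Enable forwarding only when no dynamic rule is configured."""
    return not nat.get("dynamic")


def mismatches(predicate):
    """Return the table cases where the predicate disagrees with the expected state."""
    return [case for case, nat, expected in DECISION_TABLE
            if predicate(nat) != expected]


if __name__ == "__main__":
    for fn in (forwarding_keyed_on_static, forwarding_keyed_on_dynamic):
        bad = mismatches(fn)
        print(f"{fn.__name__}: {'matches the table' if not bad else 'wrong for ' + ', '.join(bad)}")
```

The static-keyed condition fails only on the mixed row, where forwarding would be turned on while dynamic rules are present and traffic not matching a static rule would be forwarded unchanged instead of being translated.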

@natali-rs1985
Contributor Author

@zdc Yes, you are right! Thanks for pointing to this!

@zdc zdc left a comment

Looks good. I just want to see a bit more detailed comment on this, so no one will need to read the whole history next time

…able

If any dynamic rule is configured forwarding should be disabled because each
packet must be processed through the NAT session table to apply proper
translations

github-actions bot commented Dec 4, 2025

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

Labels

bp/circinus Create automatic backport for circinus current

3 participants