Skip to content
This repository was archived by the owner on Mar 21, 2026. It is now read-only.

chore: forbid double stateful NAT#334

Merged
Frostman merged 1 commit intomasterfrom
pr/ema/forbid-double-masquerade-nat
Mar 6, 2026
Merged

chore: forbid double stateful NAT#334
Frostman merged 1 commit intomasterfrom
pr/ema/forbid-double-masquerade-nat

Conversation

@edipascale
Copy link
Contributor

@edipascale edipascale commented Mar 5, 2026
edited
Loading

dataplane currently does not support stateful (as in masquerade or portForward) on both sides of a gateway peering, so validate it and forbid it. also forbid stateful + stateless on different sides of a peering, due to dataplane not supporting it yet.

Part of https://github.com/githedgehog/internal/issues/260

Copilot AI review requested due to automatic review settings March 5, 2026 08:56
@edipascale edipascale requested a review from Frostman as a code owner March 5, 2026 08:56
@edipascale edipascale requested a review from qmonnet March 5, 2026 08:57
@github-actions
Copy link

github-actions bot commented Mar 5, 2026

🚀 Temp artifacts published: v0-2cd410892 🚀

Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds validation to reject gateway peering configurations that attempt to use “stateful” NAT features (masquerade / portForward) on both sides, reflecting a current dataplane limitation (per internal/issues/260).

Changes:

  • Add Peering.Validate() logic to detect and reject “double stateful NAT” configurations.
  • Update/extend peering NAT validation tests to cover the newly-forbidden combinations.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
api/gateway/v1alpha1/peering_types.go Adds validation tracking “stateful NAT” usage and errors when used on more than one side.
api/gateway/v1alpha1/peering_types_test.go Updates/introduces tests for double-masquerade and portForward+masquerade rejection, plus static+masquerade allowed case.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@edipascale edipascale force-pushed the pr/ema/forbid-double-masquerade-nat branch from 2cd4108 to f77d832 Compare March 5, 2026 09:09
@github-actions
Copy link

github-actions bot commented Mar 5, 2026

🚀 Temp artifacts published: v0-f77d83288 🚀

@edipascale edipascale marked this pull request as draft March 5, 2026 09:18
Copilot AI review requested due to automatic review settings March 5, 2026 11:02
@edipascale edipascale force-pushed the pr/ema/forbid-double-masquerade-nat branch from f77d832 to d74143a Compare March 5, 2026 11:02
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@edipascale edipascale marked this pull request as ready for review March 5, 2026 11:07
@github-actions
Copy link

github-actions bot commented Mar 5, 2026

🚀 Temp artifacts published: v0-d74143ac9 🚀

qmonnet
qmonnet reviewed Mar 5, 2026
View reviewed changes
@edipascale edipascale marked this pull request as draft March 5, 2026 16:52
@edipascale
chore: forbid unsupported NAT combinations
a918cca 
dataplane currently does not support stateful (as in masquerade
or portForward) on both sides of a gateway peering, so validate
it and forbid it. also forbid stateful + stateless on different
sides of a peering, due to dataplane not supporting it yet.

Signed-off-by: Emanuele Di Pascale <emanuele@githedgehog.com>
@edipascale edipascale force-pushed the pr/ema/forbid-double-masquerade-nat branch from d74143a to a918cca Compare March 5, 2026 16:53
@edipascale edipascale requested a review from Copilot March 5, 2026 16:54
qmonnet
qmonnet approved these changes Mar 5, 2026
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thank you!

Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@edipascale edipascale requested a review from Copilot March 5, 2026 17:10
Copilot AI reviewed Mar 5, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@edipascale edipascale marked this pull request as ready for review March 5, 2026 17:29
@Frostman Frostman requested a review from Copilot March 6, 2026 09:39
Copilot AI reviewed Mar 6, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Frostman Frostman added the ci label Mar 6, 2026
@Frostman Frostman added ci:-vlab Disable VLAB tests ci:-upgrade Disable VLAB upgrade tests labels Mar 6, 2026
@github-actions
Copy link

github-actions bot commented Mar 6, 2026

🚀 Temp artifacts published: v0-a918cca87 🚀

@Frostman Frostman merged commit 090bc16 into master Mar 6, 2026
15 of 20 checks passed
@Frostman Frostman deleted the pr/ema/forbid-double-masquerade-nat branch March 6, 2026 10:06
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

+2 more reviewers

@Frostman Frostman Frostman approved these changes

@qmonnet qmonnet qmonnet approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ci:-upgrade Disable VLAB upgrade tests ci:-vlab Disable VLAB tests ci

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@edipascale @Frostman @qmonnet