Make NAT translation reporting generic#1467
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the NAT operational state model in openconfig-nat.yang by replacing the flat internal/external address structure with a more flexible 5-tuple representation (original and translated) to support SNAT, DNAT, and double NAT. It also renames pool and mapping leaves and restructures counters to be direction-based. Feedback indicates that these breaking changes require a version bump and revision history update. Additionally, suggestions were made to add a NONE or PASSTHROUGH enum to nat-translation-type and to use a less restrictive interface reference type to support subinterfaces.
| leaf interface { | ||
| type oc-if:base-interface-ref; |
There was a problem hiding this comment.
The interface leaf uses oc-if:base-interface-ref, which only allows referencing a top-level interface. Since NAT is frequently applied to subinterfaces (where L3 configuration resides in OpenConfig), this type may be too restrictive. Consider using a type that allows referencing subinterfaces (like a simple string or a more complex interface-ref structure), or clarify if only base interfaces are intended to be reported here.
There was a problem hiding this comment.
oc-if:base-interface-ref is used in several other places already in the model - should I update all instances of it to use oc-if:interface-ref-common ?
There was a problem hiding this comment.
Let's leave it as is for now. If subinterface-level NAT is needed in the future, both the config and state references should be upgraded to interface-ref together in a follow-up PR.
|
Does the OC team prefer force pushes in response to feedback, or incremental commits for each discussion item? |
|
@nleiva would you like to review? |
|
/gcbrun |
|
No major YANG version changes in commit 31c7a62 |
Of course, give me a week or two. Got this and SNMP on my TODO list now. |
|
@dplore Just looking at this in a process perspective, I noticed that this is marked automatically as My question is that are we still considering this as unpublished so we can make backwards incompatible changes? Is that why If unpublished, when are we going to add |
Since the major version in the OC yang is If this is something where we already have production use, we should increment the version to The documentation absence seems like a separate issue? Will look into it. @dplore |
Thanks @bewing for your contribution, it looks good to me. What do you think about adding direction to the config section as well to make it consistent with the state changes? Something along the lines of: Arista and Juniper support this config option. |
Something like this? +--rw static
| +--rw mapping* [name]
| +--rw name -> ../config/name
| +--rw config
| | +--rw name? string
- | | +--rw type? identityref
- | | +--rw internal-address? inet:ip-address
- | | +--rw external-address? inet:ip-address
- | | +--rw internal-port? inet:port-number
- | | +--rw external-port? inet:port-number
+ | | +--rw nat-direction? identityref
+ | | +--rw original
+ | | | +--rw src-address? inet:ip-address
+ | | | +--rw src-port? inet:port-number
+ | | | +--rw dst-address? inet:ip-address
+ | | | +--rw dst-port? inet:port-number
+ | | +--rw translated
+ | | | +--rw src-address? inet:ip-address
+ | | | +--rw src-port? inet:port-number
+ | | | +--rw dst-address? inet:ip-address
+ | | | +--rw dst-port? inet:port-number
| | +--rw protocol? protocol-type
| | +--rw acl-set? -> /oc-acl:acl/acl-sets/acl-set/config/name
| | +--rw max-translations? uint64
| +--ro stateProbably also worth discussing nat-type/nat-direction, and whether we are better served by an ENUM or an identityref |
Yeah, something like that. Regarding identityref, I believe it's better suited for cases where a vendor might need to augment it via an external module.
What do you think? |
6 participants
Change Scope
Platform Implementations
Implementation A: Linux Conntrack
Implementation B: Arista
Tree View
module: openconfig-nat +--rw nat +--rw instances +--rw instance* [name] +--ro translations +--ro translation* [translation-id] +--ro translation-id -> ../state/translation-id +--ro state +--ro translation-id? uint64 - +--ro internal-address? inet:ip-address - +--ro internal-port? inet:port-number - +--ro external-address? inet:ip-address - +--ro external-port? inet:port-number +--ro protocol? protocol-type + +--ro nat-type? nat-translation-type + +--ro interface? oc-if:base-interface-ref + +--ro original + | +--ro src-address? inet:ip-address + | +--ro src-port? inet:port-number + | +--ro dst-address? inet:ip-address + | +--ro dst-port? inet:port-number + +--ro translated + | +--ro src-address? inet:ip-address + | +--ro src-port? inet:port-number + | +--ro dst-address? inet:ip-address + | +--ro dst-port? inet:port-number +--ro creation-time? yang:date-and-time +--ro last-activity? yang:date-and-time +--ro timeout? uint32 - +--ro source-pool? string - +--ro source-mapping? string + +--ro nat-pool? string + +--ro nat-mapping? string +--ro counters - +--ro packet-count-inbound? yang:counter64 - +--ro packet-count-outbound? yang:counter64 - +--ro byte-count-inbound? yang:counter64 - +--ro byte-count-outbound? yang:counter64 + +--ro original-direction + | +--ro packets? yang:counter64 + | +--ro bytes? yang:counter64 + +--ro reply-direction + +--ro packets? yang:counter64 + +--ro bytes? yang:counter64