githedgehog · qmonnet · Jun 9, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
@@ -420,11 +420,7 @@ pub mod test {
 
         // Build overlay object and validate it
         let overlay = Overlay::new(vpc_table, peering_table);
-        assert!(
-            overlay
-                .validate()
-                .is_err_and(|e| e == ConfigError::IncompatibleNatModes("Peering-1".to_owned()))
-        );
+        assert!(overlay.validate().is_ok());
     }
 
     #[test]

@@ -1209,7 +1209,7 @@ mod test {
         assert!(validate_overlay_with_peering(peering).is_ok());
     }
 
-    // Stateless + stateful rejected
+    // Stateless + stateful passes
     #[test]
     fn test_stateless_plus_stateful_rejected() {
         let peering = VpcPeering::with_default_group(
@@ -1237,15 +1237,10 @@ mod test {
                 ],
             ),
         );
-        let result = validate_overlay_with_peering(peering);
-        assert_eq!(
-            result,
-            Err(ConfigError::IncompatibleNatModes("Peering-1".to_owned())),
-            "{result:?}",
-        );
+        assert!(validate_overlay_with_peering(peering).is_ok());
     }
 
-    // Stateless + port forwarding rejected
+    // Stateless + port forwarding passes
     #[test]
     fn test_stateless_plus_port_forwarding_rejected() {
         let peering = VpcPeering::with_default_group(
@@ -1273,12 +1268,7 @@ mod test {
                 ],
             ),
         );
-        let result = validate_overlay_with_peering(peering);
-        assert_eq!(
-            result,
-            Err(ConfigError::IncompatibleNatModes("Peering-1".to_owned())),
-            "{result:?}",
-        );
+        assert!(validate_overlay_with_peering(peering).is_ok());
     }
 
     // Stateful + stateful rejected (across peering sides)

@@ -122,55 +122,39 @@ impl ValidatedPeering {
     fn validate_nat_combinations(&self) -> ConfigResult {
         // If stateful NAT is set up on one side of the peering, we don't support NAT (stateless or
         // stateful) on the other side.
-        let mut local_has_stateless_nat = false;
-        let mut local_has_stateful_nat = false;
+        let mut local_has_masquerading = false;
         let mut local_has_port_forwarding = false;
         for expose in self.local.valexp() {
             match expose.nat_config() {
                 Some(VpcExposeNatConfig::Stateful { .. }) => {
-                    local_has_stateful_nat = true;
-                }
-                Some(VpcExposeNatConfig::Stateless { .. }) => {
-                    local_has_stateless_nat = true;
+                    local_has_masquerading = true;
                 }
                 Some(VpcExposeNatConfig::PortForwarding { .. }) => {
                     local_has_port_forwarding = true;
                 }
-                None => {}
+                Some(VpcExposeNatConfig::Stateless { .. }) | None => {}
             }
         }
-        let local_has_nat =
-            local_has_stateless_nat || local_has_stateful_nat || local_has_port_forwarding;
 
-        if !local_has_nat {
+        // No NAT or static NAT only is compatible with all other modes on the other side
+        if !(local_has_masquerading || local_has_port_forwarding) {
             return Ok(());
         }
 
-        let local_has_stateless_nat_only =
-            local_has_stateless_nat && !local_has_stateful_nat && !local_has_port_forwarding;
-
         // Allowed:
         //
         // - no NAT ------------ *
-        // - stateless NAT ----- stateless NAT
+        // - stateless NAT ----- *
         //
         // Disallowed (some of them may be supported in the future):
         //
-        // - stateful NAT ------ stateless NAT
-        // - stateful NAT ------ stateful NAT
-        // - stateful NAT ------ port forwarding
+        // - masquerading ------ masquerading
+        // - masquerading ------ port forwarding
         // - port forwarding --- port forwarding
-        // - port forwarding --- stateless NAT
-
         for remote_expose in self.remote.valexp() {
-            if !remote_expose.has_nat() {
-                continue;
-            }
-            if local_has_stateless_nat_only && remote_expose.has_stateless_nat() {
-                continue;
+            if remote_expose.has_stateful_nat() || remote_expose.has_port_forwarding() {
+                return Err(ConfigError::IncompatibleNatModes(self.name.clone()));
             }
-            // Other combinations are rejected
-            return Err(ConfigError::IncompatibleNatModes(self.name.clone()));
         }
         Ok(())
     }

@@ -535,13 +535,6 @@ impl ValidatedExpose {
         )
     }
 
-    #[must_use]
-    pub(crate) fn has_nat(&self) -> bool {
-        self.nat
-            .as_ref()
-            .is_some_and(|nat| !nat.as_range.is_empty())
-    }
-
     #[must_use]
     pub fn has_stateful_nat(&self) -> bool {
         self.nat.as_ref().is_some_and(VpcExposeNat::is_stateful)

@@ -101,7 +101,7 @@ pub(crate) fn start_router<Buf: PacketBufferMut>(
         let stage_egress = Egress::new("Egress", iftr_factory.handle(), atabler_factory.handle());
         let iprouter1 = IpForwarder::new("IP-Forward-1", fibtr_factory.handle());
         let iprouter2 = IpForwarder::new("IP-Forward-2", fibtr_factory.handle());
-        let stateless_nat = StatelessNat::with_reader("stateless-NAT", nattabler_factory.handle());
+        let static_nat = StatelessNat::with_reader("static-NAT-1", nattabler_factory.handle());
         let stateful_nat = StatefulNat::new(
             "stateful-NAT",
             flow_table_clone.clone(),
@@ -128,8 +128,8 @@ pub(crate) fn start_router<Buf: PacketBufferMut>(
             .add_stage(icmp_error_handler)
             .add_stage(flow_lookup)
             .add_stage(flow_filter)
+            .add_stage(static_nat)
             .add_stage(portfw)
-            .add_stage(stateless_nat)
             .add_stage(stateful_nat)
             .add_stage(iprouter2)
             .add_stage(stage_egress)

@@ -12,7 +12,6 @@ use pipeline::NetworkFunction;
 
 use crate::flow_table::FlowTable;
 use net::FlowKey;
-use net::flow_key;
 
 use tracectl::trace_target;
 trace_target!("flow-lookup", LevelFilter::INFO, &["pipeline"]);
@@ -40,7 +39,7 @@ impl<Buf: PacketBufferMut> NetworkFunction<Buf> for FlowLookup {
         input.filter_map(move |mut packet| {
             let nfi = &self.name;
             if !packet.is_done() && packet.meta().is_overlay() && packet.meta().dst_vpcd.is_none() {
-                if let Ok(flow_key) = FlowKey::try_from(flow_key::Uni(&packet)) {
+                if let Ok(flow_key) = FlowKey::try_from(&packet) {
                     if let Some(flow_info) = self.flow_table.lookup(&flow_key) {
                         debug!("{nfi}: Tagging packet with flow info for flow key {flow_key}",);
                         packet.meta_mut().flow_info = Some(flow_info);
@@ -62,7 +61,7 @@ mod test {
     use net::FlowKey;
     use net::buffer::PacketBufferMut;
     use net::buffer::TestBuffer;
-    use net::flows::FlowInfo;
+    use net::flows::{FlowInfo, FlowInfoFlags};
     use net::ip::NextHeader;
     use net::ip::UnicastIpAddr;
     use net::packet::Packet;
@@ -101,7 +100,7 @@ mod test {
         packet.meta_mut().set_overlay(true);
 
         // Insert matching flow entry
-        let flow_key = FlowKey::try_from(net::flow_key::Uni(&packet)).unwrap();
+        let flow_key = FlowKey::try_from(&packet).unwrap();
         let flow_info = FlowInfo::new(flow_key, Instant::now() + Duration::from_secs(10));
         flow_table.insert(flow_info).unwrap();
 
@@ -130,7 +129,7 @@ mod test {
             input: Input,
         ) -> impl Iterator<Item = Packet<Buf>> + 'a {
             input.filter_map(move |packet| {
-                let flow_key = FlowKey::try_from(net::flow_key::Uni(&packet)).unwrap();
+                let flow_key = FlowKey::try_from(&packet).unwrap();
                 let flow_info = FlowInfo::new(flow_key, Instant::now() + self.timeout);
                 self.flow_table
                     .insert(flow_info)
@@ -193,12 +192,18 @@ mod test {
             packet_2.meta_mut().set_overlay(true);
 
             // build keys for the packets
-            let key_1 = FlowKey::try_from(net::flow_key::Uni(&packet_1)).unwrap();
-            let key_2 = FlowKey::try_from(net::flow_key::Uni(&packet_2)).unwrap();
+            let key_1 = FlowKey::try_from(&packet_1).unwrap();
+            let key_2 = FlowKey::try_from(&packet_2).unwrap();
 
             // create a pair of related flow entries; flow_2 will get a longer timeout
             let expires_at = tokio::time::Instant::now().into_std() + Duration::from_secs(2);
-            let (flow_1, flow_2) = FlowInfo::related_pair(expires_at, key_1, key_2);
+            let (flow_1, flow_2) = FlowInfo::related_pair(
+                expires_at,
+                key_1,
+                FlowInfoFlags::default(),
+                key_2,
+                FlowInfoFlags::default(),
+            );
             assert_eq!(Arc::weak_count(&flow_1), 1);
             assert_eq!(Arc::weak_count(&flow_2), 1);
             assert_eq!(Arc::strong_count(&flow_1), 1);
@@ -245,8 +250,8 @@ mod test {
         let mut packet_2 = build_test_udp_ipv4_packet("192.168.1.1", "20.0.0.1", 500, 80);
         packet_1.meta_mut().set_overlay(true);
         packet_2.meta_mut().set_overlay(true);
-        let key_1 = FlowKey::try_from(net::flow_key::Uni(&packet_1)).unwrap();
-        let key_2 = FlowKey::try_from(net::flow_key::Uni(&packet_2)).unwrap();
+        let key_1 = FlowKey::try_from(&packet_1).unwrap();
+        let key_2 = FlowKey::try_from(&packet_2).unwrap();
         let input = vec![packet_1, packet_2];
         let out: Vec<_> = pipeline.process(input.into_iter()).collect();
         let packet_1 = &out[0];