Merge pull request #2090 from davidbockelman/override-ext-address

stgraber · web-flow · commit b9762242f6e5 · 2025-05-26T20:40:46.000-04:00
Allow overriding the external address (NAT) for OVN NICs
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
@@ -2811,3 +2811,9 @@ This API extension provides the ability to configure certificates in preseed ini
 ## `custom_volume_sftp`
 
 This adds the SFTP API to custom storage volumes.
+
+## `network_ovn_external_nic_address`
+
+This adds support for configuring a custom external IPv4 or IPv6 address
+for a given instance so long as that address is available through a
+network forward.
diff --git a/doc/config_options.txt b/doc/config_options.txt
@@ -847,6 +847,13 @@ For file systems (shared directories or custom volumes), this is one of:
 
 ```
 
+```{config:option} ipv4.address.external devices-nic_ovn
+:managed: "no"
+:shortdesc: "Select a specific external address (typically from a network forward)"
+:type: "string"
+
+```
+
 ```{config:option} ipv4.routes devices-nic_ovn
 :managed: "no"
 :shortdesc: "Comma-delimited list of IPv4 static routes to route to the NIC"
@@ -868,6 +875,13 @@ For file systems (shared directories or custom volumes), this is one of:
 
 ```
 
+```{config:option} ipv6.address.external devices-nic_ovn
+:managed: "no"
+:shortdesc: "Select a specific external address (typically from a network forward)"
+:type: "string"
+
+```
+
 ```{config:option} ipv6.routes devices-nic_ovn
 :managed: "no"
 :shortdesc: "Comma-delimited list of IPv6 static routes to route to the NIC"
diff --git a/internal/server/device/nic_ovn.go b/internal/server/device/nic_ovn.go
@@ -149,6 +149,22 @@ func (d *nicOVN) validateConfig(instConf instance.ConfigReader) error {
 		//  shortdesc: An IPv6 address to assign to the instance through DHCP, `none` can be used to disable IP allocation
 		"ipv6.address",
 
+		// gendoc:generate(entity=devices, group=nic_ovn, key=ipv4.address.external)
+		//
+		// ---
+		// type: string
+		// managed: no
+		// shortdesc: Select a specific external address (typically from a network forward)
+		"ipv4.address.external",
+
+		// gendoc:generate(entity=devices, group=nic_ovn, key=ipv6.address.external)
+		//
+		// ---
+		// type: string
+		// managed: no
+		// shortdesc: Select a specific external address (typically from a network forward)
+		"ipv6.address.external",
+
 		// gendoc:generate(entity=devices, group=nic_ovn, key=ipv4.routes)
 		//
 		// ---
@@ -428,6 +444,26 @@ func (d *nicOVN) validateConfig(instConf instance.ConfigReader) error {
 		return validate.IsNetworkAddressV6(value)
 	})
 
+	// Validate the external address against the list of network forwards.
+	isNetworkForward := func(value string) error {
+		return d.state.DB.Cluster.Transaction(context.TODO(), func(ctx context.Context, tx *db.ClusterTx) error {
+			netID, _, _, err := tx.GetNetworkInAnyState(ctx, networkProjectName, d.config["network"])
+			if err != nil {
+				return fmt.Errorf("Failed getting network ID: %w", err)
+			}
+
+			_, _, err = tx.GetNetworkForward(ctx, netID, false, value)
+			if err != nil {
+				return fmt.Errorf("External address %q is not a network forward on network %q: %w", value, d.config["network"], err)
+			}
+
+			return nil
+		})
+	}
+
+	rules["ipv4.address.external"] = validate.Optional(validate.And(validate.IsNetworkAddressV4, isNetworkForward))
+	rules["ipv6.address.external"] = validate.Optional(validate.And(validate.IsNetworkAddressV6, isNetworkForward))
+
 	// Now run normal validation.
 	err = d.config.Validate(rules)
 	if err != nil {
diff --git a/internal/server/metadata/configuration.json b/internal/server/metadata/configuration.json
@@ -958,6 +958,14 @@
 							"type": "string"
 						}
 					},
+					{
+						"ipv4.address.external": {
+							"longdesc": "",
+							"managed": "no",
+							"shortdesc": "Select a specific external address (typically from a network forward)",
+							"type": "string"
+						}
+					},
 					{
 						"ipv4.routes": {
 							"longdesc": "",
@@ -982,6 +990,14 @@
 							"type": "string"
 						}
 					},
+					{
+						"ipv6.address.external": {
+							"longdesc": "",
+							"managed": "no",
+							"shortdesc": "Select a specific external address (typically from a network forward)",
+							"type": "string"
+						}
+					},
 					{
 						"ipv6.routes": {
 							"longdesc": "",
diff --git a/internal/server/network/driver_ovn.go b/internal/server/network/driver_ovn.go
@@ -4387,6 +4387,67 @@ func (n *ovn) InstanceDevicePortStart(opts *OVNInstanceNICSetupOpts, securityACL
 		checkAndStoreIP(net.ParseIP(staticIP))
 	}
 
+	// Apply device specific external address if any.
+	for _, keyPrefix := range []string{"ipv4", "ipv6"} {
+		// Check if the address is present.
+		value := opts.DeviceConfig[fmt.Sprintf("%s.address.external", keyPrefix)]
+		if value == "" {
+			continue
+		}
+
+		// Check if the family is configured.
+		if keyPrefix == "ipv4" && ipv4 == "" {
+			continue
+		}
+
+		if keyPrefix == "ipv6" && ipv6 == "" {
+			continue
+		}
+
+		// Parse the internal address.
+		var intNet *net.IPNet
+		if keyPrefix == "ipv4" {
+			_, intNet, err = net.ParseCIDR(fmt.Sprintf("%s/32", ipv4))
+			if err != nil {
+				return "", nil, fmt.Errorf("Invalid internal address %q: %w", ipv4, err)
+			}
+		} else {
+			_, intNet, err = net.ParseCIDR(fmt.Sprintf("%s/128", ipv6))
+			if err != nil {
+				return "", nil, fmt.Errorf("Invalid internal address %q: %w", ipv6, err)
+			}
+		}
+
+		// Parse the external address.
+		extIP := net.ParseIP(value)
+		if extIP == nil {
+			return "", nil, fmt.Errorf("Invalid external address %q", value)
+		}
+
+		if err := n.ovnnb.CreateLogicalRouterNAT(
+			context.TODO(),
+			n.getRouterName(),
+			"snat",
+			intNet,
+			extIP,
+			nil,
+			false,
+			true,
+		); err != nil {
+			return "", nil, fmt.Errorf("Failed to add SNAT %q: %w", value, err)
+		}
+
+		reverter.Add(func() {
+			_ = n.ovnnb.DeleteLogicalRouterNAT(
+				context.TODO(),
+				n.getRouterName(),
+				"snat",
+				false,
+				extIP,
+			)
+		})
+	}
+
 	// Get dynamic IPs for switch port if any IPs not assigned statically.
 	if (ipv4 != "none" && dnsIPv4 == nil) || (ipv6 != "none" && dnsIPv6 == nil) {
 		var dynamicIPs []net.IP
@@ -4916,6 +4977,27 @@ func (n *ovn) InstanceDevicePortStop(ovsExternalOVNPort networkOVN.OVNSwitchPort
 		}
 	}
 
+	// Tear down per‑NIC egress SNAT rules (ipv4/ipv6.address.external)
+	for _, keyPrefix := range []string{"ipv4", "ipv6"} {
+		// Check if the address is present.
+		value := opts.DeviceConfig[fmt.Sprintf("%s.address.external", keyPrefix)]
+		if value == "" {
+			continue
+		}
+
+		// Validate the address.
+		extIP := net.ParseIP(value)
+		if extIP == nil {
+			return fmt.Errorf("Invalid external address %q", value)
+		}
+
+		// Remove the SNAT entry.
+		err := n.ovnnb.DeleteLogicalRouterNAT(context.TODO(), n.getRouterName(), "snat", false, extIP)
+		if err != nil && !errors.Is(err, networkOVN.ErrNotFound) {
+			return err
+		}
+	}
+
 	return nil
 }
 
diff --git a/internal/version/api.go b/internal/version/api.go
@@ -484,6 +484,7 @@ var APIExtensions = []string{
 	"instance_publish_split",
 	"init_preseed_certificates",
 	"custom_volume_sftp",
+	"network_ovn_external_nic_address",
 }
 
 // APIExtensionsCount returns the number of available API extensions.

Original file line number	Diff line number	Diff line change
`@@ -484,6 +484,7 @@ var APIExtensions = []string{`
`484`	`484`	`"instance_publish_split",`
`485`	`485`	`"init_preseed_certificates",`
`486`	`486`	`"custom_volume_sftp",`
	`487`	`+ "network_ovn_external_nic_address",`
`487`	`488`	`}`
`488`	`489`
`489`	`490`	`// APIExtensionsCount returns the number of available API extensions.`