Open
Labels: area/firewall (Related to the Firewall), area/nat (Related to Network Address Translation (NAT))
Description
We should have a mechanism to
- Make sure that all packets transit between IPs exposed by existing VpcExpose blocks
- Drop all packets that don't respect this rule
- Drop packets for which stateful NAT is required, but we failed to allocate resources for source NAT.
We've got some mechanisms in place for these points, although I'm not sure we cover 100% of the cases yet, but they're hacky. In particular, all packets go through the stateless pipeline stage, and then the stateful pipeline stage, regardless of whether they need NAT. This is not optimised and makes things cumbersome to handle in NAT. We also use "need_nat" flags that we should be able to drop at some point. Some of the logic is implemented inside of the allocator.
Instead we'd need to reconsider some of the design, maybe introduce something like a real filtering step marking packets for stateless and/or stateful NAT, but only if we actually need to process packets in that stage.
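As an added illustration, not code from the project or from the issue author, here is one shape such a single filtering step could take in Rust: it decides once whether a packet needs no NAT, stateless NAT or stateful NAT, and drops packets that do not travel between exposed addresses or whose stateful allocation fails. The `Prefix`, `Expose` and `Verdict` types, the `as_range`/`stateful` fields and the allocator closure are assumptions standing in for the real VpcExpose and allocator interfaces.

```rust
use std::net::Ipv4Addr;

/// Constructed IPv4 prefix type (the project's real address types are not shown here).
#[derive(Clone, Copy)]
pub struct Prefix { pub addr: Ipv4Addr, pub len: u8 }

impl Prefix {
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        let mask = if self.len == 0 { 0 } else { u32::MAX << (32 - self.len) };
        (u32::from(ip) & mask) == (u32::from(self.addr) & mask)
    }
}

/// Hypothetical expose: the addresses a VPC publishes, optionally the range they are
/// translated into, and whether that translation needs per-flow (stateful) allocation.
pub struct Expose { pub ips: Prefix, pub as_range: Option<Prefix>, pub stateful: bool }

#[derive(Debug, PartialEq)]
pub enum Verdict { Forward, StatelessNat, StatefulNat(Ipv4Addr, u16), Drop(&'static str) }

/// Filtering step run before any NAT stage. `alloc` stands in for the source-NAT
/// allocator: it returns the translated address and port, or None when out of resources.
pub fn classify(
    local: &[Expose], remote: &[Expose], src: Ipv4Addr, dst: Ipv4Addr,
    alloc: &mut dyn FnMut(Ipv4Addr) -> Option<(Ipv4Addr, u16)>,
) -> Verdict {
    // Destination must be an address the remote side exposes (its public side if translated).
    let dst_ok = remote.iter().any(|e| e.as_range.unwrap_or(e.ips).contains(dst));
    if !dst_ok {
        return Verdict::Drop("destination not exposed by any VpcExpose");
    }
    // Source must belong to a local expose; that expose tells us which NAT kind it needs.
    let e = match local.iter().find(|e| e.ips.contains(src)) {
        Some(e) => e,
        None => return Verdict::Drop("source not exposed by any VpcExpose"),
    };
    match (e.as_range, e.stateful) {
        (None, _) => Verdict::Forward,          // exposed as-is: skip both NAT stages
        (Some(_), false) => Verdict::StatelessNat,
        (Some(_), true) => match alloc(src) {
            Some((ip, port)) => Verdict::StatefulNat(ip, port),
            None => Verdict::Drop("source NAT allocation failed"),
        },
    }
}
```

Only packets marked `StatelessNat` or `StatefulNat` would then be handed to the corresponding stage, so the per-packet `need_nat` flags and the drop logic inside the allocator become unnecessary.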