From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>, passt-dev@passt.top
Cc: Paul Holzinger <pholzing@redhat.com>,
	David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH 22/22] fwd, conf: Allow NAT of the guest's assigned address
Date: Fri, 16 Aug 2024 15:40:03 +1000	[thread overview]
Message-ID: <20240816054004.1335006-23-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20240816054004.1335006-1-david@gibson.dropbear.id.au>

The guest is usually assigned one of the host's IP addresses.  That means
it can't access the host itself via its usual address.  The
--nat-host-loopback option (enabled by default with the gateway address)
allows the guest to contact the host.  However, connections forwarded this
way appear on the host to have originated from the loopback interface,
which isn't always desirable.

Add a new --nat-guest-addr option, which acts similarly but forwarded
connections will go to the host's external address, instead of loopback.

If '-a' is used, so that the guest's address differs from the host's, this
will instead forward to whatever host-visible site is shadowed by the
guest's assigned address.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 conf.c  | 51 ++++++++++++++++++++++++++++++++++-----------------
 fwd.c   | 10 ++++++++++
 passt.1 | 15 +++++++++++++++
 passt.h |  6 ++++++
 4 files changed, 65 insertions(+), 17 deletions(-)

diff --git a/conf.c b/conf.c
index c5831e82..d14abc63 100644
--- a/conf.c
+++ b/conf.c
@@ -825,6 +825,14 @@ static void usage(const char *name, FILE *f, int status)
 	        "    Can be specified zero to two (for IPv4 and IPv6)\n"
 		"    default: gateway address, or none if --no-map-gw is also\n"
 		"             specified\n"
+		"  --nat-guest-addr ADDR	NAT ADDR to guest's address\n"
+		"    Packets from the guest to ADDR will be redirected to the\n"
+		"    adress on the host that's the same as the guest's\n"
+		"    assigned address.  Usually that means (one of) the host's\n"
+		"    global address.\n"
+		"    ADDR can be 'none', in which case nothing is mapped\n"
+	        "    Can be specified zero to two (for IPv4 and IPv6)\n"
+		"    default: none\n"
 		"  --dns-forward ADDR	Forward DNS queries sent to ADDR\n"
 		"    can be specified zero to two times (for IPv4 and IPv6)\n"
 		"    default: don't forward DNS queries\n"
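Review bot: The new usage text misspells `adress` on the line "adress on the host that's the same as the guest's"; it should read `address`. The line "Can be specified zero to two (for IPv4 and IPv6)" reads better as `"    Can be specified zero to two times (for IPv4 and IPv6)\n"`. The option is named `--nat-guest-addr` here and in the long-options table, but the man page entry added in passt.1 by this same patch is titled `\-\-nat-guest-loopback`, so the documented name does not match what the parser accepts; the man page heading should be `.BR \-\-nat-guest-addr " " \fIaddr`. usage() starts before and continues after this hunk.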
@@ -1141,29 +1149,32 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
 }
 
 /**
- * conf_nat() - Parse --nat-host-loopback option
- * @c:		Execution context
- * @arg:	String argument to --nat-host-loopback
- * @no_map_gw:	--no-map-gw flag, updated for "none" argument
+ * conf_nat() - Parse --nat-host-loopback or --nat-guest-addr option
+ * @arg:	String argument to option
+ * @addr4:	IPv4 to update with parsed address
+ * @addr6:	IPv6 to update with parsed address
+ * @no_map_gw:	--no-map-gw flag, or NULL, updated for "none" argument
  */
-static void conf_nat(struct ctx *c, const char *arg, int *no_map_gw)
+static void conf_nat(const char *arg, struct in_addr *addr4,
+		     struct in6_addr *addr6, int *no_map_gw)
 {
 	if (strcmp(arg, "none") == 0) {
-		c->ip4.nat_host_loopback = in4addr_any;
-		c->ip6.nat_host_loopback = in6addr_any;
-		*no_map_gw = 1;
+		*addr4 = in4addr_any;
+		*addr6 = in6addr_any;
+		if (no_map_gw)
+			*no_map_gw = 1;
 	}
 
-	if (inet_pton(AF_INET6, arg, &c->ip6.nat_host_loopback) &&
-	    !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.nat_host_loopback)	&&
-	    !IN6_IS_ADDR_LOOPBACK(&c->ip6.nat_host_loopback)	&&
-	    !IN6_IS_ADDR_MULTICAST(&c->ip6.nat_host_loopback))
+	if (inet_pton(AF_INET6, arg, addr6)	&&
+	    !IN6_IS_ADDR_UNSPECIFIED(addr6)	&&
+	    !IN6_IS_ADDR_LOOPBACK(addr6)	&&
+	    !IN6_IS_ADDR_MULTICAST(addr6))
 		return;
 
-	if (inet_pton(AF_INET, arg, &c->ip4.nat_host_loopback)	&&
-	    !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.nat_host_loopback)	&&
-	    !IN4_IS_ADDR_LOOPBACK(&c->ip4.nat_host_loopback)	&&
-	    !IN4_IS_ADDR_MULTICAST(&c->ip4.nat_host_loopback))
+	if (inet_pton(AF_INET, arg, addr4)	&&
+	    !IN4_IS_ADDR_UNSPECIFIED(addr4)	&&
+	    !IN4_IS_ADDR_LOOPBACK(addr4)	&&
+	    !IN4_IS_ADDR_MULTICAST(addr4))
 		return;
 
 	die("Invalid address to remap to host: %s", optarg);
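Review bot: The `none` branch at the top of conf_nat() does not return, so after clearing the addresses it falls through to the inet_pton() calls, both of which reject the string "none", and the function ends in die() with "Invalid address to remap to host: none"; as written `--nat-host-loopback none` and `--nat-guest-addr none` cannot be used. Add `return;` after the `*no_map_gw = 1;` assignment inside that block. The die() call also formats the global `optarg` rather than the `arg` parameter; they hold the same string for both callers today, but now that the function takes `arg` explicitly it should print that, `die("Invalid address to remap to host: %s", arg);`. Note also that validation only rejects unspecified, loopback and multicast addresses, and nothing checks for the same ADDR being given to both options; since fwd_nat_from_tap() tests nat_host_loopback first, such an overlap would silently turn --nat-guest-addr into a no-op, which may deserve a warning here.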
@@ -1279,6 +1290,7 @@ void conf(struct ctx *c, int argc, char **argv)
 		{"no-copy-addrs", no_argument,		NULL,		19 },
 		{"netns-only",	no_argument,		NULL,		20 },
 		{"nat-host-loopback", required_argument, NULL,		21 },
+		{"nat-guest-addr", required_argument,	NULL,		22 },
 		{ 0 },
 	};
 	const char *logname = (c->mode == MODE_PASTA) ? "pasta" : "passt";
@@ -1449,7 +1461,12 @@ void conf(struct ctx *c, int argc, char **argv)
 			*userns = 0;
 			break;
 		case 21:
-			conf_nat(c, optarg, &no_map_gw);
+			conf_nat(optarg, &c->ip4.nat_host_loopback,
+				 &c->ip6.nat_host_loopback, &no_map_gw);
+			break;
+		case 22:
+			conf_nat(optarg, &c->ip4.nat_guest_addr,
+				 &c->ip6.nat_guest_addr, NULL);
 			break;
 		case 'd':
 			c->debug = 1;
diff --git a/fwd.c b/fwd.c
index 7718f7e2..ff4789a2 100644
--- a/fwd.c
+++ b/fwd.c
@@ -272,6 +272,10 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto,
 		tgt->eaddr = inany_loopback4;
 	else if (inany_equals6(&ini->oaddr, &c->ip6.nat_host_loopback))
 		tgt->eaddr = inany_loopback6;
+	else if (inany_equals4(&ini->oaddr, &c->ip4.nat_guest_addr))
+		tgt->eaddr = inany_from_v4(c->ip4.addr);
+	else if (inany_equals6(&ini->oaddr, &c->ip6.nat_guest_addr))
+		tgt->eaddr.a6 = c->ip6.addr;
 	else
 		tgt->eaddr = ini->oaddr;
 
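Review bot: The two new `nat_guest_addr` comparisons are not guarded by `!IN4_IS_ADDR_UNSPECIFIED()` / `!IN6_IS_ADDR_UNSPECIFIED()`, unlike the matching branches added to fwd_nat_from_host() in this patch. With the option unset (the default, and also what conf_nat() stores for 'none') nat_guest_addr is all-zeros, so a guest packet addressed to 0.0.0.0 or :: would match and be forwarded to c->ip4.addr / c->ip6.addr, i.e. the host's own address, unless something earlier on the tap path already drops unspecified destinations, which this hunk does not show. The existing nat_host_loopback branches above have the same exposure once that option is set to 'none'. Guard the new conditions, e.g. `else if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.nat_guest_addr) && inany_equals4(&ini->oaddr, &c->ip4.nat_guest_addr))` and the IPv6 counterpart. fwd_nat_from_tap() starts before and continues after this hunk.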
@@ -393,6 +397,12 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
 	} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.nat_host_loopback) &&
 		   inany_equals6(&ini->eaddr, &in6addr_loopback)) {
 		tgt->oaddr.a6 = c->ip6.nat_host_loopback;
+	} else if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.nat_guest_addr) &&
+		   inany_equals4(&ini->eaddr, &c->ip4.addr)) {
+		tgt->oaddr = inany_from_v4(c->ip4.nat_guest_addr);
+	} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.nat_guest_addr) &&
+		   inany_equals6(&ini->eaddr, &c->ip6.addr)) {
+		tgt->oaddr.a6 = c->ip6.nat_guest_addr;
 	} else if (!fwd_guest_accessible(c, &ini->eaddr)) {
 		if (inany_v4(&ini->eaddr)) {
 			if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr))
diff --git a/passt.1 b/passt.1
index 3680056a..7cf553cf 100644
--- a/passt.1
+++ b/passt.1
@@ -350,6 +350,21 @@ as destination, to the host. Implied if there is no gateway on the selected
 default route, or if there is no default route, for any of the enabled address
 families.
 
+.TP
+.BR \-\-nat-guest-loopback " " \fIaddr
+Translate \fIaddr\fR in the guest to be equal to the guest's assigned
+address on the host.  That is, packets from the guest to \fIaddr\fR
+will be redirected to the address assigned to the guest with \fB-a\fR,
+or by default the host's global address.  This allows the guest to
+access services availble on the host's global address, even though its
+own address shadows that of the host.
+
+If \fIaddr\fR is 'none', no address is mapped.  Only one IPv4 and one
+IPv6 address can be translated, if the option is specified multiple
+times, the last one for each address type takes effect.
+
+Default is no mapping.
+
 .TP
 .BR \-4 ", " \-\-ipv4-only
 Enable IPv4-only operation. IPv6 traffic will be ignored.
diff --git a/passt.h b/passt.h
index 20a5904a..586c1d05 100644
--- a/passt.h
+++ b/passt.h
@@ -104,6 +104,8 @@ enum passt_modes {
  * @guest_gw:		IPv4 gateway as seen by the guest
  * @nat_host_loopback:	Outbound connections to this address are NATted to the
  *                      host's 127.0.0.1
+ * @nat_guest_addr:	Outbound connections to this address are NATted to the
+ *                      guest's assigned address
  * @dns:		DNS addresses for DHCP, zero-terminated
  * @dns_match:		Forward DNS query if sent to this address
  * @our_tap_addr:	IPv4 address for passt's use on tap
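Review bot: The new @nat_guest_addr field comment should record that the unspecified (all-zeros) value means the mapping is disabled, since fwd_nat_from_host() in this patch gates on `IN4_IS_ADDR_UNSPECIFIED()` and conf_nat() stores in4addr_any for 'none'; without that, a reader of the struct has no way to know zero is a sentinel. Suggest `@nat_guest_addr: Outbound connections to this address are NATted to the guest's assigned address (unspecified: no mapping)`. The corresponding ip6_ctx comment in the later hunk should say the same for in6addr_any.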
@@ -120,6 +122,7 @@ struct ip4_ctx {
 	int prefix_len;
 	struct in_addr guest_gw;
 	struct in_addr nat_host_loopback;
+	struct in_addr nat_guest_addr;
 	struct in_addr dns[MAXNS + 1];
 	struct in_addr dns_match;
 	struct in_addr our_tap_addr;
@@ -142,6 +145,8 @@ struct ip4_ctx {
  * @guest_gw:		IPv6 gateway as seen by the guest
  * @nat_host_loopback:	Outbound connections to this address are NATted to the
  *                      host's [::1]
+ * @nat_guest_addr:	Outbound connections to this address are NATted to the
+ *                      guest's assigned address
  * @dns:		DNS addresses for DHCPv6 and NDP, zero-terminated
  * @dns_match:		Forward DNS query if sent to this address
  * @our_tap_ll:		Link-local IPv6 address for passt's use on tap
@@ -158,6 +163,7 @@ struct ip6_ctx {
 	struct in6_addr addr_ll_seen;
 	struct in6_addr guest_gw;
 	struct in6_addr nat_host_loopback;
+	struct in6_addr nat_guest_addr;
 	struct in6_addr dns[MAXNS + 1];
 	struct in6_addr dns_match;
 	struct in6_addr our_tap_ll;
-- 
@@ -104,6 +104,8 @@ enum passt_modes {
  * @guest_gw:		IPv4 gateway as seen by the guest
  * @nat_host_loopback:	Outbound connections to this address are NATted to the
  *                      host's 127.0.0.1
+ * @nat_guest_addr:	Outbound connections to this address are NATted to the
+ *                      guest's assigned address
  * @dns:		DNS addresses for DHCP, zero-terminated
  * @dns_match:		Forward DNS query if sent to this address
  * @our_tap_addr:	IPv4 address for passt's use on tap
@@ -120,6 +122,7 @@ struct ip4_ctx {
 	int prefix_len;
 	struct in_addr guest_gw;
 	struct in_addr nat_host_loopback;
+	struct in_addr nat_guest_addr;
 	struct in_addr dns[MAXNS + 1];
 	struct in_addr dns_match;
 	struct in_addr our_tap_addr;
@@ -142,6 +145,8 @@ struct ip4_ctx {
  * @guest_gw:		IPv6 gateway as seen by the guest
  * @nat_host_loopback:	Outbound connections to this address are NATted to the
  *                      host's [::1]
+ * @nat_guest_addr:	Outbound connections to this address are NATted to the
+ *                      guest's assigned address
  * @dns:		DNS addresses for DHCPv6 and NDP, zero-terminated
  * @dns_match:		Forward DNS query if sent to this address
  * @our_tap_ll:		Link-local IPv6 address for passt's use on tap
@@ -158,6 +163,7 @@ struct ip6_ctx {
 	struct in6_addr addr_ll_seen;
 	struct in6_addr guest_gw;
 	struct in6_addr nat_host_loopback;
+	struct in6_addr nat_guest_addr;
 	struct in6_addr dns[MAXNS + 1];
 	struct in6_addr dns_match;
 	struct in6_addr our_tap_ll;
-- 
2.46.0

