From: David Gibson <david@gibson.dropbear.id.au>
To: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
Cc: Paul Holzinger <pholzing@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: [PATCH v2 19/23] conf, fwd: Split notion of gateway/router from guest-visible host address
Date: Wed, 21 Aug 2024 14:20:15 +1000 [thread overview]
Message-ID: <20240821042020.718422-20-david@gibson.dropbear.id.au> (raw)
In-Reply-To: <20240821042020.718422-1-david@gibson.dropbear.id.au>
The @gw fields in the ip4_ctx and ip6_ctx give the (host's) default
gateway. We use this for two quite distinct things: advertising the
gateway that the guest should use (via DHCP, NDP and/or --config-net)
and for a limited form of NAT. So that the guest can access services
on the host, we map the gateway address within the guest to the
loopback address on the host.
Using the gateway address for this isn't necessarily the best choice
for this purpose, certainly not for all circumstances. So, start off
by splitting the notion of these into two different values: @guest_gw
which is the gateway address the guest should use and @nat_host_loopback,
which is the guest visible address to remap to the host's loopback.
Usually nat_host_loopback will have the same value as guest_gw. However
when --no-map-gw is specified we leave them unspecified instead. This
means when we use nat_host_loopback, we don't need to separately check
c->no_map_gw to see if it's relevant.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
conf.c | 61 +++++++++++++++++++++++++++++++--------------------------
dhcp.c | 10 ++++++----
fwd.c | 4 ++--
passt.h | 16 +++++++++------
pasta.c | 6 ++++--
5 files changed, 55 insertions(+), 42 deletions(-)
diff --git a/conf.c b/conf.c
index 7eec3134..d4a3e9c7 100644
--- a/conf.c
+++ b/conf.c
@@ -410,12 +410,12 @@ static void add_dns_resolv(struct ctx *c, const char *nameserver,
* redirect
*/
if (IN4_IS_ADDR_LOOPBACK(&ns4)) {
- if (c->no_map_gw)
+ if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback))
return;
- ns4 = c->ip4.gw;
+ ns4 = c->ip4.map_host_loopback;
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns_match))
- c->ip4.dns_match = c->ip4.gw;
+ c->ip4.dns_match = c->ip4.map_host_loopback;
}
*idx4 += add_dns4(c, &ns4, *idx4);
@@ -429,13 +429,13 @@ static void add_dns_resolv(struct ctx *c, const char *nameserver,
* redirect
*/
if (IN6_IS_ADDR_LOOPBACK(&ns6)) {
- if (c->no_map_gw)
+ if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback))
return;
- ns6 = c->ip6.gw;
+ ns6 = c->ip6.map_host_loopback;
if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.dns_match))
- c->ip6.dns_match = c->ip6.gw;
+ c->ip6.dns_match = c->ip6.map_host_loopback;
}
*idx6 += add_dns6(c, &ns6, *idx6);
@@ -625,8 +625,9 @@ static unsigned int conf_ip4(unsigned int ifi, struct ip4_ctx *ip4)
return 0;
}
- if (IN4_IS_ADDR_UNSPECIFIED(&ip4->gw)) {
- int rc = nl_route_get_def(nl_sock, ifi, AF_INET, &ip4->gw);
+ if (IN4_IS_ADDR_UNSPECIFIED(&ip4->guest_gw)) {
+ int rc = nl_route_get_def(nl_sock, ifi, AF_INET,
+ &ip4->guest_gw);
if (rc < 0) {
err("Couldn't discover IPv4 gateway address: %s",
strerror(-rc));
@@ -658,7 +659,7 @@ static unsigned int conf_ip4(unsigned int ifi, struct ip4_ctx *ip4)
ip4->addr_seen = ip4->addr;
- ip4->our_tap_addr = ip4->gw;
+ ip4->our_tap_addr = ip4->guest_gw;
if (IN4_IS_ADDR_UNSPECIFIED(&ip4->addr))
return 0;
@@ -686,8 +687,8 @@ static unsigned int conf_ip6(unsigned int ifi, struct ip6_ctx *ip6)
return 0;
}
- if (IN6_IS_ADDR_UNSPECIFIED(&ip6->gw)) {
- rc = nl_route_get_def(nl_sock, ifi, AF_INET6, &ip6->gw);
+ if (IN6_IS_ADDR_UNSPECIFIED(&ip6->guest_gw)) {
+ rc = nl_route_get_def(nl_sock, ifi, AF_INET6, &ip6->guest_gw);
if (rc < 0) {
err("Couldn't discover IPv6 gateway address: %s",
strerror(-rc));
@@ -705,8 +706,8 @@ static unsigned int conf_ip6(unsigned int ifi, struct ip6_ctx *ip6)
ip6->addr_seen = ip6->addr;
- if (IN6_IS_ADDR_LINKLOCAL(&ip6->gw))
- ip6->our_tap_ll = ip6->gw;
+ if (IN6_IS_ADDR_LINKLOCAL(&ip6->guest_gw))
+ ip6->our_tap_ll = ip6->guest_gw;
if (IN6_IS_ADDR_UNSPECIFIED(&ip6->addr) ||
IN6_IS_ADDR_UNSPECIFIED(&ip6->our_tap_ll))
@@ -969,7 +970,8 @@ static void conf_print(const struct ctx *c)
info(" mask: %s",
inet_ntop(AF_INET, &mask, buf4, sizeof(buf4)));
info(" router: %s",
- inet_ntop(AF_INET, &c->ip4.gw, buf4, sizeof(buf4)));
+ inet_ntop(AF_INET, &c->ip4.guest_gw,
+ buf4, sizeof(buf4)));
}
for (i = 0; !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns[i]); i++) {
@@ -999,7 +1001,7 @@ static void conf_print(const struct ctx *c)
info(" assign: %s",
inet_ntop(AF_INET6, &c->ip6.addr, buf6, sizeof(buf6)));
info(" router: %s",
- inet_ntop(AF_INET6, &c->ip6.gw, buf6, sizeof(buf6)));
+ inet_ntop(AF_INET6, &c->ip6.guest_gw, buf6, sizeof(buf6)));
info(" our link-local: %s",
inet_ntop(AF_INET6, &c->ip6.our_tap_ll,
buf6, sizeof(buf6)));
@@ -1173,7 +1175,7 @@ fail:
*/
void conf(struct ctx *c, int argc, char **argv)
{
- int netns_only = 0;
+ int netns_only = 0, no_map_gw = 0;
const struct option options[] = {
{"debug", no_argument, NULL, 'd' },
{"quiet", no_argument, NULL, 'q' },
@@ -1202,7 +1204,7 @@ void conf(struct ctx *c, int argc, char **argv)
{"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 },
{"no-ndp", no_argument, &c->no_ndp, 1 },
{"no-ra", no_argument, &c->no_ra, 1 },
- {"no-map-gw", no_argument, &c->no_map_gw, 1 },
+ {"no-map-gw", no_argument, &no_map_gw, 1 },
{"ipv4-only", no_argument, NULL, '4' },
{"ipv6-only", no_argument, NULL, '6' },
{"one-off", no_argument, NULL, '1' },
@@ -1503,18 +1505,18 @@ void conf(struct ctx *c, int argc, char **argv)
parse_mac(c->our_tap_mac, optarg);
break;
case 'g':
- if (inet_pton(AF_INET6, optarg, &c->ip6.gw) &&
- !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw) &&
- !IN6_IS_ADDR_LOOPBACK(&c->ip6.gw)) {
+ if (inet_pton(AF_INET6, optarg, &c->ip6.guest_gw) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.guest_gw) &&
+ !IN6_IS_ADDR_LOOPBACK(&c->ip6.guest_gw)) {
if (c->mode == MODE_PASTA)
c->ip6.no_copy_routes = true;
break;
}
- if (inet_pton(AF_INET, optarg, &c->ip4.gw) &&
- !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.gw) &&
- !IN4_IS_ADDR_BROADCAST(&c->ip4.gw) &&
- !IN4_IS_ADDR_LOOPBACK(&c->ip4.gw)) {
+ if (inet_pton(AF_INET, optarg, &c->ip4.guest_gw) &&
+ !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.guest_gw) &&
+ !IN4_IS_ADDR_BROADCAST(&c->ip4.guest_gw) &&
+ !IN4_IS_ADDR_LOOPBACK(&c->ip4.guest_gw)) {
if (c->mode == MODE_PASTA)
c->ip4.no_copy_routes = true;
break;
@@ -1637,11 +1639,14 @@ void conf(struct ctx *c, int argc, char **argv)
(*c->ip6.ifname_out && !c->ifi6))
die("External interface not usable");
- if (c->ifi4 && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.gw))
- c->no_map_gw = c->no_dhcp = 1;
+ if (c->ifi4 && !no_map_gw)
+ c->ip4.map_host_loopback = c->ip4.guest_gw;
- if (c->ifi6 && IN6_IS_ADDR_UNSPECIFIED(&c->ip6.gw))
- c->no_map_gw = 1;
+ if (c->ifi6 && !no_map_gw)
+ c->ip6.map_host_loopback = c->ip6.guest_gw;
+
+ if (c->ifi4 && IN4_IS_ADDR_UNSPECIFIED(&c->ip4.guest_gw))
+ c->no_dhcp = 1;
/* Inbound port options & DNS can be parsed now (after IPv4/IPv6
* settings)
diff --git a/dhcp.c b/dhcp.c
index 353de323..a06f1438 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -346,19 +346,21 @@ int dhcp(const struct ctx *c, const struct pool *p)
m->yiaddr = c->ip4.addr;
mask.s_addr = htonl(0xffffffff << (32 - c->ip4.prefix_len));
memcpy(opts[1].s, &mask, sizeof(mask));
- memcpy(opts[3].s, &c->ip4.gw, sizeof(c->ip4.gw));
+ memcpy(opts[3].s, &c->ip4.guest_gw, sizeof(c->ip4.guest_gw));
memcpy(opts[54].s, &c->ip4.our_tap_addr, sizeof(c->ip4.our_tap_addr));
/* If the gateway is not on the assigned subnet, send an option 121
* (Classless Static Routing) adding a dummy route to it.
*/
if ((c->ip4.addr.s_addr & mask.s_addr)
- != (c->ip4.gw.s_addr & mask.s_addr)) {
+ != (c->ip4.guest_gw.s_addr & mask.s_addr)) {
/* a.b.c.d/32:0.0.0.0, 0:a.b.c.d */
opts[121].slen = 14;
opts[121].s[0] = 32;
- memcpy(opts[121].s + 1, &c->ip4.gw, sizeof(c->ip4.gw));
- memcpy(opts[121].s + 10, &c->ip4.gw, sizeof(c->ip4.gw));
+ memcpy(opts[121].s + 1,
+ &c->ip4.guest_gw, sizeof(c->ip4.guest_gw));
+ memcpy(opts[121].s + 10,
+ &c->ip4.guest_gw, sizeof(c->ip4.guest_gw));
}
if (c->mtu != -1) {
diff --git a/fwd.c b/fwd.c
index 664b8ac6..f99d2040 100644
--- a/fwd.c
+++ b/fwd.c
@@ -268,9 +268,9 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto,
else if (is_dns_flow(proto, ini) &&
inany_equals6(&ini->oaddr, &c->ip6.dns_match))
tgt->eaddr.a6 = c->ip6.dns_host;
- else if (!c->no_map_gw && inany_equals4(&ini->oaddr, &c->ip4.gw))
+ else if (inany_equals4(&ini->oaddr, &c->ip4.map_host_loopback))
tgt->eaddr = inany_loopback4;
- else if (!c->no_map_gw && inany_equals6(&ini->oaddr, &c->ip6.gw))
+ else if (inany_equals6(&ini->oaddr, &c->ip6.map_host_loopback))
tgt->eaddr = inany_loopback6;
else
tgt->eaddr = ini->oaddr;
diff --git a/passt.h b/passt.h
index c6c67ffc..7cdba85e 100644
--- a/passt.h
+++ b/passt.h
@@ -101,7 +101,9 @@ enum passt_modes {
* @addr: IPv4 address assigned to guest
* @addr_seen: Latest IPv4 address seen as source from tap
* @prefixlen: IPv4 prefix length (netmask)
- * @gw: Default IPv4 gateway
+ * @guest_gw: IPv4 gateway as seen by the guest
+ * @map_host_loopback: Outbound connections to this address are NATted to the
+ * host's 127.0.0.1
* @dns: DNS addresses for DHCP, zero-terminated
* @dns_match: Forward DNS query if sent to this address
* @our_tap_addr: IPv4 address for passt's use on tap
@@ -116,7 +118,8 @@ struct ip4_ctx {
struct in_addr addr;
struct in_addr addr_seen;
int prefix_len;
- struct in_addr gw;
+ struct in_addr guest_gw;
+ struct in_addr map_host_loopback;
struct in_addr dns[MAXNS + 1];
struct in_addr dns_match;
struct in_addr our_tap_addr;
@@ -136,7 +139,9 @@ struct ip4_ctx {
* @addr: IPv6 address assigned to guest
* @addr_seen: Latest IPv6 global/site address seen as source from tap
* @addr_ll_seen: Latest IPv6 link-local address seen as source from tap
- * @gw: Default IPv6 gateway
+ * @guest_gw: IPv6 gateway as seen by the guest
+ * @map_host_loopback: Outbound connections to this address are NATted to the
+ * host's [::1]
* @dns: DNS addresses for DHCPv6 and NDP, zero-terminated
* @dns_match: Forward DNS query if sent to this address
* @our_tap_ll: Link-local IPv6 address for passt's use on tap
@@ -151,7 +156,8 @@ struct ip6_ctx {
struct in6_addr addr;
struct in6_addr addr_seen;
struct in6_addr addr_ll_seen;
- struct in6_addr gw;
+ struct in6_addr guest_gw;
+ struct in6_addr map_host_loopback;
struct in6_addr dns[MAXNS + 1];
struct in6_addr dns_match;
struct in6_addr our_tap_ll;
@@ -213,7 +219,6 @@ struct ip6_ctx {
* @no_dhcpv6: Disable DHCPv6 server
* @no_ndp: Disable NDP handler altogether
* @no_ra: Disable router advertisements
- * @no_map_gw: Don't map connections, untracked UDP to gateway to host
* @low_wmem: Low probed net.core.wmem_max
* @low_rmem: Low probed net.core.rmem_max
*/
@@ -273,7 +278,6 @@ struct ctx {
int no_dhcpv6;
int no_ndp;
int no_ra;
- int no_map_gw;
int low_wmem;
int low_rmem;
diff --git a/pasta.c b/pasta.c
index 5f897d3e..0df7cb46 100644
--- a/pasta.c
+++ b/pasta.c
@@ -332,7 +332,8 @@ void pasta_ns_conf(struct ctx *c)
if (c->ip4.no_copy_routes) {
rc = nl_route_set_def(nl_sock_ns, c->pasta_ifi,
- AF_INET, &c->ip4.gw);
+ AF_INET,
+ &c->ip4.guest_gw);
} else {
rc = nl_route_dup(nl_sock, c->ifi4, nl_sock_ns,
c->pasta_ifi, AF_INET);
@@ -378,7 +379,8 @@ void pasta_ns_conf(struct ctx *c)
if (c->ip6.no_copy_routes) {
rc = nl_route_set_def(nl_sock_ns, c->pasta_ifi,
- AF_INET6, &c->ip6.gw);
+ AF_INET6,
+ &c->ip6.guest_gw);
} else {
rc = nl_route_dup(nl_sock, c->ifi6,
nl_sock_ns, c->pasta_ifi,
--
@@ -332,7 +332,8 @@ void pasta_ns_conf(struct ctx *c)
if (c->ip4.no_copy_routes) {
rc = nl_route_set_def(nl_sock_ns, c->pasta_ifi,
- AF_INET, &c->ip4.gw);
+ AF_INET,
+ &c->ip4.guest_gw);
} else {
rc = nl_route_dup(nl_sock, c->ifi4, nl_sock_ns,
c->pasta_ifi, AF_INET);
@@ -378,7 +379,8 @@ void pasta_ns_conf(struct ctx *c)
if (c->ip6.no_copy_routes) {
rc = nl_route_set_def(nl_sock_ns, c->pasta_ifi,
- AF_INET6, &c->ip6.gw);
+ AF_INET6,
+ &c->ip6.guest_gw);
} else {
rc = nl_route_dup(nl_sock, c->ifi6,
nl_sock_ns, c->pasta_ifi,
--
2.46.0
next prev parent reply other threads:[~2024-08-21 4:20 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-21 4:19 [PATCH v2 00/23] Allow configuration of special case NATs David Gibson
2024-08-21 4:19 ` [PATCH v2 01/23] treewide: Use "our address" instead of "forwarding address" David Gibson
2024-08-21 4:19 ` [PATCH v2 02/23] util: Helper for formatting MAC addresses David Gibson
2024-08-21 4:19 ` [PATCH v2 03/23] treewide: Rename MAC address fields for clarity David Gibson
2024-08-21 4:20 ` [PATCH v2 04/23] treewide: Use struct assignment instead of memcpy() for IP addresses David Gibson
2024-08-21 4:20 ` [PATCH v2 05/23] conf: Use array indices rather than pointers for DNS array slots David Gibson
2024-08-21 4:20 ` [PATCH v2 06/23] conf: More accurately count entries added in get_dns() David Gibson
2024-08-21 4:20 ` [PATCH v2 07/23] conf: Move DNS array bounds checks into add_dns[46] David Gibson
2024-08-21 4:20 ` [PATCH v2 08/23] conf: Move adding of a nameserver from resolv.conf into subfunction David Gibson
2024-08-21 4:20 ` [PATCH v2 09/23] conf: Correct setting of dns_match address in add_dns6() David Gibson
2024-08-21 4:20 ` [PATCH v2 10/23] conf: Treat --dns addresses as guest visible addresses David Gibson
2024-08-21 4:20 ` [PATCH v2 11/23] conf: Remove incorrect initialisation of addr_ll_seen David Gibson
2024-08-21 4:20 ` [PATCH v2 12/23] util: Correct sock_l4() binding for link local addresses David Gibson
2024-08-21 4:20 ` [PATCH v2 13/23] treewide: Change misleading 'addr_ll' name David Gibson
2024-08-21 4:20 ` [PATCH v2 14/23] Clarify which addresses in ip[46]_ctx are meaningful where David Gibson
2024-08-21 4:20 ` [PATCH v2 15/23] Initialise our_tap_ll to ip6.gw when suitable David Gibson
2024-08-21 4:20 ` [PATCH v2 16/23] fwd: Helpers to clarify what host addresses aren't guest accessible David Gibson
2024-08-21 4:20 ` [PATCH v2 17/23] fwd: Split notion of "our tap address" from gateway for IPv4 David Gibson
2024-08-21 4:20 ` [PATCH v2 18/23] Don't take "our" MAC address from the host David Gibson
2024-08-21 4:20 ` David Gibson [this message]
2024-08-21 4:20 ` [PATCH v2 20/23] test: Reconfigure IPv6 address after changing MTU David Gibson
2024-08-21 4:20 ` [PATCH v2 21/23] conf: Allow address remapped to host to be configured David Gibson
2024-08-21 4:20 ` [PATCH v2 22/23] fwd: Distinguish translatable from untranslatable addresses on inbound David Gibson
2024-08-21 4:20 ` [PATCH v2 23/23] fwd, conf: Allow NAT of the guest's assigned address David Gibson
2024-08-21 10:38 ` [PATCH v2 00/23] Allow configuration of special case NATs Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240821042020.718422-20-david@gibson.dropbear.id.au \
--to=david@gibson.dropbear.id.au \
--cc=passt-dev@passt.top \
--cc=pholzing@redhat.com \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).