From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
Cc: Paul Holzinger, David Gibson
Subject: [PATCH v2 23/23] fwd, conf: Allow NAT of the guest's assigned address
Date: Wed, 21 Aug 2024 14:20:19 +1000
Message-ID: <20240821042020.718422-24-david@gibson.dropbear.id.au>
In-Reply-To: <20240821042020.718422-1-david@gibson.dropbear.id.au>
References: <20240821042020.718422-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

The guest is usually assigned one of the host's IP addresses. That means it can't access the host itself via its usual address. The --map-host-loopback option (enabled by default with the gateway address) allows the guest to contact the host. However, connections forwarded this way appear on the host to have originated from the loopback interface, which isn't always desirable.

Add a new --map-guest-addr option, which acts similarly but forwarded connections will go to the host's external address, instead of loopback. If '-a' is used, so the guest's address is not the same as the host's, this will instead forward to whatever host-visible site is shadowed by the guest's assigned address.
Signed-off-by: David Gibson --- conf.c | 46 +++++++++++++++++++++++++++++----------------- fwd.c | 10 ++++++++++ passt.1 | 15 +++++++++++++++ passt.h | 6 ++++++ 4 files changed, 60 insertions(+), 17 deletions(-) diff --git a/conf.c b/conf.c index d605c215..67945086 100644 --- a/conf.c +++ b/conf.c @@ -820,6 +820,9 @@ static void usage(const char *name, FILE *f, int status) " --map-host-loopback ADDR Translate ADDR to refer to host\n" " can be specified zero to two times (for IPv4 and IPv6)\n" " default: gateway address\n" + " --map-guest-addr ADDR Translate ADDR to guest's address\n" + " can be specified zero to two times (for IPv4 and IPv6)\n" + " default: none\n" " --dns-forward ADDR Forward DNS queries sent to ADDR\n" " can be specified zero to two times (for IPv4 and IPv6)\n" " default: don't forward DNS queries\n" 
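Review bot: the new usage() text "--map-guest-addr ADDR Translate ADDR to guest's address" is ambiguous about which side of the tap the translation lands on, and it reads differently from the passt.1 entry in the same patch, which says packets to ADDR are redirected to the guest's assigned address on the host. Suggest wording that matches the man page, for example "Translate ADDR to the guest's assigned address on the host", so that the two descriptions cannot drift apart.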
@@ -1136,29 +1139,32 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid) } /** - * conf_nat() - Parse --map-host-loopback option - * @c: Execution context - * @arg: String argument to --map-host-loopback - * @no_map_gw: --no-map-gw flag, updated for "none" argument + * conf_nat() - Parse --map-host-loopback or --map-guest-addr option + * @arg: String argument to option + * @addr4: IPv4 to update with parsed address + * @addr6: IPv6 to update with parsed address + * @no_map_gw: --no-map-gw flag, or NULL, updated for "none" argument */ -static void conf_nat(struct ctx *c, const char *arg, int *no_map_gw) +static void conf_nat(const char *arg, struct in_addr *addr4, + struct in6_addr *addr6, int *no_map_gw) { if (strcmp(arg, "none") == 0) { - c->ip4.map_host_loopback = in4addr_any; - c->ip6.map_host_loopback = in6addr_any; - *no_map_gw = 1; + *addr4 = in4addr_any; + *addr6 = in6addr_any; + if (no_map_gw) + *no_map_gw = 1; } - if (inet_pton(AF_INET6, arg, &c->ip6.map_host_loopback) && - !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback) && - !IN6_IS_ADDR_LOOPBACK(&c->ip6.map_host_loopback) && - !IN6_IS_ADDR_MULTICAST(&c->ip6.map_host_loopback)) + if (inet_pton(AF_INET6, arg, addr6) && + !IN6_IS_ADDR_UNSPECIFIED(addr6) && + !IN6_IS_ADDR_LOOPBACK(addr6) && + !IN6_IS_ADDR_MULTICAST(addr6)) return; - if (inet_pton(AF_INET, arg, &c->ip4.map_host_loopback) && - !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback) && - !IN4_IS_ADDR_LOOPBACK(&c->ip4.map_host_loopback) && - !IN4_IS_ADDR_MULTICAST(&c->ip4.map_host_loopback)) + if (inet_pton(AF_INET, arg, addr4) && + !IN4_IS_ADDR_UNSPECIFIED(addr4) && + !IN4_IS_ADDR_LOOPBACK(addr4) && + !IN4_IS_ADDR_MULTICAST(addr4)) return; die("Invalid address to remap to host: %s", optarg); 
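Review bot: as quoted, the "none" branch of conf_nat() does not return: after zeroing *addr4 and *addr6 it falls through to the inet_pton() calls, which fail on the string "none" for both families, and the function reaches die(). The hunk shows no context line between the closing brace of that block and the IPv6 check, and the pre-existing code had the same shape, so if the full function really lacks it, "--map-host-loopback none" and "--map-guest-addr none" both abort; a `return;` after `*no_map_gw = 1;` fixes that. Two smaller points in the same hunk: the final `die("Invalid address to remap to host: %s", optarg);` still says "to host" even though the function now also serves --map-guest-addr, and it reads the getopt global `optarg` instead of the `arg` parameter it was handed, which is fragile now that the function is called from two option cases; `die("Invalid address to remap: %s", arg);` addresses both.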
@@ -1274,6 +1280,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-copy-addrs", no_argument, NULL, 19 }, {"netns-only", no_argument, NULL, 20 }, {"map-host-loopback", required_argument, NULL, 21 }, + {"map-guest-addr", required_argument, NULL, 22 }, { 0 }, }; const char *logname = (c->mode == MODE_PASTA) ? "pasta" : "passt"; @@ -1444,7 +1451,12 @@ void conf(struct ctx *c, int argc, char **argv) *userns = 0; break; case 21: - conf_nat(c, optarg, &no_map_gw); + conf_nat(optarg, &c->ip4.map_host_loopback, + &c->ip6.map_host_loopback, &no_map_gw); + break; + case 22: + conf_nat(optarg, &c->ip4.map_guest_addr, + &c->ip6.map_guest_addr, NULL); break; case 'd': c->debug = 1; diff --git a/fwd.c b/fwd.c index c55aea0b..2a0452fa 100644 --- a/fwd.c +++ b/fwd.c @@ -272,6 +272,10 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto, tgt->eaddr = inany_loopback4; else if (inany_equals6(&ini->oaddr, &c->ip6.map_host_loopback)) tgt->eaddr = inany_loopback6; + else if (inany_equals4(&ini->oaddr, &c->ip4.map_guest_addr)) + tgt->eaddr = inany_from_v4(c->ip4.addr); + else if (inany_equals6(&ini->oaddr, &c->ip6.map_guest_addr)) + tgt->eaddr.a6 = c->ip6.addr; else tgt->eaddr = ini->oaddr; @@ -393,6 +397,12 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto, } else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback) && inany_equals6(&ini->eaddr, &in6addr_loopback)) { tgt->oaddr.a6 = c->ip6.map_host_loopback; + } else if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_guest_addr) && + inany_equals4(&ini->eaddr, &c->ip4.addr)) { + tgt->oaddr = inany_from_v4(c->ip4.map_guest_addr); + } else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_guest_addr) && + inany_equals6(&ini->eaddr, &c->ip6.addr)) { + tgt->oaddr.a6 = c->ip6.map_guest_addr; } else if (!fwd_guest_accessible(c, &ini->eaddr)) { if (inany_v4(&ini->eaddr)) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) diff --git a/passt.1 b/passt.1 index e85d9885..79d134db 100644 --- a/passt.1 +++ b/passt.1 
@@ -348,6 +348,21 @@ as destination, to the host. Implied if there is no gateway on the selected default route, or if there is no default route, for any of the enabled address families. +.TP +.BR \-\-map-guest-addr " " \fIaddr +Translate \fIaddr\fR in the guest to be equal to the guest's assigned +address on the host. That is, packets from the guest to \fIaddr\fR +will be redirected to the address assigned to the guest with \fB-a\fR, +or by default the host's global address. This allows the guest to +access services availble on the host's global address, even though its +own address shadows that of the host. + +If \fIaddr\fR is 'none', no address is mapped. Only one IPv4 and one +IPv6 address can be translated, and if the option is specified +multiple times, the last one for each address type takes effect. + +Default is no mapping. + .TP .BR \-4 ", " \-\-ipv4-only Enable IPv4-only operation. IPv6 traffic will be ignored. diff --git a/passt.h b/passt.h index 7cdba85e..031c9b66 100644 --- a/passt.h +++ b/passt.h @@ -104,6 +104,8 @@ enum passt_modes { * @guest_gw: IPv4 gateway as seen by the guest * @map_host_loopback: Outbound connections to this address are NATted to the * host's 127.0.0.1 + * @map_guest_addr: Outbound connections to this address are NATted to the + * guest's assigned address * @dns: DNS addresses for DHCP, zero-terminated * @dns_match: Forward DNS query if sent to this address * @our_tap_addr: IPv4 address for passt's use on tap @@ -120,6 +122,7 @@ struct ip4_ctx { int prefix_len; struct in_addr guest_gw; struct in_addr map_host_loopback; + struct in_addr map_guest_addr; struct in_addr dns[MAXNS + 1]; struct in_addr dns_match; struct in_addr our_tap_addr; 
@@ -142,6 +145,8 @@ struct ip4_ctx { * @guest_gw: IPv6 gateway as seen by the guest * @map_host_loopback: Outbound connections to this address are NATted to the * host's [::1] + * @map_guest_addr: Outbound connections to this address are NATted to the + * guest's assigned address * @dns: DNS addresses for DHCPv6 and NDP, zero-terminated * @dns_match: Forward DNS query if sent to this address * @our_tap_ll: Link-local IPv6 address for passt's use on tap @@ -158,6 +163,7 @@ struct ip6_ctx { struct in6_addr addr_ll_seen; struct in6_addr guest_gw; struct in6_addr map_host_loopback; + struct in6_addr map_guest_addr; struct in6_addr dns[MAXNS + 1]; struct in6_addr dns_match; struct in6_addr our_tap_ll; -- 2.46.0
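Review bot: in the fwd_nat_from_tap() hunk the new comparisons `inany_equals4(&ini->oaddr, &c->ip4.map_guest_addr)` and the IPv6 counterpart are not guarded by a check that the option is set, whereas the branches added to fwd_nat_from_host() in the same patch test `!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_guest_addr)` and the IPv6 equivalent first. With the documented default of no mapping (unspecified address), a guest packet addressed to 0.0.0.0 or :: would compare equal and be rewritten to c->ip4.addr or c->ip6.addr. The existing map_host_loopback branches above have the same asymmetry, so either add the guard on the tap side for symmetry or leave a comment explaining why an unspecified destination cannot reach this point.

Review bot: in the fwd_nat_from_host() hunk the map_guest_addr branches are placed after the map_host_loopback ones, and fwd_nat_from_tap() tests map_host_loopback before map_guest_addr as well, so a --map-guest-addr value equal to the --map-host-loopback address (by default the gateway) is silently shadowed and the new option has no effect. Nothing in conf_nat() rejects that overlap; consider diagnosing it in conf() once both options have been parsed, or at least stating the precedence in passt.1.

Review bot: typo in the passt.1 hunk, "availble" should be "available".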
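As an added illustration of the address translation the commit message describes (this is example code written for this page, not passt's fwd.c or conf.c; the type nat_ctx, the functions ip4(), nat_from_tap(), nat_from_host(), roundtrip_ok(), mapping_shadowed() and demo_ctx(), and every address used are constructed for the example), the following C model applies the same two lookups, one per direction, to plain IPv4 addresses. It also checks the two edge cases a reviewer cares about: that an unset mapping never matches, and that a --map-guest-addr value colliding with --map-host-loopback is shadowed by the loopback mapping because that one is tested first.

```c
/*
 * Added example, not passt's own code: a minimal model of the two NAT
 * lookups the patch extends (guest-to-host in fwd_nat_from_tap(),
 * host-to-guest in fwd_nat_from_host()), reduced to IPv4 addresses held
 * as host-order uint32_t. All names and addresses are constructed.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LOOPBACK4 0x7f000001u	/* 127.0.0.1 */

struct nat_ctx {
	uint32_t addr;			/* address assigned to the guest: the host's own, or -a */
	uint32_t map_host_loopback;	/* --map-host-loopback, 0 = none */
	uint32_t map_guest_addr;	/* --map-guest-addr, 0 = none */
};

/* Parse a dotted quad into host byte order; 0 on failure. */
static uint32_t ip4(const char *s)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return 0;
	return ntohl(a.s_addr);
}

/* Guest -> host: rewrite the destination the guest connected to.
 * The loopback mapping is tested first, as in the patch, so it wins when
 * both options name the same address. Both mappings are skipped
 * explicitly when unset, so a destination of 0.0.0.0 is never rewritten. */
static uint32_t nat_from_tap(const struct nat_ctx *c, uint32_t dst)
{
	if (c->map_host_loopback && dst == c->map_host_loopback)
		return LOOPBACK4;
	if (c->map_guest_addr && dst == c->map_guest_addr)
		return c->addr;
	return dst;
}

/* Host -> guest: rewrite the source address the host connected from, so
 * replies and inbound connections carry the address the guest knows. */
static uint32_t nat_from_host(const struct nat_ctx *c, uint32_t src)
{
	if (c->map_host_loopback && src == LOOPBACK4)
		return c->map_host_loopback;
	if (c->map_guest_addr && src == c->addr)
		return c->map_guest_addr;
	return src;
}

/* A guest-side destination must survive a trip through both directions
 * unchanged, otherwise the guest sees a reply from a different peer. */
static bool roundtrip_ok(const struct nat_ctx *c, uint32_t guest_dst)
{
	return nat_from_host(c, nat_from_tap(c, guest_dst)) == guest_dst;
}

/* True when --map-guest-addr can never match because the loopback
 * mapping is checked first for the same address. */
static bool mapping_shadowed(const struct nat_ctx *c)
{
	return c->map_guest_addr && c->map_guest_addr == c->map_host_loopback;
}

/* Constructed configuration: the guest shares the host's 192.0.2.10,
 * the gateway 192.0.2.1 maps to host loopback, and 192.0.2.2 maps to
 * the host's own address. */
static struct nat_ctx demo_ctx(void)
{
	struct nat_ctx c = {
		.addr = ip4("192.0.2.10"),
		.map_host_loopback = ip4("192.0.2.1"),
		.map_guest_addr = ip4("192.0.2.2"),
	};
	return c;
}

static void show(const char *what, uint32_t a)
{
	struct in_addr in = { .s_addr = htonl(a) };
	char buf[INET_ADDRSTRLEN];

	printf("%-40s %s\n", what, inet_ntop(AF_INET, &in, buf, sizeof(buf)));
}

int main(void)
{
	struct nat_ctx c = demo_ctx();

	show("guest -> 192.0.2.2 reaches host at", nat_from_tap(&c, ip4("192.0.2.2")));
	show("guest -> 192.0.2.1 reaches host at", nat_from_tap(&c, ip4("192.0.2.1")));
	show("host 192.0.2.10 appears to guest as", nat_from_host(&c, ip4("192.0.2.10")));
	show("host 127.0.0.1 appears to guest as", nat_from_host(&c, ip4("127.0.0.1")));
	return roundtrip_ok(&c, ip4("192.0.2.2")) ? 0 : 1;
}
```

The model deliberately guards both directions on the option being set; the quoted from-tap hunk guards only the from-host side, which is the asymmetry worth checking when reviewing the real code.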