
fwd, conf: Allow NAT of the guest's assigned address

The guest is usually assigned one of the host's IP addresses.  That means
it can't access the host itself via its usual address.  The
--map-host-loopback option (enabled by default with the gateway address)
allows the guest to contact the host.  However, connections forwarded this
way appear on the host to have originated from the loopback interface,
which isn't always desirable.

Add a new --map-guest-addr option, which acts similarly but forwarded
connections will go to the host's external address, instead of loopback.

If '-a' is used, so the guest's address is not the same as the host's, this
will instead forward to whatever host-visible site is shadowed by the
guest's assigned address.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
David Gibson 2024-08-21 14:20:19 +10:00 committed by Stefano Brivio
parent 8436c0d61b
commit 57b7bd2a48
4 changed files with 60 additions and 17 deletions

44
conf.c

@ -820,6 +820,9 @@ static void usage(const char *name, FILE *f, int status)
" --map-host-loopback ADDR Translate ADDR to refer to host\n" " --map-host-loopback ADDR Translate ADDR to refer to host\n"
" can be specified zero to two times (for IPv4 and IPv6)\n" " can be specified zero to two times (for IPv4 and IPv6)\n"
" default: gateway address\n" " default: gateway address\n"
" --map-guest-addr ADDR Translate ADDR to guest's address\n"
" can be specified zero to two times (for IPv4 and IPv6)\n"
" default: none\n"
" --dns-forward ADDR Forward DNS queries sent to ADDR\n" " --dns-forward ADDR Forward DNS queries sent to ADDR\n"
" can be specified zero to two times (for IPv4 and IPv6)\n" " can be specified zero to two times (for IPv4 and IPv6)\n"
" default: don't forward DNS queries\n" " default: don't forward DNS queries\n"
@ -1136,29 +1139,32 @@ static void conf_ugid(char *runas, uid_t *uid, gid_t *gid)
} }
/** /**
* conf_nat() - Parse --map-host-loopback option * conf_nat() - Parse --map-host-loopback or --map-guest-addr option
* @c: Execution context * @arg: String argument to option
* @arg: String argument to --map-host-loopback * @addr4: IPv4 to update with parsed address
* @no_map_gw: --no-map-gw flag, updated for "none" argument * @addr6: IPv6 to update with parsed address
* @no_map_gw: --no-map-gw flag, or NULL, updated for "none" argument
*/ */
static void conf_nat(struct ctx *c, const char *arg, int *no_map_gw) static void conf_nat(const char *arg, struct in_addr *addr4,
struct in6_addr *addr6, int *no_map_gw)
{ {
if (strcmp(arg, "none") == 0) { if (strcmp(arg, "none") == 0) {
c->ip4.map_host_loopback = in4addr_any; *addr4 = in4addr_any;
c->ip6.map_host_loopback = in6addr_any; *addr6 = in6addr_any;
if (no_map_gw)
*no_map_gw = 1; *no_map_gw = 1;
} }
if (inet_pton(AF_INET6, arg, &c->ip6.map_host_loopback) && if (inet_pton(AF_INET6, arg, addr6) &&
!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback) && !IN6_IS_ADDR_UNSPECIFIED(addr6) &&
!IN6_IS_ADDR_LOOPBACK(&c->ip6.map_host_loopback) && !IN6_IS_ADDR_LOOPBACK(addr6) &&
!IN6_IS_ADDR_MULTICAST(&c->ip6.map_host_loopback)) !IN6_IS_ADDR_MULTICAST(addr6))
return; return;
if (inet_pton(AF_INET, arg, &c->ip4.map_host_loopback) && if (inet_pton(AF_INET, arg, addr4) &&
!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_host_loopback) && !IN4_IS_ADDR_UNSPECIFIED(addr4) &&
!IN4_IS_ADDR_LOOPBACK(&c->ip4.map_host_loopback) && !IN4_IS_ADDR_LOOPBACK(addr4) &&
!IN4_IS_ADDR_MULTICAST(&c->ip4.map_host_loopback)) !IN4_IS_ADDR_MULTICAST(addr4))
return; return;
die("Invalid address to remap to host: %s", optarg); die("Invalid address to remap to host: %s", optarg);
@ -1274,6 +1280,7 @@ void conf(struct ctx *c, int argc, char **argv)
{"no-copy-addrs", no_argument, NULL, 19 }, {"no-copy-addrs", no_argument, NULL, 19 },
{"netns-only", no_argument, NULL, 20 }, {"netns-only", no_argument, NULL, 20 },
{"map-host-loopback", required_argument, NULL, 21 }, {"map-host-loopback", required_argument, NULL, 21 },
{"map-guest-addr", required_argument, NULL, 22 },
{ 0 }, { 0 },
}; };
const char *logname = (c->mode == MODE_PASTA) ? "pasta" : "passt"; const char *logname = (c->mode == MODE_PASTA) ? "pasta" : "passt";
@ -1444,7 +1451,12 @@ void conf(struct ctx *c, int argc, char **argv)
*userns = 0; *userns = 0;
break; break;
case 21: case 21:
conf_nat(c, optarg, &no_map_gw); conf_nat(optarg, &c->ip4.map_host_loopback,
&c->ip6.map_host_loopback, &no_map_gw);
break;
case 22:
conf_nat(optarg, &c->ip4.map_guest_addr,
&c->ip6.map_guest_addr, NULL);
break; break;
case 'd': case 'd':
c->debug = 1; c->debug = 1;
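Review bot: In conf_nat the `none` branch zeroes both addresses but does not return, so, as the hunk reads here, control falls through to the inet_pton() calls, which cannot parse the literal "none", and the function reaches die(); the old line count of the hunk leaves room only for blank lines, so unless a `return;` was lost in rendering both `--map-host-loopback none` and the new `--map-guest-addr none` abort instead of disabling the mapping. A `return;` after the `if (no_map_gw) *no_map_gw = 1;` block fixes that. The error path should also use the parameter the function now receives and no longer assume the host-loopback meaning, `die("Invalid address to remap: %s", arg);`, since the same function now reports errors for --map-guest-addr. conf_nat's closing brace lies outside this hunk.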

10
fwd.c

@ -272,6 +272,10 @@ uint8_t fwd_nat_from_tap(const struct ctx *c, uint8_t proto,
tgt->eaddr = inany_loopback4; tgt->eaddr = inany_loopback4;
else if (inany_equals6(&ini->oaddr, &c->ip6.map_host_loopback)) else if (inany_equals6(&ini->oaddr, &c->ip6.map_host_loopback))
tgt->eaddr = inany_loopback6; tgt->eaddr = inany_loopback6;
else if (inany_equals4(&ini->oaddr, &c->ip4.map_guest_addr))
tgt->eaddr = inany_from_v4(c->ip4.addr);
else if (inany_equals6(&ini->oaddr, &c->ip6.map_guest_addr))
tgt->eaddr.a6 = c->ip6.addr;
else else
tgt->eaddr = ini->oaddr; tgt->eaddr = ini->oaddr;
@ -393,6 +397,12 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback) && } else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_host_loopback) &&
inany_equals6(&ini->eaddr, &in6addr_loopback)) { inany_equals6(&ini->eaddr, &in6addr_loopback)) {
tgt->oaddr.a6 = c->ip6.map_host_loopback; tgt->oaddr.a6 = c->ip6.map_host_loopback;
} else if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.map_guest_addr) &&
inany_equals4(&ini->eaddr, &c->ip4.addr)) {
tgt->oaddr = inany_from_v4(c->ip4.map_guest_addr);
} else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_guest_addr) &&
inany_equals6(&ini->eaddr, &c->ip6.addr)) {
tgt->oaddr.a6 = c->ip6.map_guest_addr;
} else if (!fwd_guest_accessible(c, &ini->eaddr)) { } else if (!fwd_guest_accessible(c, &ini->eaddr)) {
if (inany_v4(&ini->eaddr)) { if (inany_v4(&ini->eaddr)) {
if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr)) if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr))
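Review bot: The new map_guest_addr branches in fwd_nat_from_tap sit after the map_host_loopback ones, so when both options name the same address (the gateway address is the default for --map-host-loopback, and the conf_nat hunk in this commit shows no overlap check) the guest-address mapping is silently shadowed by the loopback one. Either state the precedence on the chain, e.g. `/* map_host_loopback wins over map_guest_addr for the same address */`, or have conf reject the overlap so the user is told. The from_tap branches also lack the IN4/IN6_IS_ADDR_UNSPECIFIED guard the from_host side applies at the same place; that matches the existing loopback branch, but a short comment noting that the "none" value (in4addr_any / in6addr_any) is assumed never to appear as a guest destination would make the asymmetry deliberate. Both fwd_nat_from_tap and fwd_nat_from_host continue outside their hunks.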

15
passt.1

@ -348,6 +348,21 @@ as destination, to the host. Implied if there is no gateway on the selected
default route, or if there is no default route, for any of the enabled address default route, or if there is no default route, for any of the enabled address
families. families.
.TP
.BR \-\-map-guest-addr " " \fIaddr
Translate \fIaddr\fR in the guest to be equal to the guest's assigned
address on the host. That is, packets from the guest to \fIaddr\fR
will be redirected to the address assigned to the guest with \fB-a\fR,
or by default the host's global address. This allows the guest to
access services availble on the host's global address, even though its
own address shadows that of the host.
If \fIaddr\fR is 'none', no address is mapped. Only one IPv4 and one
IPv6 address can be translated, and if the option is specified
multiple times, the last one for each address type takes effect.
Default is no mapping.
.TP .TP
.BR \-4 ", " \-\-ipv4-only .BR \-4 ", " \-\-ipv4-only
Enable IPv4-only operation. IPv6 traffic will be ignored. Enable IPv4-only operation. IPv6 traffic will be ignored.

@ -104,6 +104,8 @@ enum passt_modes {
* @guest_gw: IPv4 gateway as seen by the guest * @guest_gw: IPv4 gateway as seen by the guest
* @map_host_loopback: Outbound connections to this address are NATted to the * @map_host_loopback: Outbound connections to this address are NATted to the
* host's 127.0.0.1 * host's 127.0.0.1
* @map_guest_addr: Outbound connections to this address are NATted to the
* guest's assigned address
* @dns: DNS addresses for DHCP, zero-terminated * @dns: DNS addresses for DHCP, zero-terminated
* @dns_match: Forward DNS query if sent to this address * @dns_match: Forward DNS query if sent to this address
* @our_tap_addr: IPv4 address for passt's use on tap * @our_tap_addr: IPv4 address for passt's use on tap
@ -120,6 +122,7 @@ struct ip4_ctx {
int prefix_len; int prefix_len;
struct in_addr guest_gw; struct in_addr guest_gw;
struct in_addr map_host_loopback; struct in_addr map_host_loopback;
struct in_addr map_guest_addr;
struct in_addr dns[MAXNS + 1]; struct in_addr dns[MAXNS + 1];
struct in_addr dns_match; struct in_addr dns_match;
struct in_addr our_tap_addr; struct in_addr our_tap_addr;
@ -142,6 +145,8 @@ struct ip4_ctx {
* @guest_gw: IPv6 gateway as seen by the guest * @guest_gw: IPv6 gateway as seen by the guest
* @map_host_loopback: Outbound connections to this address are NATted to the * @map_host_loopback: Outbound connections to this address are NATted to the
* host's [::1] * host's [::1]
* @map_guest_addr: Outbound connections to this address are NATted to the
* guest's assigned address
* @dns: DNS addresses for DHCPv6 and NDP, zero-terminated * @dns: DNS addresses for DHCPv6 and NDP, zero-terminated
* @dns_match: Forward DNS query if sent to this address * @dns_match: Forward DNS query if sent to this address
* @our_tap_ll: Link-local IPv6 address for passt's use on tap * @our_tap_ll: Link-local IPv6 address for passt's use on tap
@ -158,6 +163,7 @@ struct ip6_ctx {
struct in6_addr addr_ll_seen; struct in6_addr addr_ll_seen;
struct in6_addr guest_gw; struct in6_addr guest_gw;
struct in6_addr map_host_loopback; struct in6_addr map_host_loopback;
struct in6_addr map_guest_addr;
struct in6_addr dns[MAXNS + 1]; struct in6_addr dns[MAXNS + 1];
struct in6_addr dns_match; struct in6_addr dns_match;
struct in6_addr our_tap_ll; struct in6_addr our_tap_ll;