Add outbound_addr to allow for SNAT instead of MASQ

Signed-off-by: lto-dev <[email protected]>

Author: lto-dev

src/firewall/iptables.rs

@@ -3,7 +3,8 @@ use crate::firewall;
 use crate::firewall::firewalld;
 use crate::firewall::varktables::types::TeardownPolicy::OnComplete;
 use crate::firewall::varktables::types::{
-    create_network_chains, get_network_chains, get_port_forwarding_chains, TeardownPolicy,
+    create_network_chains, get_network_chains, get_port_forwarding_chains, NetworkChainConfig,
+    TeardownPolicy,
 };
 use crate::network::internal_types::{
     PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
@@ -54,15 +55,15 @@ impl firewall::FirewallDriver for IptablesDriver {
                     conn = &self.conn6;
                 }
 
-                let chains = get_network_chains(
-                    conn,
+                let config = NetworkChainConfig {
                     network,
-                    &network_setup.network_hash_name,
-                    is_ipv6,
-                    network_setup.bridge_name.clone(),
-                    network_setup.isolation,
-                    network_setup.dns_port,
-                );
+                    network_hash_name: network_setup.network_hash_name.clone(),
+                    interface_name: network_setup.bridge_name.clone(),
+                    isolation: network_setup.isolation,
+                    dns_port: network_setup.dns_port,
+                    outbound_addr: network_setup.outbound_addr,
+                };
+                let chains = get_network_chains(conn, config);
 
                 create_network_chains(chains)?;
 
@@ -83,15 +84,15 @@ impl firewall::FirewallDriver for IptablesDriver {
                 if is_ipv6 {
                     conn = &self.conn6;
                 }
-                let chains = get_network_chains(
-                    conn,
+                let config = NetworkChainConfig {
                     network,
-                    &tear.config.network_hash_name,
-                    is_ipv6,
-                    tear.config.bridge_name.clone(),
-                    tear.config.isolation,
-                    tear.config.dns_port,
-                );
+                    network_hash_name: tear.config.network_hash_name.clone(),
+                    interface_name: tear.config.bridge_name.clone(),
+                    isolation: tear.config.isolation,
+                    dns_port: tear.config.dns_port,
+                    outbound_addr: tear.config.outbound_addr,
+                };
+                let chains = get_network_chains(conn, config);
 
                 for c in &chains {
                     c.remove_rules(tear.complete_teardown)?;

src/firewall/nft.rs

@@ -367,18 +367,69 @@ impl firewall::FirewallDriver for Nftables {
                     ],
                 ));
 
-                // Subnet chain: ip daddr != 224.0.0.0/4 masquerade
+                // Subnet chain: ip daddr != 224.0.0.0/4 snat/masquerade
                 let multicast_address: IpNet = match subnet {
                     IpNet::V4(_) => "224.0.0.0/4".parse()?,
                     IpNet::V6(_) => "ff::00/8".parse()?,
                 };
-                batch.add(make_rule(
-                    &chain,
-                    vec![
-                        get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
-                        stmt::Statement::Masquerade(None),
-                    ],
-                ));
+
+                // If outbound_addr is set and valid IPv4, use SNAT, otherwise use MASQUERADE
+                if let Some(addr) = network_setup.outbound_addr {
+                    if let IpNet::V4(_) = subnet {
+                        if addr.is_ipv4() {
+                            log::trace!("Creating SNAT rule with outbound address {}", addr);
+                            batch.add(make_rule(
+                                &chain,
+                                vec![
+                                    get_subnet_match(
+                                        &multicast_address,
+                                        "daddr",
+                                        stmt::Operator::NEQ,
+                                    ),
+                                    stmt::Statement::SNAT(Some(stmt::NAT {
+                                        addr: Some(expr::Expression::String(addr.to_string())),
+                                        family: Some(stmt::NATFamily::IP),
+                                        port: None,
+                                        flags: None,
+                                    })),
+                                ],
+                            ));
+                        } else {
+                            log::trace!(
+                                "Outbound address {} is not IPv4, using default MASQUERADE rule",
+                                addr
+                            );
+                            batch.add(make_rule(
+                                &chain,
+                                vec![
+                                    get_subnet_match(
+                                        &multicast_address,
+                                        "daddr",
+                                        stmt::Operator::NEQ,
+                                    ),
+                                    stmt::Statement::Masquerade(None),
+                                ],
+                            ));
+                        }
+                    } else {
+                        batch.add(make_rule(
+                            &chain,
+                            vec![
+                                get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
+                                stmt::Statement::Masquerade(None),
+                            ],
+                        ));
+                    }
+                } else {
+                    log::trace!("No outbound address set, using default MASQUERADE rule");
+                    batch.add(make_rule(
+                        &chain,
+                        vec![
+                            get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
+                            stmt::Statement::Masquerade(None),
+                        ],
+                    ));
+                }
 
                 // Next, populate basic chains with forwarding rules
                 // Input chain: ip saddr <subnet> udp dport 53 accept

src/firewall/state.rs

@@ -272,6 +272,7 @@ mod tests {
             network_hash_name: "hash".to_string(),
             isolation: IsolateOption::Never,
             dns_port: 53,
+            outbound_addr: None,
         };
         let net_conf_json = r#"{"subnets":["10.0.0.0/24"],"bridge_name":"bridge","network_id":"c2c8a073252874648259997d53b0a1bffa491e21f04bc1bf8609266359931395","network_hash_name":"hash","isolation":"Never","dns_port":53}"#;
 

src/firewall/varktables/types.rs

@@ -66,6 +66,7 @@ impl VarkRule {
         &self.rule
     }
 }
+
 // Varkchain is an iptable chain with extra info
 pub struct VarkChain<'a> {
     // name of chain
@@ -192,17 +193,23 @@ pub fn create_network_chains(chains: Vec<VarkChain<'_>>) -> NetavarkResult<()> {
     Ok(())
 }
 
-pub fn get_network_chains<'a>(
-    conn: &'a IPTables,
-    network: IpNet,
-    network_hash_name: &'a str,
-    is_ipv6: bool,
-    interface_name: String,
-    isolation: IsolateOption,
-    dns_port: u16,
-) -> Vec<VarkChain<'a>> {
+pub struct NetworkChainConfig {
+    pub network: IpNet,
+    pub network_hash_name: String,
+    pub interface_name: String,
+    pub isolation: IsolateOption,
+    pub dns_port: u16,
+    pub outbound_addr: Option<IpAddr>,
+}
+
+pub fn get_network_chains(conn: &IPTables, config: NetworkChainConfig) -> Vec<VarkChain<'_>> {
     let mut chains = Vec::new();
-    let prefixed_network_hash_name = format!("{}-{}", "NETAVARK", network_hash_name);
+    let prefixed_network_hash_name = format!("{}-{}", "NETAVARK", config.network_hash_name);
+
+    let is_ipv6 = match config.network {
+        IpNet::V4(_) => false,
+        IpNet::V6(_) => true,
+    };
 
     // NETAVARK-HASH
     let mut hashed_network_chain = VarkChain::new(
@@ -214,25 +221,45 @@ pub fn get_network_chains<'a>(
     hashed_network_chain.create = true;
 
     hashed_network_chain.build_rule(VarkRule::new(
-        format!("-d {network} -j {ACCEPT}"),
+        format!("-d {} -j {}", config.network, ACCEPT),
         Some(TeardownPolicy::OnComplete),
     ));
 
     let mut multicast_dest = MULTICAST_NET_V4;
     if is_ipv6 {
         multicast_dest = MULTICAST_NET_V6;
     }
-    hashed_network_chain.build_rule(VarkRule::new(
-        format!("! -d {multicast_dest} -j {MASQUERADE}"),
-        Some(TeardownPolicy::OnComplete),
-    ));
+    if let Some(addr) = config.outbound_addr {
+        if !is_ipv6 && addr.is_ipv4() {
+            log::trace!("Creating SNAT rule with outbound address {}", addr);
+            hashed_network_chain.build_rule(VarkRule::new(
+                format!("! -d {multicast_dest} -j SNAT --to-source {}", addr),
+                Some(TeardownPolicy::OnComplete),
+            ));
+        } else {
+            log::trace!(
+                "Outbound address {} is not IPv4, using default MASQUERADE rule",
+                addr
+            );
+            hashed_network_chain.build_rule(VarkRule::new(
+                format!("! -d {multicast_dest} -j {MASQUERADE}"),
+                Some(TeardownPolicy::OnComplete),
+            ));
+        }
+    } else {
+        log::trace!("No outbound address set, using default MASQUERADE rule");
+        hashed_network_chain.build_rule(VarkRule::new(
+            format!("! -d {multicast_dest} -j {MASQUERADE}"),
+            Some(TeardownPolicy::OnComplete),
+        ));
+    }
     chains.push(hashed_network_chain);
 
     // POSTROUTING
     let mut postrouting_chain =
         VarkChain::new(conn, NAT.to_string(), POSTROUTING.to_string(), None);
     postrouting_chain.build_rule(VarkRule::new(
-        format!("-s {network} -j {prefixed_network_hash_name}"),
+        format!("-s {} -j {}", config.network, prefixed_network_hash_name),
         Some(TeardownPolicy::OnComplete),
     ));
     chains.push(postrouting_chain);
@@ -272,7 +299,7 @@ pub fn get_network_chains<'a>(
     );
     netavark_isolation_chain_3.create = true;
 
-    if let IsolateOption::Normal | IsolateOption::Strict = isolation {
+    if let IsolateOption::Normal | IsolateOption::Strict = config.isolation {
         debug!("Add extra isolate rules");
         // NETAVARK_ISOLATION_1
         let mut netavark_isolation_chain_1 = VarkChain::new(
@@ -290,7 +317,7 @@ pub fn get_network_chains<'a>(
             td_policy: Some(TeardownPolicy::OnComplete),
         });
 
-        let netavark_isolation_1_target = if let IsolateOption::Strict = isolation {
+        let netavark_isolation_1_target = if let IsolateOption::Strict = config.isolation {
             // NETAVARK_ISOLATION_1 -i bridge_name ! -o bridge_name -j NETAVARK_ISOLATION_3
             NETAVARK_ISOLATION_3
         } else {
@@ -299,15 +326,16 @@ pub fn get_network_chains<'a>(
         };
         netavark_isolation_chain_1.build_rule(VarkRule {
             rule: format!(
-                "-i {interface_name} ! -o {interface_name} -j {netavark_isolation_1_target}"
+                "-i {} ! -o {} -j {}",
+                config.interface_name, config.interface_name, netavark_isolation_1_target
             ),
             position: Some(ind),
             td_policy: Some(TeardownPolicy::OnComplete),
         });
 
         // NETAVARK_ISOLATION_2 -o bridge_name -j DROP
         netavark_isolation_chain_2.build_rule(VarkRule {
-            rule: format!("-o {} -j {}", interface_name, "DROP"),
+            rule: format!("-o {} -j {}", config.interface_name, "DROP"),
             position: Some(ind),
             td_policy: Some(TeardownPolicy::OnComplete),
         });
@@ -328,7 +356,7 @@ pub fn get_network_chains<'a>(
 
         // NETAVARK_ISOLATION_3 -o bridge_name -j DROP
         netavark_isolation_chain_3.build_rule(VarkRule {
-            rule: format!("-o {} -j {}", interface_name, "DROP"),
+            rule: format!("-o {} -j {}", config.interface_name, "DROP"),
             position: Some(ind),
             td_policy: Some(TeardownPolicy::OnComplete),
         });
@@ -377,7 +405,7 @@ pub fn get_network_chains<'a>(
         netavark_input_chain.build_rule(VarkRule::new(
             format!(
                 "-p {} -s {} --dport {} -j {}",
-                proto, network, dns_port, ACCEPT
+                proto, config.network, config.dns_port, ACCEPT
             ),
             Some(TeardownPolicy::OnComplete),
         ));
@@ -395,14 +423,17 @@ pub fn get_network_chains<'a>(
     // Create incoming traffic rule
     // CNI did this by IP address, this is implemented per subnet
     netavark_forward_chain.build_rule(VarkRule::new(
-        format!("-d {network} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"),
+        format!(
+            "-d {} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+            config.network
+        ),
         Some(TeardownPolicy::OnComplete),
     ));
 
     // Create outgoing traffic rule
     // CNI did this by IP address, this is implemented per subnet
     netavark_forward_chain.build_rule(VarkRule::new(
-        format!("-s {network} -j ACCEPT"),
+        format!("-s {} -j ACCEPT", config.network),
         Some(TeardownPolicy::OnComplete),
     ));
     chains.push(netavark_forward_chain);

src/network/bridge.rs

@@ -23,7 +23,8 @@ use super::{
     constants::{
         ISOLATE_OPTION_FALSE, ISOLATE_OPTION_STRICT, ISOLATE_OPTION_TRUE,
         NO_CONTAINER_INTERFACE_ERROR, OPTION_HOST_INTERFACE_NAME, OPTION_ISOLATE, OPTION_METRIC,
-        OPTION_MODE, OPTION_MTU, OPTION_NO_DEFAULT_ROUTE, OPTION_VLAN, OPTION_VRF,
+        OPTION_MODE, OPTION_MTU, OPTION_NO_DEFAULT_ROUTE, OPTION_OUTBOUND_ADDR, OPTION_VLAN,
+        OPTION_VRF,
     },
     core_utils::{self, get_ipam_addresses, join_netns, parse_option, CoreUtils},
     driver::{self, DriverInfo},
@@ -392,6 +393,10 @@ impl<'a> Bridge<'a> {
             network_hash_name: id_network_hash.clone(),
             isolation: isolate,
             dns_port: self.info.dns_port,
+            outbound_addr: parse_option::<IpAddr>(
+                &self.info.network.options,
+                OPTION_OUTBOUND_ADDR,
+            )?,
         };
 
         let mut has_ipv4 = false;

src/network/constants.rs

@@ -24,6 +24,7 @@ pub const OPTION_BCLIM: &str = "bclim";
 pub const OPTION_VRF: &str = "vrf";
 pub const OPTION_VLAN: &str = "vlan";
 pub const OPTION_HOST_INTERFACE_NAME: &str = "host_interface_name";
+pub const OPTION_OUTBOUND_ADDR: &str = "outbound_addr";
 
 /// 100 is the default metric for most Linux networking tools.
 pub const DEFAULT_METRIC: u32 = 100;

src/network/internal_types.rs

@@ -26,6 +26,10 @@ pub struct SetupNetwork {
     pub isolation: IsolateOption,
     /// port used for the dns server
     pub dns_port: u16,
+    /// outbound address for SNAT
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(default)]
+    pub outbound_addr: Option<IpAddr>,
 }
 
 #[derive(Debug)]

test/100-bridge-iptables.bats

@@ -1093,6 +1093,19 @@ function check_simple_bridge_iptables() {
     assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
 }
 
+@test "$fw_driver - bridge with outbound addr" {
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json setup $(get_container_netns_path)
+
+    # Check that the iptables rules were created with SNAT
+    run_in_host_netns iptables -t nat -S NETAVARK-F11DC6A6D09CF
+    assert "${lines[2]}" == "-A NETAVARK-F11DC6A6D09CF ! -d 224.0.0.0/4 -j SNAT --to-source 100.1.100.1"
+
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json teardown $(get_container_netns_path)
+
+    # Check that the chain is removed
+    expected_rc=1 run_in_host_netns iptables -t nat -nvL NETAVARK-F11DC6A6D09CF
+}
+
 @test "$fw_driver - aardvark-dns error cleanup" {
     expected_rc=1 run_netavark -a /usr/bin/false --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json setup $(get_container_netns_path)
     assert_json ".error" "error while applying dns entries: IO error: aardvark-dns exited unexpectedly without error message" "aardvark-dns error"

test/250-bridge-nftables.bats

@@ -1032,6 +1032,19 @@ function check_simple_bridge_nftables() {
     assert "$output" == $'table inet netavark {\n\tchain NETAVARK-HOSTPORT-DNAT {\n\t}\n}' "NETAVARK-HOSTPORT-DNAT chain must be empty"
 }
 
+@test "$fw_driver - bridge with outbound addr" {
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json setup $(get_container_netns_path)
+
+    # Check that the nftables rules were created with SNAT
+    run_in_host_netns nft list chain inet netavark nv_2f259bab_10_89_0_0_nm24
+    assert "${lines[3]}" =~ "ip daddr != 224.0.0.0/4 snat ip to 100.1.100.1"
+
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json teardown $(get_container_netns_path)
+
+    # Check that the chain is removed
+    expected_rc=1 run_in_host_netns nft list chain inet netavark nv_2f259bab_10_89_0_0_nm24
+}
+
 @test "$fw_driver - aardvark-dns error cleanup" {
     expected_rc=1 run_netavark -a /usr/bin/false --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json setup $(get_container_netns_path)
     assert_json ".error" "error while applying dns entries: IO error: aardvark-dns exited unexpectedly without error message" "aardvark-dns error"