fwd: Helpers to clarify what host addresses aren't guest accessible

We usually avoid NAT, but in a few cases we need to apply address
translations.  For inbound connections that happens for addresses which
make sense to the host but are either inaccessible, or mean a different
location from the guest's point of view.

Add some helper functions to determine such addresses, and use them in
fwd_nat_from_host().  In doing so clarify some of the reasons for the
logic.  We'll also have further use for these helpers in future.

While we're there fix one unneccessary inconsistency between IPv4 and IPv6.
We always translated the guest's observed address, but for IPv4 we didn't
translate the guest's assigned address, whereas for IPv6 we did.  Change
this to translate both in all cases for consistency.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
David Gibson 2024-08-21 14:20:12 +10:00 committed by Stefano Brivio
parent 975cfa5f32
commit 4d8dd1fbe7

94
fwd.c
View file

@ -170,6 +170,85 @@ static bool is_dns_flow(uint8_t proto, const struct flowside *ini)
((ini->oport == 53) || (ini->oport == 853)); ((ini->oport == 53) || (ini->oport == 853));
} }
/**
* fwd_guest_accessible4() - Is IPv4 address guest-accessible
* @c: Execution context
* @addr: Host visible IPv4 address
*
* Return: true if @addr on the host is accessible to the guest without
* translation, false otherwise
*/
static bool fwd_guest_accessible4(const struct ctx *c,
const struct in_addr *addr)
{
if (IN4_IS_ADDR_LOOPBACK(addr))
return false;
/* In socket interfaces 0.0.0.0 generally means "any" or unspecified,
* however on the wire it can mean "this host on this network". Since
* that has a different meaning for host and guest, we can't let it
* through untranslated.
*/
if (IN4_IS_ADDR_UNSPECIFIED(addr))
return false;
/* For IPv4, addr_seen is initialised to addr, so is always a valid
* address
*/
if (IN4_ARE_ADDR_EQUAL(addr, &c->ip4.addr) ||
IN4_ARE_ADDR_EQUAL(addr, &c->ip4.addr_seen))
return false;
return true;
}
/**
* fwd_guest_accessible6() - Is IPv6 address guest-accessible
* @c: Execution context
* @addr: Host visible IPv6 address
*
* Return: true if @addr on the host is accessible to the guest without
* translation, false otherwise
*/
static bool fwd_guest_accessible6(const struct ctx *c,
const struct in6_addr *addr)
{
if (IN6_IS_ADDR_LOOPBACK(addr))
return false;
if (IN6_ARE_ADDR_EQUAL(addr, &c->ip6.addr))
return false;
/* For IPv6, addr_seen starts unspecified, because we don't know what LL
* address the guest will take until we see it. Only check against it
* if it has been set to a real address.
*/
if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_seen) &&
IN6_ARE_ADDR_EQUAL(addr, &c->ip6.addr_seen))
return false;
return true;
}
/**
* fwd_guest_accessible() - Is IPv[46] address guest-accessible
* @c: Execution context
* @addr: Host visible IPv[46] address
*
* Return: true if @addr on the host is accessible to the guest without
* translation, false otherwise
*/
static bool fwd_guest_accessible(const struct ctx *c,
const union inany_addr *addr)
{
const struct in_addr *a4 = inany_v4(addr);
if (a4)
return fwd_guest_accessible4(c, a4);
return fwd_guest_accessible6(c, &addr->a6);
}
/** /**
* fwd_nat_from_tap() - Determine to forward a flow from the tap interface * fwd_nat_from_tap() - Determine to forward a flow from the tap interface
* @c: Execution context * @c: Execution context
@ -307,18 +386,15 @@ uint8_t fwd_nat_from_host(const struct ctx *c, uint8_t proto,
return PIF_SPLICE; return PIF_SPLICE;
} }
tgt->oaddr = ini->eaddr; if (!fwd_guest_accessible(c, &ini->eaddr)) {
tgt->oport = ini->eport; if (inany_v4(&ini->eaddr))
if (inany_is_loopback4(&tgt->oaddr) ||
inany_is_unspecified4(&tgt->oaddr) ||
inany_equals4(&tgt->oaddr, &c->ip4.addr_seen)) {
tgt->oaddr = inany_from_v4(c->ip4.gw); tgt->oaddr = inany_from_v4(c->ip4.gw);
} else if (inany_is_loopback6(&tgt->oaddr) || else
inany_equals6(&tgt->oaddr, &c->ip6.addr_seen) ||
inany_equals6(&tgt->oaddr, &c->ip6.addr)) {
tgt->oaddr.a6 = c->ip6.our_tap_ll; tgt->oaddr.a6 = c->ip6.our_tap_ll;
} else {
tgt->oaddr = ini->eaddr;
} }
tgt->oport = ini->eport;
if (inany_v4(&tgt->oaddr)) { if (inany_v4(&tgt->oaddr)) {
tgt->eaddr = inany_from_v4(c->ip4.addr_seen); tgt->eaddr = inany_from_v4(c->ip4.addr_seen);