1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-23 21:34:54 +03:00

net: support set public ip range for forward mode nat

Support setting which public ip to use for NAT via attribute
address in subelement <nat> in <forward>:

...
  <forward mode='nat'>
      <address start='1.2.3.4' end='1.2.3.10'/>
  </forward>
...

This will construct an iptables line using:

  '-j SNAT --to-source <start>-<end>'

instead of:

  '-j MASQUERADE'

Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Laine Stump <laine@laine.org>
This commit is contained in:
Natanael Copa 2013-02-19 11:44:14 +01:00 committed by Laine Stump
parent 5d6f636764
commit 905629f47e
6 changed files with 245 additions and 15 deletions

View File

@ -136,6 +136,24 @@
network, and to/from the host to the guests, are network, and to/from the host to the guests, are
unrestricted and not NATed.<span class="since">Since unrestricted and not NATed.<span class="since">Since
0.4.2</span> 0.4.2</span>
<p><span class="since">Since 1.0.3</span> it is possible to
specify a public IPv4 address range to be used for the NAT by
using the <code>&lt;nat&gt;</code> and
<code>&lt;address&gt;</code> subelements.
<pre>
...
&lt;forward mode='nat'&gt;
&lt;nat&gt;
&lt;address start='1.2.3.4' end='1.2.3.10'/&gt;
&lt;/nat&gt;
&lt;/forward&gt;
...
</pre>
An singe IPv4 address can be set by setting
<code>start</code> and <code>end</code> attributes to
the same value.
</p>
</dd> </dd>
<dt><code>route</code></dt> <dt><code>route</code></dt>

View File

@ -1324,6 +1324,81 @@ cleanup:
return result; return result;
} }
static int
virNetworkForwardNatDefParseXML(const char *networkName,
xmlNodePtr node,
xmlXPathContextPtr ctxt,
virNetworkForwardDefPtr def)
{
int ret = -1;
xmlNodePtr *natAddrNodes = NULL;
int nNatAddrs;
char *addrStart = NULL;
char *addrEnd = NULL;
xmlNodePtr save = ctxt->node;
ctxt->node = node;
if (def->type != VIR_NETWORK_FORWARD_NAT) {
virReportError(VIR_ERR_XML_ERROR,
_("The <nat> element can only be used when <forward> 'mode' is 'nat' in network %s"),
networkName);
goto cleanup;
}
/* addresses for SNAT */
nNatAddrs = virXPathNodeSet("./address", ctxt, &natAddrNodes);
if (nNatAddrs < 0) {
virReportError(VIR_ERR_XML_ERROR,
_("invalid <address> element found in <forward> of "
"network %s"), networkName);
goto cleanup;
} else if (nNatAddrs > 1) {
virReportError(VIR_ERR_XML_ERROR,
_("Only one <address> element is allowed in <nat> in "
"<forward> in network %s"), networkName);
goto cleanup;
} else if (nNatAddrs == 1) {
addrStart = virXMLPropString(*natAddrNodes, "start");
if (addrStart == NULL) {
virReportError(VIR_ERR_XML_ERROR,
_("missing 'start' attribute in <address> element in <nat> in "
"<forward> in network %s"), networkName);
goto cleanup;
}
addrEnd = virXMLPropString(*natAddrNodes, "end");
if (addrEnd == NULL) {
virReportError(VIR_ERR_XML_ERROR,
_("missing 'end' attribute in <address> element in <nat> in "
"<forward> in network %s"), networkName);
goto cleanup;
}
}
if (addrStart && virSocketAddrParse(&def->addrStart, addrStart, AF_INET) < 0) {
virReportError(VIR_ERR_XML_ERROR,
_("Bad ipv4 start address '%s' in <nat> in <forward> in "
"network '%s'"), addrStart, networkName);
goto cleanup;
}
if (addrEnd && virSocketAddrParse(&def->addrEnd, addrEnd, AF_INET) < 0) {
virReportError(VIR_ERR_XML_ERROR,
_("Bad ipv4 end address '%s' in <nat> in <forward> in "
"network '%s'"), addrEnd, networkName);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(addrStart);
VIR_FREE(addrEnd);
VIR_FREE(natAddrNodes);
ctxt->node = save;
return ret;
}
static int static int
virNetworkForwardDefParseXML(const char *networkName, virNetworkForwardDefParseXML(const char *networkName,
xmlNodePtr node, xmlNodePtr node,
@ -1334,7 +1409,8 @@ virNetworkForwardDefParseXML(const char *networkName,
xmlNodePtr *forwardIfNodes = NULL; xmlNodePtr *forwardIfNodes = NULL;
xmlNodePtr *forwardPfNodes = NULL; xmlNodePtr *forwardPfNodes = NULL;
xmlNodePtr *forwardAddrNodes = NULL; xmlNodePtr *forwardAddrNodes = NULL;
int nForwardIfs, nForwardAddrs, nForwardPfs; xmlNodePtr *forwardNatNodes = NULL;
int nForwardIfs, nForwardAddrs, nForwardPfs, nForwardNats;
char *forwardDev = NULL; char *forwardDev = NULL;
char *forwardManaged = NULL; char *forwardManaged = NULL;
char *type = NULL; char *type = NULL;
@ -1384,6 +1460,24 @@ virNetworkForwardDefParseXML(const char *networkName,
goto cleanup; goto cleanup;
} }
nForwardNats = virXPathNodeSet("./nat", ctxt, &forwardNatNodes);
if (nForwardNats < 0) {
virReportError(VIR_ERR_XML_ERROR,
_("invalid <nat> element found in <forward> of network %s"),
networkName);
goto cleanup;
} else if (nForwardNats > 1) {
virReportError(VIR_ERR_XML_ERROR,
_("Only one <nat> element is allowed in <forward> of network %s"),
networkName);
goto cleanup;
} else if (nForwardNats == 1) {
if (virNetworkForwardNatDefParseXML(networkName,
*forwardNatNodes,
ctxt, def) < 0)
goto cleanup;
}
if (((nForwardIfs > 0) + (nForwardAddrs > 0) + (nForwardPfs > 0)) > 1) { if (((nForwardIfs > 0) + (nForwardAddrs > 0) + (nForwardPfs > 0)) > 1) {
virReportError(VIR_ERR_XML_ERROR, virReportError(VIR_ERR_XML_ERROR,
_("<address>, <interface>, and <pf> elements in <forward> " _("<address>, <interface>, and <pf> elements in <forward> "
@ -1525,6 +1619,7 @@ cleanup:
VIR_FREE(forwardPfNodes); VIR_FREE(forwardPfNodes);
VIR_FREE(forwardIfNodes); VIR_FREE(forwardIfNodes);
VIR_FREE(forwardAddrNodes); VIR_FREE(forwardAddrNodes);
VIR_FREE(forwardNatNodes);
ctxt->node = save; ctxt->node = save;
return ret; return ret;
} }
@ -2078,6 +2173,47 @@ virPortGroupDefFormat(virBufferPtr buf,
return 0; return 0;
} }
static int
virNetworkForwardNatDefFormat(virBufferPtr buf,
const virNetworkForwardDefPtr fwd)
{
char *addrStart = NULL;
char *addrEnd = NULL;
int ret = -1;
if (VIR_SOCKET_ADDR_VALID(&fwd->addrStart)) {
addrStart = virSocketAddrFormat(&fwd->addrStart);
if (!addrStart)
goto cleanup;
}
if (VIR_SOCKET_ADDR_VALID(&fwd->addrEnd)) {
addrEnd = virSocketAddrFormat(&fwd->addrEnd);
if (!addrEnd)
goto cleanup;
}
if (!addrEnd && !addrStart)
return 0;
virBufferAddLit(buf, "<nat>\n");
virBufferAdjustIndent(buf, 2);
virBufferAsprintf(buf, "<address start='%s'", addrStart);
if (addrEnd)
virBufferAsprintf(buf, " end='%s'", addrEnd);
virBufferAddLit(buf, "/>\n");
virBufferAdjustIndent(buf, -2);
virBufferAddLit(buf, "</nat>\n");
ret = 0;
cleanup:
VIR_FREE(addrStart);
VIR_FREE(addrEnd);
return ret;
}
static int static int
virNetworkDefFormatInternal(virBufferPtr buf, virNetworkDefFormatInternal(virBufferPtr buf,
const virNetworkDefPtr def, const virNetworkDefPtr def,
@ -2085,7 +2221,7 @@ virNetworkDefFormatInternal(virBufferPtr buf,
{ {
unsigned char *uuid; unsigned char *uuid;
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
int ii; int ii, shortforward;
virBufferAddLit(buf, "<network"); virBufferAddLit(buf, "<network");
if (!(flags & VIR_NETWORK_XML_INACTIVE) && (def->connections > 0)) { if (!(flags & VIR_NETWORK_XML_INACTIVE) && (def->connections > 0)) {
@ -2122,10 +2258,17 @@ virNetworkDefFormatInternal(virBufferPtr buf,
else else
virBufferAddLit(buf, " managed='no'"); virBufferAddLit(buf, " managed='no'");
} }
virBufferAsprintf(buf, "%s>\n", shortforward = !(def->forward.nifs || def->forward.npfs
(def->forward.nifs || def->forward.npfs) ? "" : "/"); || VIR_SOCKET_ADDR_VALID(&def->forward.addrStart)
|| VIR_SOCKET_ADDR_VALID(&def->forward.addrEnd));
virBufferAsprintf(buf, "%s>\n", shortforward ? "/" : "");
virBufferAdjustIndent(buf, 2); virBufferAdjustIndent(buf, 2);
if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (virNetworkForwardNatDefFormat(buf, &def->forward) < 0)
goto error;
}
/* For now, hard-coded to at most 1 forward.pfs */ /* For now, hard-coded to at most 1 forward.pfs */
if (def->forward.npfs) if (def->forward.npfs)
virBufferEscapeString(buf, "<pf dev='%s'/>\n", virBufferEscapeString(buf, "<pf dev='%s'/>\n",
@ -2155,7 +2298,7 @@ virNetworkDefFormatInternal(virBufferPtr buf,
} }
} }
virBufferAdjustIndent(buf, -2); virBufferAdjustIndent(buf, -2);
if (def->forward.npfs || def->forward.nifs) if (!shortforward)
virBufferAddLit(buf, "</forward>\n"); virBufferAddLit(buf, "</forward>\n");
} }

View File

@ -174,6 +174,9 @@ struct _virNetworkForwardDef {
size_t nifs; size_t nifs;
virNetworkForwardIfDefPtr ifs; virNetworkForwardIfDefPtr ifs;
/* adresses for SNAT */
virSocketAddr addrStart, addrEnd;
}; };
typedef struct _virPortGroupDef virPortGroupDef; typedef struct _virPortGroupDef virPortGroupDef;

View File

@ -1587,6 +1587,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
NULL) < 0) { NULL) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
forwardIf ? forwardIf ?
@ -1601,6 +1603,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
"udp") < 0) { "udp") < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
forwardIf ? forwardIf ?
@ -1615,6 +1619,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
"tcp") < 0) { "tcp") < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, virReportError(VIR_ERR_SYSTEM_ERROR,
forwardIf ? forwardIf ?
@ -1631,12 +1637,16 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
"udp"); "udp");
masqerr4: masqerr4:
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
NULL); NULL);
masqerr3: masqerr3:
iptablesRemoveForwardAllowRelatedIn(driver->iptables, iptablesRemoveForwardAllowRelatedIn(driver->iptables,
@ -1667,16 +1677,22 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
"tcp"); "tcp");
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
"udp"); "udp");
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
&ipdef->address, &ipdef->address,
prefix, prefix,
forwardIf, forwardIf,
&network->def->forward.addrStart,
&network->def->forward.addrEnd,
NULL); NULL);
iptablesRemoveForwardAllowRelatedIn(driver->iptables, iptablesRemoveForwardAllowRelatedIn(driver->iptables,

View File

@ -805,11 +805,16 @@ iptablesForwardMasquerade(iptablesContext *ctx,
virSocketAddr *netaddr, virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddr *addrStart,
virSocketAddr *addrEnd,
const char *protocol, const char *protocol,
int action) int action)
{ {
int ret; int ret = -1;
char *networkstr; char *networkstr = NULL;
char *addrStartStr = NULL;
char *addrEndStr = NULL;
char *natRangeStr = NULL;
virCommandPtr cmd = NULL; virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
@ -820,8 +825,16 @@ iptablesForwardMasquerade(iptablesContext *ctx,
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("Attempted to NAT '%s'. NAT is only supported for IPv4."), _("Attempted to NAT '%s'. NAT is only supported for IPv4."),
networkstr); networkstr);
VIR_FREE(networkstr); goto cleanup;
return -1; }
if (VIR_SOCKET_ADDR_IS_FAMILY(addrStart, AF_INET)) {
if (!(addrStartStr = virSocketAddrFormat(addrStart)))
goto cleanup;
if (VIR_SOCKET_ADDR_IS_FAMILY(addrEnd, AF_INET)) {
if (!(addrEndStr = virSocketAddrFormat(addrEnd)))
goto cleanup;
}
} }
cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action); cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
@ -835,13 +848,42 @@ iptablesForwardMasquerade(iptablesContext *ctx,
if (physdev && physdev[0]) if (physdev && physdev[0])
virCommandAddArgList(cmd, "--out-interface", physdev, NULL); virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); /* Use --jump SNAT if public addr is specified */
if (addrStartStr && addrStartStr[0]) {
const char *portStr = "";
int r = 0;
if (protocol && protocol[0]) if (protocol && protocol[0])
virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); portStr = ":1024-65535";
ret = iptablesCommandRunAndFree(cmd); if (addrEndStr && addrEndStr[0]) {
r = virAsprintf(&natRangeStr, "%s-%s%s", addrStartStr, addrEndStr,
portStr);
} else {
r = virAsprintf(&natRangeStr, "%s%s", addrStartStr, portStr);
}
if (r < 0) {
virReportOOMError();
goto cleanup;
}
virCommandAddArgList(cmd, "--jump", "SNAT",
"--to-source", natRangeStr, NULL);
} else {
virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
if (protocol && protocol[0])
virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL);
}
ret = virCommandRun(cmd, NULL);
cleanup:
virCommandFree(cmd);
VIR_FREE(networkstr); VIR_FREE(networkstr);
VIR_FREE(addrStartStr);
VIR_FREE(addrEndStr);
VIR_FREE(natRangeStr);
return ret; return ret;
} }
@ -863,9 +905,11 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
virSocketAddr *netaddr, virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddr *addrStart,
virSocketAddr *addrEnd,
const char *protocol) const char *protocol)
{ {
return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, ADD); return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addrStart, addrEnd, protocol, ADD);
} }
/** /**
@ -886,9 +930,11 @@ iptablesRemoveForwardMasquerade(iptablesContext *ctx,
virSocketAddr *netaddr, virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddr *addrStart,
virSocketAddr *addrEnd,
const char *protocol) const char *protocol)
{ {
return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, protocol, REMOVE); return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addrStart, addrEnd, protocol, REMOVE);
} }

View File

@ -107,11 +107,15 @@ int iptablesAddForwardMasquerade (iptablesContext *ctx,
virSocketAddr *netaddr, virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddr *addrStart,
virSocketAddr *addrEnd,
const char *protocol); const char *protocol);
int iptablesRemoveForwardMasquerade (iptablesContext *ctx, int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
virSocketAddr *netaddr, virSocketAddr *netaddr,
unsigned int prefix, unsigned int prefix,
const char *physdev, const char *physdev,
virSocketAddr *addrStart,
virSocketAddr *addrEnd,
const char *protocol); const char *protocol);
int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,
const char *iface, const char *iface,