[lxc-devel] [lxd/master] Allow setting the NAT source address (SNAT instead of MASQUERADE)

tomponline on Github lxc-bot at linuxcontainers.org
Sun Apr 14 15:46:47 UTC 2019


From 6b6d0fb22632c23aadbab27d7588f5badfaa1bb6 Mon Sep 17 00:00:00 2001
From: tomponline <tomp at tomp.uk>
Date: Sun, 14 Apr 2019 15:01:34 +0000
Subject: [PATCH 1/2] Adds network config options to specify outbound SNAT
 source addresses:

ipv4.nat.address
ipv6.nat.address

Signed-off-by: tomponline <tomp at tomp.uk>
---
 lxd/networks_config.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lxd/networks_config.go b/lxd/networks_config.go
index e2a31e4e2e..ae9194eaf0 100644
--- a/lxd/networks_config.go
+++ b/lxd/networks_config.go
@@ -67,6 +67,7 @@ var networkConfigKeys = map[string]func(value string) error{
 	"ipv4.nat.order": func(value string) error {
 		return shared.IsOneOf(value, []string{"before", "after"})
 	},
+	"ipv4.nat.address":  networkValidAddressV4,
 	"ipv4.dhcp":         shared.IsBool,
 	"ipv4.dhcp.gateway": networkValidAddressV4,
 	"ipv4.dhcp.expiry":  shared.IsAny,
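Review bot: The new `ipv4.nat.address` key (and `ipv6.nat.address` in the next hunk) is validated only for address syntax, so a value that is not an address actually held by the host is accepted here and only fails, or silently blackholes return traffic, once the SNAT rule is installed at network start; that constraint belongs in the key's documentation, e.g. `// ipv4.nat.address: IPv4 address used as the SNAT source; must be an address configured on the host`. Neither patch in this series appears to touch the user-facing network documentation or the API extensions list that LXD conventionally updates for a new config key, so verify that is covered elsewhere. The `networkConfigKeys` map starts and ends outside the hunk.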
@@ -86,6 +87,7 @@ var networkConfigKeys = map[string]func(value string) error{
 	"ipv6.nat.order": func(value string) error {
 		return shared.IsOneOf(value, []string{"before", "after"})
 	},
+	"ipv6.nat.address":   networkValidAddressV6,
 	"ipv6.dhcp":          shared.IsBool,
 	"ipv6.dhcp.expiry":   shared.IsAny,
 	"ipv6.dhcp.stateful": shared.IsBool,

From 972dbafe6ee85fe8ddf7c40fc349480bae19767e Mon Sep 17 00:00:00 2001
From: tomponline <tomp at tomp.uk>
Date: Sun, 14 Apr 2019 15:42:41 +0000
Subject: [PATCH 2/2] Allow setting the NAT source address (SNAT instead of
 MASQUERADE).

Uses the following network settings:

ipv4.nat.address
ipv6.nat.address

Fixes #5648

Signed-off-by: tomponline <tomp at tomp.uk>
---
 lxd/networks.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/lxd/networks.go b/lxd/networks.go
index b957452301..f7bf561220 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -1276,13 +1276,19 @@ func (n *network) Start() error {
 
 		// Configure NAT
 		if shared.IsTrue(n.config["ipv4.nat"]) {
+			//If a SNAT source address is specified, use that, otherwise default to using MASQUERADE mode.
+			args := []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE"}
+			if n.config["ipv4.nat.address"] != "" {
+				args = []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "SNAT", "--to", n.config["ipv4.nat.address"]}
+			}
+
 			if n.config["ipv4.nat.order"] == "after" {
-				err = networkIptablesAppend("ipv4", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+				err = networkIptablesAppend("ipv4", n.name, "nat", "POSTROUTING", args...)
 				if err != nil {
 					return err
 				}
 			} else {
-				err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+				err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", args...)
 				if err != nil {
 					return err
 				}
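Review bot: The SNAT rule built in this hunk uses `--to`, which iptables only accepts as an unambiguous abbreviation of the documented `--to-source` option; spelling it out avoids relying on option-prefix matching, and the same applies to the ipv6 hunk below. The two argument lists also duplicate the `-s`/`!`/`-d` prefix, the comment above them lacks the space after `//` that the rest of the file uses, and the ipv6 branch carries no comment at all, so building the common prefix once and appending the jump target keeps both branches in step. The address reaching iptables here is only as safe as the `ipv4.nat.address` validator added in the first patch, so this change should not land without it. The enclosing `Start` method begins and ends outside the hunk.
```go
		if shared.IsTrue(n.config["ipv4.nat"]) {
			// Build the shared match once; use SNAT with an explicit source
			// when one is configured, otherwise fall back to MASQUERADE.
			args := []string{"-s", subnet.String(), "!", "-d", subnet.String()}
			if addr := n.config["ipv4.nat.address"]; addr != "" {
				args = append(args, "-j", "SNAT", "--to-source", addr)
			} else {
				args = append(args, "-j", "MASQUERADE")
			}
			// … unchanged: ipv4.nat.order append/prepend calls …
```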
@@ -1445,13 +1451,18 @@ func (n *network) Start() error {
 
 		// Configure NAT
 		if shared.IsTrue(n.config["ipv6.nat"]) {
+			args := []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE"}
+			if n.config["ipv6.nat.address"] != "" {
+				args = []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "SNAT", "--to", n.config["ipv6.nat.address"]}
+			}
+
 			if n.config["ipv6.nat.order"] == "after" {
-				err = networkIptablesAppend("ipv6", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+				err = networkIptablesAppend("ipv6", n.name, "nat", "POSTROUTING", args...)
 				if err != nil {
 					return err
 				}
 			} else {
-				err = networkIptablesPrepend("ipv6", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+				err = networkIptablesPrepend("ipv6", n.name, "nat", "POSTROUTING", args...)
 				if err != nil {
 					return err
 				}

