[lxc-devel] [lxd/master] Allow setting the NAT source address (SNAT instead of MASQUERADE)
tomponline on Github
lxc-bot at linuxcontainers.org
Sun Apr 14 15:46:47 UTC 2019
From 6b6d0fb22632c23aadbab27d7588f5badfaa1bb6 Mon Sep 17 00:00:00 2001
From: tomponline <tomp at tomp.uk>
Date: Sun, 14 Apr 2019 15:01:34 +0000
Subject: [PATCH 1/2] Adds network config options to specify outbound SNAT
source addresses:
ipv4.nat.address
ipv6.nat.address
Signed-off-by: tomponline <tomp at tomp.uk>
---
lxd/networks_config.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lxd/networks_config.go b/lxd/networks_config.go
index e2a31e4e2e..ae9194eaf0 100644
--- a/lxd/networks_config.go
+++ b/lxd/networks_config.go
@@ -67,6 +67,7 @@ var networkConfigKeys = map[string]func(value string) error{
"ipv4.nat.order": func(value string) error {
return shared.IsOneOf(value, []string{"before", "after"})
},
+ "ipv4.nat.address": networkValidAddressV4,
"ipv4.dhcp": shared.IsBool,
"ipv4.dhcp.gateway": networkValidAddressV4,
"ipv4.dhcp.expiry": shared.IsAny,
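Review bot: The new `ipv4.nat.address` entry is only checked for being a well-formed IPv4 address by `networkValidAddressV4`, and the same holds for `ipv6.nat.address` in the next hunk; nothing rejects an address that is not actually assigned to the host, which is what the SNAT rule built in the second patch needs for return traffic to arrive. If the validator cannot see the host's interfaces, a short comment on the entry such as `// SNAT source for outbound traffic; must be an address assigned to the host` would at least tell the next reader what the value is for. The diffstat lists only networks_config.go, so the user-facing configuration reference for these two keys does not appear to be updated in this series, though I cannot see the docs tree from here.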
@@ -86,6 +87,7 @@ var networkConfigKeys = map[string]func(value string) error{
"ipv6.nat.order": func(value string) error {
return shared.IsOneOf(value, []string{"before", "after"})
},
+ "ipv6.nat.address": networkValidAddressV6,
"ipv6.dhcp": shared.IsBool,
"ipv6.dhcp.expiry": shared.IsAny,
"ipv6.dhcp.stateful": shared.IsBool,
From 972dbafe6ee85fe8ddf7c40fc349480bae19767e Mon Sep 17 00:00:00 2001
From: tomponline <tomp at tomp.uk>
Date: Sun, 14 Apr 2019 15:42:41 +0000
Subject: [PATCH 2/2] Allow setting the NAT source address (SNAT instead of
MASQUERADE).
Uses the following network settings:
ipv4.nat.address
ipv6.nat.address
Fixes #5648
Signed-off-by: tomponline <tomp at tomp.uk>
---
lxd/networks.go | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/lxd/networks.go b/lxd/networks.go
index b957452301..f7bf561220 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -1276,13 +1276,19 @@ func (n *network) Start() error {
// Configure NAT
if shared.IsTrue(n.config["ipv4.nat"]) {
+ //If a SNAT source address is specified, use that, otherwise default to using MASQUERADE mode.
+ args := []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE"}
+ if n.config["ipv4.nat.address"] != "" {
+ args = []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "SNAT", "--to", n.config["ipv4.nat.address"]}
+ }
+
if n.config["ipv4.nat.order"] == "after" {
- err = networkIptablesAppend("ipv4", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+ err = networkIptablesAppend("ipv4", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
} else {
- err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+ err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
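Review bot: `n.config["ipv4.nat.address"]` is handed to iptables as the `--to` target with only the format validation from the first patch; unlike MASQUERADE, an SNAT rule keeps rewriting to that fixed address after it disappears from the host (interface reconfigured, address moved), so return traffic is silently dropped instead of the rule adapting. Verifying at Start() that the address is currently assigned to a host interface and returning an error otherwise, or failing that documenting the requirement on the key, would make that failure visible; the ipv6 branch in the following hunk has the same gap. As a point of style, the MASQUERADE and SNAT argument lists repeat the `-s ... ! -d ...` prefix, the comment is written `//If` without the conventional space, and the ipv6 hunk carries no comment at all; building the shared prefix once keeps the two modes from drifting. Start() continues outside the hunk.
```go
// Match traffic leaving the bridge subnet; rewrite its source to the
// configured SNAT address when one is set, otherwise fall back to MASQUERADE.
args := []string{"-s", subnet.String(), "!", "-d", subnet.String()}
if addr := n.config["ipv4.nat.address"]; addr != "" {
	args = append(args, "-j", "SNAT", "--to", addr)
} else {
	args = append(args, "-j", "MASQUERADE")
}
// … unchanged: ipv4.nat.order append/prepend of args …
```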
@@ -1445,13 +1451,18 @@ func (n *network) Start() error {
// Configure NAT
if shared.IsTrue(n.config["ipv6.nat"]) {
+ args := []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE"}
+ if n.config["ipv6.nat.address"] != "" {
+ args = []string{"-s", subnet.String(), "!", "-d", subnet.String(), "-j", "SNAT", "--to", n.config["ipv6.nat.address"]}
+ }
+
if n.config["ipv6.nat.order"] == "after" {
- err = networkIptablesAppend("ipv6", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+ err = networkIptablesAppend("ipv6", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
} else {
- err = networkIptablesPrepend("ipv6", n.name, "nat", "POSTROUTING", "-s", subnet.String(), "!", "-d", subnet.String(), "-j", "MASQUERADE")
+ err = networkIptablesPrepend("ipv6", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}