Updated code as suggested.

Added tests for nftables and iptables

Signed-off-by: lto-dev <[email protected]>

Author: lto-dev

src/firewall/iptables.rs

@@ -3,7 +3,8 @@ use crate::firewall;
 use crate::firewall::firewalld;
 use crate::firewall::varktables::types::TeardownPolicy::OnComplete;
 use crate::firewall::varktables::types::{
-    create_network_chains, get_network_chains, get_port_forwarding_chains, TeardownPolicy,
+    create_network_chains, get_network_chains, get_port_forwarding_chains, NetworkChainConfig,
+    TeardownPolicy,
 };
 use crate::network::internal_types::{
     PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
@@ -54,16 +55,15 @@ impl firewall::FirewallDriver for IptablesDriver {
                     conn = &self.conn6;
                 }
 
-                let chains = get_network_chains(
-                    conn,
+                let config = NetworkChainConfig {
                     network,
-                    &network_setup.network_hash_name,
-                    is_ipv6,
-                    network_setup.bridge_name.clone(),
-                    network_setup.isolation,
-                    network_setup.dns_port,
-                    network_setup.outbound_addr,
-                );
+                    network_hash_name: network_setup.network_hash_name.clone(),
+                    interface_name: network_setup.bridge_name.clone(),
+                    isolation: network_setup.isolation,
+                    dns_port: network_setup.dns_port,
+                    outbound_addr: network_setup.outbound_addr,
+                };
+                let chains = get_network_chains(conn, config);
 
                 create_network_chains(chains)?;
 
@@ -84,16 +84,15 @@ impl firewall::FirewallDriver for IptablesDriver {
                 if is_ipv6 {
                     conn = &self.conn6;
                 }
-                let chains = get_network_chains(
-                    conn,
+                let config = NetworkChainConfig {
                     network,
-                    &tear.config.network_hash_name,
-                    is_ipv6,
-                    tear.config.bridge_name.clone(),
-                    tear.config.isolation,
-                    tear.config.dns_port,
-                    tear.config.outbound_addr,
-                );
+                    network_hash_name: tear.config.network_hash_name.clone(),
+                    interface_name: tear.config.bridge_name.clone(),
+                    isolation: tear.config.isolation,
+                    dns_port: tear.config.dns_port,
+                    outbound_addr: tear.config.outbound_addr,
+                };
+                let chains = get_network_chains(conn, config);
 
                 for c in &chains {
                     c.remove_rules(tear.complete_teardown)?;

src/firewall/state.rs

@@ -274,7 +274,7 @@ mod tests {
             dns_port: 53,
             outbound_addr: None,
         };
-        let net_conf_json = r#"{"subnets":["10.0.0.0/24"],"bridge_name":"bridge","network_id":"c2c8a073252874648259997d53b0a1bffa491e21f04bc1bf8609266359931395","network_hash_name":"hash","isolation":"Never","dns_port":53,"outbound_addr":null}"#;
+        let net_conf_json = r#"{"subnets":["10.0.0.0/24"],"bridge_name":"bridge","network_id":"c2c8a073252874648259997d53b0a1bffa491e21f04bc1bf8609266359931395","network_hash_name":"hash","isolation":"Never","dns_port":53}"#;
 
         let port_conf = PortForwardConfig {
             container_id: container_id.to_string(),

src/firewall/varktables/types.rs

@@ -66,6 +66,7 @@ impl VarkRule {
         &self.rule
     }
 }
+
 // Varkchain is an iptable chain with extra info
 pub struct VarkChain<'a> {
     // name of chain
@@ -192,19 +193,23 @@ pub fn create_network_chains(chains: Vec<VarkChain<'_>>) -> NetavarkResult<()> {
     Ok(())
 }
 
-#[allow(clippy::too_many_arguments)]
-pub fn get_network_chains<'a>(
-    conn: &'a IPTables,
-    network: IpNet,
-    network_hash_name: &'a str,
-    is_ipv6: bool,
-    interface_name: String,
-    isolation: IsolateOption,
-    dns_port: u16,
-    outbound_addr: Option<IpAddr>,
-) -> Vec<VarkChain<'a>> {
+pub struct NetworkChainConfig {
+    pub network: IpNet,
+    pub network_hash_name: String,
+    pub interface_name: String,
+    pub isolation: IsolateOption,
+    pub dns_port: u16,
+    pub outbound_addr: Option<IpAddr>,
+}
+
+pub fn get_network_chains(conn: &IPTables, config: NetworkChainConfig) -> Vec<VarkChain<'_>> {
     let mut chains = Vec::new();
-    let prefixed_network_hash_name = format!("{}-{}", "NETAVARK", network_hash_name);
+    let prefixed_network_hash_name = format!("{}-{}", "NETAVARK", config.network_hash_name);
+
+    let is_ipv6 = match config.network {
+        IpNet::V4(_) => false,
+        IpNet::V6(_) => true,
+    };
 
     // NETAVARK-HASH
     let mut hashed_network_chain = VarkChain::new(
@@ -216,15 +221,15 @@ pub fn get_network_chains<'a>(
     hashed_network_chain.create = true;
 
     hashed_network_chain.build_rule(VarkRule::new(
-        format!("-d {network} -j {ACCEPT}"),
+        format!("-d {} -j {}", config.network, ACCEPT),
         Some(TeardownPolicy::OnComplete),
     ));
 
     let mut multicast_dest = MULTICAST_NET_V4;
     if is_ipv6 {
         multicast_dest = MULTICAST_NET_V6;
     }
-    if let Some(addr) = outbound_addr {
+    if let Some(addr) = config.outbound_addr {
         if !is_ipv6 && addr.is_ipv4() {
             log::trace!("Creating SNAT rule with outbound address {}", addr);
             hashed_network_chain.build_rule(VarkRule::new(
@@ -254,7 +259,7 @@ pub fn get_network_chains<'a>(
     let mut postrouting_chain =
         VarkChain::new(conn, NAT.to_string(), POSTROUTING.to_string(), None);
     postrouting_chain.build_rule(VarkRule::new(
-        format!("-s {network} -j {prefixed_network_hash_name}"),
+        format!("-s {} -j {}", config.network, prefixed_network_hash_name),
         Some(TeardownPolicy::OnComplete),
     ));
     chains.push(postrouting_chain);
@@ -294,7 +299,7 @@ pub fn get_network_chains<'a>(
     );
     netavark_isolation_chain_3.create = true;
 
-    if let IsolateOption::Normal | IsolateOption::Strict = isolation {
+    if let IsolateOption::Normal | IsolateOption::Strict = config.isolation {
         debug!("Add extra isolate rules");
         // NETAVARK_ISOLATION_1
         let mut netavark_isolation_chain_1 = VarkChain::new(
@@ -312,7 +317,7 @@ pub fn get_network_chains<'a>(
             td_policy: Some(TeardownPolicy::OnComplete),
         });
 
-        let netavark_isolation_1_target = if let IsolateOption::Strict = isolation {
+        let netavark_isolation_1_target = if let IsolateOption::Strict = config.isolation {
             // NETAVARK_ISOLATION_1 -i bridge_name ! -o bridge_name -j NETAVARK_ISOLATION_3
             NETAVARK_ISOLATION_3
         } else {
@@ -321,15 +326,16 @@ pub fn get_network_chains<'a>(
         };
         netavark_isolation_chain_1.build_rule(VarkRule {
             rule: format!(
-                "-i {interface_name} ! -o {interface_name} -j {netavark_isolation_1_target}"
+                "-i {} ! -o {} -j {}",
+                config.interface_name, config.interface_name, netavark_isolation_1_target
             ),
             position: Some(ind),
             td_policy: Some(TeardownPolicy::OnComplete),
         });
 
         // NETAVARK_ISOLATION_2 -o bridge_name -j DROP
         netavark_isolation_chain_2.build_rule(VarkRule {
-            rule: format!("-o {} -j {}", interface_name, "DROP"),
+            rule: format!("-o {} -j {}", config.interface_name, "DROP"),
             position: Some(ind),
             td_policy: Some(TeardownPolicy::OnComplete),
         });
@@ -350,7 +356,7 @@ pub fn get_network_chains<'a>(
 
         // NETAVARK_ISOLATION_3 -o bridge_name -j DROP
         netavark_isolation_chain_3.build_rule(VarkRule {
-            rule: format!("-o {} -j {}", interface_name, "DROP"),
+            rule: format!("-o {} -j {}", config.interface_name, "DROP"),
             position: Some(ind),
             td_policy: Some(TeardownPolicy::OnComplete),
         });
@@ -399,7 +405,7 @@ pub fn get_network_chains<'a>(
         netavark_input_chain.build_rule(VarkRule::new(
             format!(
                 "-p {} -s {} --dport {} -j {}",
-                proto, network, dns_port, ACCEPT
+                proto, config.network, config.dns_port, ACCEPT
             ),
             Some(TeardownPolicy::OnComplete),
         ));
@@ -417,14 +423,17 @@ pub fn get_network_chains<'a>(
     // Create incoming traffic rule
     // CNI did this by IP address, this is implemented per subnet
     netavark_forward_chain.build_rule(VarkRule::new(
-        format!("-d {network} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"),
+        format!(
+            "-d {} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+            config.network
+        ),
         Some(TeardownPolicy::OnComplete),
     ));
 
     // Create outgoing traffic rule
     // CNI did this by IP address, this is implemented per subnet
     netavark_forward_chain.build_rule(VarkRule::new(
-        format!("-s {network} -j ACCEPT"),
+        format!("-s {} -j ACCEPT", config.network),
         Some(TeardownPolicy::OnComplete),
     ));
     chains.push(netavark_forward_chain);

src/network/bridge.rs

@@ -23,7 +23,8 @@ use super::{
     constants::{
         ISOLATE_OPTION_FALSE, ISOLATE_OPTION_STRICT, ISOLATE_OPTION_TRUE,
         NO_CONTAINER_INTERFACE_ERROR, OPTION_HOST_INTERFACE_NAME, OPTION_ISOLATE, OPTION_METRIC,
-        OPTION_MODE, OPTION_MTU, OPTION_NO_DEFAULT_ROUTE, OPTION_VLAN, OPTION_VRF,
+        OPTION_MODE, OPTION_MTU, OPTION_NO_DEFAULT_ROUTE, OPTION_OUTBOUND_ADDR, OPTION_VLAN,
+        OPTION_VRF,
     },
     core_utils::{self, get_ipam_addresses, join_netns, parse_option, CoreUtils},
     driver::{self, DriverInfo},
@@ -392,7 +393,10 @@ impl<'a> Bridge<'a> {
             network_hash_name: id_network_hash.clone(),
             isolation: isolate,
             dns_port: self.info.dns_port,
-            outbound_addr: self.info.network.outbound_addr,
+            outbound_addr: parse_option::<IpAddr>(
+                &self.info.network.options,
+                OPTION_OUTBOUND_ADDR,
+            )?,
         };
 
         let mut has_ipv4 = false;

src/network/internal_types.rs

@@ -27,6 +27,8 @@ pub struct SetupNetwork {
     /// port used for the dns server
     pub dns_port: u16,
     /// outbound address for SNAT
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(default)]
     pub outbound_addr: Option<IpAddr>,
 }
 

src/network/types.rs

@@ -57,10 +57,6 @@ pub struct Network {
     /// Network DNS servers for aardvark-dns.
     #[serde(rename = "network_dns_servers")]
     pub network_dns_servers: Option<Vec<IpAddr>>,
-
-    /// outbound addr for this network.
-    #[serde(rename = "outbound_addr")]
-    pub outbound_addr: Option<IpAddr>,
 }
 
 /// NetworkOptions for a given container.

test/100-bridge-iptables.bats

@@ -1093,6 +1093,19 @@ function check_simple_bridge_iptables() {
     assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
 }
 
+@test "$fw_driver - bridge with outbound addr" {
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json setup $(get_container_netns_path)
+
+    # Check that the iptables rules were created with SNAT
+    run_in_host_netns iptables -t nat -S NETAVARK-2F259BAB93AAAAA
+    assert "${lines[2]}" == "-A NETAVARK-2F259BAB93AAAAA ! -d 224.0.0.0/4 -j SNAT --to-source 100.1.100.1" "SNAT rule with outbound address"
+
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json teardown $(get_container_netns_path)
+
+    # Check that the chain is removed
+    expected_rc=1 run_in_host_netns iptables -t nat -nvL NETAVARK-2F259BAB93AAAAA
+}
+
 @test "$fw_driver - aardvark-dns error cleanup" {
     expected_rc=1 run_netavark -a /usr/bin/false --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json setup $(get_container_netns_path)
     assert_json ".error" "error while applying dns entries: IO error: aardvark-dns exited unexpectedly without error message" "aardvark-dns error"

test/250-bridge-nftables.bats

@@ -1032,6 +1032,19 @@ function check_simple_bridge_nftables() {
     assert "$output" == $'table inet netavark {\n\tchain NETAVARK-HOSTPORT-DNAT {\n\t}\n}' "NETAVARK-HOSTPORT-DNAT chain must be empty"
 }
 
+@test "$fw_driver - bridge with outbound addr" {
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json setup $(get_container_netns_path)
+
+    # Check that the nftables rules were created with SNAT
+    run_in_host_netns nft list chain inet netavark nv_2f259bab_10_89_0_0_nm24
+    assert "${lines[3]}" =~ "ip daddr != 224.0.0.0/4 snat ip to 100.1.100.1" "SNAT rule with outbound address"
+
+    run_netavark --file ${TESTSDIR}/testfiles/bridge-outbound-addr.json teardown $(get_container_netns_path)
+
+    # Check that the chain is removed
+    expected_rc=1 run_in_host_netns nft list chain inet netavark nv_2f259bab_10_89_0_0_nm24
+}
+
 @test "$fw_driver - aardvark-dns error cleanup" {
     expected_rc=1 run_netavark -a /usr/bin/false --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json setup $(get_container_netns_path)
     assert_json ".error" "error while applying dns entries: IO error: aardvark-dns exited unexpectedly without error message" "aardvark-dns error"

test/testfiles/bridge-outbound-addr.json

@@ -0,0 +1,32 @@
+{
+    "container_id": "someID",
+    "container_name": "someName",
+    "networks": {
+        "podman1": {
+            "interface_name": "eth0",
+            "static_ips": [
+                "10.89.0.2"
+            ]        
+        }
+    },
+    "network_info": {
+        "podman1": {
+            "name": "podman1",
+            "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a9fc6",
+            "driver": "bridge",
+            "network_interface": "podman1",
+            "subnets": [
+                {
+                    "gateway": "10.89.0.1",
+                    "subnet": "10.89.0.0/24"
+                }
+            ],
+            "ipv6_enabled": false,
+            "internal": false,
+            "dns_enabled": true,
+            "options": {
+                "outbound_addr": "100.1.100.1"
+            }
+        }
+    }
+}