Add outbound_addr to allow for SNAT instead of MASQ

Signed-off-by: lto-dev <[email protected]>

Author: lto-dev

src/firewall/iptables.rs

@@ -62,6 +62,7 @@ impl firewall::FirewallDriver for IptablesDriver {
                     network_setup.bridge_name.clone(),
                     network_setup.isolation,
                     network_setup.dns_port,
+                    network_setup.outbound_addr,
                 );
 
                 create_network_chains(chains)?;
@@ -91,6 +92,7 @@ impl firewall::FirewallDriver for IptablesDriver {
                     tear.config.bridge_name.clone(),
                     tear.config.isolation,
                     tear.config.dns_port,
+                    tear.config.outbound_addr,
                 );
 
                 for c in &chains {

src/firewall/nft.rs

@@ -367,18 +367,58 @@ impl firewall::FirewallDriver for Nftables {
                     ],
                 ));
 
-                // Subnet chain: ip daddr != 224.0.0.0/4 masquerade
+                // Subnet chain: ip daddr != 224.0.0.0/4 snat/masquerade
                 let multicast_address: IpNet = match subnet {
                     IpNet::V4(_) => "224.0.0.0/4".parse()?,
                     IpNet::V6(_) => "ff::00/8".parse()?,
                 };
-                batch.add(make_rule(
-                    &chain,
-                    vec![
-                        get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
-                        stmt::Statement::Masquerade(None),
-                    ],
-                ));
+
+                // If outbound_addr is set and valid IPv4, use SNAT, otherwise use MASQUERADE
+                if let Some(addr) = network_setup.outbound_addr {
+                    if let IpNet::V4(_) = subnet {
+                        if addr.is_ipv4() {
+                            log::trace!("Creating SNAT rule with outbound address {}", addr);
+                            batch.add(make_rule(
+                                &chain,
+                                vec![
+                                    get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
+                                    stmt::Statement::SNAT(Some(stmt::NAT {
+                                        addr: Some(expr::Expression::String(addr.to_string())),
+                                        family: Some(stmt::NATFamily::IP),
+                                        port: None,
+                                        flags: None,
+                                    })),
+                                ],
+                            ));
+                        } else {
+                            log::trace!("Outbound address {} is not IPv4, using default MASQUERADE rule", addr);
+                            batch.add(make_rule(
+                                &chain,
+                                vec![
+                                    get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
+                                    stmt::Statement::Masquerade(None),
+                                ],
+                            ));
+                        }
+                    } else {
+                        batch.add(make_rule(
+                            &chain,
+                            vec![
+                                get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
+                                stmt::Statement::Masquerade(None),
+                            ],
+                        ));
+                    }
+                } else {
+                    log::trace!("No outbound address set, using default MASQUERADE rule");
+                    batch.add(make_rule(
+                        &chain,
+                        vec![
+                            get_subnet_match(&multicast_address, "daddr", stmt::Operator::NEQ),
+                            stmt::Statement::Masquerade(None),
+                        ],
+                    ));
+                }
 
                 // Next, populate basic chains with forwarding rules
                 // Input chain: ip saddr <subnet> udp dport 53 accept

src/firewall/state.rs

@@ -272,8 +272,9 @@ mod tests {
             network_hash_name: "hash".to_string(),
             isolation: IsolateOption::Never,
             dns_port: 53,
+            outbound_addr: None,
         };
-        let net_conf_json = r#"{"subnets":["10.0.0.0/24"],"bridge_name":"bridge","network_id":"c2c8a073252874648259997d53b0a1bffa491e21f04bc1bf8609266359931395","network_hash_name":"hash","isolation":"Never","dns_port":53}"#;
+        let net_conf_json = r#"{"subnets":["10.0.0.0/24"],"bridge_name":"bridge","network_id":"c2c8a073252874648259997d53b0a1bffa491e21f04bc1bf8609266359931395","network_hash_name":"hash","isolation":"Never","dns_port":53,"outbound_addr":null}"#;
 
         let port_conf = PortForwardConfig {
             container_id: container_id.to_string(),

src/firewall/varktables/types.rs

@@ -200,6 +200,7 @@ pub fn get_network_chains<'a>(
     interface_name: String,
     isolation: IsolateOption,
     dns_port: u16,
+    outbound_addr: Option<IpAddr>,
 ) -> Vec<VarkChain<'a>> {
     let mut chains = Vec::new();
     let prefixed_network_hash_name = format!("{}-{}", "NETAVARK", network_hash_name);
@@ -222,10 +223,27 @@ pub fn get_network_chains<'a>(
     if is_ipv6 {
         multicast_dest = MULTICAST_NET_V6;
     }
-    hashed_network_chain.build_rule(VarkRule::new(
-        format!("! -d {multicast_dest} -j {MASQUERADE}"),
-        Some(TeardownPolicy::OnComplete),
-    ));
+    if let Some(addr) = outbound_addr {
+        if !is_ipv6 && addr.is_ipv4() {
+            log::trace!("Creating SNAT rule with outbound address {}", addr);
+            hashed_network_chain.build_rule(VarkRule::new(
+                format!("! -d {multicast_dest} -j SNAT --to-source {}", addr),
+                Some(TeardownPolicy::OnComplete),
+            ));
+        } else {
+            log::trace!("Outbound address {} is not IPv4, using default MASQUERADE rule", addr);
+            hashed_network_chain.build_rule(VarkRule::new(
+                format!("! -d {multicast_dest} -j {MASQUERADE}"),
+                Some(TeardownPolicy::OnComplete),
+            ));
+        }
+    } else {
+        log::trace!("No outbound address set, using default MASQUERADE rule");
+        hashed_network_chain.build_rule(VarkRule::new(
+            format!("! -d {multicast_dest} -j {MASQUERADE}"),
+            Some(TeardownPolicy::OnComplete),
+        ));
+    }
     chains.push(hashed_network_chain);
 
     // POSTROUTING

src/network/bridge.rs

@@ -392,6 +392,7 @@ impl<'a> Bridge<'a> {
             network_hash_name: id_network_hash.clone(),
             isolation: isolate,
             dns_port: self.info.dns_port,
+            outbound_addr: self.info.network.outbound_addr,
         };
 
         let mut has_ipv4 = false;

src/network/constants.rs

@@ -24,6 +24,7 @@ pub const OPTION_BCLIM: &str = "bclim";
 pub const OPTION_VRF: &str = "vrf";
 pub const OPTION_VLAN: &str = "vlan";
 pub const OPTION_HOST_INTERFACE_NAME: &str = "host_interface_name";
+pub const OPTION_OUTBOUND_ADDR: &str = "outbound_addr";
 
 /// 100 is the default metric for most Linux networking tools.
 pub const DEFAULT_METRIC: u32 = 100;

src/network/internal_types.rs

@@ -26,6 +26,8 @@ pub struct SetupNetwork {
     pub isolation: IsolateOption,
     /// port used for the dns server
     pub dns_port: u16,
+    /// outbound address for SNAT
+    pub outbound_addr: Option<IpAddr>,
 }
 
 #[derive(Debug)]

src/network/types.rs

@@ -57,6 +57,10 @@ pub struct Network {
     /// Network DNS servers for aardvark-dns.
     #[serde(rename = "network_dns_servers")]
     pub network_dns_servers: Option<Vec<IpAddr>>,
+
+    /// outbound addr for this network.
+    #[serde(rename = "outbound_addr")]
+    pub outbound_addr: Option<IpAddr>,
 }
 
 /// NetworkOptions for a given container.