aboutgitcodebugslistschat
diff options
context:
space:
mode:
-rw-r--r--conf.c101
-rw-r--r--icmp.c24
-rw-r--r--passt.129
-rw-r--r--passt.h10
-rw-r--r--tcp.c60
-rw-r--r--udp.c54
6 files changed, 243 insertions, 35 deletions
diff --git a/conf.c b/conf.c
index 3aa3314..e2a7d68 100644
--- a/conf.c
+++ b/conf.c
@@ -775,7 +775,15 @@ static void usage(const char *name)
info( " -g, --gateway ADDR Pass IPv4 or IPv6 address as gateway");
info( " default: gateway from interface with default route");
info( " -i, --interface NAME Interface for addresses and routes");
- info( " default: interface with first default route");
+ info( " default: from --outbound-if4 and --outbound-if6, if any");
+ info( " otherwise interface with first default route");
+ info( " -o, --outbound ADDR Bind to address as outbound source");
+ info( " can be specified zero to two times (for IPv4 and IPv6)");
+ info( " default: use source address from routing tables");
+ info( " --outbound-if4 NAME Bind to outbound interface for IPv4");
+ info( " default: use interface from default route");
+ info( " --outbound-if6 NAME Bind to outbound interface for IPv6");
+ info( " default: use interface from default route");
info( " -D, --dns ADDR Use IPv4 or IPv6 address as DNS");
info( " can be specified multiple times");
info( " a single, empty option disables DNS information");
@@ -900,7 +908,7 @@ pasta_opts:
*/
static void conf_print(const struct ctx *c)
{
- char buf4[INET_ADDRSTRLEN], ifn[IFNAMSIZ];
+ char buf4[INET_ADDRSTRLEN], buf6[INET6_ADDRSTRLEN], ifn[IFNAMSIZ];
int i;
info("Template interface: %s%s%s%s%s",
@@ -910,6 +918,26 @@ static void conf_print(const struct ctx *c)
c->ifi6 ? if_indextoname(c->ifi6, ifn) : "",
c->ifi6 ? " (IPv6)" : "");
+ if (*c->ip4.ifname_out || *c->ip6.ifname_out) {
+ info("Outbound interface: %s%s%s%s%s",
+ *c->ip4.ifname_out ? c->ip4.ifname_out : "",
+ *c->ip4.ifname_out ? " (IPv4)" : "",
+ (*c->ip4.ifname_out && *c->ip6.ifname_out) ? ", " : "",
+ *c->ip6.ifname_out ? c->ip6.ifname_out : "",
+ *c->ip6.ifname_out ? " (IPv6)" : "");
+ }
+
+ if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) ||
+ !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) {
+ info("Outbound address: %s%s%s",
+ IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) ? "" :
+ inet_ntop(AF_INET, &c->ip4.addr_out, buf4, sizeof(buf4)),
+ (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) ? ", " : "",
+ IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) ? "" :
+ inet_ntop(AF_INET6, &c->ip6.addr_out, buf6, sizeof(buf6)));
+ }
+
if (c->mode == MODE_PASTA)
info("Namespace interface: %s", c->pasta_ifn);
@@ -948,8 +976,6 @@ static void conf_print(const struct ctx *c)
}
if (c->ifi6) {
- char buf6[INET6_ADDRSTRLEN];
-
if (!c->no_ndp && !c->no_dhcpv6)
info("NDP/DHCPv6:");
else if (!c->no_ndp)
@@ -1125,6 +1151,7 @@ void conf(struct ctx *c, int argc, char **argv)
{"mac-addr", required_argument, NULL, 'M' },
{"gateway", required_argument, NULL, 'g' },
{"interface", required_argument, NULL, 'i' },
+ {"outbound", required_argument, NULL, 'o' },
{"dns", required_argument, NULL, 'D' },
{"search", required_argument, NULL, 'S' },
{"no-tcp", no_argument, &c->no_tcp, 1 },
@@ -1157,6 +1184,8 @@ void conf(struct ctx *c, int argc, char **argv)
{"runas", required_argument, NULL, 12 },
{"log-size", required_argument, NULL, 13 },
{"version", no_argument, NULL, 14 },
+ {"outbound-if4", required_argument, NULL, 15 },
+ {"outbound-if6", required_argument, NULL, 16 },
{ 0 },
};
struct get_bound_ports_ns_arg ns_ports_arg = { .c = c };
@@ -1166,8 +1195,8 @@ void conf(struct ctx *c, int argc, char **argv)
struct in6_addr *dns6 = c->ip6.dns;
struct fqdn *dnss = c->dns_search;
struct in_addr *dns4 = c->ip4.dns;
+ unsigned int ifi4 = 0, ifi6 = 0;
const char *optstring;
- unsigned int ifi = 0;
int name, ret, b, i;
size_t logsize = 0;
uid_t uid;
@@ -1175,9 +1204,9 @@ void conf(struct ctx *c, int argc, char **argv)
if (c->mode == MODE_PASTA) {
c->no_dhcp_dns = c->no_dhcp_dns_search = 1;
- optstring = "dqfel:hF:I:p:P:m:a:n:M:g:i:D:S:46t:u:T:U:";
+ optstring = "dqfel:hF:I:p:P:m:a:n:M:g:i:o:D:S:46t:u:T:U:";
} else {
- optstring = "dqfel:hs:F:p:P:m:a:n:M:g:i:D:S:461t:u:";
+ optstring = "dqfel:hs:F:p:P:m:a:n:M:g:i:o:D:S:461t:u:";
}
c->tcp.fwd_in.mode = c->tcp.fwd_out.mode = 0;
@@ -1295,6 +1324,26 @@ void conf(struct ctx *c, int argc, char **argv)
c->mode == MODE_PASST ? "passt " : "pasta ");
fprintf(stdout, VERSION_BLOB);
exit(EXIT_SUCCESS);
+ case 15:
+ if (*c->ip4.ifname_out)
+ die("Redundant outbound interface: %s", optarg);
+
+ ret = snprintf(c->ip4.ifname_out,
+ sizeof(c->ip4.ifname_out), "%s", optarg);
+ if (ret <= 0 || ret >= (int)sizeof(c->ip4.ifname_out))
+ die("Invalid interface name: %s", optarg);
+
+ break;
+ case 16:
+ if (*c->ip6.ifname_out)
+ die("Redundant outbound interface: %s", optarg);
+
+ ret = snprintf(c->ip6.ifname_out,
+ sizeof(c->ip6.ifname_out), "%s", optarg);
+ if (ret <= 0 || ret >= (int)sizeof(c->ip6.ifname_out))
+ die("Invalid interface name: %s", optarg);
+
+ break;
case 'd':
if (c->debug)
die("Multiple --debug options given");
@@ -1459,13 +1508,33 @@ void conf(struct ctx *c, int argc, char **argv)
die("Invalid gateway address: %s", optarg);
break;
case 'i':
- if (ifi)
+ if (ifi4 || ifi6)
die("Redundant interface: %s", optarg);
- if (!(ifi = if_nametoindex(optarg)))
+ if (!(ifi4 = ifi6 = if_nametoindex(optarg)))
die("Invalid interface name %s: %s", optarg,
strerror(errno));
break;
+ case 'o':
+ if (IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) &&
+ inet_pton(AF_INET6, optarg, &c->ip6.addr_out) &&
+ !IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) &&
+ !IN6_IS_ADDR_LOOPBACK(&c->ip6.addr_out) &&
+ !IN6_IS_ADDR_V4MAPPED(&c->ip6.addr_out) &&
+ !IN6_IS_ADDR_V4COMPAT(&c->ip6.addr_out) &&
+ !IN6_IS_ADDR_MULTICAST(&c->ip6.addr_out))
+ break;
+
+ if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
+ inet_pton(AF_INET, optarg, &c->ip4.addr_out) &&
+ !IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
+ !IN4_IS_ADDR_BROADCAST(&c->ip4.addr_out) &&
+ !IN4_IS_ADDR_MULTICAST(&c->ip4.addr_out))
+ break;
+
+ die("Invalid or redundant outbound address: %s",
+ optarg);
+ break;
case 'D':
if (!strcmp(optarg, "none")) {
if (c->no_dns)
@@ -1557,6 +1626,12 @@ void conf(struct ctx *c, int argc, char **argv)
if (*c->sock_path && c->fd_tap >= 0)
die("Options --socket and --fd are mutually exclusive");
+ if (!ifi4 && *c->ip4.ifname_out)
+ ifi4 = if_nametoindex(c->ip4.ifname_out);
+
+ if (!ifi6 && *c->ip6.ifname_out)
+ ifi6 = if_nametoindex(c->ip6.ifname_out);
+
conf_ugid(runas, &uid, &gid);
if (logfile) {
@@ -1566,10 +1641,12 @@ void conf(struct ctx *c, int argc, char **argv)
nl_sock_init(c, false);
if (!v6_only)
- c->ifi4 = conf_ip4(ifi, &c->ip4, c->mac);
+ c->ifi4 = conf_ip4(ifi4, &c->ip4, c->mac);
if (!v4_only)
- c->ifi6 = conf_ip6(ifi, &c->ip6, c->mac);
- if (!c->ifi4 && !c->ifi6)
+ c->ifi6 = conf_ip6(ifi6, &c->ip6, c->mac);
+ if ((!c->ifi4 && !c->ifi6) ||
+ (*c->ip4.ifname_out && !c->ifi4) ||
+ (*c->ip6.ifname_out && !c->ifi6))
die("External interface not usable");
/* Inbound port options can be parsed now (after IPv4/IPv6 settings) */
diff --git a/icmp.c b/icmp.c
index b842fa8..ddf83f8 100644
--- a/icmp.c
+++ b/icmp.c
@@ -170,8 +170,16 @@ int icmp_tap_handler(const struct ctx *c, int af, const void *addr,
iref.icmp.id = id = ntohs(ih->un.echo.id);
if ((s = icmp_id_map[V4][id].sock) <= 0) {
- s = sock_l4(c, AF_INET, IPPROTO_ICMP, NULL, NULL, id,
- iref.u32);
+ const struct in_addr *bind_addr = NULL;
+ const char *bind_if;
+
+ bind_if = *c->ip4.ifname_out ? c->ip4.ifname_out : NULL;
+
+ if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out))
+ bind_addr = &c->ip4.addr_out;
+
+ s = sock_l4(c, AF_INET, IPPROTO_ICMP, bind_addr,
+ bind_if, id, iref.u32);
if (s < 0)
goto fail_sock;
if (s > SOCKET_MAX) {
@@ -216,8 +224,16 @@ int icmp_tap_handler(const struct ctx *c, int af, const void *addr,
iref.icmp.id = id = ntohs(ih->icmp6_identifier);
if ((s = icmp_id_map[V6][id].sock) <= 0) {
- s = sock_l4(c, AF_INET6, IPPROTO_ICMPV6, NULL, NULL, id,
- iref.u32);
+ const struct in6_addr *bind_addr = NULL;
+ const char *bind_if;
+
+ bind_if = *c->ip6.ifname_out ? c->ip6.ifname_out : NULL;
+
+ if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out))
+ bind_addr = &c->ip6.addr_out;
+
+ s = sock_l4(c, AF_INET6, IPPROTO_ICMPV6, bind_addr,
+ bind_if, id, iref.u32);
if (s < 0)
goto fail_sock;
if (s > SOCKET_MAX) {
diff --git a/passt.1 b/passt.1
index f317c33..6136fa5 100644
--- a/passt.1
+++ b/passt.1
@@ -180,8 +180,33 @@ to allow mapping of local traffic to guest and target namespace. See the
.TP
.BR \-i ", " \-\-interface " " \fIname
Use host interface \fIname\fR to derive addresses and routes.
-Default is to use the interfaces with the first default routes for each IP
-version.
+Default is to use the interfaces specified by \fB--outbound-if4\fR and
+\fB--outbound-if6\fR, for IPv4 and IPv6 addresses and routes, respectively. If
+no interfaces are given, the interface with the first default routes for each IP
+version is selected.
+
+.TP
+.BR \-o ", " \-\-outbound " " \fIaddr
+Use an IPv4 \fIaddr\fR as source address for IPv4 outbound TCP connections, UDP
+flows, ICMP requests, or an IPv6 \fIaddr\fR for IPv6 ones, by binding outbound
+sockets to it.
+This option can be specified zero (for defaults) to two times (once for IPv4,
+once for IPv6).
+By default, the source address is selected by the routing tables.
+
+.TP
+.BR \-\-outbound-if4 " " \fIname
+Bind IPv4 outbound sockets to host interface \fIname\fR, and, unless another
+interface is specified via \fB-i\fR, \fB--interface\fR, use this interface to
+derive IPv4 addresses and routes.
+By default, the interface given by the default route is selected.
+
+.TP
+.BR \-\-outbound-if6 " " \fIname
+Bind IPv6 outbound sockets to host interface \fIname\fR, and, unless another
+interface is specified via \fB-i\fR, \fB--interface\fR, use this interface to
+derive IPv6 addresses and routes.
+By default, the interface given by the default route is selected.
.TP
.BR \-D ", " \-\-dns " " \fIaddr
diff --git a/passt.h b/passt.h
index cc60c84..b73f4ff 100644
--- a/passt.h
+++ b/passt.h
@@ -106,6 +106,8 @@ enum passt_modes {
* @dns: DNS addresses for DHCP, zero-terminated, network order
* @dns_match: Forward DNS query if sent to this address, network order
* @dns_host: Use this DNS on the host for forwarding, network order
+ * @addr_out: Optional source address for outbound traffic
+ * @ifname_out: Optional interface name to bind outbound sockets to
*/
struct ip4_ctx {
struct in_addr addr;
@@ -115,6 +117,9 @@ struct ip4_ctx {
struct in_addr dns[MAXNS + 1];
struct in_addr dns_match;
struct in_addr dns_host;
+
+ struct in_addr addr_out;
+ char ifname_out[IFNAMSIZ];
};
/**
@@ -127,6 +132,8 @@ struct ip4_ctx {
* @dns: DNS addresses for DHCPv6 and NDP, zero-terminated
* @dns_match: Forward DNS query if sent to this address
* @dns_host: Use this DNS on the host for forwarding
+ * @addr_out: Optional source address for outbound traffic
+ * @ifname_out: Optional interface name to bind outbound sockets to
*/
struct ip6_ctx {
struct in6_addr addr;
@@ -137,6 +144,9 @@ struct ip6_ctx {
struct in6_addr dns[MAXNS + 1];
struct in6_addr dns_match;
struct in6_addr dns_host;
+
+ struct in6_addr addr_out;
+ char ifname_out[IFNAMSIZ];
};
#include <netinet/if_ether.h>
diff --git a/tcp.c b/tcp.c
index b674311..8e8d653 100644
--- a/tcp.c
+++ b/tcp.c
@@ -1947,6 +1947,61 @@ static uint16_t tcp_conn_tap_mss(const struct ctx *c,
}
/**
+ * tcp_bind_outbound() - Bind socket to outbound address and interface if given
+ * @c: Execution context
+ * @s: Outbound TCP socket
+ * @af: Address family
+ */
+static void tcp_bind_outbound(const struct ctx *c, int s, sa_family_t af)
+{
+ if (af == AF_INET) {
+ if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out)) {
+ struct sockaddr_in addr4 = {
+ .sin_family = AF_INET,
+ .sin_port = 0,
+ .sin_addr = c->ip4.addr_out,
+ };
+
+ if (bind(s, (struct sockaddr *)&addr4, sizeof(addr4))) {
+ debug("Can't bind IPv4 TCP socket address: %s",
+ strerror(errno));
+ }
+ }
+
+ if (*c->ip4.ifname_out) {
+ if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
+ c->ip4.ifname_out,
+ strlen(c->ip4.ifname_out))) {
+ debug("Can't bind IPv4 TCP socket to interface:"
+ " %s", strerror(errno));
+ }
+ }
+ } else if (af == AF_INET6) {
+ if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out)) {
+ struct sockaddr_in6 addr6 = {
+ .sin6_family = AF_INET6,
+ .sin6_port = 0,
+ .sin6_addr = c->ip6.addr_out,
+ };
+
+ if (bind(s, (struct sockaddr *)&addr6, sizeof(addr6))) {
+ debug("Can't bind IPv6 TCP socket address: %s",
+ strerror(errno));
+ }
+ }
+
+ if (*c->ip6.ifname_out) {
+ if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
+ c->ip6.ifname_out,
+ strlen(c->ip6.ifname_out))) {
+ debug("Can't bind IPv6 TCP socket to interface:"
+ " %s", strerror(errno));
+ }
+ }
+ }
+}
+
+/**
* tcp_conn_from_tap() - Handle connection request (SYN segment) from tap
* @c: Execution context
* @af: Address family, AF_INET or AF_INET6
@@ -2052,6 +2107,11 @@ static void tcp_conn_from_tap(struct ctx *c, int af, const void *addr,
if (errno != EADDRNOTAVAIL && errno != EACCES)
conn_flag(c, conn, LOCAL);
+ if ((af == AF_INET && !IN4_IS_ADDR_LOOPBACK(&addr4.sin_addr)) ||
+ (af == AF_INET6 && !IN6_IS_ADDR_LOOPBACK(&addr6.sin6_addr) &&
+ !IN6_IS_ADDR_LINKLOCAL(&addr6.sin6_addr)))
+ tcp_bind_outbound(c, s, af);
+
if (connect(s, sa, sl)) {
if (errno != EINPROGRESS) {
tcp_rst(c, conn);
diff --git a/udp.c b/udp.c
index b7cbfdc..ef486fe 100644
--- a/udp.c
+++ b/udp.c
@@ -843,20 +843,6 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
sa = (struct sockaddr *)&s_in;
sl = sizeof(s_in);
- if (!(s = udp_tap_map[V4][src].sock)) {
- union udp_epoll_ref uref = { .udp.port = src };
-
- s = sock_l4(c, AF_INET, IPPROTO_UDP, NULL, NULL, src,
- uref.u32);
- if (s < 0)
- return p->count;
-
- udp_tap_map[V4][src].sock = s;
- bitmap_set(udp_act[V4][UDP_ACT_TAP], src);
- }
-
- udp_tap_map[V4][src].ts = now->tv_sec;
-
if (IN4_ARE_ADDR_EQUAL(&s_in.sin_addr, &c->ip4.dns_match) &&
ntohs(s_in.sin_port) == 53) {
s_in.sin_addr = c->ip4.dns_host;
@@ -868,13 +854,37 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
else
s_in.sin_addr = c->ip4.addr_seen;
}
+
+ if (!(s = udp_tap_map[V4][src].sock)) {
+ union udp_epoll_ref uref = { .udp.port = src };
+ in_addr_t bind_addr = { 0 };
+ const char *bind_if = NULL;
+
+ if (!IN6_IS_ADDR_LOOPBACK(&s_in.sin_addr) &&
+ *c->ip6.ifname_out)
+ bind_if = c->ip6.ifname_out;
+
+ if (!IN4_IS_ADDR_UNSPECIFIED(&c->ip4.addr_out) &&
+ !IN4_IS_ADDR_LOOPBACK(&s_in.sin_addr))
+ bind_addr = c->ip4.addr_out.s_addr;
+
+ s = sock_l4(c, AF_INET, IPPROTO_UDP, &bind_addr,
+ bind_if, src, uref.u32);
+ if (s < 0)
+ return p->count;
+
+ udp_tap_map[V4][src].sock = s;
+ bitmap_set(udp_act[V4][UDP_ACT_TAP], src);
+ }
+
+ udp_tap_map[V4][src].ts = now->tv_sec;
} else {
s_in6 = (struct sockaddr_in6) {
.sin6_family = AF_INET6,
.sin6_port = uh->dest,
.sin6_addr = *(struct in6_addr *)addr,
};
- const void *bind_addr = &in6addr_any;
+ const struct in6_addr *bind_addr = &in6addr_any;
sa = (struct sockaddr *)&s_in6;
sl = sizeof(s_in6);
@@ -898,9 +908,19 @@ int udp_tap_handler(struct ctx *c, int af, const void *addr,
if (!(s = udp_tap_map[V6][src].sock)) {
union udp_epoll_ref uref = { .udp.v6 = 1,
.udp.port = src };
+ const char *bind_if = NULL;
+
+ if (!IN6_IS_ADDR_LOOPBACK(&s_in6.sin6_addr) &&
+ *c->ip6.ifname_out)
+ bind_if = c->ip6.ifname_out;
+
+ if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.addr_out) &&
+ !IN6_IS_ADDR_LOOPBACK(&s_in6.sin6_addr) &&
+ !IN6_IS_ADDR_LINKLOCAL(&s_in6.sin6_addr))
+ bind_addr = &c->ip6.addr_out;
- s = sock_l4(c, AF_INET6, IPPROTO_UDP, bind_addr, NULL,
- src, uref.u32);
+ s = sock_l4(c, AF_INET6, IPPROTO_UDP, bind_addr,
+ bind_if, src, uref.u32);
if (s < 0)
return p->count;