net: Dynamic NAT (WIP)

Author: AndreasAakesson

api/net/nat/napt.hpp

@@ -0,0 +1,84 @@
+// This file is a part of the IncludeOS unikernel - www.includeos.org
+//
+// Copyright 2017 Oslo and Akershus University College of Applied Sciences
+// and Alfred Bratterud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+#ifndef NET_NAT_NAPT_HPP
+#define NET_NAT_NAPT_HPP
+
+#include <map>
+#include <net/port_util.hpp>
+#include <net/inet>
+#include <net/tcp/tcp.hpp>
+
+namespace net {
+namespace nat {
+
+/**
+ * @brief      Network Address Port Translator
+ */
+class NAPT {
+public:
+  using Stack = Inet<IP4>;
+  using Translation_table = std::map<uint16_t, Socket>;
+
+public:
+
+  // NAT
+  IP4::IP_packet_ptr nat(IP4::IP_packet_ptr pkt, const Stack& inet);
+
+  // Replace source socket with external (this) address and random port
+  IP4::IP_packet_ptr snat(IP4::IP_packet_ptr pkt, const Stack& inet);
+
+  // Replace source address with external address from table
+  IP4::IP_packet_ptr dnat(IP4::IP_packet_ptr pkt, const Stack& inet);
+
+  void add_entry(uint16_t port, Socket sock)
+  {
+    // Bind the port
+    tcp_ports.bind(port);
+    // Add the entry
+    tcp_trans.emplace(port, sock);
+
+    //printf("NAT entry: %s => %u\n", sock.to_string().c_str(), port);
+  }
+
+private:
+  Port_util tcp_ports;
+  Port_util udp_ports;
+
+  Translation_table tcp_trans;
+  Translation_table udp_trans;
+
+  // Source NAT
+  void snat(tcp::Packet& pkt, ip4::Addr src_ip);
+
+  // Destination NAT
+  void dnat(tcp::Packet& pkt);
+
+  void recalculate_checksum(tcp::Packet& pkt) noexcept
+  {
+    pkt.set_checksum(0);
+    pkt.set_ip_checksum();
+    pkt.set_checksum(TCP::checksum(pkt));
+  }
+
+}; // < class NAPT
+
+} // < namespace nat
+} // < namespace net
+
+#endif

src/CMakeLists.txt

@@ -59,7 +59,7 @@ set(OS_OBJECTS
   net/http/mime_types.cpp net/http/cookie.cpp net/http/secure_server.cpp
   net/http/client_connection.cpp net/http/client.cpp
   net/http/server_connection.cpp net/http/server.cpp net/http/response_writer.cpp
-  net/ws/websocket.cpp
+  net/ws/websocket.cpp net/nat/napt.cpp
   fs/disk.cpp fs/filesystem.cpp fs/dirent.cpp fs/mbr.cpp fs/path.cpp
   fs/fat.cpp fs/fat_async.cpp fs/fat_sync.cpp fs/memdisk.cpp
   posix/fd.cpp posix/tcp_fd.cpp posix/udp_fd.cpp posix/unistd.cpp posix/fcntl.cpp posix/syslog.cpp

src/net/nat/napt.cpp

@@ -0,0 +1,127 @@
+// This file is a part of the IncludeOS unikernel - www.includeos.org
+//
+// Copyright 2017 Oslo and Akershus University College of Applied Sciences
+// and Alfred Bratterud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <net/nat/napt.hpp>
+
+namespace net {
+namespace nat {
+
+IP4::IP_packet_ptr NAPT::nat(IP4::IP_packet_ptr pkt, const Stack& inet)
+{
+  if(pkt->ip_dst() != inet.ip_addr())
+  {
+    pkt = snat(std::move(pkt), inet);
+  }
+  else
+  {
+    pkt = dnat(std::move(pkt), inet);
+  }
+
+  return pkt;
+}
+
+// Replace source socket with external (this) address and random port
+IP4::IP_packet_ptr NAPT::snat(IP4::IP_packet_ptr pkt, const Stack& inet)
+{
+  // Early return if the packet is for me
+  if(UNLIKELY(pkt->ip_dst() == inet.ip_addr()))
+    return pkt;
+
+  if(pkt->ip_protocol() == Protocol::TCP)
+  {
+    snat(*static_cast<tcp::Packet*>(pkt.get()), inet.ip_addr());
+  }
+
+  return pkt;
+}
+
+// Replace source address with external address from table
+IP4::IP_packet_ptr NAPT::dnat(IP4::IP_packet_ptr pkt, const Stack& inet)
+{
+  // Early return if the packet isn't for me
+  if(UNLIKELY(pkt->ip_dst() != inet.ip_addr()))
+    return pkt;
+
+  if(pkt->ip_protocol() == Protocol::TCP)
+  {
+    dnat(*static_cast<tcp::Packet*>(pkt.get()));
+  }
+
+  return pkt;
+}
+
+void NAPT::snat(tcp::Packet& pkt, ip4::Addr src_ip)
+{
+  // Get the Socket
+  Socket socket = pkt.source();
+
+  // Is there an entry?
+  auto it = std::find_if(tcp_trans.begin(), tcp_trans.end(),
+    [socket] (auto& ent) {
+      return ent.second == socket;
+    });
+
+  // If there already is an entry
+  if(it != tcp_trans.end())
+  {
+    // Replace the source port with the already translated one
+    pkt.set_src_port(it->first);
+  }
+  // If not
+  else
+  {
+    // Generate a new port
+    auto port = tcp_ports.get_next_ephemeral();
+
+    // Replace the source port
+    pkt.set_src_port(port);
+
+    add_entry(port, socket);
+  }
+
+  // At last, replace the source address
+  pkt.set_ip_src(src_ip);
+
+  printf("SNAT %s => %s\n", socket.to_string().c_str(), pkt.source().to_string().c_str());
+
+  // Recalculate checksum
+  recalculate_checksum(pkt);
+}
+
+void NAPT::dnat(tcp::Packet& pkt)
+{
+  auto dst_port = pkt.dst_port();
+
+  // Is there an entry?
+  auto it = tcp_trans.find(dst_port);
+
+  // If there already is an entry
+  if(it != tcp_trans.end())
+  {
+    // Get the Socket
+    auto socket = it->second;
+    printf("DNAT %s => %s\n", pkt.destination().to_string().c_str(), socket.to_string().c_str());
+    // Replace the destination port with the original one
+    pkt.set_destination(socket);
+
+    // Recalculate checksum
+    recalculate_checksum(pkt);
+  }
+}
+
+}
+}

test/net/integration/nat/CMakeLists.txt

@@ -0,0 +1,33 @@
+cmake_minimum_required(VERSION 2.8.9)
+
+# IncludeOS install location
+if (NOT DEFINED ENV{INCLUDEOS_PREFIX})
+  set(ENV{INCLUDEOS_PREFIX} /usr/local)
+endif()
+
+include($ENV{INCLUDEOS_PREFIX}/includeos/pre.service.cmake)
+
+project(test_nat)
+
+# Human-readable name of your service
+set(SERVICE_NAME "IncludeOS NAT test")
+
+# Name of your service binary
+set(BINARY       "test_nat")
+
+# Maximum memory can be hard-coded into the binary
+set(MAX_MEM 128)
+
+# Source files to be linked with OS library parts to form bootable image
+set(SOURCES
+    service.cpp
+  )
+
+# DRIVERS / PLUGINS:
+
+set(DRIVERS
+  virtionet
+  )
+
+# include service build script
+include($ENV{INCLUDEOS_PREFIX}/includeos/post.service.cmake)

test/net/integration/nat/README.md

@@ -0,0 +1 @@
+# Test NAT

test/net/integration/nat/service.cpp

@@ -0,0 +1,67 @@
+// This file is a part of the IncludeOS unikernel - www.includeos.org
+//
+// Copyright 2016-2017 Oslo and Akershus University College of Applied Sciences
+// and Alfred Bratterud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <service>
+#include <net/inet4>
+#include <net/nat/napt.hpp>
+
+using namespace net;
+
+
+void ip_forward(Inet<IP4>& stack,  IP4::IP_packet_ptr pckt) {
+  stack.ip_obj().ship(std::move(pckt));
+}
+
+void Service::start()
+{
+  auto& router = Inet4::ifconfig<0>(
+    { 10, 0, 10, 1 }, { 255, 255, 0, 0 }, { 10, 0, 0, 1 });
+
+  auto& laptop1 = Inet4::ifconfig<1>(
+    { 10, 0, 10, 43 }, { 255, 255, 255, 0 }, router.ip_addr());
+
+  auto& internet_host = Inet4::ifconfig<2>(
+    { 10, 0, 1, 44 }, { 255, 255, 255, 0 }, router.ip_addr());
+
+  auto& internet_client = Inet4::ifconfig<3>(
+    { 10, 0, 1, 45 }, { 255, 255, 255, 0 }, router.ip_addr());
+
+  static nat::NAPT nat;
+
+  router.prerouting_chain().chain.push_back({nat, &nat::NAPT::nat});
+  //router.postrouting_chain().chain.push_back({nat, &nat::NAPT::receive});
+
+  router.ip_obj().set_packet_forwarding(ip_forward);
+
+  internet_host.tcp().listen(80, [](auto conn) {
+    printf("Internet page received a new connection! (%s)\n", conn->to_string().c_str());
+  });
+
+  laptop1.tcp().connect({ internet_host.ip_addr(), 80 }, [](auto conn) {
+    printf("Laptop1 connected to internet web page! (%s)\n", conn->to_string().c_str());
+  });
+
+  nat.add_entry(8080, { laptop1.ip_addr(), 80 });
+
+  laptop1.tcp().listen(80, [](auto conn) {
+    printf("Laptop1 received a new connection! (%s)\n", conn->to_string().c_str());
+  });
+
+  internet_client.tcp().connect({ laptop1.ip_addr(), 80 }, [](auto conn) {
+    printf("Bob (internet) connected to Laptop1! (%s)\n", conn->to_string().c_str());
+  });
+}

test/net/integration/nat/vm.json

@@ -0,0 +1,8 @@
+{
+  "image" : "test_dhcp_server.img",
+  "net" : [{"device" : "virtio", "mac" : "c0:01:0a:00:00:2a"},
+          {"device" : "virtio", "mac" : "c0:01:0a:00:00:2f"},
+          {"device" : "virtio", "mac" : "c0:01:0a:00:00:20"},
+          {"device" : "virtio", "mac" : "c0:01:0a:00:00:23"}],
+  "mem" : 128
+}