On Fri, 16 Aug 2024 15:39:57 +1000
David Gibson <david(a)gibson.dropbear.id.au> wrote:

> We usually avoid NAT, but in a few cases we need to apply address
> translations. For inbound connections that happens for addresses which
> make sense to the host but are either inaccessible, or mean a different
> location from the guest's point of view.
>
> Add some helper functions to determine such addresses, and use them in
> fwd_nat_from_host(). In doing so clarify some of the reasons for the
> logic. We'll also have further use for these helpers in future.
>
> While we're there fix one unnecessary inconsistency between IPv4 and
> IPv6. We always translated the guest's observed address, but for IPv4
> we didn't translate the guest's assigned address, whereas for IPv6 we
> did. Change this to translate both in all cases for consistency.
>
> Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
> ---
>  fwd.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
>  1 file changed, 87 insertions(+), 11 deletions(-)
>
> diff --git a/fwd.c b/fwd.c
> index 75dc0151..1baae338 100644
> --- a/fwd.c
> +++ b/fwd.c
> @@ -170,6 +170,85 @@ static bool is_dns_flow(uint8_t proto, const struct flowside *ini)
>  		((ini->oport == 53) || (ini->oport == 853));
>  }
>  
> +/**
> + * fwd_guest_accessible4() - Is IPv4 address guest accessible

Nit: I wonder if we should say "guest-accessible" in all these cases,
it's a bit easier for me to decode, but not necessarily more correct.
It's fine by me either way.

-- 
Stefano