fips-core 0.3.1

Reusable FIPS mesh, endpoint, transport, and protocol library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299

//! NAT rule management.
//!
//! Manages nftables DNAT/SNAT rules via the rustables netlink API
//! for translating between virtual IPs and FIPS mesh addresses.

use std::collections::HashMap;
use std::net::Ipv6Addr;
use tracing::{debug, info};

use rustables::expr::{
    Cmp, CmpOp, HighLevelPayload, IPv6HeaderField, Immediate, Masquerade, Meta, MetaType, Nat,
    NatType, NetworkHeaderField, Register, TCPHeaderField, TransportHeaderField, UDPHeaderField,
};
use rustables::{Batch, Chain, ChainType, Hook, HookClass, MsgType, ProtocolFamily, Rule, Table};

use crate::config::{PortForward, Proto};

const TABLE_NAME: &str = "fips_gateway";
const PREROUTING_CHAIN: &str = "prerouting";
const POSTROUTING_CHAIN: &str = "postrouting";

/// NAT priority constants (matching nftables standard priorities).
const DSTNAT_PRIORITY: i32 = -100;
const SRCNAT_PRIORITY: i32 = 100;

/// Errors from NAT operations.
#[derive(Debug, thiserror::Error)]
pub enum NatError {
    #[error("nftables error: {0}")]
    Nftables(String),
    #[error("rule not found for virtual IP {0}")]
    RuleNotFound(Ipv6Addr),
}

impl From<rustables::error::QueryError> for NatError {
    fn from(e: rustables::error::QueryError) -> Self {
        NatError::Nftables(e.to_string())
    }
}

impl From<rustables::error::BuilderError> for NatError {
    fn from(e: rustables::error::BuilderError) -> Self {
        NatError::Nftables(e.to_string())
    }
}

/// A virtual IP ↔ mesh address mapping for NAT rule generation.
#[derive(Clone)]
struct NatMapping {
    virtual_ip: Ipv6Addr,
    mesh_addr: Ipv6Addr,
}

/// NAT rule manager using nftables via rustables netlink API.
///
/// Rebuilds the entire nftables table atomically on every change to
/// avoid relying on kernel rule handle tracking (which rustables
/// doesn't expose). The table is small (one masquerade + two rules
/// per mapping) so this is cheap.
pub struct NatManager {
    table: Table,
    pre_chain: Chain,
    post_chain: Chain,
    /// LAN interface name, used to gate the port-forward LAN-side
    /// masquerade rule (distinct from the fips0 egress masquerade).
    lan_interface: String,
    /// Active mappings keyed by virtual IP.
    mappings: HashMap<Ipv6Addr, NatMapping>,
    /// Inbound port-forward rules (TASK-2026-0061).
    port_forwards: Vec<PortForward>,
}

impl NatManager {
    /// Create the nftables table and NAT chains.
    ///
    /// Installs a masquerade rule for traffic exiting via `fips0` so that
    /// LAN client source addresses are rewritten to the gateway's mesh
    /// address, allowing return traffic to route back through the mesh.
    ///
    /// `lan_interface` is the gateway's LAN-facing interface name,
    /// needed by the port-forward LAN-side masquerade rule.
    pub fn new(lan_interface: String) -> Result<Self, NatError> {
        let table = Table::new(ProtocolFamily::Inet).with_name(TABLE_NAME);
        let pre_chain = Chain::new(&table)
            .with_name(PREROUTING_CHAIN)
            .with_type(ChainType::Nat)
            .with_hook(Hook::new(HookClass::PreRouting, DSTNAT_PRIORITY));
        let post_chain = Chain::new(&table)
            .with_name(POSTROUTING_CHAIN)
            .with_type(ChainType::Nat)
            .with_hook(Hook::new(HookClass::PostRouting, SRCNAT_PRIORITY));

        let mgr = Self {
            table,
            pre_chain,
            post_chain,
            lan_interface,
            mappings: HashMap::new(),
            port_forwards: Vec::new(),
        };
        mgr.rebuild()?;

        info!("Created nftables table '{TABLE_NAME}' with NAT chains and fips0 masquerade");
        Ok(mgr)
    }

    /// Replace the current inbound port-forward rule set and rebuild
    /// the nftables table atomically. Pass an empty slice to clear.
    pub fn set_port_forwards(&mut self, forwards: &[PortForward]) -> Result<(), NatError> {
        self.port_forwards = forwards.to_vec();
        self.rebuild()?;
        info!(
            count = self.port_forwards.len(),
            "Applied inbound port forwards"
        );
        Ok(())
    }

    /// Add DNAT and SNAT rules for a virtual IP ↔ mesh address mapping.
    pub fn add_mapping(
        &mut self,
        virtual_ip: Ipv6Addr,
        mesh_addr: Ipv6Addr,
    ) -> Result<(), NatError> {
        self.mappings.insert(
            virtual_ip,
            NatMapping {
                virtual_ip,
                mesh_addr,
            },
        );
        self.rebuild()?;

        debug!(
            virtual_ip = %virtual_ip,
            mesh_addr = %mesh_addr,
            "Added DNAT/SNAT rules"
        );
        Ok(())
    }

    /// Remove DNAT and SNAT rules for a virtual IP mapping.
    pub fn remove_mapping(&mut self, virtual_ip: Ipv6Addr) -> Result<(), NatError> {
        if self.mappings.remove(&virtual_ip).is_none() {
            return Err(NatError::RuleNotFound(virtual_ip));
        }
        self.rebuild()?;

        debug!(virtual_ip = %virtual_ip, "Removed DNAT/SNAT rules");
        Ok(())
    }

    /// Flush all rules and delete the nftables table.
    pub fn cleanup(self) -> Result<(), NatError> {
        let mut batch = Batch::new();
        batch.add(&self.table, MsgType::Del);
        batch
            .send()
            .map_err(|e| NatError::Nftables(e.to_string()))?;

        info!("Deleted nftables table '{TABLE_NAME}'");
        Ok(())
    }

    /// Number of active NAT mappings.
    pub fn mapping_count(&self) -> usize {
        self.mappings.len()
    }

    /// Atomically rebuild the entire nftables table with all current
    /// rules. Deletes and recreates the table, chains, masquerade rule,
    /// and all per-mapping DNAT/SNAT rules in a single netlink batch.
    fn rebuild(&self) -> Result<(), NatError> {
        // Delete existing table in a separate batch — ignore ENOENT on
        // first call when the table doesn't exist yet.
        let mut del_batch = Batch::new();
        del_batch.add(&self.table, MsgType::Del);
        let _ = del_batch.send();

        // Recreate table, chains, and all rules atomically.
        let mut batch = Batch::new();
        batch.add(&self.table, MsgType::Add);
        batch.add(&self.pre_chain, MsgType::Add);
        batch.add(&self.post_chain, MsgType::Add);

        // Masquerade rule: rewrite source address for traffic exiting fips0.
        // Without this, LAN clients' source addresses (e.g. fd02::20) are
        // not routable on the mesh, so return traffic would be black-holed.
        let masq_rule = Rule::new(&self.post_chain)?
            .with_expr(Meta::new(MetaType::OifName))
            .with_expr(Cmp::new(CmpOp::Eq, b"fips0\0".to_vec()))
            .with_expr(Masquerade::default());
        batch.add(&masq_rule, MsgType::Add);

        // Per-mapping DNAT/SNAT rules.
        for mapping in self.mappings.values() {
            let dnat_rule = Rule::new(&self.pre_chain)?
                .with_expr(Meta::new(MetaType::NfProto))
                .with_expr(Cmp::new(CmpOp::Eq, [libc::NFPROTO_IPV6 as u8]))
                .with_expr(
                    HighLevelPayload::Network(NetworkHeaderField::IPv6(IPv6HeaderField::Daddr))
                        .build(),
                )
                .with_expr(Cmp::new(CmpOp::Eq, mapping.virtual_ip.octets()))
                .with_expr(Immediate::new_data(
                    mapping.mesh_addr.octets().to_vec(),
                    Register::Reg1,
                ))
                .with_expr(
                    Nat::default()
                        .with_nat_type(NatType::DNat)
                        .with_family(ProtocolFamily::Ipv6)
                        .with_ip_register(Register::Reg1),
                );
            batch.add(&dnat_rule, MsgType::Add);

            let snat_rule = Rule::new(&self.post_chain)?
                .with_expr(Meta::new(MetaType::NfProto))
                .with_expr(Cmp::new(CmpOp::Eq, [libc::NFPROTO_IPV6 as u8]))
                .with_expr(
                    HighLevelPayload::Network(NetworkHeaderField::IPv6(IPv6HeaderField::Saddr))
                        .build(),
                )
                .with_expr(Cmp::new(CmpOp::Eq, mapping.mesh_addr.octets()))
                .with_expr(Immediate::new_data(
                    mapping.virtual_ip.octets().to_vec(),
                    Register::Reg1,
                ))
                .with_expr(
                    Nat::default()
                        .with_nat_type(NatType::SNat)
                        .with_family(ProtocolFamily::Ipv6)
                        .with_ip_register(Register::Reg1),
                );
            batch.add(&snat_rule, MsgType::Add);
        }

        // Inbound port-forward rules (TASK-2026-0061). Each forward is
        // one DNAT rule in prerouting keyed on (iif fips0, nfproto ipv6,
        // l4proto, th dport). When any forwards are configured, emit a
        // single LAN-side masquerade in postrouting so the LAN target
        // host sees the gateway's LAN address as source and replies
        // flow back through conntrack.
        for pf in &self.port_forwards {
            let l4proto: u8 = match pf.proto {
                Proto::Tcp => libc::IPPROTO_TCP as u8,
                Proto::Udp => libc::IPPROTO_UDP as u8,
            };
            let dport_field = match pf.proto {
                Proto::Tcp => TransportHeaderField::Tcp(TCPHeaderField::Dport),
                Proto::Udp => TransportHeaderField::Udp(UDPHeaderField::Dport),
            };
            let target_ip = *pf.target.ip();
            let target_port_be = pf.target.port().to_be_bytes();

            let dnat_rule = Rule::new(&self.pre_chain)?
                .with_expr(Meta::new(MetaType::IifName))
                .with_expr(Cmp::new(CmpOp::Eq, b"fips0\0".to_vec()))
                .with_expr(Meta::new(MetaType::NfProto))
                .with_expr(Cmp::new(CmpOp::Eq, [libc::NFPROTO_IPV6 as u8]))
                .with_expr(Meta::new(MetaType::L4Proto))
                .with_expr(Cmp::new(CmpOp::Eq, [l4proto]))
                .with_expr(HighLevelPayload::Transport(dport_field).build())
                .with_expr(Cmp::new(CmpOp::Eq, pf.listen_port.to_be_bytes().to_vec()))
                .with_expr(Immediate::new_data(
                    target_ip.octets().to_vec(),
                    Register::Reg1,
                ))
                .with_expr(Immediate::new_data(target_port_be.to_vec(), Register::Reg2))
                .with_expr(
                    Nat::default()
                        .with_nat_type(NatType::DNat)
                        .with_family(ProtocolFamily::Ipv6)
                        .with_ip_register(Register::Reg1)
                        .with_port_register(Register::Reg2),
                );
            batch.add(&dnat_rule, MsgType::Add);
        }

        if !self.port_forwards.is_empty() {
            let mut lan_iface = self.lan_interface.clone().into_bytes();
            lan_iface.push(0);
            let lan_masq = Rule::new(&self.post_chain)?
                .with_expr(Meta::new(MetaType::IifName))
                .with_expr(Cmp::new(CmpOp::Eq, b"fips0\0".to_vec()))
                .with_expr(Meta::new(MetaType::OifName))
                .with_expr(Cmp::new(CmpOp::Eq, lan_iface))
                .with_expr(Meta::new(MetaType::NfProto))
                .with_expr(Cmp::new(CmpOp::Eq, [libc::NFPROTO_IPV6 as u8]))
                .with_expr(Masquerade::default());
            batch.add(&lan_masq, MsgType::Add);
        }

        batch
            .send()
            .map_err(|e| NatError::Nftables(e.to_string()))?;
        Ok(())
    }
}