lab-ops_natmap 0.1.3

iptables NAT mapping daemon with CLI control over Unix socket
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

use std::process::Command;

use color_eyre::Result;
use color_eyre::eyre::WrapErr;

use crate::models::PolicyRouteConfig;

pub struct PolicyRouteManager;

impl PolicyRouteManager {
    pub fn new() -> Self {
        Self
    }

    fn check_rule_exists(&self, config: &PolicyRouteConfig) -> Result<bool> {
        let output = Command::new("ip")
            .args(["rule", "show"])
            .output()
            .wrap_err("Failed to execute ip rule show")?;

        let stdout = String::from_utf8_lossy(&output.stdout);
        // Format: "32765:  from <src_ip> lookup <table>"
        let expected = format!("from {} lookup {}", config.src_ip, config.table);
        Ok(stdout.contains(&expected))
    }

    fn check_route_exists(&self, config: &PolicyRouteConfig) -> Result<bool> {
        let output = Command::new("ip")
            .args(["route", "show", "table", &config.table.to_string()])
            .output()
            .wrap_err("Failed to execute ip route show")?;

        let stdout = String::from_utf8_lossy(&output.stdout);
        let expected = format!("default via {}", config.via);
        Ok(stdout.contains(&expected))
    }

    /// Check if an exact route line already exists in a given table.
    fn route_line_in_table(&self, route_line: &str, table: u32) -> Result<bool> {
        let output = Command::new("ip")
            .args(["route", "show", "table", &table.to_string()])
            .output()?;
        let stdout = String::from_utf8_lossy(&output.stdout);
        Ok(stdout.lines().any(|l| l.trim() == route_line.trim()))
    }

    /// Collect routes from the main table that should be cloned into the
    /// policy routing table: non-default, non-local, non-broadcast routes
    /// for local subnets (Docker bridges, LAN, etc.).
    fn get_cloneable_routes(&self) -> Result<Vec<String>> {
        let output = Command::new("ip")
            .args(["route", "show", "table", "main"])
            .output()?;
        let routes = String::from_utf8_lossy(&output.stdout)
            .lines()
            .filter(|l| {
                let t = l.trim();
                !t.is_empty()
                    && !t.starts_with("default ")
                    && !t.starts_with("broadcast ")
                    && !t.starts_with("local ")
                    && !t.starts_with("unreachable ")
                    && !t.starts_with("fe80::")
                    && !t.starts_with("ff00::")
            })
            .map(|l| l.trim().to_string())
            .filter(|l| !l.is_empty())
            .collect();
        Ok(routes)
    }

    pub fn install(&self, config: &PolicyRouteConfig) -> Result<()> {
        if !self.check_route_exists(config)? {
            let status = Command::new("ip")
                .args([
                    "route",
                    "add",
                    "default",
                    "via",
                    &config.via,
                    "table",
                    &config.table.to_string(),
                ])
                .status()
                .wrap_err("Failed to execute ip route add")?;

            if !status.success() {
                color_eyre::eyre::bail!("ip route add failed with status: {}", status);
            }
        }

        if !self.check_rule_exists(config)? {
            let status = Command::new("ip")
                .args([
                    "rule",
                    "add",
                    "from",
                    &config.src_ip,
                    "table",
                    &config.table.to_string(),
                ])
                .status()
                .wrap_err("Failed to execute ip rule add")?;

            if !status.success() {
                color_eyre::eyre::bail!("ip rule add failed with status: {}", status);
            }
        }

        // Clone local-subnet routes from the main table so traffic from
        // src_ip to Docker bridges, the LAN, etc. uses the correct interface
        // instead of the proxy gateway (which would break local connectivity).
        let table = config.table;
        for route_line in self.get_cloneable_routes()? {
            if !self.route_line_in_table(&route_line, table)? {
                let status = Command::new("sh")
                    .args(["-c", &format!("ip route add {route_line} table {table}")])
                    .status()
                    .wrap_err("Failed to execute ip route add")?;
                if !status.success() {
                    tracing::warn!("failed to clone route to table {table}: {route_line}");
                }
            }
        }

        Ok(())
    }

    pub fn remove(&self, config: &PolicyRouteConfig) -> Result<()> {
        // We ignore errors on remove, in case the rules are already gone.
        let _ = Command::new("ip")
            .args([
                "rule",
                "del",
                "from",
                &config.src_ip,
                "table",
                &config.table.to_string(),
            ])
            .status();

        let _ = Command::new("ip")
            .args([
                "route",
                "del",
                "default",
                "via",
                &config.via,
                "table",
                &config.table.to_string(),
            ])
            .status();

        Ok(())
    }

    pub fn flush_all(&self, policy_routes: &[PolicyRouteConfig]) -> Result<()> {
        for config in policy_routes {
            self.remove(config)?;
        }
        Ok(())
    }
}