authorTorbjørn Smørgrav <smorgrav@users.noreply.github.com>2018-01-08 12:17:52 +0100
committerGitHub <noreply@github.com>2018-01-08 12:17:52 +0100
commite4870f7e60ad931f4e3dd32b2920d449807c069f (patch)
tree79d51bd2f7fea63eff180f570e52912256ab23fd /node-admin
parentdd269359308af49ec4ffd73e7cd0fc4659e8a506 (diff)
parenteceda7755cf390e6b7032ee8e36bd5d75fe8ee47 (diff)
Merge pull request #4559 from vespa-engine/smorgrav/iptables_nat_command
Add a iptable command for snat/dnat
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java42
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java38
2 files changed, 80 insertions, 0 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java
new file mode 100644
index 00000000000..87bb5fddf23
--- /dev/null
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java
@@ -0,0 +1,42 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables;
+
+import java.net.Inet6Address;
+import java.net.InetAddress;
+
+/**
+ * Creates two commands that:
+ *
+ * 1. replaces an external/public destination ip to an internal/private ip before routing it (pre-routing)
+ * 2. replaces an internal/private source ip to an external/public ip before writing it on the wire (post-routing)
+ *
+ * @author smorgrav
+ */
+public class NATCommand implements Command {
+
+ private final String snatCommand;
+ private final String dnatCommand;
+
+ NATCommand(InetAddress externalIp, InetAddress internalIp, String iface) {
+ String command = externalIp instanceof Inet6Address ? "ip6tables" : "iptables";
+ this.snatCommand = String.format("%s -t nat -A POSTROUTING -o %s -s %s -j SNAT --to %s",
+ command,
+ iface,
+ internalIp.getHostAddress(),
+ externalIp.getHostAddress());
+
+ this.dnatCommand = String.format("%s -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s",
+ command,
+ iface,
+ externalIp.getHostAddress(),
+ internalIp.getHostAddress());
+ }
+
+ @Override
+ public String asString() {
+ return snatCommand + "; " + dnatCommand;
+ }
+
+ @Override
+ public String asString(String commandName) { return asString(); }
+}
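Review bot: The constructor picks `iptables` vs `ip6tables` from `externalIp` alone, so a caller passing an IPv6 external address with an IPv4 internal address (or vice versa) gets a rule string that the chosen tool will reject, or that silently NATs to the wrong family, with no error at construction time; add `if ((externalIp instanceof Inet6Address) != (internalIp instanceof Inet6Address)) throw new IllegalArgumentException("externalIp and internalIp must be of the same address family");` before the `String.format` calls. `iface` is likewise interpolated unchecked into a string that `asString()` joins with `; `; if that string is ever handed to a shell rather than split into argv, a name containing whitespace or shell metacharacters would break out of the intended command, so either validate it (e.g. `if (!iface.matches("[A-Za-z0-9_.:-]+")) throw new IllegalArgumentException(...)`) or document that callers must pass a trusted interface name. Both rules use `-A`, so running the command twice appends duplicate NAT rules; worth a comment on `asString()` noting that the caller is responsible for not re-applying it, or a `-C` check if the Command framework supports it. The class Javadoc lists DNAT (PREROUTING) first but `asString()` emits SNAT first; reorder the list or the join so they agree.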
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java
new file mode 100644
index 00000000000..c2a2575f6b1
--- /dev/null
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java
@@ -0,0 +1,38 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.net.Inet4Address;
+import java.net.Inet6Address;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+/**
+ * Test DNAT and SNAT Commands
+ *
+ * @author smorgrav
+ */
+public class NATCommandTest {
+
+ @Test
+ public void sampleNATCommandIPv6() throws UnknownHostException{
+ InetAddress externalIP = Inet6Address.getByName("2001:db8::1");
+ InetAddress internalIP = Inet6Address.getByName("2001:db8::2");
+ String iface = "eth0";
+
+ NATCommand command = new NATCommand(externalIP, internalIP, iface);
+ Assert.assertEquals("ip6tables -t nat -A POSTROUTING -o eth0 -s 2001:db8:0:0:0:0:0:2 -j SNAT --to 2001:db8:0:0:0:0:0:1; ip6tables -t nat -A PREROUTING -i eth0 -d 2001:db8:0:0:0:0:0:1 -j DNAT --to-destination 2001:db8:0:0:0:0:0:2", command.asString());
+ }
+
+ @Test
+ public void sampleNATCommandIPv4() throws UnknownHostException{
+ InetAddress externalIP = Inet4Address.getByName("192.168.0.1");
+ InetAddress internalIP = Inet4Address.getByName("192.168.0.2");
+ String iface = "eth0";
+
+ NATCommand command = new NATCommand(externalIP, internalIP, iface);
+ Assert.assertEquals("iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to 192.168.0.1; iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.1 -j DNAT --to-destination 192.168.0.2", command.asString());
+ }
+}
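Review bot: `Inet6Address.getByName(...)` and `Inet4Address.getByName(...)` on lines 93–94 and 103–104 are the inherited static `InetAddress.getByName` and give no guarantee about the resulting address family, so the subclass qualifier is misleading; write `InetAddress.getByName("2001:db8::1")` and, if the family matters to the assertion, assert it with `assertTrue(externalIP instanceof Inet6Address)`. There is also no test for the second overload, `asString(String commandName)`, which ignores its argument and returns the same string; one assertion such as `Assert.assertEquals(command.asString(), command.asString("ignored"));` would pin that behaviour. A mixed-family case (IPv6 external, IPv4 internal) is not exercised either, which is the input the constructor currently accepts without complaint.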