2 files changed, 80 insertions, 0 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java
new file mode 100644
index 00000000000..87bb5fddf23
--- /dev/null
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommand.java
@@ -0,0 +1,42 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables;
+
+import java.net.Inet6Address;
+import java.net.InetAddress;
+
+/**
+ * Creates two commands that:
+ *
+ * 1. replaces an external/public destination ip to an internal/private ip before routing it (pre-routing)
+ * 2. replaces an internal/private source ip to an external/public ip before writing it on the wire (post-routing)
+ *
+ * @author smorgrav
+ */
+public class NATCommand implements Command {
+
+ private final String snatCommand;
+ private final String dnatCommand;
+
+ NATCommand(InetAddress externalIp, InetAddress internalIp, String iface) {
+ String command = externalIp instanceof Inet6Address ? "ip6tables" : "iptables";
+ this.snatCommand = String.format("%s -t nat -A POSTROUTING -o %s -s %s -j SNAT --to %s",
+ command,
+ iface,
+ internalIp.getHostAddress(),
+ externalIp.getHostAddress());
+
+ this.dnatCommand = String.format("%s -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s",
+ command,
+ iface,
+ externalIp.getHostAddress(),
+ internalIp.getHostAddress());
+ }
+
+ @Override
+ public String asString() {
+ return snatCommand + "; " + dnatCommand;
+ }
+
+ @Override
+ public String asString(String commandName) { return asString(); }
+}
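Review bot: The constructor chooses `ip6tables` vs `iptables` from `externalIp` alone and never checks that `internalIp` is the same address family, so a v4/v6 mix silently yields a rule the tool will reject at apply time rather than an error at construction. The `iface` argument is also spliced verbatim into a string that `asString()` joins with `"; "`, which reads like it is meant for a shell; if that is the case (the consumer is not in this diff) an interface name containing shell metacharacters would break out of the command, so it should be restricted to plain interface-name characters before use. Both checks belong at the top of the constructor, shown below. Separately, `-A` appends unconditionally, so re-running this command duplicates the rules; a `-C`-then-`-A` pattern or an idempotent apply path is worth considering, though that may be handled by whatever calls this.

```java
    NATCommand(InetAddress externalIp, InetAddress internalIp, String iface) {
        // The tool is picked from externalIp; a mixed v4/v6 pair can never form a valid rule
        if ((externalIp instanceof Inet6Address) != (internalIp instanceof Inet6Address)) {
            throw new IllegalArgumentException("externalIp and internalIp must be of the same IP family");
        }
        // iface is inserted verbatim into a "; "-joined command string; reject anything but an interface name
        if (iface == null || !iface.matches("[A-Za-z0-9_.:-]+")) {
            throw new IllegalArgumentException("Invalid interface name: " + iface);
        }
        String command = externalIp instanceof Inet6Address ? "ip6tables" : "iptables";
        // … unchanged: snatCommand / dnatCommand formatting …
    }
```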
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java
new file mode 100644
index 00000000000..c2a2575f6b1
--- /dev/null
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/iptables/NATCommandTest.java
@@ -0,0 +1,38 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.net.Inet4Address;
+import java.net.Inet6Address;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+/**
+ * Test DNAT and SNAT Commands
+ *
+ * @author smorgrav
+ */
+public class NATCommandTest {
+
+ @Test
+ public void sampleNATCommandIPv6() throws UnknownHostException{
+ InetAddress externalIP = Inet6Address.getByName("2001:db8::1");
+ InetAddress internalIP = Inet6Address.getByName("2001:db8::2");
+ String iface = "eth0";
+
+ NATCommand command = new NATCommand(externalIP, internalIP, iface);
+ Assert.assertEquals("ip6tables -t nat -A POSTROUTING -o eth0 -s 2001:db8:0:0:0:0:0:2 -j SNAT --to 2001:db8:0:0:0:0:0:1; ip6tables -t nat -A PREROUTING -i eth0 -d 2001:db8:0:0:0:0:0:1 -j DNAT --to-destination 2001:db8:0:0:0:0:0:2", command.asString());
+ }
+
+ @Test
+ public void sampleNATCommandIPv4() throws UnknownHostException{
+ InetAddress externalIP = Inet4Address.getByName("192.168.0.1");
+ InetAddress internalIP = Inet4Address.getByName("192.168.0.2");
+ String iface = "eth0";
+
+ NATCommand command = new NATCommand(externalIP, internalIP, iface);
+ Assert.assertEquals("iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to 192.168.0.1; iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.1 -j DNAT --to-destination 192.168.0.2", command.asString());
+ }
+} |
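Review bot: `Inet6Address.getByName(...)` and `Inet4Address.getByName(...)` are the inherited static `InetAddress.getByName`, so calling them through the subclass does not constrain the family and misleads a reader into thinking the v6/v4 choice is enforced by the type; the family is decided solely by the literal, so these should read `InetAddress.getByName("2001:db8::1")` and the two subclass imports can go. The two tests also only pin the happy-path string for matching families; there is no case for a mixed v4 external / v6 internal pair, which is exactly the input `NATCommand` currently turns into an unusable rule, so a test asserting that such a pair is rejected (or documenting that it is not) would make the contract explicit. Minor: `throws UnknownHostException{` is missing the space before the brace on both methods.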