Separate the gateway services from localhost passthrough

Previously we used the gateway IP for everything:
- DNS
- NTP
- HTTP proxy
- pass through to localhost services

As we add more services of our own we mask ports potentially used
by localhost services. This patch separates the "localhost" IP which
does only passthrough, from the "gateway" IP which provides vpnkit
services.

The new commandline argument `--host-ip` defines the host IP.

Signed-off-by: David Scott <dave.scott@docker.com>

Author: djs55

src/bin/main.ml

@@ -341,7 +341,7 @@ let hvsock_addr_of_uri ~default_serviceid uri =
       socket_url port_control_url introspection_url diagnostics_url
       max_connections vsock_path db_path db_branch dns http hosts host_names
       listen_backlog port_max_idle_time debug
-      server_macaddr domain allowed_bind_addresses gateway_ip lowest_ip highest_ip
+      server_macaddr domain allowed_bind_addresses gateway_ip host_ip lowest_ip highest_ip
       dhcp_json_path mtu log_destination
     =
     let level =
@@ -364,6 +364,7 @@ let hvsock_addr_of_uri ~default_serviceid uri =
     let server_macaddr = Macaddr.of_string_exn server_macaddr in
     let allowed_bind_addresses = Configuration.Parse.ipv4_list [] allowed_bind_addresses in
     let gateway_ip = Ipaddr.V4.of_string_exn gateway_ip in
+    let host_ip = Ipaddr.V4.of_string_exn host_ip in
     let lowest_ip = Ipaddr.V4.of_string_exn lowest_ip in
     let highest_ip = Ipaddr.V4.of_string_exn highest_ip in
     let configuration = {
@@ -379,6 +380,7 @@ let hvsock_addr_of_uri ~default_serviceid uri =
       domain;
       allowed_bind_addresses;
       gateway_ip;
+      host_ip;
       lowest_ip;
       highest_ip;
       dhcp_json_path;
@@ -567,6 +569,14 @@ let gateway_ip =
   in
   Arg.(value & opt string (Ipaddr.V4.to_string Configuration.default_gateway_ip) doc)
 
+let host_ip =
+  let doc =
+    Arg.info ~doc:
+      "IP address which represents the host. Connections to this IP will be forwarded to localhost on the host."
+      [ "host-ip" ]
+  in
+  Arg.(value & opt string (Ipaddr.V4.to_string Configuration.default_host_ip) doc)
+
 let lowest_ip =
   let doc =
     Arg.info ~doc:
@@ -610,7 +620,7 @@ let command =
         $ socket $ port_control_path $ introspection_path $ diagnostics_path
         $ max_connections $ vsock_path $ db_path $ db_branch $ dns $ http $ hosts
         $ host_names $ listen_backlog $ port_max_idle_time $ debug
-        $ server_macaddr $ domain $ allowed_bind_addresses $ gateway_ip
+        $ server_macaddr $ domain $ allowed_bind_addresses $ gateway_ip $ host_ip
         $ lowest_ip $ highest_ip $ dhcp_json_path $ mtu $ Logging.log_destination),
   Term.info (Filename.basename Sys.argv.(0)) ~version:"%%VERSION%%" ~doc ~man
 

src/hostnet/configuration.ml

@@ -41,6 +41,7 @@ type t = {
   domain: string option;
   allowed_bind_addresses: Ipaddr.V4.t list;
   gateway_ip: Ipaddr.V4.t;
+  host_ip: Ipaddr.V4.t;
   (* TODO: remove this from the record since it is not constant across all clients *)
   lowest_ip: Ipaddr.V4.t;
   highest_ip: Ipaddr.V4.t;
@@ -54,7 +55,7 @@ type t = {
 }
 
 let to_string t =
-  Printf.sprintf "server_macaddr = %s; max_connection = %s; dns_path = %s; dns = %s; resolver = %s; domain = %s; allowed_bind_addresses = %s; gateway_ip = %s; lowest_ip = %s; highest_ip = %s; dhcp_json_path = %s; dhcp_configuration = %s; mtu = %d; http_intercept = %s; http_intercept_path = %s; port_max_idle_time = %s; host_names = %s"
+  Printf.sprintf "server_macaddr = %s; max_connection = %s; dns_path = %s; dns = %s; resolver = %s; domain = %s; allowed_bind_addresses = %s; gateway_ip = %s; host_ip = %s; lowest_ip = %s; highest_ip = %s; dhcp_json_path = %s; dhcp_configuration = %s; mtu = %d; http_intercept = %s; http_intercept_path = %s; port_max_idle_time = %s; host_names = %s"
     (Macaddr.to_string t.server_macaddr)
     (match t.max_connections with None -> "None" | Some x -> string_of_int x)
     (match t.dns_path with None -> "None" | Some x -> x)
@@ -63,6 +64,7 @@ let to_string t =
     (match t.domain with None -> "None" | Some x -> x)
     (String.concat ", " (List.map Ipaddr.V4.to_string t.allowed_bind_addresses))
     (Ipaddr.V4.to_string t.gateway_ip)
+    (Ipaddr.V4.to_string t.host_ip)
     (Ipaddr.V4.to_string t.lowest_ip)
     (Ipaddr.V4.to_string t.highest_ip)
     (match t.dhcp_json_path with None -> "None" | Some x -> x)
@@ -76,8 +78,9 @@ let to_string t =
 let no_dns_servers =
   Dns_forward.Config.({ servers = Server.Set.empty; search = []; assume_offline_after_drops = None })
 
-let default_lowest_ip = Ipaddr.V4.of_string_exn "192.168.65.2"
+let default_lowest_ip = Ipaddr.V4.of_string_exn "192.168.65.3"
 let default_gateway_ip = Ipaddr.V4.of_string_exn "192.168.65.1"
+let default_host_ip = Ipaddr.V4.of_string_exn "192.168.65.2"
 let default_highest_ip = Ipaddr.V4.of_string_exn "192.168.65.254"
 (* The default MTU is limited by the maximum message size on a Hyper-V
    socket. On currently available windows versions, we need to stay
@@ -98,6 +101,7 @@ let default = {
   domain = None;
   allowed_bind_addresses = [];
   gateway_ip = default_gateway_ip;
+  host_ip = default_host_ip;
   lowest_ip = default_lowest_ip;
   highest_ip = default_highest_ip;
   dhcp_json_path = None;

src/hostnet/slirp.ml

@@ -441,18 +441,105 @@ struct
 
   let ok () = Ok ()
 
-  module Local = struct
+  module Localhost = struct
     type t = {
       clock: Clock.t;
       endpoint: Endpoint.t;
       udp_nat: Udp_nat.t;
       dns_ips: Ipaddr.V4.t list;
     }
-    (** Represents the local machine including NTP and DNS servers *)
+    (** Proxies connections to services on localhost on the host *)
 
     (** Handle IPv4 datagrams by proxying them to a remote system *)
     let input_ipv4 t ipv4 = match ipv4 with
 
+    (* Respond to ICMP *)
+    | Ipv4 { raw; payload = Icmp _; _ } ->
+      let none ~src:_ ~dst:_ _ = Lwt.return_unit in
+      let default ~proto ~src ~dst buf = match proto with
+      | 1 (* ICMP *) ->
+        Stack_icmpv4.input t.endpoint.Endpoint.icmpv4 ~src ~dst buf
+      | _ ->
+        Lwt.return_unit in
+      Stack_ipv4.input t.endpoint.Endpoint.ipv4 ~tcp:none ~udp:none ~default raw
+      >|= ok
+
+    (* UDP to localhost *)
+    | Ipv4 { src; dst; ihl; dnf; raw; ttl;
+             payload = Udp { src = src_port; dst = dst_port; len;
+                             payload = Payload payload; _ }; _ } ->
+      let description =
+        Fmt.strf "%a:%d -> %a:%d" Ipaddr.V4.pp_hum src src_port Ipaddr.V4.pp_hum
+          dst dst_port
+      in
+      if Cstruct.len payload < len then begin
+        Log.err (fun f -> f "%s: dropping because reported len %d actual len %d"
+                    description len (Cstruct.len payload));
+        Lwt.return (Ok ())
+      end else if dnf && (Cstruct.len payload > safe_outgoing_mtu) then begin
+        Endpoint.send_icmp_dst_unreachable t.endpoint ~src ~dst ~src_port
+          ~dst_port ~ihl raw
+        >|= lift_ipv4_error
+      end else begin
+        (* [1] For UDP to our local address, rewrite the destination
+           to localhost.  This is the inverse of the rewrite
+           below[2] *)
+        let datagram =
+          { Hostnet_udp.src = Ipaddr.V4 src, src_port;
+            dst = Ipaddr.(V4 V4.localhost), dst_port; payload }
+        in
+        Udp_nat.input ~t:t.udp_nat ~datagram ~ttl ()
+        >|= ok
+      end
+
+    (* TCP to local ports *)
+    | Ipv4 { src; dst;
+             payload = Tcp { src = src_port; dst = dst_port; syn; raw;
+                             payload = Payload _; _ }; _ } ->
+      let id =
+        Stack_tcp_wire.v ~src_port:dst_port ~dst:src ~src:dst ~dst_port:src_port
+      in
+      Endpoint.input_tcp t.endpoint ~id ~syn
+        (Ipaddr.V4 Ipaddr.V4.localhost, dst_port) raw
+      >|= ok
+    | _ ->
+      Lwt.return (Ok ())
+
+    let create clock endpoint udp_nat dns_ips =
+      let tcp_stack = { clock; endpoint; udp_nat; dns_ips } in
+      let open Lwt.Infix in
+      (* Wire up the listeners to receive future packets: *)
+      Switch.Port.listen endpoint.Endpoint.netif
+        (fun buf ->
+           let open Frame in
+           match parse [ buf ] with
+           | Ok (Ethernet { payload = Ipv4 ipv4; _ }) ->
+             Endpoint.touch endpoint;
+             (input_ipv4 tcp_stack (Ipv4 ipv4) >|= function
+               | Ok ()   -> ()
+               | Error e ->
+                 Log.err (fun l ->
+                     l "error while reading IPv4 input: %a" pp_error e))
+           | _ ->
+             Lwt.return_unit
+        )
+      >|= function
+      | Ok ()         -> Ok tcp_stack
+      | Error _ as e -> e
+
+  end
+
+  module Gateway = struct
+    type t = {
+      clock: Clock.t;
+      endpoint: Endpoint.t;
+      udp_nat: Udp_nat.t;
+      dns_ips: Ipaddr.V4.t list;
+    }
+    (** Services offered by vpnkit to the internal network *)
+
+    let input_ipv4 t ipv4 = match ipv4 with
+
     (* Respond to ICMP *)
     | Ipv4 { raw; payload = Icmp _; _ } ->
       let none ~src:_ ~dst:_ _ = Lwt.return_unit in
@@ -501,54 +588,22 @@ struct
       Udp_nat.input ~t:t.udp_nat ~datagram ~ttl ()
       >|= ok
 
-    (* UDP to any other port: localhost *)
-    | Ipv4 { src; dst; ihl; dnf; raw; ttl;
-             payload = Udp { src = src_port; dst = dst_port; len;
-                             payload = Payload payload; _ }; _ } ->
-      let description =
-        Fmt.strf "%a:%d -> %a:%d" Ipaddr.V4.pp_hum src src_port Ipaddr.V4.pp_hum
-          dst dst_port
-      in
-      if Cstruct.len payload < len then begin
-        Log.err (fun f -> f "%s: dropping because reported len %d actual len %d"
-                    description len (Cstruct.len payload));
-        Lwt.return (Ok ())
-      end else if dnf && (Cstruct.len payload > safe_outgoing_mtu) then begin
-        Endpoint.send_icmp_dst_unreachable t.endpoint ~src ~dst ~src_port
-          ~dst_port ~ihl raw
-        >|= lift_ipv4_error
-      end else begin
-        (* [1] For UDP to our local address, rewrite the destination
-           to localhost.  This is the inverse of the rewrite
-           below[2] *)
-        let datagram =
-          { Hostnet_udp.src = Ipaddr.V4 src, src_port;
-            dst = Ipaddr.(V4 V4.localhost), dst_port; payload }
-        in
-        Udp_nat.input ~t:t.udp_nat ~datagram ~ttl ()
-        >|= ok
-      end
-
-    (* TCP to local ports *)
+    (* HTTP proxy *)
     | Ipv4 { src; dst;
              payload = Tcp { src = src_port; dst = dst_port; syn; raw;
                              payload = Payload _; _ }; _ } ->
       let id =
         Stack_tcp_wire.v ~src_port:dst_port ~dst:src ~src:dst ~dst_port:src_port
       in
-      (* local HTTP proxy *)
-      let callback = match !http with
-      | None -> None
-      | Some http -> Http_forwarder.explicit_proxy_handler ~dst:(dst, dst_port) ~t:http
-      in
-      begin match callback with
-      | None ->
-        Endpoint.input_tcp t.endpoint ~id ~syn
-          (Ipaddr.V4 Ipaddr.V4.localhost, dst_port) raw
-        >|= ok
-      | Some cb ->
-        Endpoint.intercept_tcp_syn t.endpoint ~id ~syn (fun _ -> cb) raw
-        >|= ok
+      begin match !http with
+      | None -> Lwt.return (Ok ())
+      | Some http ->
+        begin match Http_forwarder.explicit_proxy_handler ~dst:(dst, dst_port) ~t:http with
+        | None -> Lwt.return (Ok ())
+        | Some cb ->
+          Endpoint.intercept_tcp_syn t.endpoint ~id ~syn (fun _ -> cb) raw
+          >|= ok
+        end
       end
     | _ ->
       Lwt.return (Ok ())
@@ -862,13 +917,11 @@ struct
     let local_arp_table = [
       c.Configuration.lowest_ip, client_macaddr;
       c.Configuration.gateway_ip, c.Configuration.server_macaddr;
+      c.Configuration.host_ip, c.Configuration.server_macaddr;
     ] in
     Global_arp_ethif.connect switch
     >>= fun global_arp_ethif ->
 
-    (* Listen on local IPs *)
-    let local_ips = [ c.Configuration.gateway_ip ] in
-
     let dhcp = Dhcp.make ~configuration:c clock switch in
 
     let endpoints = IPMap.empty in
@@ -915,7 +968,7 @@ struct
          virtual IP. This is the inverse of the rewrite above[1] *)
       let src =
         if Ipaddr.V4.compare src Ipaddr.V4.localhost = 0
-        then c.Configuration.gateway_ip
+        then c.Configuration.host_ip
         else src in
       begin
         find_endpoint src >>= function
@@ -1027,21 +1080,39 @@ struct
         | Ok (Ethernet { payload = Ipv4 ({ dst; _ } as ipv4 ); _ }) ->
           (* For any new IP destination, create a stack to proxy for
              the remote system *)
-          if List.mem dst local_ips then begin
+          if dst = c.Configuration.gateway_ip then begin
             begin
               let open Lwt_result.Infix in
               find_endpoint dst >>= fun endpoint ->
               Log.debug (fun f ->
-                  f "creating local TCP/IP proxy for %a" Ipaddr.V4.pp_hum dst);
-              Local.create clock endpoint udp_nat local_ips
+                  f "creating gateway TCP/IP proxy for %a" Ipaddr.V4.pp_hum dst);
+              Gateway.create clock endpoint udp_nat [ c.Configuration.gateway_ip ]
             end >>= function
             | Error e ->
               Log.err (fun f ->
                   f "Failed to create a TCP/IP stack: %a" Switch.Port.pp_error e);
               Lwt.return_unit
             | Ok tcp_stack ->
               (* inject the ethernet frame into the new stack *)
-              Local.input_ipv4 tcp_stack (Ipv4 ipv4) >|= function
+              Gateway.input_ipv4 tcp_stack (Ipv4 ipv4) >|= function
+              | Ok ()   -> ()
+              | Error e ->
+                Log.err (fun f -> f "failed to read TCP/IP input: %a" pp_error e);
+          end else if dst = c.Configuration.host_ip then begin
+            begin
+              let open Lwt_result.Infix in
+              find_endpoint dst >>= fun endpoint ->
+              Log.debug (fun f ->
+                  f "creating localhost TCP/IP proxy for %a" Ipaddr.V4.pp_hum dst);
+              Localhost.create clock endpoint udp_nat [ c.Configuration.host_ip ]
+            end >>= function
+            | Error e ->
+              Log.err (fun f ->
+                  f "Failed to create a TCP/IP stack: %a" Switch.Port.pp_error e);
+              Lwt.return_unit
+            | Ok tcp_stack ->
+              (* inject the ethernet frame into the new stack *)
+              Localhost.input_ipv4 tcp_stack (Ipv4 ipv4) >|= function
               | Ok ()   -> ()
               | Error e ->
                 Log.err (fun f -> f "failed to read TCP/IP input: %a" pp_error e);
@@ -1245,7 +1316,11 @@ struct
     Log.info (fun f -> f "Configuration %s" (Configuration.to_string c));
     let global_arp_table : arp_table = {
       mutex = Lwt_mutex.create();
-      table = [c.Configuration.gateway_ip, c.Configuration.server_macaddr];
+      table = [
+        c.Configuration.gateway_ip, c.Configuration.server_macaddr;
+        c.Configuration.host_ip,    c.Configuration.server_macaddr;
+      ];
+
     } in
     let client_uuids : uuid_table = {
       mutex = Lwt_mutex.create();