tstest/natlab: respect NATTable interface's invalid-means-drop everywhere

And sprinkle some more docs around. Updates #13038 Change-Id: Ia2dcf567b68170481cc2094d64b085c6b94a778a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-02-19 19:38:40 +00:00 · 2024-08-23 14:14:28 -07:00 · 2024-08-23 14:14:28 -07:00 · e5fd36ad78
commit e5fd36ad78
parent 03acab2639
1 changed files with 9 additions and 0 deletions
--- a/tstest/natlab/vnet/vnet.go
+++ b/tstest/natlab/vnet/vnet.go
@ -1065,7 +1065,12 @@ func (n *network) HandleEthernetIPv4PacketForRouter(ep EthernetPacket) {
 			InterfaceIndex: n.lanInterfaceID,
 		}, buf)

+		lanSrc := src // the original src, before NAT (for logging only)
 		src = n.doNATOut(src, dst)
+		if !src.IsValid() {
+			n.logf("warning: NAT dropped packet; no NAT out mapping for %v=>%v", lanSrc, dst)
+			return
+		}
 		buf, err = n.serializedUDPPacket(src, dst, udp.Payload, nil)
 		if err != nil {
 			n.logf("serializing UDP packet: %v", err)
@ -1401,6 +1406,8 @@ func (s *Server) createDNSResponse(pkt gopacket.Packet) ([]byte, error) {
 // src is a LAN IP and dst is a WAN IP.
 //
 // It returns the source WAN ip:port to use.
+//
+// If newSrc is invalid, the packet should be dropped.
 func (n *network) doNATOut(src, dst netip.AddrPort) (newSrc netip.AddrPort) {
 	n.natMu.Lock()
 	defer n.natMu.Unlock()
@ -1423,6 +1430,8 @@ type portmapFlowKey struct {

 // doNATIn performs NAT on an incoming packet from WAN src to WAN dst, returning
 // a new destination LAN ip:port to use.
+//
+// If newDst is invalid, the packet should be dropped.
 func (n *network) doNATIn(src, dst netip.AddrPort) (newDst netip.AddrPort) {
 	n.natMu.Lock()
 	defer n.natMu.Unlock()