Currently there doesn't seem to be any way to access the localhost interface (127.0.0.1) of a server. It would be really handy to be able to do so, since it's common for some services to only listen on localhost interfaces.
But adding AllowedIP routes for localhost addresses probably isn't a great idea; might mess up the client's networking.
@luker983 would it be possible (with how Wiretap's networking stack works) to let users specify a "localhost" access IP for each server, which the receiving server would then just send to 127.0.0.1 instead? For example:
This would add something like localhost-ip = 1.2.3.4 to the server config, and 1.2.3.4 to the AllowedIPs of the client config. Then once set up, curl 1.2.3.4 would actually get connected to 127.0.0.1 of the associated server.
It would be up to the user to make sure they pick a mock localhost IP that they don't otherwise need to be able to actually talk to.
Was able to get a PoC of this working using gvisor's IPTables functionality in the localhost-server branch. PoC only works for TCP, and uses 192.168.137.137 as the hard-coded IP that will redirect to localhost on the server. This has to be manually added as an allowedIP to the wiretap.conf file, so it also will only work on whatever server that allowedIP is assigned to.
Unfortunately gvisor doesn't provide the exported functions needed to do DNAT for a range of ports, so I had to do some unsafe stuff with compiler directives to get access to the un-exported function that facilitates the desired behavior.
Might alternatively be able to create 65536 rules for each individual port using a loop, but not sure if that would be better or worse than using an unsafe compiler option.
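The issue leaves it to the user to pick a stand-in "localhost" IP that does not collide with anything they need to reach. The sketch below is an added example, not code from Wiretap or from this thread; `checkLocalhostIP` and its `inUse` list of already-routed prefixes are hypothetical names, and it validates a candidate before it is placed in AllowedIPs.

```go
package main

import (
	"fmt"
	"net/netip"
)

// checkLocalhostIP returns nil when candidate can safely serve as the stand-in
// address a server redirects to its own 127.0.0.1. inUse (hypothetical input)
// lists prefixes the client must still reach directly or through the tunnel.
func checkLocalhostIP(candidate string, inUse []string) error {
	addr, err := netip.ParseAddr(candidate)
	if err != nil {
		return fmt.Errorf("not an IP address: %w", err)
	}
	addr = addr.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	switch {
	case addr.IsLoopback():
		return fmt.Errorf("%s is loopback; routing it would break the client's own localhost", addr)
	case addr.IsUnspecified(), addr.IsMulticast(), addr.IsLinkLocalUnicast():
		return fmt.Errorf("%s is not an ordinary unicast address", addr)
	}
	for _, p := range inUse {
		prefix, err := netip.ParsePrefix(p)
		if err != nil {
			return fmt.Errorf("bad prefix %q: %w", p, err)
		}
		if prefix.Contains(addr) {
			return fmt.Errorf("%s is inside %s, which is already in use", addr, prefix)
		}
	}
	return nil
}

func main() {
	// Constructed sample: prefixes a client already routes.
	inUse := []string{"10.0.0.0/24", "192.168.1.0/24"}
	for _, ip := range []string{"192.168.137.137", "127.0.0.1", "192.168.1.10"} {
		fmt.Printf("%-16s -> %v\n", ip, checkLocalhostIP(ip, inUse))
	}
}
```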