Rationalised firewall rules syntax

Added explicit NAT target, allowing NAT even within client net and
making it clear that NAT is used externally.

Changed Redirect_to_netvm to NAT_to, and allow specifying any target
host.

client_net.ml

@@ -10,9 +10,10 @@ module ClientEth = Ethif.Make(Netback)
 let src = Logs.Src.create "net" ~doc:"Client networking"
 module Log = (val Logs.src_log src : Logs.LOG)
 
-class client_iface eth client_ip client_mac : client_link = object
+class client_iface eth ~gateway_ip ~client_ip client_mac : client_link = object
   method my_mac = ClientEth.mac eth
   method other_mac = client_mac
+  method my_ip = gateway_ip
   method other_ip = client_ip
   method writev ip =
     let eth_hdr = eth_header_ipv4 ~src:(ClientEth.mac eth) ~dst:client_mac in
@@ -44,10 +45,12 @@ let add_vif { Dao.domid; device_id; client_ip } ~router ~cleanup_tasks =
     f domid (Ipaddr.V4.to_string client_ip));
   ClientEth.connect backend >>= or_fail "Can't make Ethernet device" >>= fun eth ->
   let client_mac = Netback.mac backend in
-  let iface = new client_iface eth client_ip client_mac in
+  let client_eth = router.Router.client_eth in
+  let gateway_ip = Client_eth.client_gw client_eth in
+  let iface = new client_iface eth ~gateway_ip ~client_ip client_mac in
   Router.add_client router iface;
   Cleanup.on_cleanup cleanup_tasks (fun () -> Router.remove_client router iface);
-  let fixed_arp = Client_eth.ARP.create ~net:router.Router.client_eth iface in
+  let fixed_arp = Client_eth.ARP.create ~net:client_eth iface in
   Netback.listen backend (fun frame ->
     match Wire_structs.parse_ethernet_frame frame with
     | None -> Log.warn "Invalid Ethernet frame" Logs.unit; return ()