arm-autonomy/xenguest-network: Add NAT port forward support

When XENGUEST_IMAGE_NETWORK_TYPE="nat", add the option to set NAT port forward to have access to the guest from the external network. The port forward is applied per guest by the 00-xenguest-nat-port-forward.hook script which is called by /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook. The ports can be customised by the XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables. Change-Id: I49492f5ac881fd3cc38838ce24d1d4160a4e65df Issue-Id: SCM-1019 Signed-off-by: Diego Sueiro <diego.sueiro@arm.com> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-06 14:50:03 +00:00 · 2020-07-30 16:52:18 +01:00
parent 7318d9ac3c
commit 0ad8a1495c
5 changed files with 97 additions and 2 deletions
@@ -66,5 +66,11 @@ The following parameters are available:
  image is created. It will be consumed by the
  "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" script which is called by
  "/etc/xen/scripts/vif-nat" script when starting/stopping the xenguest.
+  In the guest project, the NAT port forward can be customised by changing
+  the XENGUEST_IMAGE_HOST_PORT (default: "1000 + ${domid}") and
+  XENGUEST_IMAGE_GUEST_PORT (default: "22") variables in local.conf or
+  xenguest-base-image.bbappend. This configuration is implemented and installed
+  in "/etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook"
+  script which is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook".
  The **none** type will not affect any networking setting between on dom0 and
  domU.
@@ -95,6 +95,20 @@ dhcpd_offline(){
                                       # are no vifs.
 }

+call_extra_hooks() {
+    for f in /etc/xenguest/guests/${guestname}/files/*.hook; do
+        if [ -x "$f" ]; then
+            log info "Executing $f"
+            . "$f"
+            if [ $? -ne 0 ]; then
+                log err "$f failed."
+            fi
+        else
+            log info "$f is not executable. Skipping."
+        fi
+    done
+}
+
 case "${XENGUEST_NETWORK_TYPE}" in
    nat)
        XENGUEST_DHCPD_PARAMS_FILE=${XENGUEST_DHCPD_PARAMS_FILE:-"/etc/xenguest/guests/${guestname}/files/dhcpd-params.cfg"}
@@ -126,5 +140,7 @@ case "${XENGUEST_NETWORK_TYPE}" in
               ;;
        esac

+        # We might have extra configs to be applied (e.g.: NAT port forward).
+        call_extra_hooks
        ;;
 esac
@@ -0,0 +1,48 @@
+#============================================================================
+# /etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook
+#
+# Script for performing local configuration related to NAT port forwarding of
+# a vif.
+# This script will be sourced by
+# /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook when
+# XENGUEST_IMAGE_NETWORK_TYPE="nat".
+# The ${bridge} and ${domid} are set in the 00-vif-xenguest.hook context,
+# and ${vip_if} in the vif-nat script context.
+#
+# Environment vars:
+# command     (add|remove|online|offline)
+# dev         vif interface name (required).
+# main_ip     IP address of Dom0
+# ip          list of IP networks for the vif, space-separated
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#============================================================================
+
+host_port="###HOST_PORT###"
+guest_port="###GUEST_PORT###"
+
+port_num_check() {
+    if [ ${host_port} -gt 65535 -o ${guest_port} -gt 65535 ]; then
+        log error "host_port=${host_port} or guest_port=${guest_port} greater than 65535."
+        return 1
+    fi
+    return 0
+}
+
+case "${command}" in
+    online)
+        port_num_check
+        if [ $? -eq 0 ]; then
+            iptables_w -t nat -A PREROUTING -i ${bridge} -p tcp \
+                       --dport ${host_port} -j DNAT \
+                       --to-destination ${vif_ip}:${guest_port} \
+                       -m comment --comment "dom${domid}"
+        fi
+        ;;
+    offline)
+        # Remove the NAT iptables rules created for the dom${domid}
+        guest_ipt_rule=$(iptables_w -t nat -vL PREROUTING -n --line-number \
+                         | grep -w dom${domid} | awk '{print $1}' | tac)
+        for rule in ${guest_ipt_rule}; \
+            do iptables_w -t nat --delete PREROUTING ${rule}; done
+        ;;
+esac
@@ -23,6 +23,16 @@ LICENSE = "MIT"

 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

+# When XENGUEST_IMAGE_NETWORK_TYPE="nat", the "00-xenguest-nat-port-forward.hook"
+# is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" to apply NAT
+# port forwarding. Both dom0 and domU ports can be be set by changing the
+# XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables in local.conf
+# or xenguest-base-image.bbappend. The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT
+# can also be replaced in a xenguest-base-image.bbappend
+XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"
+XENGUEST_IMAGE_GUEST_PORT ?= "22"
+XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT ?= "00-xenguest-nat-port-forward.hook"
+
 #
 # The following variables can contain SRC_URI compatible entries to add
 # files to the xenguest image.
@@ -40,7 +50,12 @@ XENGUEST_IMAGE_SRC_URI_DISK_FILES ??= ""
 # The dhcpd-params.cfg holds the dhcpd configuration for Dom0. And it is used
 # when XENGUEST_IMAGE_NETWORK_TYPE="nat". Any customizations to it should be
 # performed by replacing it via a xenguest-network.bbappend.
-XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg"
+# The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT file is only added if the
+# variable is set.
+XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg \
+    ${@ "file://" + d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') \
+      if d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') else "" } \
+    "

 # Add xen configuration elements
 XENGUEST_IMAGE_SRC_URI_XEN_CONFIG ??= ""
@@ -82,8 +97,8 @@ python __anonymous() {

 # Make sure we are removing old files before redoing a fetch
 do_fetch[cleandirs] += "${WORKDIR}/extend"
+do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"

-do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 do_install[noexec] = "1"

@@ -107,6 +122,15 @@ add_extend_files() {
    fi
 }

+do_configure() {
+    if [ -f ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT} ]; then
+        sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
+               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+        sed -i "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," \
+               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+    fi
+}
+
 do_deploy() {
    # Create a new image
    xenguest_image_create
@@ -62,6 +62,7 @@ RDEPENDS_${PN} += "bridge-utils \
                   kernel-module-xt-tcpudp \
                   kernel-module-xt-physdev \
                   kernel-module-xt-comment \
+                   kernel-module-xt-nat \
                  "
 FILES_${PN} += "${sysconfdir}/network/interfaces.d/xenguest-network-bridge.cfg"
 FILES_${PN} += "${sysconfdir}/xenguest/init.pre/network-bridge.sh"