From 0ad8a1495c5c7eb0cb60d99902e2e04f801f7449 Mon Sep 17 00:00:00 2001
From: Diego Sueiro
Date: Thu, 30 Jul 2020 16:52:18 +0100
Subject: [PATCH] arm-autonomy/xenguest-network: Add NAT port forward support

When XENGUEST_IMAGE_NETWORK_TYPE="nat", add the option to set NAT port forward to have access to the guest from the external network. The port forward is applied per guest by the 00-xenguest-nat-port-forward.hook script which is called by /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook. The ports can be customised by the XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables.

Change-Id: I49492f5ac881fd3cc38838ce24d1d4160a4e65df
Issue-Id: SCM-1019
Signed-off-by: Diego Sueiro
Reviewed-by: Bertrand Marquis
Signed-off-by: Jon Mason
---
 .../documentation/xenguest-network.md | 6 +++
 .../xenguest/files/00-vif-xenguest.hook | 16 +++++++
 .../files/00-xenguest-nat-port-forward.hook | 48 +++++++++++++++++++
 .../xenguest/xenguest-base-image.bb | 28 ++++++++++-
 .../xenguest/xenguest-network.bb | 1 +
 5 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100755 meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook

diff --git a/meta-arm-autonomy/documentation/xenguest-network.md b/meta-arm-autonomy/documentation/xenguest-network.md
index c61a11a2..b731f3ed 100644
--- a/meta-arm-autonomy/documentation/xenguest-network.md
+++ b/meta-arm-autonomy/documentation/xenguest-network.md
@@ -66,5 +66,11 @@ The following parameters are available:
 image is created. It will be consumed by the "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" script which is called by "/etc/xen/scripts/vif-nat" script when starting/stopping the xenguest.
+ In the guest project, the NAT port forward can be customised by changing
+ the XENGUEST_IMAGE_HOST_PORT (default: "1000 + ${domid}") and
+ XENGUEST_IMAGE_GUEST_PORT (default: "22") variables in local.conf or
+ xenguest-base-image.bbappend. This configuration is implemented and installed
+ in "/etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook"
+ script which is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook".
 The **none** type will not affect any networking setting between on dom0 and domU.
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
index 32d5976f..7a2fb6ff 100755
--- a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
@@ -95,6 +95,20 @@ dhcpd_offline(){
 # are no vifs.
 }
+call_extra_hooks() {
+ for f in /etc/xenguest/guests/${guestname}/files/*.hook; do
+ if [ -x "$f" ]; then
+ log info "Executing $f"
+ . "$f"
+ if [ $? -ne 0 ]; then
+ log err "$f failed."
+ fi
+ else
+ log info "$f is not executable. Skipping."
+ fi
+ done
+}
+
 case "${XENGUEST_NETWORK_TYPE}" in
 nat)
 XENGUEST_DHCPD_PARAMS_FILE=${XENGUEST_DHCPD_PARAMS_FILE:-"/etc/xenguest/guests/${guestname}/files/dhcpd-params.cfg"}
@@ -126,5 +140,7 @@ case "${XENGUEST_NETWORK_TYPE}" in
 ;;
 esac
+ # We might have extra configs to be applied (e.g.: NAT port forward).
+ call_extra_hooks
 ;;
 esac
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
new file mode 100755
index 00000000..875c1810
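Review bot: `. "$f"` sources every executable `*.hook` under `/etc/xenguest/guests/${guestname}/files/` into this script's own shell, with the privileges the Xen hotplug scripts run with (normally root in dom0), so a hook that calls `exit` terminates 00-vif-xenguest.hook itself, a hook's variables overwrite this script's, and `$?` after `.` is only the status of the sourced file's last statement — when the new hook's `port_num_check` fails its trailing `if` ends with status 0, so the `log err "$f failed."` branch is never reached. When the glob matches nothing `$f` is the literal pattern and the loop logs `... is not executable. Skipping.` for it; add `[ -e "$f" ] || continue` as the first line of the loop body. That directory is effectively a root-executed extension point, which the function should say, e.g. `# Files here are sourced (not executed) with this script's privileges; keep the directory root-owned and not group/world-writable.` This file logs with `log err` while the 00-xenguest-nat-port-forward.hook added in the same commit uses `log error`; one spelling should be used in both.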
--- /dev/null
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
@@ -0,0 +1,48 @@
+#============================================================================
+# /etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook
+#
+# Script for performing local configuration related to NAT port forwarding of
+# a vif.
+# This script will be sourced by
+# /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook when
+# XENGUEST_IMAGE_NETWORK_TYPE="nat".
+# The ${bridge} and ${domid} are set in the 00-vif-xenguest.hook context,
+# and ${vip_if} in the vif-nat script context.
+#
+# Environment vars:
+# command (add|remove|online|offline)
+# dev vif interface name (required).
+# main_ip IP address of Dom0
+# ip list of IP networks for the vif, space-separated
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#============================================================================
+
+host_port="###HOST_PORT###"
+guest_port="###GUEST_PORT###"
+
+port_num_check() {
+ if [ ${host_port} -gt 65535 -o ${guest_port} -gt 65535 ]; then
+ log error "host_port=${host_port} or guest_port=${guest_port} greater than 65535."
+ return 1
+ fi
+ return 0
+}
+
+case "${command}" in
+ online)
+ port_num_check
+ if [ $? -eq 0 ]; then
+ iptables_w -t nat -A PREROUTING -i ${bridge} -p tcp \
+ --dport ${host_port} -j DNAT \
+ --to-destination ${vif_ip}:${guest_port} \
+ -m comment --comment "dom${domid}"
+ fi
+ ;;
+ offline)
+ # Remove the NAT iptables rules created for the dom${domid}
+ guest_ipt_rule=$(iptables_w -t nat -vL PREROUTING -n --line-number \
+ | grep -w dom${domid} | awk '{print $1}' | tac)
+ for rule in ${guest_ipt_rule}; \
+ do iptables_w -t nat --delete PREROUTING ${rule}; done
+ ;;
+esac
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
index 8516fe87..d164a811 100644
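Review bot: `port_num_check` only rejects values above 65535: an empty, non-numeric or still-unexpanded `###HOST_PORT###` value makes `[` fail with a syntax error, the `if` body is skipped, the function returns 0 and the `online` branch runs iptables with a bad `--dport`; the `-o` form inside `[ ]` is also obsolescent in POSIX. The rewrite below validates both values as decimal numbers in 1..65535 before anything reaches iptables, logging with `log err` as 00-vif-xenguest.hook does. The `online` branch also appends unconditionally, so a repeated online event for the same domain leaves duplicate DNAT rules; `iptables_w -t nat -C PREROUTING <same args> || iptables_w -t nat -A PREROUTING <same args>` keeps it idempotent. The header comment lists `${vip_if}` while the rule uses `${vif_ip}`; presumably the comment has the typo.
```shell
port_num_check() {
    # Both values are spliced in at build time; reject anything that is not a
    # decimal port in 1..65535 (empty, non-numeric, unexpanded placeholder)
    # before it can reach iptables.
    for port in "${host_port}" "${guest_port}"; do
        case "${port}" in
            ''|*[!0-9]*)
                log err "invalid port '${port}' (host_port=${host_port} guest_port=${guest_port})."
                return 1
                ;;
        esac
        if [ "${port}" -lt 1 ] || [ "${port}" -gt 65535 ]; then
            log err "port ${port} outside 1-65535 (host_port=${host_port} guest_port=${guest_port})."
            return 1
        fi
    done
    return 0
}
# … unchanged: case "${command}" in online) / offline) … esac …
```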
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
@@ -23,6 +23,16 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+# When XENGUEST_IMAGE_NETWORK_TYPE="nat", the "00-xenguest-nat-port-forward.hook"
+# is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" to apply NAT
+# port forwarding. Both dom0 and domU ports can be be set by changing the
+# XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables in local.conf
+# or xenguest-base-image.bbappend. The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT
+# can also be replaced in a xenguest-base-image.bbappend
+XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"
+XENGUEST_IMAGE_GUEST_PORT ?= "22"
+XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT ?= "00-xenguest-nat-port-forward.hook"
+
 #
 # The following variables can contain SRC_URI compatible entries to add
 # files to the xenguest image.
@@ -40,7 +50,12 @@ XENGUEST_IMAGE_SRC_URI_DISK_FILES ??= ""
 # The dhcpd-params.cfg holds the dhcpd configuration for Dom0. And it is used
 # when XENGUEST_IMAGE_NETWORK_TYPE="nat". Any customizations to it should be
 # performed by replacing it via a xenguest-network.bbappend.
-XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg"
+# The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT file is only added if the
+# variable is set.
+XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg \
+ ${@ "file://" + d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') \
+ if d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') else "" } \
+ "
 # Add xen configuration elements
 XENGUEST_IMAGE_SRC_URI_XEN_CONFIG ??= ""
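Review bot: The default `XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"` is not a port number but a shell fragment: the escaped `$(...)` survives BitBake expansion, is written into the hook by the sed in do_configure, and is evaluated by the shell that sources the hook in dom0 when the vif comes online — and the same holds for any value set in local.conf or a bbappend, which therefore runs with whatever privileges the vif hook has. The comment block above the assignments should say this explicitly, e.g. `# The value is spliced verbatim into the hook script and evaluated by the shell in dom0 when the vif comes online; use a literal port or the documented expr form.` The comment also has a doubled word (`can be be set`) and its last sentence lacks a full stop.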
@@ -82,8 +97,8 @@ python __anonymous() {
 # Make sure we are removing old files before redoing a fetch
 do_fetch[cleandirs] += "${WORKDIR}/extend"
+do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"
-do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 do_install[noexec] = "1"
@@ -107,6 +122,15 @@ add_extend_files() {
 fi
 }
+do_configure() {
+ if [ -f ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT} ]; then
+ sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
+ ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+ sed -i "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," \
+ ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+ fi
+}
+
 do_deploy() {
 # Create a new image
 xenguest_image_create
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
index fa4f93fe..206a2943 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
@@ -62,6 +62,7 @@ RDEPENDS_${PN} += "bridge-utils \
 kernel-module-xt-tcpudp \
 kernel-module-xt-physdev \
 kernel-module-xt-comment \
+ kernel-module-xt-nat \
 "
 FILES_${PN} += "${sysconfdir}/network/interfaces.d/xenguest-network-bridge.cfg"
 FILES_${PN} += "${sysconfdir}/xenguest/init.pre/network-bridge.sh"
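Review bot: `do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"` needs a comment, because do_fetch itself never reads those two variables: presumably they are attached here because the do_configure added later in this commit rewrites the fetched copy in place with `sed -i`, so a changed port can only be re-applied once `do_fetch[cleandirs]` has produced a fresh copy. Without that comment the next maintainer is likely to move the vardeps to do_configure, which BitBake already tracks from the references in its shell body, and the substitution silently stops being re-applied after a port change. Suggested: `# do_configure edits the fetched hook in place; a changed port needs a clean re-fetch to be re-applied.`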
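Review bot: In `do_configure` the port values are used as raw sed replacement text with `,` as the delimiter, so a value containing `,`, `&`, `\` or a newline either breaks the `s` command or yields a different script, and the hook path is unquoted in all three places. The values end up in a shell script that dom0 sources when the vif comes online, so this task is the last build-time point at which an odd value can be noticed; the rewrite below quotes the path, folds the two edits into one sed invocation and records where the value is headed. do_configure is new in this commit, so the whole function is inside the hunk.
```shell
do_configure() {
    script="${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}"
    [ -f "${script}" ] || return 0
    # The values are spliced verbatim into a script that dom0 later sources
    # when the vif comes online. ',' is the sed delimiter and '&' / '\' are
    # special in the replacement, so they must not appear in the values.
    sed -i -e "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
           -e "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," "${script}"
}
```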