[meta-arm,4/4] arm-autonomy/xenguest-network: Add NAT port forward support

Submitted by Diego Sueiro on July 30, 2020, 3:52 p.m. | Patch ID: 174908

Details

Message ID 1596124338-106961-4-git-send-email-diego.sueiro@arm.com
State New

Commit Message

Diego Sueiro July 30, 2020, 3:52 p.m.
When XENGUEST_IMAGE_NETWORK_TYPE="nat", add an option to set up a NAT port
forward so that the guest can be reached from the external network.

The port forward is applied per guest by the 00-xenguest-nat-port-forward.hook
script which is called by /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook.
The ports can be customised by the XENGUEST_IMAGE_HOST_PORT and
XENGUEST_IMAGE_GUEST_PORT variables.

Change-Id: I49492f5ac881fd3cc38838ce24d1d4160a4e65df
Issue-Id: SCM-1019
Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
 .../documentation/xenguest-network.md              |  6 +++
 .../xenguest/files/00-vif-xenguest.hook            | 16 ++++++++
 .../files/00-xenguest-nat-port-forward.hook        | 48 ++++++++++++++++++++++
 .../xenguest/xenguest-base-image.bb                | 28 ++++++++++++-
 .../recipes-extended/xenguest/xenguest-network.bb  |  1 +
 5 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100755 meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook


diff --git a/meta-arm-autonomy/documentation/xenguest-network.md b/meta-arm-autonomy/documentation/xenguest-network.md
index c61a11a..b731f3e 100644
--- a/meta-arm-autonomy/documentation/xenguest-network.md
+++ b/meta-arm-autonomy/documentation/xenguest-network.md
@@ -66,5 +66,11 @@  The following parameters are available:
   image is created. It will be consumed by the
   "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" script which is called by
   "/etc/xen/scripts/vif-nat" script when starting/stopping the xenguest.
+  In the guest project, the NAT port forward can be customised by changing
+  the XENGUEST_IMAGE_HOST_PORT (default: "1000 + ${domid}") and
+  XENGUEST_IMAGE_GUEST_PORT (default: "22") variables in local.conf or
+  xenguest-base-image.bbappend. This configuration is implemented and installed
+  in "/etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook"
+  script which is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook".
   The **none** type will not affect any networking setting between on dom0 and
   domU.
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
index 32d5976..7a2fb6f 100755
--- a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
@@ -95,6 +95,20 @@  dhcpd_offline(){
                                        # are no vifs.
 }
 
+call_extra_hooks() {
+    for f in /etc/xenguest/guests/${guestname}/files/*.hook; do
+        if [ -x "$f" ]; then
+            log info "Executing $f"
+            . "$f"
+            if [ $? -ne 0 ]; then
+                log err "$f failed."
+            fi
+        else
+            log info "$f is not executable. Skipping."
+        fi
+    done
+}
+
 case "${XENGUEST_NETWORK_TYPE}" in
     nat)
         XENGUEST_DHCPD_PARAMS_FILE=${XENGUEST_DHCPD_PARAMS_FILE:-"/etc/xenguest/guests/${guestname}/files/dhcpd-params.cfg"}
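Review bot: The `if [ $? -ne 0 ]` after `. "$f"` in call_extra_hooks only sees the exit status of the last command the sourced hook happened to run, so a hook whose last statement is an `if` with a false condition (as the new port-forward hook is when its port check fails) reports success and nothing is logged as failed. Because the file is sourced rather than executed, every variable the hook sets (`host_port`, `guest_port`, `guest_ipt_rule`, `rule`) also lands in the caller's namespace and survives into the next hook of the loop. When the directory holds no `*.hook` file the unmatched glob is iterated literally and logged as "is not executable. Skipping.", which is misleading; add `[ -e "$f" ] || continue` as the first statement of the loop body. The status test reads more directly as `if ! . "$f"; then log err "$f failed."; fi`, and `${guestname}` in the glob should be quoted.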
@@ -126,5 +140,7 @@  case "${XENGUEST_NETWORK_TYPE}" in
                ;;
         esac
 
+        # We might have extra configs to be applied (e.g.: NAT port forward).
+        call_extra_hooks
         ;;
 esac
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
new file mode 100755
index 0000000..875c181
--- /dev/null
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
@@ -0,0 +1,48 @@ 
+#============================================================================
+# /etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook
+#
+# Script for performing local configuration related to NAT port forwarding of
+# a vif.
+# This script will be sourced by
+# /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook when
+# XENGUEST_IMAGE_NETWORK_TYPE="nat".
+# The ${bridge} and ${domid} are set in the 00-vif-xenguest.hook context,
+# and ${vip_if} in the vif-nat script context.
+#
+# Environment vars:
+# command     (add|remove|online|offline)
+# dev         vif interface name (required).
+# main_ip     IP address of Dom0
+# ip          list of IP networks for the vif, space-separated
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#============================================================================
+
+host_port="###HOST_PORT###"
+guest_port="###GUEST_PORT###"
+
+port_num_check() {
+    if [ ${host_port} -gt 65535 -o ${guest_port} -gt 65535 ]; then
+        log error "host_port=${host_port} or guest_port=${guest_port} greater than 65535."
+        return 1
+    fi
+    return 0
+}
+
+case "${command}" in
+    online)
+        port_num_check
+        if [ $? -eq 0 ]; then
+            iptables_w -t nat -A PREROUTING -i ${bridge} -p tcp \
+                       --dport ${host_port} -j DNAT \
+                       --to-destination ${vif_ip}:${guest_port} \
+                       -m comment --comment "dom${domid}"
+        fi
+        ;;
+    offline)
+        # Remove the NAT iptables rules created for the dom${domid}
+        guest_ipt_rule=$(iptables_w -t nat -vL PREROUTING -n --line-number \
+                         | grep -w dom${domid} | awk '{print $1}' | tac)
+        for rule in ${guest_ipt_rule}; \
+            do iptables_w -t nat --delete PREROUTING ${rule}; done
+        ;;
+esac
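Review bot: port_num_check only rejects values above 65535; an empty, non-numeric or zero value (for instance the literal `###HOST_PORT###` if the build-time substitution did not happen, or a runtime expression that fails) makes `[ ... -gt ... ]` emit "integer expression expected" and the online branch then silently adds no rule, and `-o` inside `[` is deprecated. A numeric check that also rejects 0 makes the misconfiguration explicit in the log, and the caller reads better as `if port_num_check; then` instead of testing `$?`. Two smaller points in the same file: the header comment names `${vip_if}` while the rule uses `${vif_ip}`, and `log error` differs from the `log err` level used by 00-vif-xenguest.hook — `logger` accepts `error` only as a deprecated alias for `err`, as far as I recall, so aligning on `err` is safer. The unquoted `${bridge}`, `${host_port}`, `${vif_ip}` and `${guest_port}` in the iptables_w call should also be quoted.
```shell
port_num_check() {
    local p
    for p in "${host_port}" "${guest_port}"; do
        case "$p" in
            ''|*[!0-9]*)
                log err "host_port=${host_port} or guest_port=${guest_port} is not a number."
                return 1
                ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            log err "host_port=${host_port} or guest_port=${guest_port} out of range 1-65535."
            return 1
        fi
    done
    return 0
}

# … unchanged: case "${command}" header …
    online)
        if port_num_check; then
            # … unchanged: iptables_w DNAT rule …
        fi
        ;;
```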
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
index 8516fe8..d164a81 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
@@ -23,6 +23,16 @@  LICENSE = "MIT"
 
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
+# When XENGUEST_IMAGE_NETWORK_TYPE="nat", the "00-xenguest-nat-port-forward.hook"
+# is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" to apply NAT
+# port forwarding. Both dom0 and domU ports can be be set by changing the
+# XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables in local.conf
+# or xenguest-base-image.bbappend. The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT
+# can also be replaced in a xenguest-base-image.bbappend
+XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"
+XENGUEST_IMAGE_GUEST_PORT ?= "22"
+XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT ?= "00-xenguest-nat-port-forward.hook"
+
 #
 # The following variables can contain SRC_URI compatible entries to add
 # files to the xenguest image.
@@ -40,7 +50,12 @@  XENGUEST_IMAGE_SRC_URI_DISK_FILES ??= ""
 # The dhcpd-params.cfg holds the dhcpd configuration for Dom0. And it is used
 # when XENGUEST_IMAGE_NETWORK_TYPE="nat". Any customizations to it should be
 # performed by replacing it via a xenguest-network.bbappend.
-XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg"
+# The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT file is only added if the
+# variable is set.
+XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg \
+    ${@ "file://" + d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') \
+      if d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') else "" } \
+    "
 
 # Add xen configuration elements
 XENGUEST_IMAGE_SRC_URI_XEN_CONFIG ??= ""
@@ -82,8 +97,8 @@  python __anonymous() {
 
 # Make sure we are removing old files before redoing a fetch
 do_fetch[cleandirs] += "${WORKDIR}/extend"
+do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"
 
-do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 do_install[noexec] = "1"
 
@@ -107,6 +122,15 @@  add_extend_files() {
     fi
 }
 
+do_configure() {
+    if [ -f ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT} ]; then
+        sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
+               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+        sed -i "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," \
+               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+    fi
+}
+
 do_deploy() {
     # Create a new image
     xenguest_image_create
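Review bot: The replacement side of `sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT},"` in do_configure is not escaped, so a `,`, `&` or `\` in the configured value breaks or silently rewrites the expression; the same applies to the guest-port sed on the next line. Since the substituted text ends up inside a double-quoted shell assignment in the hook (`host_port="###HOST_PORT###"`), whatever is configured — including the default `\$( expr 1000 + \${domid} )` introduced in the first hunk of this file — is evaluated as shell in dom0 each time the vif comes online; that is acceptable for a build-time variable, but the comment block above `XENGUEST_IMAGE_HOST_PORT ?=` should state it, e.g. `# NOTE: the value is copied verbatim into the hook and evaluated as shell when the vif comes online; it must be a port number or a shell expression yielding one.` The `${WORKDIR}/extend/files/...` paths in the `[ -f ... ]` test and the sed arguments are unquoted and should be quoted. Validating that the final value is numeric here at build time, where the failure is cheap, would also catch the problem before it reaches the running host.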
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
index fa4f93f..206a294 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
@@ -62,6 +62,7 @@  RDEPENDS_${PN} += "bridge-utils \
                    kernel-module-xt-tcpudp \
                    kernel-module-xt-physdev \
                    kernel-module-xt-comment \
+                   kernel-module-xt-nat \
                   "
 FILES_${PN} += "${sysconfdir}/network/interfaces.d/xenguest-network-bridge.cfg"
 FILES_${PN} += "${sysconfdir}/xenguest/init.pre/network-bridge.sh"

Comments

Bertrand Marquis July 30, 2020, 3:56 p.m.
> On 30 Jul 2020, at 17:52, Diego Sueiro via lists.yoctoproject.org <diego.sueiro=arm.com@lists.yoctoproject.org> wrote:
> 
> When XENGUEST_IMAGE_NETWORK_TYPE="nat", add the option to set NAT port
> forward to have access to the guest from the external network.
> 
> The port forward is applied per guest by the 00-xenguest-nat-port-forward.hook
> script which is called by /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook.
> The ports can be customised by the XENGUEST_IMAGE_HOST_PORT and
> XENGUEST_IMAGE_GUEST_PORT variables.
> 
> Change-Id: I49492f5ac881fd3cc38838ce24d1d4160a4e65df
> Issue-Id: SCM-1019
> Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>

> ---
> .../documentation/xenguest-network.md              |  6 +++
> .../xenguest/files/00-vif-xenguest.hook            | 16 ++++++++
> .../files/00-xenguest-nat-port-forward.hook        | 48 ++++++++++++++++++++++
> .../xenguest/xenguest-base-image.bb                | 28 ++++++++++++-
> .../recipes-extended/xenguest/xenguest-network.bb  |  1 +
> 5 files changed, 97 insertions(+), 2 deletions(-)
> create mode 100755 meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
> 
> diff --git a/meta-arm-autonomy/documentation/xenguest-network.md b/meta-arm-autonomy/documentation/xenguest-network.md
> index c61a11a..b731f3e 100644
> --- a/meta-arm-autonomy/documentation/xenguest-network.md
> +++ b/meta-arm-autonomy/documentation/xenguest-network.md
> @@ -66,5 +66,11 @@ The following parameters are available:
>   image is created. It will be consumed by the
>   "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" script which is called by
>   "/etc/xen/scripts/vif-nat" script when starting/stopping the xenguest.
> +  In the guest project, the NAT port forward can be customised by changing
> +  the XENGUEST_IMAGE_HOST_PORT (default: "1000 + ${domid}") and
> +  XENGUEST_IMAGE_GUEST_PORT (default: "22") variables in local.conf or
> +  xenguest-base-image.bbappend. This configuration is implemented and installed
> +  in "/etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook"
> +  script which is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook".
>   The **none** type will not affect any networking setting between on dom0 and
>   domU.
> diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
> index 32d5976..7a2fb6f 100755
> --- a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
> +++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
> @@ -95,6 +95,20 @@ dhcpd_offline(){
>                                        # are no vifs.
> }
> 
> +call_extra_hooks() {
> +    for f in /etc/xenguest/guests/${guestname}/files/*.hook; do
> +        if [ -x "$f" ]; then
> +            log info "Executing $f"
> +            . "$f"
> +            if [ $? -ne 0 ]; then
> +                log err "$f failed."
> +            fi
> +        else
> +            log info "$f is not executable. Skipping."
> +        fi
> +    done
> +}
> +
> case "${XENGUEST_NETWORK_TYPE}" in
>     nat)
>         XENGUEST_DHCPD_PARAMS_FILE=${XENGUEST_DHCPD_PARAMS_FILE:-"/etc/xenguest/guests/${guestname}/files/dhcpd-params.cfg"}
> @@ -126,5 +140,7 @@ case "${XENGUEST_NETWORK_TYPE}" in
>                ;;
>         esac
> 
> +        # We might have extra configs to be applied (e.g.: NAT port forward).
> +        call_extra_hooks
>         ;;
> esac
> diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
> new file mode 100755
> index 0000000..875c181
> --- /dev/null
> +++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
> @@ -0,0 +1,48 @@
> +#============================================================================
> +# /etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook
> +#
> +# Script for performing local configuration related to NAT port forwarding of
> +# a vif.
> +# This script will be sourced by
> +# /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook when
> +# XENGUEST_IMAGE_NETWORK_TYPE="nat".
> +# The ${bridge} and ${domid} are set in the 00-vif-xenguest.hook context,
> +# and ${vip_if} in the vif-nat script context.
> +#
> +# Environment vars:
> +# command     (add|remove|online|offline)
> +# dev         vif interface name (required).
> +# main_ip     IP address of Dom0
> +# ip          list of IP networks for the vif, space-separated
> +# XENBUS_PATH path to this device's details in the XenStore (required).
> +#============================================================================
> +
> +host_port="###HOST_PORT###"
> +guest_port="###GUEST_PORT###"
> +
> +port_num_check() {
> +    if [ ${host_port} -gt 65535 -o ${guest_port} -gt 65535 ]; then
> +        log error "host_port=${host_port} or guest_port=${guest_port} greater than 65535."
> +        return 1
> +    fi
> +    return 0
> +}
> +
> +case "${command}" in
> +    online)
> +        port_num_check
> +        if [ $? -eq 0 ]; then
> +            iptables_w -t nat -A PREROUTING -i ${bridge} -p tcp \
> +                       --dport ${host_port} -j DNAT \
> +                       --to-destination ${vif_ip}:${guest_port} \
> +                       -m comment --comment "dom${domid}"
> +        fi
> +        ;;
> +    offline)
> +        # Remove the NAT iptables rules created for the dom${domid}
> +        guest_ipt_rule=$(iptables_w -t nat -vL PREROUTING -n --line-number \
> +                         | grep -w dom${domid} | awk '{print $1}' | tac)
> +        for rule in ${guest_ipt_rule}; \
> +            do iptables_w -t nat --delete PREROUTING ${rule}; done
> +        ;;
> +esac
> diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
> index 8516fe8..d164a81 100644
> --- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
> +++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
> @@ -23,6 +23,16 @@ LICENSE = "MIT"
> 
> LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
> 
> +# When XENGUEST_IMAGE_NETWORK_TYPE="nat", the "00-xenguest-nat-port-forward.hook"
> +# is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" to apply NAT
> +# port forwarding. Both dom0 and domU ports can be be set by changing the
> +# XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables in local.conf
> +# or xenguest-base-image.bbappend. The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT
> +# can also be replaced in a xenguest-base-image.bbappend
> +XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"
> +XENGUEST_IMAGE_GUEST_PORT ?= "22"
> +XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT ?= "00-xenguest-nat-port-forward.hook"
> +
> #
> # The following variables can contain SRC_URI compatible entries to add
> # files to the xenguest image.
> @@ -40,7 +50,12 @@ XENGUEST_IMAGE_SRC_URI_DISK_FILES ??= ""
> # The dhcpd-params.cfg holds the dhcpd configuration for Dom0. And it is used
> # when XENGUEST_IMAGE_NETWORK_TYPE="nat". Any customizations to it should be
> # performed by replacing it via a xenguest-network.bbappend.
> -XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg"
> +# The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT file is only added if the
> +# variable is set.
> +XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg \
> +    ${@ "file://" + d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') \
> +      if d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') else "" } \
> +    "
> 
> # Add xen configuration elements
> XENGUEST_IMAGE_SRC_URI_XEN_CONFIG ??= ""
> @@ -82,8 +97,8 @@ python __anonymous() {
> 
> # Make sure we are removing old files before redoing a fetch
> do_fetch[cleandirs] += "${WORKDIR}/extend"
> +do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"
> 
> -do_configure[noexec] = "1"
> do_compile[noexec] = "1"
> do_install[noexec] = "1"
> 
> @@ -107,6 +122,15 @@ add_extend_files() {
>     fi
> }
> 
> +do_configure() {
> +    if [ -f ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT} ]; then
> +        sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
> +               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
> +        sed -i "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," \
> +               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
> +    fi
> +}
> +
> do_deploy() {
>     # Create a new image
>     xenguest_image_create
> diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
> index fa4f93f..206a294 100644
> --- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
> +++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
> @@ -62,6 +62,7 @@ RDEPENDS_${PN} += "bridge-utils \
>                    kernel-module-xt-tcpudp \
>                    kernel-module-xt-physdev \
>                    kernel-module-xt-comment \
> +                   kernel-module-xt-nat \
>                   "
> FILES_${PN} += "${sysconfdir}/network/interfaces.d/xenguest-network-bridge.cfg"
> FILES_${PN} += "${sysconfdir}/xenguest/init.pre/network-bridge.sh"
> -- 
> 2.7.4
> 
>