From: "Diego Sueiro" <diego.sueiro@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: nd@arm.com
Subject: [PATCH 4/4] arm-autonomy/xenguest-network: Add NAT port forward support
Date: Thu, 30 Jul 2020 16:52:18 +0100
Message-ID: <1596124338-106961-4-git-send-email-diego.sueiro@arm.com>
In-Reply-To: <1596124338-106961-1-git-send-email-diego.sueiro@arm.com>
When XENGUEST_IMAGE_NETWORK_TYPE="nat", add the option to set up NAT port
forwarding so that the guest can be reached from the external network.
The port forward is applied per guest by the 00-xenguest-nat-port-forward.hook
script which is called by /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook.
The ports can be customised by the XENGUEST_IMAGE_HOST_PORT and
XENGUEST_IMAGE_GUEST_PORT variables.
Change-Id: I49492f5ac881fd3cc38838ce24d1d4160a4e65df
Issue-Id: SCM-1019
Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
.../documentation/xenguest-network.md | 6 +++
.../xenguest/files/00-vif-xenguest.hook | 16 ++++++++
.../files/00-xenguest-nat-port-forward.hook | 48 ++++++++++++++++++++++
.../xenguest/xenguest-base-image.bb | 28 ++++++++++++-
.../recipes-extended/xenguest/xenguest-network.bb | 1 +
5 files changed, 97 insertions(+), 2 deletions(-)
create mode 100755 meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
diff --git a/meta-arm-autonomy/documentation/xenguest-network.md b/meta-arm-autonomy/documentation/xenguest-network.md
index c61a11a..b731f3e 100644
--- a/meta-arm-autonomy/documentation/xenguest-network.md
+++ b/meta-arm-autonomy/documentation/xenguest-network.md
@@ -66,5 +66,11 @@ The following parameters are available:
image is created. It will be consumed by the
"/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" script which is called by
"/etc/xen/scripts/vif-nat" script when starting/stopping the xenguest.
+ In the guest project, the NAT port forward can be customised by changing
+ the XENGUEST_IMAGE_HOST_PORT (default: "1000 + ${domid}") and
+ XENGUEST_IMAGE_GUEST_PORT (default: "22") variables in local.conf or
+ xenguest-base-image.bbappend. This configuration is implemented and installed
+ in "/etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook"
+ script which is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook".
The **none** type will not affect any networking setting between on dom0 and
domU.
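Review bot: the sentence "This configuration is implemented and installed in ".../00-xenguest-nat-port-forward.hook" script which is called by ..." is missing an article and mixes what is implemented with where it is installed; suggest "This configuration is implemented by the ".../00-xenguest-nat-port-forward.hook" script, which is installed per guest and called by ...". The paragraph should also state that the forward covers TCP only (the rule in this series uses `-p tcp`) and that the host port must be unique across guests, since the "1000 + ${domid}" default is what keeps two guests from claiming the same port on the bridge.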
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
index 32d5976..7a2fb6f 100755
--- a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
@@ -95,6 +95,20 @@ dhcpd_offline(){
# are no vifs.
}
+call_extra_hooks() {
+ for f in /etc/xenguest/guests/${guestname}/files/*.hook; do
+ if [ -x "$f" ]; then
+ log info "Executing $f"
+ . "$f"
+ if [ $? -ne 0 ]; then
+ log err "$f failed."
+ fi
+ else
+ log info "$f is not executable. Skipping."
+ fi
+ done
+}
+
case "${XENGUEST_NETWORK_TYPE}" in
nat)
XENGUEST_DHCPD_PARAMS_FILE=${XENGUEST_DHCPD_PARAMS_FILE:-"/etc/xenguest/guests/${guestname}/files/dhcpd-params.cfg"}
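Review bot: in call_extra_hooks the `$?` test after `. "$f"` will rarely fire: sourcing returns the status of the hook's last command, and a hook that ends in `esac` returns 0 even when an iptables call inside it failed, so the "failed." log is misleading. Either have each hook return an explicit status or check the iptables result inside the hook. Two smaller points: when the glob `/etc/xenguest/guests/${guestname}/files/*.hook` matches nothing, the loop runs once with the literal pattern and logs it as "not executable. Skipping.", so add `[ -e "$f" ] || continue` at the top of the loop; and because hooks are sourced rather than executed, every variable they define (host_port, guest_port, guest_ipt_rule) and any `exit` they call lands in the root-privileged vif script, which deserves a comment stating that hooks must not `exit` and should not assume a clean namespace.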
@@ -126,5 +140,7 @@ case "${XENGUEST_NETWORK_TYPE}" in
;;
esac
+ # We might have extra configs to be applied (e.g.: NAT port forward).
+ call_extra_hooks
;;
esac
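Review bot: call_extra_hooks is only reached inside the nat branch of the outer `case "${XENGUEST_NETWORK_TYPE}"`, while the function itself is generic (it runs every executable *.hook in the guest's files directory). Either state in the comment that extra hooks are a nat-only mechanism, or move the call after the outer `esac` so a hook can serve other network types; the new hook's header says it applies only when XENGUEST_IMAGE_NETWORK_TYPE="nat", so amending the comment is the smaller change.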
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
new file mode 100755
index 0000000..875c181
--- /dev/null
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
@@ -0,0 +1,48 @@
+#============================================================================
+# /etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook
+#
+# Script for performing local configuration related to NAT port forwarding of
+# a vif.
+# This script will be sourced by
+# /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook when
+# XENGUEST_IMAGE_NETWORK_TYPE="nat".
+# The ${bridge} and ${domid} are set in the 00-vif-xenguest.hook context,
+# and ${vip_if} in the vif-nat script context.
+#
+# Environment vars:
+# command (add|remove|online|offline)
+# dev vif interface name (required).
+# main_ip IP address of Dom0
+# ip list of IP networks for the vif, space-separated
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#============================================================================
+
+host_port="###HOST_PORT###"
+guest_port="###GUEST_PORT###"
+
+port_num_check() {
+ if [ ${host_port} -gt 65535 -o ${guest_port} -gt 65535 ]; then
+ log error "host_port=${host_port} or guest_port=${guest_port} greater than 65535."
+ return 1
+ fi
+ return 0
+}
+
+case "${command}" in
+ online)
+ port_num_check
+ if [ $? -eq 0 ]; then
+ iptables_w -t nat -A PREROUTING -i ${bridge} -p tcp \
+ --dport ${host_port} -j DNAT \
+ --to-destination ${vif_ip}:${guest_port} \
+ -m comment --comment "dom${domid}"
+ fi
+ ;;
+ offline)
+ # Remove the NAT iptables rules created for the dom${domid}
+ guest_ipt_rule=$(iptables_w -t nat -vL PREROUTING -n --line-number \
+ | grep -w dom${domid} | awk '{print $1}' | tac)
+ for rule in ${guest_ipt_rule}; \
+ do iptables_w -t nat --delete PREROUTING ${rule}; done
+ ;;
+esac
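Review bot: several points in the new hook. `log error` on the failed check does not match the `log err` / `log info` levels used by 00-vif-xenguest.hook; use `log err`. port_num_check only guards the upper bound: an empty or non-numeric value (for example an unreplaced `###HOST_PORT###` if do_configure never ran) makes `[ ... -gt 65535 ]` itself fail, so test with `case "${host_port}" in ''|*[!0-9]*) ... esac` and also reject 0 before the numeric comparison. The header comment says `${vip_if}` comes from the vif-nat context but the rule uses `${vif_ip}`; fix the comment. Finally, `online` appends the rule unconditionally, so a repeated online event, or two guests configured with the same host port, leaves duplicate or shadowed PREROUTING rules; check first with `iptables_w -t nat -C PREROUTING ...` (same arguments as the -A line) and log when a rule for that --dport already exists.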
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
index 8516fe8..d164a81 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
@@ -23,6 +23,16 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+# When XENGUEST_IMAGE_NETWORK_TYPE="nat", the "00-xenguest-nat-port-forward.hook"
+# is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" to apply NAT
+# port forwarding. Both dom0 and domU ports can be be set by changing the
+# XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables in local.conf
+# or xenguest-base-image.bbappend. The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT
+# can also be replaced in a xenguest-base-image.bbappend
+XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"
+XENGUEST_IMAGE_GUEST_PORT ?= "22"
+XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT ?= "00-xenguest-nat-port-forward.hook"
+
#
# The following variables can contain SRC_URI compatible entries to add
# files to the xenguest image.
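Review bot: typo "can be be set" in the comment. The comment should also say how the values are consumed: they are pasted verbatim into the hook by sed in do_configure, and the default "\$( expr 1000 + \${domid} )" is a shell command substitution evaluated in dom0 when the hook is sourced, not at build time, so a bad value is only detected at guest start. Spell out that a literal port number is the expected override and that the value must not contain `,` (the sed delimiter used in do_configure) or `&`.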
@@ -40,7 +50,12 @@ XENGUEST_IMAGE_SRC_URI_DISK_FILES ??= ""
# The dhcpd-params.cfg holds the dhcpd configuration for Dom0. And it is used
# when XENGUEST_IMAGE_NETWORK_TYPE="nat". Any customizations to it should be
# performed by replacing it via a xenguest-network.bbappend.
-XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg"
+# The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT file is only added if the
+# variable is set.
+XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg \
+ ${@ "file://" + d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') \
+ if d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') else "" } \
+ "
# Add xen configuration elements
XENGUEST_IMAGE_SRC_URI_XEN_CONFIG ??= ""
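Review bot: the new comment says the hook file "is only added if the variable is set", but XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT receives a default with `?=` in this same patch, so it is always set unless a bbappend explicitly clears it with `= ""`. Reword the comment to say exactly that, since clearing the variable is the documented way to disable the port forward.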
@@ -82,8 +97,8 @@ python __anonymous() {
# Make sure we are removing old files before redoing a fetch
do_fetch[cleandirs] += "${WORKDIR}/extend"
+do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"
-do_configure[noexec] = "1"
do_compile[noexec] = "1"
do_install[noexec] = "1"
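Review bot: `do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"` needs a comment explaining why a fetch task depends on variables that are only used in do_configure. As far as the patch shows, the reason is that do_configure edits the fetched hook in place and destroys the `###HOST_PORT###`/`###GUEST_PORT###` placeholders, so a later port change that re-ran only do_configure would find nothing to replace; forcing a re-fetch (with its cleandirs) is the workaround. Either state that, or have do_configure write a substituted copy from the pristine file so the vardeps entry becomes unnecessary; bitbake already includes the `${XENGUEST_IMAGE_*_PORT}` references in the do_configure body in that task's signature.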
@@ -107,6 +122,15 @@ add_extend_files() {
fi
}
+do_configure() {
+ if [ -f ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT} ]; then
+ sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
+ ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+ sed -i "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," \
+ ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+ fi
+}
+
do_deploy() {
# Create a new image
xenguest_image_create
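Review bot: the sed expressions use `,` as delimiter with an unescaped replacement, so a port value containing `,` or `&` corrupts the hook silently; quote the file path and validate that each variable is either numeric or the documented shell expression before substituting, failing with bbfatal otherwise. Also, if XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT names a file that was never added to XENGUEST_IMAGE_SRC_URI_XEN_FILES, the `-f` test is simply false and the task passes silently; a bbwarn in an else branch would surface that misconfiguration.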
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
index fa4f93f..206a294 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
@@ -62,6 +62,7 @@ RDEPENDS_${PN} += "bridge-utils \
kernel-module-xt-tcpudp \
kernel-module-xt-physdev \
kernel-module-xt-comment \
+ kernel-module-xt-nat \
"
FILES_${PN} += "${sysconfdir}/network/interfaces.d/xenguest-network-bridge.cfg"
FILES_${PN} += "${sysconfdir}/xenguest/init.pre/network-bridge.sh"
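Review bot: kernel-module-xt-nat supplies the DNAT/SNAT targets used by the new hook; the nat table itself comes from iptable_nat (kernel-module-iptable-nat), which is not visible in this context, so confirm it is already in RDEPENDS or built in by the netfilter config from patch 2/4 before merging.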
--
2.7.4