From: "Diego Sueiro" <diego.sueiro@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: nd@arm.com
Subject: [PATCH 4/4] arm-autonomy/xenguest-network: Add NAT port forward support
Date: Thu, 30 Jul 2020 16:52:18 +0100	[thread overview]
Message-ID: <1596124338-106961-4-git-send-email-diego.sueiro@arm.com> (raw)
In-Reply-To: <1596124338-106961-1-git-send-email-diego.sueiro@arm.com>

When XENGUEST_IMAGE_NETWORK_TYPE="nat", add the option to set NAT port
forward to have access to the guest from the external network.

The port forward is applied per guest by the 00-xenguest-nat-port-forward.hook
script which is called by /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook.
The ports can be customised by the XENGUEST_IMAGE_HOST_PORT and
XENGUEST_IMAGE_GUEST_PORT variables.

Change-Id: I49492f5ac881fd3cc38838ce24d1d4160a4e65df
Issue-Id: SCM-1019
Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
 .../documentation/xenguest-network.md              |  6 +++
 .../xenguest/files/00-vif-xenguest.hook            | 16 ++++++++
 .../files/00-xenguest-nat-port-forward.hook        | 48 ++++++++++++++++++++++
 .../xenguest/xenguest-base-image.bb                | 28 ++++++++++++-
 .../recipes-extended/xenguest/xenguest-network.bb  |  1 +
 5 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100755 meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook

diff --git a/meta-arm-autonomy/documentation/xenguest-network.md b/meta-arm-autonomy/documentation/xenguest-network.md
index c61a11a..b731f3e 100644
--- a/meta-arm-autonomy/documentation/xenguest-network.md
+++ b/meta-arm-autonomy/documentation/xenguest-network.md
@@ -66,5 +66,11 @@ The following parameters are available:
   image is created. It will be consumed by the
   "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" script which is called by
   "/etc/xen/scripts/vif-nat" script when starting/stopping the xenguest.
+  In the guest project, the NAT port forward can be customised by changing
+  the XENGUEST_IMAGE_HOST_PORT (default: "1000 + ${domid}") and
+  XENGUEST_IMAGE_GUEST_PORT (default: "22") variables in local.conf or
+  xenguest-base-image.bbappend. This configuration is implemented and installed
+  in "/etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook"
+  script which is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook".
   The **none** type will not affect any networking setting between on dom0 and
   domU.
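Review bot: the new doc text should say what the forward actually does and what it exposes: a TCP-only DNAT rule in dom0's nat PREROUTING chain on `${bridge}` that, with the defaults, makes the guest's port 22 reachable from outside dom0 on port 1000 + domid for every guest started with the nat type, with no source-address restriction. A reader deciding whether to enable nat needs that here rather than in the hook source. Also, 00-vif-xenguest.hook sources the file with `.` rather than calling it, so "which is called by" is inaccurate, and the port substitution happens at build time in do_configure, so changing XENGUEST_IMAGE_HOST_PORT or XENGUEST_IMAGE_GUEST_PORT requires rebuilding the guest image; worth stating in the paragraph.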
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
index 32d5976..7a2fb6f 100755
--- a/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-vif-xenguest.hook
@@ -95,6 +95,20 @@ dhcpd_offline(){
                                        # are no vifs.
 }
 
+call_extra_hooks() {
+    for f in /etc/xenguest/guests/${guestname}/files/*.hook; do
+        if [ -x "$f" ]; then
+            log info "Executing $f"
+            . "$f"
+            if [ $? -ne 0 ]; then
+                log err "$f failed."
+            fi
+        else
+            log info "$f is not executable. Skipping."
+        fi
+    done
+}
+
 case "${XENGUEST_NETWORK_TYPE}" in
     nat)
         XENGUEST_DHCPD_PARAMS_FILE=${XENGUEST_DHCPD_PARAMS_FILE:-"/etc/xenguest/guests/${guestname}/files/dhcpd-params.cfg"}
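Review bot: `call_extra_hooks` sources, as root in the hotplug context, every executable file matching `/etc/xenguest/guests/${guestname}/files/*.hook`, so the ownership and mode of that directory become part of dom0's trust boundary; that deserves a comment, and the loop could skip files not owned by root or that are group/world-writable. Because the files are sourced with `.`, a `return` or `exit` inside a hook returns from or terminates this script, every variable a hook sets leaks into the caller, and `$?` after `.` is only the status of the hook's last command, not a pass/fail verdict from the hook. When no hook exists the glob stays literal and the loop logs "`/etc/.../*.hook is not executable. Skipping.`"; add `[ -e "$f" ] || continue` at the top of the loop body.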
@@ -126,5 +140,7 @@ case "${XENGUEST_NETWORK_TYPE}" in
                ;;
         esac
 
+        # We might have extra configs to be applied (e.g.: NAT port forward).
+        call_extra_hooks
         ;;
 esac
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
new file mode 100755
index 0000000..875c181
--- /dev/null
+++ b/meta-arm-autonomy/recipes-extended/xenguest/files/00-xenguest-nat-port-forward.hook
@@ -0,0 +1,48 @@
+#============================================================================
+# /etc/xenguest/guests/${guestname}/files/00-xenguest-nat-port-forward.hook
+#
+# Script for performing local configuration related to NAT port forwarding of
+# a vif.
+# This script will be sourced by
+# /etc/xen/scripts/vif-post.d/00-vif-xenguest.hook when
+# XENGUEST_IMAGE_NETWORK_TYPE="nat".
+# The ${bridge} and ${domid} are set in the 00-vif-xenguest.hook context,
+# and ${vip_if} in the vif-nat script context.
+#
+# Environment vars:
+# command     (add|remove|online|offline)
+# dev         vif interface name (required).
+# main_ip     IP address of Dom0
+# ip          list of IP networks for the vif, space-separated
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#============================================================================
+
+host_port="###HOST_PORT###"
+guest_port="###GUEST_PORT###"
+
+port_num_check() {
+    if [ ${host_port} -gt 65535 -o ${guest_port} -gt 65535 ]; then
+        log error "host_port=${host_port} or guest_port=${guest_port} greater than 65535."
+        return 1
+    fi
+    return 0
+}
+
+case "${command}" in
+    online)
+        port_num_check
+        if [ $? -eq 0 ]; then
+            iptables_w -t nat -A PREROUTING -i ${bridge} -p tcp \
+                       --dport ${host_port} -j DNAT \
+                       --to-destination ${vif_ip}:${guest_port} \
+                       -m comment --comment "dom${domid}"
+        fi
+        ;;
+    offline)
+        # Remove the NAT iptables rules created for the dom${domid}
+        guest_ipt_rule=$(iptables_w -t nat -vL PREROUTING -n --line-number \
+                         | grep -w dom${domid} | awk '{print $1}' | tac)
+        for rule in ${guest_ipt_rule}; \
+            do iptables_w -t nat --delete PREROUTING ${rule}; done
+        ;;
+esac
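Review bot: the online branch appends with `-A` without checking for an existing rule, so if online runs more than once for the same domain the PREROUTING chain accumulates duplicate DNAT rules; guard it with `iptables_w -t nat -C ... || iptables_w -t nat -A ...`, or run the offline cleanup first. `port_num_check` only tests the upper bound: an empty or non-numeric value (what a bad substitution in do_configure would leave) makes `[ ... -gt 65535 ]` itself error out rather than return 1, and port 0 is accepted; match digits with `case`, require a lower bound of 1, and use two `[ ]` tests instead of the obsolescent `-o`. The header says `${vip_if}` comes from vif-nat but the rule uses `${vif_ip}`; fix the header. `--line-number` only works because iptables accepts unambiguous option prefixes; spell out `--line-numbers`. `log error` here versus `log err` in the caller: keep one level name. Finally the rule carries no source restriction, so the forwarded guest port is reachable from anything that can send traffic in on `${bridge}`; either add an optional source parameter or document that dom0's own firewall is expected to filter it.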
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
index 8516fe8..d164a81 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-base-image.bb
@@ -23,6 +23,16 @@ LICENSE = "MIT"
 
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
+# When XENGUEST_IMAGE_NETWORK_TYPE="nat", the "00-xenguest-nat-port-forward.hook"
+# is called by "/etc/xen/scripts/vif-post.d/00-vif-xenguest.hook" to apply NAT
+# port forwarding. Both dom0 and domU ports can be be set by changing the
+# XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT variables in local.conf
+# or xenguest-base-image.bbappend. The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT
+# can also be replaced in a xenguest-base-image.bbappend
+XENGUEST_IMAGE_HOST_PORT ?= "\$( expr 1000 + \${domid} )"
+XENGUEST_IMAGE_GUEST_PORT ?= "22"
+XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT ?= "00-xenguest-nat-port-forward.hook"
+
 #
 # The following variables can contain SRC_URI compatible entries to add
 # files to the xenguest image.
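Review bot: typo in the comment, "can be be set". More important, these two values are spliced verbatim into a shell script that dom0 sources as root on every vif event, so XENGUEST_IMAGE_HOST_PORT and XENGUEST_IMAGE_GUEST_PORT are shell code rather than plain numbers (the default itself is a command substitution evaluated at run time); say so in the comment so that anyone wiring them to per-guest configuration treats them as trusted build input. The doc hunk quotes the default as "1000 + ${domid}", which matches the intent, but the escaped form here is `\$( expr 1000 + \${domid} )`; a short comment on why the backslashes are needed (so neither bitbake nor the do_configure shell expands it) would save the next reader a round trip.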
@@ -40,7 +50,12 @@ XENGUEST_IMAGE_SRC_URI_DISK_FILES ??= ""
 # The dhcpd-params.cfg holds the dhcpd configuration for Dom0. And it is used
 # when XENGUEST_IMAGE_NETWORK_TYPE="nat". Any customizations to it should be
 # performed by replacing it via a xenguest-network.bbappend.
-XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg"
+# The XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT file is only added if the
+# variable is set.
+XENGUEST_IMAGE_SRC_URI_XEN_FILES = "file://dhcpd-params.cfg \
+    ${@ "file://" + d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') \
+      if d.getVar('XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT') else "" } \
+    "
 
 # Add xen configuration elements
 XENGUEST_IMAGE_SRC_URI_XEN_CONFIG ??= ""
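Review bot: the comment says the script is only added when the variable is set, but the `?=` default above makes it always set, so the only way to build a nat guest without port forwarding is `XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT = ""` in a bbappend; document that as the supported off switch (with the variable emptied the hook is not fetched and do_configure's `-f` test correctly skips it). Note also that the assignment is a plain `=`, so a bbappend that wants additional XEN files must use `+=` rather than reassigning, otherwise it silently drops the port-forward hook.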
@@ -82,8 +97,8 @@ python __anonymous() {
 
 # Make sure we are removing old files before redoing a fetch
 do_fetch[cleandirs] += "${WORKDIR}/extend"
+do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"
 
-do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 do_install[noexec] = "1"
 
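Review bot: `do_fetch[vardeps] += "XENGUEST_IMAGE_HOST_PORT XENGUEST_IMAGE_GUEST_PORT"` is load-bearing and needs a comment: do_configure rewrites the placeholders in place with `sed -i`, so once substituted the file has no placeholders left and a port change cannot be applied by rerunning do_configure alone; tying the ports to do_fetch, which has `cleandirs` on `${WORKDIR}/extend`, forces a fresh copy. A cleaner fix is to make do_configure idempotent by substituting from the fetched file into a separate output path, after which bitbake's automatic tracking of variables referenced in the do_configure body gives the right dependency without touching do_fetch. Dropping `do_configure[noexec]` is correct now that the task has a body.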
@@ -107,6 +122,15 @@ add_extend_files() {
     fi
 }
 
+do_configure() {
+    if [ -f ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT} ]; then
+        sed -i "s,###HOST_PORT###,${XENGUEST_IMAGE_HOST_PORT}," \
+               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+        sed -i "s,###GUEST_PORT###,${XENGUEST_IMAGE_GUEST_PORT}," \
+               ${WORKDIR}/extend/files/${XENGUEST_IMAGE_NAT_PORT_FORWARD_SCRIPT}
+    fi
+}
+
 do_deploy() {
     # Create a new image
     xenguest_image_create
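Review bot: the sed replacement is interpolated verbatim, so a value containing `,` (the chosen delimiter), `&` or a backslash corrupts the hook instead of failing the build, and the default host-port value with its `$( ... )` only survives because the surrounding double quotes turn `\$` into a literal `$`. Since whatever lands here is later sourced as root in dom0, have do_configure reject values that are neither an integer nor the documented default expression and fail the task rather than write a broken script. Quoting the `${WORKDIR}/...` paths would also avoid surprises if WORKDIR ever contains spaces.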
diff --git a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
index fa4f93f..206a294 100644
--- a/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
+++ b/meta-arm-autonomy/recipes-extended/xenguest/xenguest-network.bb
@@ -62,6 +62,7 @@ RDEPENDS_${PN} += "bridge-utils \
                    kernel-module-xt-tcpudp \
                    kernel-module-xt-physdev \
                    kernel-module-xt-comment \
+                   kernel-module-xt-nat \
                   "
 FILES_${PN} += "${sysconfdir}/network/interfaces.d/xenguest-network-bridge.cfg"
 FILES_${PN} += "${sysconfdir}/xenguest/init.pre/network-bridge.sh"
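Review bot: `kernel-module-xt-nat` covers the `-j DNAT` target on current kernels, but the hook also needs the nat table itself (`iptable_nat` with `nf_nat`) and connection tracking for the return traffic of a DNATed flow; if those are not already in the RDEPENDS list above this hunk, add them alongside. The `--comment` match used for cleanup is served by `kernel-module-xt-comment` already in the list, and since the hook only forwards `-p tcp`, `xt_tcpudp` is sufficient for the port match.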
-- 
2.7.4


Thread overview:
2020-07-30 15:52 [PATCH 1/4] arm-autonomy/xen-tools: vif-nat script fixes Diego Sueiro
2020-07-30 15:52 ` [PATCH 2/4] arm-autonomy/linux-arm-autonomy: Extend netfilter config for host Diego Sueiro
2020-07-30 15:55   ` [meta-arm] " Bertrand Marquis
2020-07-30 15:52 ` [PATCH 3/4] arm-autonomy/xenguest-network: Add private network support for xenguest Diego Sueiro
2020-07-30 15:55   ` [meta-arm] " Bertrand Marquis
2020-07-30 15:52 ` Diego Sueiro [this message]
2020-07-30 15:56   ` [meta-arm] [PATCH 4/4] arm-autonomy/xenguest-network: Add NAT port forward support Bertrand Marquis
2020-07-30 15:55 ` [meta-arm] [PATCH 1/4] arm-autonomy/xen-tools: vif-nat script fixes Bertrand Marquis
2020-07-30 20:25   ` Jon Mason
