diff --git a/rdkPlugins/Networking/include/PortForwarding.h b/rdkPlugins/Networking/include/PortForwarding.h
index 5f12d6db..6740041a 100644
--- a/rdkPlugins/Networking/include/PortForwarding.h
+++ b/rdkPlugins/Networking/include/PortForwarding.h
@@ -68,6 +68,9 @@ bool removePortForwards(const std::shared_ptr &netfilter,
 bool addLocalhostMasquerading(const std::shared_ptr &helper,
 const std::shared_ptr &utils,
 rt_defs_plugins_networking_data_port_forwarding *portsConfig);
+
+bool addLocalhostMasqueradingThunder(const std::shared_ptr &helper,
+ const std::shared_ptr &utils);
 };
 typedef struct PortForward
diff --git a/rdkPlugins/Networking/source/PortForwarding.cpp b/rdkPlugins/Networking/source/PortForwarding.cpp
index 2778d245..3c111f95 100644
--- a/rdkPlugins/Networking/source/PortForwarding.cpp
+++ b/rdkPlugins/Networking/source/PortForwarding.cpp
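Review bot: The new declaration carries no port parameter, so its definition in the PortForwarding.cpp hunk hard-codes `PortForward{"tcp", "9998"}` while ThunderPlugin keeps a separate `mThunderPort(9998)` annotated "Change this if Thunder runs on non-standard port" (ThunderPlugin.cpp constructor hunk); the two values can silently drift apart. Since `callInNamespace` already forwards the trailing `mHelper, mUtils` arguments in the createRuntime hunk, the port can travel the same way: add a third parameter `thunderPort` (same type as mThunderPort) to the declaration and definition, build the entry as `PortForward{"tcp", std::to_string(thunderPort)}`, and pass `mThunderPort` at the call site. The same point applies to the PortForwarding.cpp hunk and the ThunderPlugin.cpp createRuntime hunk.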
@@ -288,13 +288,78 @@ bool PortForwarding::addLocalhostMasquerading(const std::shared_ptrwriteTextFile(routingFilename, "1", O_TRUNC | O_WRONLY, 0); AI_LOG_FN_EXIT(); return true; } +// ----------------------------------------------------------------------------- +/** + * @brief Adds iptables rules for Thunder plugin to forward packets from the + * container localhost to the host's localhost on specific ports. + * + * This must be run inside the container's network namespace + * + * @param[in] helper Instance of NetworkingHelper. + * @param[in] utils Instance of DobbyRdkPluginUtils. + * @param[in] nsNetfilter Instance of Netfilter + * + * @return true on success, otherwise false. + */ +bool PortForwarding::addLocalhostMasqueradingThunder(const std::shared_ptr &helper, + const std::shared_ptr &utils) +{ + AI_LOG_FN_ENTRY(); + + const std::string containerId = utils->getContainerId(); + Netfilter nsNetfilter; + PortForwards portForwards; + portForwards.isValid = true; + portForwards.containerToHost.push_back(PortForward{"tcp", "9998"}); + + std::vector ipv4Rules = constructMasqueradeRules(helper, + containerId, + portForwards, + AF_INET); + if (ipv4Rules.empty()) + { + AI_LOG_ERROR_EXIT("failed to construct localhost masquerade iptables rules"); + return false; + } + + // insert vector index 0 of constructed rules + if (!nsNetfilter.addRules(ipv4Rules[0], AF_INET, Netfilter::Operation::Insert)) + { + AI_LOG_ERROR_EXIT("failed to insert localhost masquerade rules to iptables"); + return false; + } + + // Apply the iptables rules + if (!nsNetfilter.applyRules(AF_INET)) + { + AI_LOG_ERROR_EXIT("failed to apply iptables rules"); + return false; + } + + // Enable route_localnet inside the container + std::string routingFilename; +#if defined(DEV_VM) + routingFilename = "/proc/sys/net/ipv4/conf/enp0s3/route_localnet"; +#else + routingFilename = "/proc/sys/net/ipv4/conf/eth0/route_localnet"; +#endif + utils->writeTextFile(routingFilename, "1", O_TRUNC | O_WRONLY, 0); + + 
AI_LOG_FN_EXIT(); + return true; +} // ----------------------------------------------------------------------------- /** diff --git a/rdkPlugins/Thunder/CMakeLists.txt b/rdkPlugins/Thunder/CMakeLists.txt index f4c1b70f..d7666a34 100644 --- a/rdkPlugins/Thunder/CMakeLists.txt +++ b/rdkPlugins/Thunder/CMakeLists.txt @@ -27,6 +27,9 @@ add_library(${PROJECT_NAME} ../Networking/source/Netfilter.cpp ../Networking/source/StdStreamPipe.cpp + ../Networking/source/NetworkingHelper.cpp + ../Networking/source/PortForwarding.cpp + ../Networking/source/IPAllocator.cpp ) if(securityagent_FOUND) diff --git a/rdkPlugins/Thunder/source/ThunderPlugin.cpp b/rdkPlugins/Thunder/source/ThunderPlugin.cpp index 3ee8dec5..de57473b 100644 --- a/rdkPlugins/Thunder/source/ThunderPlugin.cpp +++ b/rdkPlugins/Thunder/source/ThunderPlugin.cpp @@ -17,6 +17,7 @@ * limitations under the License. */ +#include "PortForwarding.h" #include "ThunderPlugin.h" #ifdef HAS_SECURITY_AGENT @@ -52,7 +53,8 @@ ThunderPlugin::ThunderPlugin(std::shared_ptr &containerConfig, mThunderPort(9998), // Change this if Thunder runs on non-standard port mEnableConnLimit(false), mSocketDirectory("/tmp/SecurityAgent"), - mSocketPath(mSocketDirectory + "/token") + mSocketPath(mSocketDirectory + "/token"), + mHelper(std::make_shared(true, false)) { AI_LOG_FN_ENTRY(); @@ -287,6 +289,16 @@ bool ThunderPlugin::createRuntime() return false; } + // Add localhost masquerade + if (!mUtils->callInNamespace(mUtils->getContainerPid(), CLONE_NEWNET, + &PortForwarding::addLocalhostMasqueradingThunder, + mHelper, + mUtils)) + { + AI_LOG_ERROR_EXIT("Failed to add localhost masquerade iptables rules inside container"); + return false; + } + AI_LOG_FN_EXIT(); return true; } 
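Review bot: The Doxygen block on addLocalhostMasqueradingThunder lists `@param[in] nsNetfilter Instance of Netfilter`, but the function takes only helper and utils — `Netfilter nsNetfilter;` is a local it constructs itself — so that line should be removed and the brief should state what the function hard-wires: forwarding of the container's localhost tcp port 9998 to the host plus enabling `route_localnet` on the container's primary interface. The return value of `utils->writeTextFile(routingFilename, "1", O_TRUNC | O_WRONLY, 0)` is discarded, mirroring the tail of the existing addLocalhostMasquerading that opens the hunk (its body starts outside it); if writeTextFile reports failure the function still returns true with the masquerade rule inserted but localhost routing left disabled, so `if (!utils->writeTextFile(routingFilename, "1", O_TRUNC | O_WRONLY, 0)) { AI_LOG_ERROR_EXIT("failed to enable route_localnet"); return false; }` is worth adding if it returns a status (not visible here). Only `ipv4Rules[0]` is inserted; the comment "insert vector index 0" should say why the remaining constructed rules are intentionally skipped.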
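Review bot: `mHelper(std::make_shared(true, false))` in the constructor initializer passes two bare boolean literals whose meaning cannot be read at the call site (the rendering also drops the template argument, presumably NetworkingHelper). A trailing comment naming what each flag selects, or named constants in place of the literals, would make the initializer self-describing; what the flags control is not visible in the hunk, so the wording has to come from NetworkingHelper's constructor.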
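Review bot: The new block in createRuntime installs the localhost masquerade for every container the Thunder plugin handles, with no configuration gate, whereas the Networking plugin's addLocalhostMasquerading takes a portsConfig argument and so only runs when requested; enabling `route_localnet` on the container's interface is a kernel-level change that deserves an explicit opt-in in the plugin config, or at least a comment stating that it is unconditional. The call also relies on `mHelper` already holding the container interface, which is stored by constructRules() in the @@ -368 hunk; that ordering between hooks is implicit, so add `// requires constructRules() to have stored the container interface in mHelper` above the call and consider failing early when it has not (whether NetworkingHelper exposes such a check is not visible here).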
@@ -368,6 +380,8 @@ Netfilter::RuleSet ThunderPlugin::constructRules() const
 const std::string &ipAddress = networkInfo.ipAddress;
 const std::string &vethName = networkInfo.vethName;
+ mHelper->storeContainerInterface(networkInfo.ipAddressRaw, vethName);
+
 // add the Thunder iptables rules
 std::list acceptRules;
 std::list natRules;
diff --git a/rdkPlugins/Thunder/source/ThunderPlugin.h b/rdkPlugins/Thunder/source/ThunderPlugin.h
index 7cd509a4..906ed93c 100644
--- a/rdkPlugins/Thunder/source/ThunderPlugin.h
+++ b/rdkPlugins/Thunder/source/ThunderPlugin.h
@@ -20,6 +20,8 @@
 #ifndef THUNDERPLUGIN_H
 #define THUNDERPLUGIN_H
+#include "NetworkingHelper.h"
+
 #include
 #if defined (DOBBY_BUILD)
 #include
@@ -109,6 +111,7 @@ class ThunderPlugin : public RdkPluginBase
 const bool mEnableConnLimit;
 const std::string mSocketDirectory;
 const std::string mSocketPath;
+ std::shared_ptr mHelper;
 bool mSocketExists;
 };
 #endif // !defined(THUNDERPLUGIN_H)
\ No newline at end of file
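Review bot: `mHelper->storeContainerInterface(networkInfo.ipAddressRaw, vethName);` adds a write to shared state inside `constructRules() const`, so the const qualifier no longer describes the method and any caller that only wants the rule set now also mutates the helper. Prefer recording the interface where networkInfo is first obtained, or in createRuntime just before the masquerade call, so constructRules stays a pure builder; if it must stay here, a comment such as `// side effect: records the container interface that addLocalhostMasqueradingThunder relies on` makes the dependency visible. The enclosing function starts and ends outside the hunk.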
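Review bot: `std::shared_ptr mHelper;` is the only non-const member among the `const` members it sits beside, yet it is set once in the constructor initializer list (ThunderPlugin.cpp constructor hunk) and never reseated. Declaring it `const std::shared_ptr<NetworkingHelper> mHelper;` matches its siblings while still allowing the pointee to be updated through storeContainerInterface.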