Add localhost masquerade for Thunder plugin

rdkPlugins/Networking/include/PortForwarding.h

@@ -68,6 +68,9 @@ bool removePortForwards(const std::shared_ptr<Netfilter> &netfilter,
 bool addLocalhostMasquerading(const std::shared_ptr<NetworkingHelper> &helper,
                               const std::shared_ptr<DobbyRdkPluginUtils> &utils,
                               rt_defs_plugins_networking_data_port_forwarding *portsConfig);
+
+bool addLocalhostMasqueradingThunder(const std::shared_ptr<NetworkingHelper> &helper,
+                                     const std::shared_ptr<DobbyRdkPluginUtils> &utils);
 };
 
 typedef struct PortForward

rdkPlugins/Networking/source/PortForwarding.cpp

@@ -288,13 +288,78 @@ bool PortForwarding::addLocalhostMasquerading(const std::shared_ptr<NetworkingHe
     }
 
     // Enable route_localnet inside the container
-    const std::string routingFilename = "/proc/sys/net/ipv4/conf/eth0/route_localnet";
+    std::string routingFilename;
+#if defined(DEV_VM)
+    routingFilename = "/proc/sys/net/ipv4/conf/enp0s3/route_localnet";
+#else
+    routingFilename = "/proc/sys/net/ipv4/conf/eth0/route_localnet";
+#endif
     utils->writeTextFile(routingFilename, "1", O_TRUNC | O_WRONLY, 0);
 
     AI_LOG_FN_EXIT();
     return true;
 }
 
+// -----------------------------------------------------------------------------
+/**
+ * @brief Adds iptables rules for Thunder plugin to forward packets from the 
+ * container localhost to the host's localhost on specific ports.
+ *
+ * This must be run inside the container's network namespace
+ *
+ *  @param[in]  helper              Instance of NetworkingHelper.
+ *  @param[in]  utils               Instance of DobbyRdkPluginUtils.
+ *  @param[in]  nsNetfilter         Instance of Netfilter
+ *
+ *  @return true on success, otherwise false.
+ */
+bool PortForwarding::addLocalhostMasqueradingThunder(const std::shared_ptr<NetworkingHelper> &helper,
+                                                     const std::shared_ptr<DobbyRdkPluginUtils> &utils)
+{
+    AI_LOG_FN_ENTRY();
+
+    const std::string containerId = utils->getContainerId();
+    Netfilter nsNetfilter;
+    PortForwards portForwards;
+    portForwards.isValid = true;
+    portForwards.containerToHost.push_back(PortForward{"tcp", "9998"});
+
+    std::vector<Netfilter::RuleSet> ipv4Rules = constructMasqueradeRules(helper,
+                                                                         containerId,
+                                                                         portForwards,
+                                                                         AF_INET);
+    if (ipv4Rules.empty())
+    {
+        AI_LOG_ERROR_EXIT("failed to construct localhost masquerade iptables rules");
+        return false;
+    }
+
+    // insert vector index 0 of constructed rules
+    if (!nsNetfilter.addRules(ipv4Rules[0], AF_INET, Netfilter::Operation::Insert))
+    {
+        AI_LOG_ERROR_EXIT("failed to insert localhost masquerade rules to iptables");
+        return false;
+    }
+
+    // Apply the iptables rules
+    if (!nsNetfilter.applyRules(AF_INET))
+    {
+        AI_LOG_ERROR_EXIT("failed to apply iptables rules");
+        return false;
+    }
+
+    // Enable route_localnet inside the container
+    std::string routingFilename;
+#if defined(DEV_VM)
+    routingFilename = "/proc/sys/net/ipv4/conf/enp0s3/route_localnet";
+#else
+    routingFilename = "/proc/sys/net/ipv4/conf/eth0/route_localnet";
+#endif
+    utils->writeTextFile(routingFilename, "1", O_TRUNC | O_WRONLY, 0);
+
+    AI_LOG_FN_EXIT();
+    return true;
+}
 
 // -----------------------------------------------------------------------------
 /**

rdkPlugins/Thunder/CMakeLists.txt

@@ -27,6 +27,9 @@ add_library(${PROJECT_NAME}
 
         ../Networking/source/Netfilter.cpp
         ../Networking/source/StdStreamPipe.cpp
+        ../Networking/source/NetworkingHelper.cpp
+        ../Networking/source/PortForwarding.cpp
+        ../Networking/source/IPAllocator.cpp
         )
 
 if(securityagent_FOUND)

rdkPlugins/Thunder/source/ThunderPlugin.cpp

@@ -17,6 +17,7 @@
 * limitations under the License.
 */
 
+#include "PortForwarding.h"
 #include "ThunderPlugin.h"
 
 #ifdef HAS_SECURITY_AGENT
@@ -52,7 +53,8 @@ ThunderPlugin::ThunderPlugin(std::shared_ptr<rt_dobby_schema> &containerConfig,
       mThunderPort(9998), // Change this if Thunder runs on non-standard port
       mEnableConnLimit(false),
       mSocketDirectory("/tmp/SecurityAgent"),
-      mSocketPath(mSocketDirectory + "/token")
+      mSocketPath(mSocketDirectory + "/token"),
+      mHelper(std::make_shared<NetworkingHelper>(true, false))
 {
     AI_LOG_FN_ENTRY();
 
@@ -287,6 +289,16 @@ bool ThunderPlugin::createRuntime()
         return false;
     }
 
+    // Add localhost masquerade 
+    if (!mUtils->callInNamespace(mUtils->getContainerPid(), CLONE_NEWNET,
+                                 &PortForwarding::addLocalhostMasqueradingThunder,
+                                 mHelper,
+                                 mUtils))
+    {
+        AI_LOG_ERROR_EXIT("Failed to add localhost masquerade iptables rules inside container");
+        return false;
+    }
+
     AI_LOG_FN_EXIT();
     return true;
 }
@@ -368,6 +380,8 @@ Netfilter::RuleSet ThunderPlugin::constructRules() const
     const std::string &ipAddress = networkInfo.ipAddress;
     const std::string &vethName = networkInfo.vethName;
 
+    mHelper->storeContainerInterface(networkInfo.ipAddressRaw, vethName);
+
     // add the Thunder iptables rules
     std::list<std::string> acceptRules;
     std::list<std::string> natRules;

rdkPlugins/Thunder/source/ThunderPlugin.h

@@ -20,6 +20,8 @@
 #ifndef THUNDERPLUGIN_H
 #define THUNDERPLUGIN_H
 
+#include "NetworkingHelper.h"
+
 #include <Netfilter.h>
 #if defined (DOBBY_BUILD)
     #include <RdkPluginBase.h>
@@ -109,6 +111,7 @@ class ThunderPlugin : public RdkPluginBase
     const bool mEnableConnLimit;
     const std::string mSocketDirectory;
     const std::string mSocketPath;
+    std::shared_ptr<NetworkingHelper> mHelper;
     bool mSocketExists;
 };
 #endif // !defined(THUNDERPLUGIN_H)