FMO-69: Update fmo-tool with DDP and DPF fixes

- Update fmo-tool with DDP and DPF fixes - FIX: remove DPF rules to avoid duplicates - FIX: fix DPF read issue - Add psk distribution service to dockervm Signed-off-by: Ivan Kuznetsov <[email protected]>
tiiuae · Oct 23, 2024 · 5af7fc5 · 5af7fc5
1 parent e90920b
commit 5af7fc5
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 6 deletions.
diff --git a/hardware/fmo-os-rugged-laptop-7330.nix b/hardware/fmo-os-rugged-laptop-7330.nix
@@ -273,13 +273,22 @@
                 proto = "virtiofs";
                 socket = "fogdata.sock";
               }
+              {
+                tag = "ssh-public-key";
+                source = "/run/ssh-public-key";
+                mountPoint = "/run/ssh-public-key";
+              }
             ]; # microvm.shares
           };# microvm
+          fileSystems."/run/ssh-public-key".options = ["ro"];
           services = {
             fmo-hostname-service = {
               enable = true;
               hostname-path = "/var/lib/fogdata/hostname";
             }; # services.fmo-hostnam-service
+            fmo-psk-distribution-service-vm = {
+              enable = true;
+            }; # fmo-psk-distribution-service-vm
             fmo-dynamic-device-passthrough = {
               enable = true;
               devices = [

diff --git a/hardware/fmo-os-rugged-tablet-7230.nix b/hardware/fmo-os-rugged-tablet-7230.nix
@@ -253,13 +253,22 @@
                 proto = "virtiofs";
                 socket = "fogdata.sock";
               }
+              {
+                tag = "ssh-public-key";
+                source = "/run/ssh-public-key";
+                mountPoint = "/run/ssh-public-key";
+              }
             ]; # microvm.shares
           };# microvm
+          fileSystems."/run/ssh-public-key".options = ["ro"];
           services = {
             fmo-hostname-service = {
               enable = true;
               hostname-path = "/var/lib/fogdata/hostname";
             }; # services.fmo-hostnam-service
+            fmo-psk-distribution-service-vm = {
+              enable = true;
+            }; # fmo-psk-distribution-service-vm
             fmo-dynamic-device-passthrough = {
               enable = true;
               devices = [

diff --git a/modules/custom-packages/fmo-tool/fmo-tool.nix b/modules/custom-packages/fmo-tool/fmo-tool.nix
@@ -43,7 +43,7 @@ pkgs.python3Packages.buildPythonApplication {
 
   src = builtins.fetchGit {
     url = "[email protected]:tiiuae/fmo-tool.git";
-    rev = "40ca851d4f51af7ecf48939394609c6520b5d549";
-    ref = "refs/heads/integrate_ddp";
+    rev = "f04417455b89a1555259b2af29ed34d681cda358";
+    ref = "refs/heads/main";
   };
 }
diff --git a/modules/dynamic-portforwarding-service/default.nix b/modules/dynamic-portforwarding-service/default.nix
@@ -45,21 +45,45 @@ in {
   config = mkIf cfg.enable {
     systemd.services.fmo-dynamic-portforwarding-service = {
       script = ''
+          CHAIN_N="fmo-os-fw"
           IP=$(${pkgs.gawk}/bin/gawk '{print $1}' ${cfg.ipaddress-path} || echo ${cfg.ipaddress})
+          sync
+          lines=$(cat ${cfg.config-path})
 
+          # Delete old rules if exist
+          while ${pkgs.iptables}/bin/iptables -L $CHAIN_N -n --line-numbers | grep -q -E '^[0-9]+'; do
+            ${pkgs.iptables}/bin/iptables -D $CHAIN_N 1 || echo "$CHAIN_N rule 1 does not exist. skip.."
+          done
+
+          while ${pkgs.iptables}/bin/iptables -t nat -L $CHAIN_N -n --line-numbers | grep -q -E '^[0-9]+'; do
+            ${pkgs.iptables}/bin/iptables -t nat -D $CHAIN_N 1 || echo "$CHAIN_N -t nat rule 1 does not exist. skip.."
+          done
+
+          # Delete old chains
+          ${pkgs.iptables}/bin/iptables -D INPUT -j $CHAIN_N || echo "chain does not exist. skip.."
+          ${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -j $CHAIN_N || echo "chain does not exist. skip.."
+          ${pkgs.iptables}/bin/iptables -X $CHAIN_N || echo "chain does not exist. skip.."
+          ${pkgs.iptables}/bin/iptables -t nat -X $CHAIN_N || echo "chain does not exist. skip.."
+
+          # Create new chains
+          ${pkgs.iptables}/bin/iptables -N $CHAIN_N
+          ${pkgs.iptables}/bin/iptables -t nat -N $CHAIN_N
+          ${pkgs.iptables}/bin/iptables -I INPUT -j $CHAIN_N
+          ${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -j $CHAIN_N
+
+          # Add new rules
           while IFS= read -r line; do
             SRC_IP=$(echo $line | ${pkgs.gawk}/bin/gawk '{print $1}')
             SRC_PORT=$(echo $line | ${pkgs.gawk}/bin/gawk '{print $2}')
             DST_PORT=$(echo $line | ${pkgs.gawk}/bin/gawk '{print $3}')
             DST_IP=$(echo $line | ${pkgs.gawk}/bin/gawk '{print $4}')
             PROTO=$(echo $line | ${pkgs.gawk}/bin/gawk '{print $5}')
-
             SRC_IP=$([[ "$SRC_IP" = "NA" ]] && echo $IP || echo $SRC_IP)
 
             echo "Apply a new port forwarding: $SRC_IP:$SRC_PORT to $DST_IP:$DST_PORT proto: $PROTO"
-            ${pkgs.iptables}/bin/iptables -I INPUT -p $PROTO --dport $SRC_PORT -j ACCEPT
-            ${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p $PROTO -d $SRC_IP --dport $SRC_PORT -j DNAT --to-destination $DST_IP:$DST_PORT
-          done < ${cfg.config-path}
+            ${pkgs.iptables}/bin/iptables -I $CHAIN_N -p $PROTO --dport $SRC_PORT -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -I $CHAIN_N -p $PROTO -d $SRC_IP --dport $SRC_PORT -j DNAT --to-destination $DST_IP:$DST_PORT
+          done <<< "$lines"
       '';
 
       wantedBy = ["network.target"];