From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:58120)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1QASIh-0001lb-SU
	for qemu-devel@nongnu.org; Thu, 14 Apr 2011 15:34:00 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1QASIg-0002y0-O5
	for qemu-devel@nongnu.org; Thu, 14 Apr 2011 15:33:59 -0400
Received: from e5.ny.us.ibm.com ([32.97.182.145]:39471)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1QASIg-0002xf-LV
	for qemu-devel@nongnu.org; Thu, 14 Apr 2011 15:33:58 -0400
Received: from d01relay01.pok.ibm.com (d01relay01.pok.ibm.com [9.56.227.233])
	by e5.ny.us.ibm.com (8.14.4/8.13.1) with ESMTP id p3EJ7fT9001545
	for <qemu-devel@nongnu.org>; Thu, 14 Apr 2011 15:07:41 -0400
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215])
	by d01relay01.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	p3EJXcdb406612
	for <qemu-devel@nongnu.org>; Thu, 14 Apr 2011 15:33:39 -0400
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1])
	by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	p3EJXcqU010744
	for <qemu-devel@nongnu.org>; Thu, 14 Apr 2011 15:33:38 -0400
Received: from [9.59.241.154] (d941e-10.watson.ibm.com [9.59.241.154])
	by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id
	p3EJXct4010733
	for <qemu-devel@nongnu.org>; Thu, 14 Apr 2011 15:33:38 -0400
Message-ID: <4DA74C12.4010502@linux.vnet.ibm.com>
Date: Thu, 14 Apr 2011 15:33:38 -0400
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <BANLkTikaXZHbkEsdqLepQdWqBxLQZr5=-w@mail.gmail.com>
In-Reply-To: <BANLkTikaXZHbkEsdqLepQdWqBxLQZr5=-w@mail.gmail.com>
Content-Type: multipart/alternative;
	boundary="------------070205000907080509070704"
Subject: Re: [Qemu-devel] [PATCH] Slirp reverse UDP firewall
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <http://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

This is a multi-part message in MIME format.
--------------070205000907080509070704
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 04/12/2011 12:19 PM, Daisuke Nojiri wrote:
> This patch adds: -drop-udp, -allow-udp ADDR:PORT, -drop-log FILE
>
>   e.g.) $ qemu -net user -drop-log qemu.drop -drop-udp -allow-udp 
> 10.0.2.3:53 <http://10.0.2.3:53>
>
> -drop-udp enables usermode firewall for out-going UDP packats from a 
> guest.
> All UDP packets except ones allowed by -allow-udp will be dropped. Dropped
> packets are logged in the file specified by FILE. PORT can be a single 
> number
> (e.g. 53) or a range (e.g. [80-81]). If ADDR is ommitted, all 
> addresses match
> the rule.

If you want to end up providing functionality like ebtables/iptables 
does then you'll need to think of user-defined tables or 'labeled rules' 
along with gotos/jumps -- not just for efficiency reasons but also 
because strictly linear evaluation of rules doesn't cover all the cases.
Besides that you'd probably want a connection tracking system so that 
you can for example enable only a few [UDP] ports of the VM to be 
reachable yet can initiate any kind of traffic... A bigger undertaking 
to say the least.

My $.02,
    Stefan


--------------070205000907080509070704
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 04/12/2011 12:19 PM, Daisuke Nojiri wrote:
    <blockquote
      cite="mid:BANLkTikaXZHbkEsdqLepQdWqBxLQZr5=-w@mail.gmail.com"
      type="cite">
      <meta http-equiv="Context-Type" content="text/html;
        charset=ISO-8859-1">
      <div>
        <div>
          <div>This patch adds: -drop-udp, -allow-udp ADDR:PORT,
            -drop-log FILE</div>
          <div><br>
          </div>
          <div>&nbsp; e.g.) $ qemu -net user -drop-log qemu.drop -drop-udp
            -allow-udp <a moz-do-not-send="true"
              href="http://10.0.2.3:53">10.0.2.3:53</a></div>
          <div><br>
          </div>
          <div>-drop-udp enables usermode firewall for out-going UDP
            packats from a guest.</div>
          <div>All UDP packets except ones allowed by -allow-udp will be
            dropped. Dropped</div>
          <div>packets are logged in the file specified by FILE. PORT
            can be a single number</div>
          <div>(e.g. 53) or a range (e.g. [80-81]). If ADDR is ommitted,
            all addresses match</div>
          <div>the rule.</div>
        </div>
      </div>
    </blockquote>
    <br>
    If you want to end up providing functionality like ebtables/iptables
    does then you'll need to think of user-defined tables or 'labeled
    rules' along with gotos/jumps -- not just for efficiency reasons but
    also because strictly linear evaluation of rules doesn't cover all
    the cases.<br>
    Besides that you'd probably want a connection tracking system so
    that you can for example enable only a few [UDP] ports of the VM to
    be reachable yet can initiate any kind of traffic... A bigger
    undertaking to say the least.<br>
    <br>
    My $.02,<br>
    &nbsp;&nbsp; Stefan<br>
    <br>
  </body>
</html>

--------------070205000907080509070704--