public inbox for openembedded-core@lists.openembedded.org
From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>
Subject: [PATCH 2/2] runqemu: limit slirp host port forwarding to localhost 127.0.0.1
Date: Mon, 14 Nov 2022 17:50:38 +0200
Message-ID: <20221114155038.3654499-2-mikko.rapeli@linaro.org>
In-Reply-To: <20221114155038.3654499-1-mikko.rapeli@linaro.org>

With the default slirp port forwarding config, qemu listens on TCP ports
2222 and 2323 on all IP addresses available on the build host. Most
use cases with runqemu only need it for localhost, and it is not
safe to run qemu images with root login without password enabled
and listening on all available, possibly Internet reachable network
interfaces. Limit qemu port forwarding to the localhost 127.0.0.1 IP
address. Now the qemu machine SSH and telnet ports are only
reachable from the build host machine, not the full Internet.

If the qemu machine needs to be reachable from the network, then it can
be enabled via local.conf or machine config variable QB_SLIRP_OPT:

QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22"

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 scripts/runqemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index a6ea578564..7bd9465593 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1071,7 +1071,7 @@ class BaseConfig(object):
         logger.info("Network configuration:%s", netconf)
         self.kernel_cmdline_script += netconf
         # Port mapping
-        hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23"
+        hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"
         qb_slirp_opt_default = "-netdev user,id=net0%s,tftp=%s" % (hostfwd, self.get('DEPLOY_DIR_IMAGE'))
         qb_slirp_opt = self.get('QB_SLIRP_OPT') or qb_slirp_opt_default
         # Figure out the port
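Review bot: the loopback restriction on the new hostfwd line only reaches users through qb_slirp_opt_default, because `self.get('QB_SLIRP_OPT') or qb_slirp_opt_default` two lines further down takes any existing QB_SLIRP_OPT verbatim. A machine config or local.conf that already sets QB_SLIRP_OPT with `hostfwd=tcp::...` keeps listening on every address after this patch. Consider logging a warning when the effective qb_slirp_opt contains a hostfwd rule with an empty host address. The "# Port mapping" comment should also say that overriding QB_SLIRP_OPT replaces the whole string, so an override like the one in the commit message drops the `tftp=` part and the 2323 forward. Since 127.0.0.1 now appears twice in one literal, a single named value for the bind address would make later changes less error-prone.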
-- 
2.34.1
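
An added example, not part of the patch or of runqemu: a Python check that parses the hostfwd rules in a QB_SLIRP_OPT-style string and reports the host ports that listen beyond loopback. The function names and sample strings are constructed for illustration, and the rule syntax assumed is QEMU's `hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport` in its IPv4 form.

```python
import ipaddress
import re

# hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(
    r"hostfwd=(?P<proto>tcp|udp)?:(?P<hostaddr>[^:,]*):(?P<hostport>\d+)"
    r"-(?P<guestaddr>[^:,]*):(?P<guestport>\d+)"
)


def classify_bind(hostaddr):
    """Return 'all-interfaces', 'loopback', 'specific' or 'unknown'."""
    if hostaddr == "":
        return "all-interfaces"  # empty host address: listens on every address
    try:
        addr = ipaddress.ip_address(hostaddr)
    except ValueError:
        return "unknown"         # not an IP literal; needs a manual look
    if addr.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 is the explicit wildcard
    return "loopback" if addr.is_loopback else "specific"


def audit_slirp_opt(opt):
    """Parse every hostfwd rule found in a '-netdev user,...' string."""
    return [
        {
            "proto": m.group("proto") or "tcp",
            "hostaddr": m.group("hostaddr"),
            "hostport": int(m.group("hostport")),
            "guestport": int(m.group("guestport")),
            "bind": classify_bind(m.group("hostaddr")),
        }
        for m in HOSTFWD_RE.finditer(opt)
    ]


def exposed_ports(opt):
    """Host ports whose listener is not confined to loopback."""
    return sorted(r["hostport"] for r in audit_slirp_opt(opt) if r["bind"] != "loopback")


if __name__ == "__main__":
    # Constructed samples: the pre-patch default and the patched default.
    old = "-netdev user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23,tftp=/tmp/deploy"
    new = "-netdev user,id=net0,hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"
    for name, opt in (("old default", old), ("patched default", new)):
        print(name, "->", exposed_ports(opt) or "loopback only")
```
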



Thread overview: 6+ messages
2022-11-14 15:50 [PATCH v2 1/2] qemurunner.py: support setting slirp host IP address Mikko Rapeli
2022-11-14 15:50 ` Mikko Rapeli [this message]
2022-11-17 13:17   ` [OE-core] [PATCH 2/2] runqemu: limit slirp host port forwarding to localhost 127.0.0.1 Quentin Schulz
2022-11-17 14:20     ` Mikko Rapeli
2022-11-17 13:13 ` [OE-core] [PATCH v2 1/2] qemurunner.py: support setting slirp host IP address Quentin Schulz
2022-11-17 13:17   ` Mikko Rapeli