From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:54163) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QOrF9-0008Fr-Do for qemu-devel@nongnu.org; Tue, 24 May 2011 09:01:55 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QOrF8-0001Yv-Bm for qemu-devel@nongnu.org; Tue, 24 May 2011 09:01:51 -0400
Received: from mx1.redhat.com ([209.132.183.28]:58625) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QOrF8-0001Yn-3J for qemu-devel@nongnu.org; Tue, 24 May 2011 09:01:50 -0400
Date: Tue, 24 May 2011 16:01:47 +0300
From: Gleb Natapov
Message-ID: <20110524130147.GT28399@redhat.com>
References: <20110524123721.GS28399@redhat.com> <4DDBA7CF.5090400@siemens.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4DDBA7CF.5090400@siemens.com>
Subject: Re: [Qemu-devel] [PATCH 1/4] slirp: Fix restricted mode
To: Jan Kiszka
Cc: "qemu-devel@nongnu.org"

On Tue, May 24, 2011 at 02:42:55PM +0200, Jan Kiszka wrote:
> On 2011-05-24 14:37, Gleb Natapov wrote:
> > On Mon, May 23, 2011 at 04:48:16PM +0200, Jan Kiszka wrote:
> >> This aligns the code to what the documentation claims: Allow everything
> >> but requests that would have to be routed outside of the virtual LAN.
> >>
> >> So we need to drop the unneeded IP-level filter, allow TFTP requests,
> >> and add the missing protocol-level filter to ICMP.
> >>
> > Maybe I am missing something, but how do you disallow requests by
> > removing code that actually does filtering?
>
> All we need to filter are the per-IP-protocol parts that do the
> forwarding via the host IP stack. That does not need to happen at IP level.
>
> Moreover, the existing code contained some practically dead bits anyway:
>
>     if ((ip->ip_dst.s_addr & slirp->vnetwork_mask.s_addr) ==
>         slirp->vnetwork_addr.s_addr) {
>         if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
>             goto bad;
>
> This could only trigger if vnetwork_mask.s_addr was 0 (the same applied
> to the original code before my refactoring in 2009).
>
Not sure what you mean by that. This checks that ip_dst.s_addr is in the
vnetwork range. It does this by comparing the netmask bits of ip_dst.s_addr
with vnetwork_addr.s_addr. Grep for vnetwork_mask.s_addr. This idiom is used
many times throughout the code.

--
			Gleb.
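The two messages above argue about the same masking idiom, so here is a worked illustration of it. This is example code written for this page, not code from the slirp patch or the QEMU tree. It mirrors the quoted nested condition in its own helpers: `in_vnetwork` is the `(dst & vnetwork_mask) == vnetwork_addr` membership test Gleb describes, `quoted_filter_drops` reproduces the quoted block's `goto bad` decision, and `broadcast_branch_reachable` reports whether the limited broadcast address 255.255.255.255 can pass the outer membership test for a given network at all, which is the question Jan's "practically dead" remark turns on. The sample network 10.0.2.0/24 and the sample destinations are constructed, all values are plain host-order 32-bit integers (slirp keeps them in network byte order, but the idiom only ANDs and compares, so the result is the same as long as all operands use one order), and `PROTO_UDP` stands in for `IPPROTO_UDP`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol number of UDP (the value IPPROTO_UDP has in <netinet/in.h>). */
#define PROTO_UDP 17u

/* Constructed sample network, 10.0.2.0/24, as host-order 32-bit values.
 * Stand-ins for slirp->vnetwork_addr / slirp->vnetwork_mask. */
#define SAMPLE_VNET_ADDR 0x0a000200u
#define SAMPLE_VNET_MASK 0xffffff00u

/* The "(dst & vnetwork_mask) == vnetwork_addr" idiom: true when dst lies
 * inside the virtual LAN, i.e. its network bits equal the network address. */
static bool in_vnetwork(uint32_t vnet_addr, uint32_t vnet_mask, uint32_t dst)
{
    return (dst & vnet_mask) == vnet_addr;
}

/* Mirror of the quoted nested condition. Returns true where the quoted
 * code would 'goto bad' (drop the packet): destination is the limited
 * broadcast address and the protocol is not UDP. */
static bool quoted_filter_drops(uint32_t vnet_addr, uint32_t vnet_mask,
                                uint32_t dst, uint8_t proto)
{
    if (in_vnetwork(vnet_addr, vnet_mask, dst)) {
        if (dst == 0xffffffffu && proto != PROTO_UDP) {
            return true;
        }
    }
    return false;
}

/* The inner branch can only run if 255.255.255.255 passes the outer test.
 * Since 0xffffffff & mask == mask, that requires mask == vnet_addr, which a
 * properly formed network (addr & mask == addr) only satisfies when both
 * are zero. */
static bool broadcast_branch_reachable(uint32_t vnet_addr, uint32_t vnet_mask)
{
    return in_vnetwork(vnet_addr, vnet_mask, 0xffffffffu);
}

/* Dotted-quad printer for the demo output. */
static void show(uint32_t a)
{
    printf("%u.%u.%u.%u", a >> 24, (a >> 16) & 0xffu, (a >> 8) & 0xffu, a & 0xffu);
}

int main(void)
{
    /* Constructed destinations: one inside 10.0.2.0/24, one outside, and
     * the limited broadcast address. */
    const uint32_t dsts[] = { 0x0a000215u, 0x0a000315u, 0xffffffffu };

    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++) {
        show(dsts[i]);
        printf(": in 10.0.2.0/24 = %s\n",
               in_vnetwork(SAMPLE_VNET_ADDR, SAMPLE_VNET_MASK, dsts[i]) ? "yes" : "no");
    }
    printf("broadcast branch reachable for 10.0.2.0/24: %s\n",
           broadcast_branch_reachable(SAMPLE_VNET_ADDR, SAMPLE_VNET_MASK) ? "yes" : "no");
    printf("broadcast branch reachable for addr=0 mask=0: %s\n",
           broadcast_branch_reachable(0u, 0u) ? "yes" : "no");
    return 0;
}
```

Running it shows the outer membership test doing exactly what Gleb says for ordinary destinations, and also that for the sample /24 the nested broadcast check is never reached, while it is reached when both the network address and the mask are zero.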