On 04/12/2011 12:19 PM, Daisuke Nojiri wrote:
> This patch adds: -drop-udp, -allow-udp ADDR:PORT, -drop-log FILE
>
> e.g.) $ qemu -net user -drop-log qemu.drop -drop-udp -allow-udp 10.0.2.3:53
>
> -drop-udp enables usermode firewall for out-going UDP packets from a guest.
> All UDP packets except ones allowed by -allow-udp will be dropped. Dropped
> packets are logged in the file specified by FILE. PORT can be a single number
> (e.g. 53) or a range (e.g. [80-81]). If ADDR is omitted, all addresses match
> the rule.

If you want to end up providing functionality like ebtables/iptables does then
you'll need to think of user-defined tables or 'labeled rules' along with
gotos/jumps -- not just for efficiency reasons but also because strictly linear
evaluation of rules doesn't cover all the cases. Besides that you'd probably
want a connection tracking system so that you can for example enable only a few
[UDP] ports of the VM to be reachable yet can initiate any kind of traffic...
A bigger undertaking to say the least.

My $.02,
Stefan
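The rule syntax quoted above (ADDR:PORT with a single port or a [LO-HI] range, address optional) and the strictly linear, first-match evaluation Stefan criticises, as an added example that is not part of the patch or of this thread. It assumes an omitted ADDR is written as ":53" or plain "53"; the patch's exact spelling for that case is not shown here.

```c
/* Added example, not the patch's code: parse -allow-udp rules of the forms
 * ADDR:PORT, ADDR:[LO-HI], PORT or [LO-HI] (assumption: omitted ADDR is
 * ":PORT" or bare PORT) and apply them first-match to an outgoing datagram. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
struct udp_rule {
    int has_addr;         /* 0: any destination address matches */
    struct in_addr addr;  /* IPv4 destination, network byte order */
    int lo, hi;           /* inclusive destination port range */
};
/* Returns 0 on success, -1 if the rule is malformed. */
int parse_udp_rule(const char *spec, struct udp_rule *r)
{
    char buf[INET_ADDRSTRLEN], *end;
    const char *port = spec, *colon = strchr(spec, ':');
    memset(r, 0, sizeof(*r));
    if (colon) {
        size_t n = (size_t)(colon - spec);
        if (n >= sizeof(buf)) return -1;
        if (n > 0) {                      /* ADDR present: must be valid IPv4 */
            memcpy(buf, spec, n); buf[n] = '\0';
            if (inet_pton(AF_INET, buf, &r->addr) != 1) return -1;
            r->has_addr = 1;
        }
        port = colon + 1;
    }
    if (*port == '[') {                   /* range form [LO-HI], nothing after ']' */
        int k = -1;
        if (sscanf(port, "[%d-%d]%n", &r->lo, &r->hi, &k) != 2 || k < 0 || port[k]) return -1;
    } else {                              /* single port, digits only */
        r->lo = r->hi = (int)strtol(port, &end, 10);
        if (end == port || *end) return -1;
    }
    return (r->lo >= 0 && r->lo <= r->hi && r->hi <= 65535) ? 0 : -1;
}

/* Linear first-match walk: 1 if some rule allows dst:port, 0 means drop (and log). */
int udp_allowed(const struct udp_rule *rules, int n, const char *dst, int port)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dst, &a) != 1) return 0;
    for (int i = 0; i < n; i++) {
        if (rules[i].has_addr && rules[i].addr.s_addr != a.s_addr) continue;
        if (port >= rules[i].lo && port <= rules[i].hi) return 1;
    }
    return 0;
}
```

Because the walk is a flat list with an implicit final drop, it cannot express the jumps or per-flow state Stefan mentions; a reply to a guest's DNS query only gets through if a rule happens to cover it.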