Message-ID: <4DDBA7CF.5090400@siemens.com>
Date: Tue, 24 May 2011 14:42:55 +0200
From: Jan Kiszka
References: <20110524123721.GS28399@redhat.com>
In-Reply-To: <20110524123721.GS28399@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 1/4] slirp: Fix restricted mode
To: Gleb Natapov
Cc: "qemu-devel@nongnu.org"

On 2011-05-24 14:37, Gleb Natapov wrote:
> On Mon, May 23, 2011 at 04:48:16PM +0200, Jan Kiszka wrote:
>> This aligns the code to what the documentation claims: Allow everything
>> but requests that would have to be routed outside of the virtual LAN.
>>
>> So we need to drop the unneeded IP-level filter, allow TFTP requests,
>> and add the missing protocol-level filter to ICMP.
>>
> Maybe I am missing something, but how do you disallow requests by
> removing code that actually does filtering?

All we need to filter are the per-IP-protocol parts that do the forwarding
via the host IP stack. That does not need to happen at IP level.
Moreover, the existing code contained some practically dead bits anyway:

    if ((ip->ip_dst.s_addr & slirp->vnetwork_mask.s_addr) ==
        slirp->vnetwork_addr.s_addr) {
        if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
            goto bad;

This could only trigger if vnetwork_mask.s_addr was 0 (the same applied
to the original code before my refactoring in 2009).

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux