From: Anthony Liguori <anthony@codemonkey.ws>
To: Gertjan Halkes <qemu@ghalkes.nl>
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] make user networking hostfwd work with restrict=y
Date: Fri, 11 Nov 2011 08:24:04 -0600
Message-ID: <4EBD3004.3080301@codemonkey.ws>
In-Reply-To: <20111111125818.444e400b@revolver>
On 11/11/2011 05:58 AM, Gertjan Halkes wrote:
> This patch allows the hostfwd option to override the restrict=y setting in
> the user network stack, as explicitly stated in the documentation on the
> restrict option:
>
> restrict=on|off
> If this option is enabled, the guest will be isolated, i.e. it
> will not be able to contact the host and no guest IP packets
> will be routed over the host to the outside. This option does
> not affect any explicitly set forwarding rules.
>
> Qemu bug tracker:
> https://bugs.launchpad.net/qemu/+bug/829455
Please submit against qemu.git master with a Signed-off-by.
Regards,
Anthony Liguori
>
> diff -aur qemu-kvm-0.15.0+noroms/slirp/tcp_input.c qemu-kvm-0.15.0+noromsnew/slirp/tcp_input.c
> --- qemu-kvm-0.15.0+noroms/slirp/tcp_input.c 2011-08-09 14:40:29.000000000 +0200
> +++ qemu-kvm-0.15.0+noromsnew/slirp/tcp_input.c 2011-11-11 12:42:31.000000000 +0100
> @@ -316,16 +316,6 @@
> m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
> m->m_len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
>
> - if (slirp->restricted) {
> - for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) {
> - if (ex_ptr->ex_fport == ti->ti_dport&&
> - ti->ti_dst.s_addr == ex_ptr->ex_addr.s_addr) {
> - break;
> - }
> - }
> - if (!ex_ptr)
> - goto drop;
> - }
> /*
> * Locate pcb for segment.
> */
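Review bot: with the `if (slirp->restricted)` block removed from this common path, segments addressed to an already-existing socket are no longer compared against `exec_list` at all when restrict=on, so the restriction is now enforced only at connection establishment (the `so == NULL` branch later in this function) rather than on every incoming segment. That is the intended effect for hostfwd, since the host-side listener already owns a socket, but the commit message should state explicitly that restrict=on now gates new connections only. Note also that this removed code exited via `goto drop` (silent), whereas the relocated check exits via a reset; see the comment on the next hunk.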
> @@ -354,7 +344,23 @@
> * the only flag set, then create a session, mark it
> * as if it was LISTENING, and continue...
> */
> - if (so == NULL) {
> + if (so == NULL) {
> + if (slirp->restricted) {
> + /* Any hostfwds will have an existing socket, so we only get here
> + * for non-hostfwd connections. These should be dropped, unless it
> + * happens to be a guestfwd.
> + */
> + for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) {
> + if (ex_ptr->ex_fport == ti->ti_dport&&
> + ti->ti_dst.s_addr == ex_ptr->ex_addr.s_addr) {
> + break;
> + }
> + }
> + if (!ex_ptr) {
> + goto dropwithreset;
> + }
> + }
> +
> if ((tiflags& (TH_SYN|TH_FIN|TH_RST|TH_URG|TH_ACK)) != TH_SYN)
> goto dropwithreset;
>
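Review bot: the relocated check exits with `goto dropwithreset` where the original code used `goto drop`, so a guest under restrict=on that tries to reach a non-forwarded address now receives a RST instead of having its SYN silently discarded. If that change is intentional (it is consistent with the `goto dropwithreset` used two lines below for non-SYN segments to an unknown socket), say so in the commit message; otherwise keep `goto drop` to preserve the previous behaviour. Separately, the `Signed-off-by:` line sits after the diff rather than in the commit message above the `diff` header, so patch-applying tools will not pick it up; move it up next to the bug-tracker reference.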
> Signed-off-by: Gertjan Halkes <qemu@ghalkes.nl>
>
>
Thread overview (4 messages):
2011-11-11 11:58 [Qemu-devel] [PATCH] make user networking hostfwd work with restrict=y Gertjan Halkes
2011-11-11 14:24 ` Anthony Liguori [this message]
2011-11-11 15:04 ` Gertjan Halkes
2011-11-14 13:56 ` [Qemu-devel] [Qemu-trivial] " Stefan Hajnoczi