From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:48571) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ROs1d-0006hp-BY for qemu-devel@nongnu.org; Fri, 11 Nov 2011 09:24:27 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ROs1Y-0006Ig-1l for qemu-devel@nongnu.org; Fri, 11 Nov 2011 09:24:12 -0500
Message-ID: <4EBD3004.3080301@codemonkey.ws>
Date: Fri, 11 Nov 2011 08:24:04 -0600
From: Anthony Liguori
MIME-Version: 1.0
References: <20111111125818.444e400b@revolver>
In-Reply-To: <20111111125818.444e400b@revolver>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] make user networking hostfwd work with restrict=y
To: Gertjan Halkes
Cc: qemu-trivial@nongnu.org, qemu-devel@nongnu.org

On 11/11/2011 05:58 AM, Gertjan Halkes wrote:
> This patch allows the hostfwd option to override the restrict=y setting in
> the user network stack, as explicitly stated in the documentation on the
> restrict option:
>
> restrict=on|off
> If this option is enabled, the guest will be isolated, i.e. it
> will not be able to contact the host and no guest IP packets
> will be routed over the host to the outside. This option does
> not affect any explicitly set forwarding rules.
>
> Qemu bug tracker:
> https://bugs.launchpad.net/qemu/+bug/829455

Please submit against qemu.git master with a Signed-off-by.

Regards,

Anthony Liguori

>
> diff -aur qemu-kvm-0.15.0+noroms/slirp/tcp_input.c qemu-kvm-0.15.0+noromsnew/slirp/tcp_input.c
> --- qemu-kvm-0.15.0+noroms/slirp/tcp_input.c 2011-08-09 14:40:29.000000000 +0200
> +++ qemu-kvm-0.15.0+noromsnew/slirp/tcp_input.c 2011-11-11 12:42:31.000000000 +0100
> @@ -316,16 +316,6 @@ > m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr); > m->m_len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr); > > - if (slirp->restricted) { > - for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) { > - if (ex_ptr->ex_fport == ti->ti_dport&& > - ti->ti_dst.s_addr == ex_ptr->ex_addr.s_addr) { > - break; > - } > - } > - if (!ex_ptr) > - goto drop; > - } > /* > * Locate pcb for segment. > */ > @@ -354,7 +344,23 @@ > * the only flag set, then create a session, mark it > * as if it was LISTENING, and continue... > */ > - if (so == NULL) { > + if (so == NULL) { > + if (slirp->restricted) { > + /* Any hostfwds will have an existing socket, so we only get here > + * for non-hostfwd connections. These should be dropped, unless it > + * happens to be a guestfwd. > + */ > + for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) { > + if (ex_ptr->ex_fport == ti->ti_dport&& > + ti->ti_dst.s_addr == ex_ptr->ex_addr.s_addr) { > + break; > + } > + } > + if (!ex_ptr) { > + goto dropwithreset; > + } > + } > + > if ((tiflags& (TH_SYN|TH_FIN|TH_RST|TH_URG|TH_ACK)) != TH_SYN) > goto dropwithreset; > > Signed-off-by: Gertjan Halkes > >
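Review bot: removing the restricted check from before "Locate pcb for segment" (hunk at -316,16 +316,6) changes what is filtered in restricted mode: the old code dropped every guest segment whose destination was not a guestfwd before any socket lookup, whereas after this hunk any segment that matches an existing socket is processed with no restricted check at all, and only segments with no socket (so == NULL) are examined later. The protection therefore now depends entirely on the invariant that, with restrict=y, a socket can only exist for a hostfwd, guestfwd or an already-accepted connection; that invariant is asserted only in a code comment in the second hunk and should be spelled out in the commit message, ideally in the resend against qemu.git master that was requested (this diff is against qemu-kvm-0.15.0+noroms). ex_ptr is still used by the moved loop, so no declaration needs to go.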
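Review bot: the moved check in the second hunk (-354,7 +344,23) turns `goto drop` into `goto dropwithreset`, so a guest connecting to a non-forwarded port in restricted mode now receives an RST instead of having its SYN silently discarded; that is a visible behaviour change for the guest and should either be stated in the commit message or reverted to `goto drop` if the silent drop was intentional. Two smaller points in the same hunk: `if (so == NULL) {` is removed and re-added as an identical line, which indicates a whitespace-only change and should be dropped from the diff; and the re-added condition keeps the old `ti->ti_dport&&` spacing, which is worth fixing to `ti->ti_dport &&` now that the lines are being rewritten anyway.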