From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:45371) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QAryI-0001JA-SK for qemu-devel@nongnu.org; Fri, 15 Apr 2011 18:58:40 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QAryG-0006L5-Sn for qemu-devel@nongnu.org; Fri, 15 Apr 2011 18:58:38 -0400 Received: from smtp-out.google.com ([74.125.121.67]:14641) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QAryG-0006Kx-EV for qemu-devel@nongnu.org; Fri, 15 Apr 2011 18:58:36 -0400 Received: from wpaz21.hot.corp.google.com (wpaz21.hot.corp.google.com [172.24.198.85]) by smtp-out.google.com with ESMTP id p3FMwZS0028331 for ; Fri, 15 Apr 2011 15:58:35 -0700 Received: from pxi11 (pxi11.prod.google.com [10.243.27.11]) by wpaz21.hot.corp.google.com with ESMTP id p3FMwXGh025069 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for ; Fri, 15 Apr 2011 15:58:33 -0700 Received: by pxi11 with SMTP id 11so6211942pxi.21 for ; Fri, 15 Apr 2011 15:58:33 -0700 (PDT) MIME-Version: 1.0 Date: Fri, 15 Apr 2011 15:58:32 -0700 Message-ID: 
From: Daisuke Nojiri Content-Type: multipart/alternative; boundary=001636e0ae0f258c2004a0fcfba2 Subject: [Qemu-devel] [PATCH 2/4] Slirp Reverse UDP Firewall List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org, Blue Swirl , Jan Kiszka --001636e0ae0f258c2004a0fcfba2 Content-Type: text/plain; charset=ISO-8859-1 This patch series adds a simple reverse UDP firewall functionality to Slirp. The series consists of three patches. Each adds one -net user option: 1. drop=udp|all - enables the firewall 2. droplog=FILE - sets the drop log filename 3. allow=PROTO:ADDR:PORT - adds an allow rule e.g.) $ qemu -net user,drop=udp,droplog=qemu.drop,allow=udp:10.0.2.3:53 All UDP packets except ones allowed by allow rules will be dropped. The source and the destination of the dropped packets are logged in the file specified by FILE. PORT can be a single number (e.g. 53) or a range (e.g. [80-81]). ADDR can be a single address (e.g. 1.2.3.4) or a range (e.g. 1.2.3.4/24). If ADDR is ommitted, all addresses match the rule. If PROTO is omitted, all protocols match the rule. TCP support will follow in another patch series. Signed-off-by: Daisuke Nojiri
diff --git a/net.c b/net.c
index 2742741..0707188 100644
--- a/net.c
+++ b/net.c
@@ -929,6 +929,10 @@ static const struct {
 .name = "drop",
 .type = QEMU_OPT_STRING,
 .help = "Enable the simple reverse firewall",
+ }, {
+ .name = "droplog",
+ .type = QEMU_OPT_STRING,
+ .help = "Set log filename for the reverse firewall",
 },
 { /* end of list */ }
 },
diff --git a/net/slirp.c b/net/slirp.c
index c0a3740..07e1353 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -141,7 +141,8 @@ static int net_slirp_init(VLANState *vlan, const char *model,
 const char *vhostname, const char *tftp_export,
 const char *bootfile, const char *vdhcp_start,
 const char *vnameserver, const char *smb_export,
- const char *vsmbserver, unsigned char drop)
+ const char *vsmbserver, unsigned char drop,
+ FILE *drop_log)
 {
 /* default settings according to historic slirp */
 struct in_addr net = { .s_addr = htonl(0x0a000200) }; /* 10.0.2.0 */
@@ -245,8 +246,8 @@ static int net_slirp_init(VLANState *vlan, const char *model,
 s = DO_UPCAST(SlirpState, nc, nc);
- s->slirp = slirp_init(restricted, net, mask, host, vhostname,
- tftp_export, bootfile, dhcp, dns, drop, s);
+ s->slirp = slirp_init(restricted, net, mask, host, vhostname, tftp_export,
+ bootfile, dhcp, dns, drop, drop_log, s);
 QTAILQ_INSERT_TAIL(&slirp_stacks, s, entry);
 for (config = slirp_configs; config; config = config->next) {
@@ -690,10 +691,12 @@ int net_init_slirp(QemuOpts *opts,
 const char *bootfile;
 const char *smb_export;
 const char *vsmbsrv;
+ const char *droplog_filename;
 char *vnet = NULL;
 int restricted = 0;
 int ret;
 unsigned char drop = 0;
+ FILE *drop_log = NULL;
 vhost = qemu_opt_get(opts, "host");
 vhostname = qemu_opt_get(opts, "hostname");
@@ -741,11 +744,20 @@ int net_init_slirp(QemuOpts *opts,
 }
 }
+ droplog_filename = qemu_opt_get(opts, "droplog");
+ if (droplog_filename) {
+ drop_log = fopen(droplog_filename, "w");
+ if (!drop_log) {
+ error_report("Unable to open reverse firewall log");
+ return -1;
+ }
+ }
+
 qemu_opt_foreach(opts, net_init_slirp_configs, NULL, 0);
 ret = net_slirp_init(vlan, "user", name, restricted, vnet, vhost,
 vhostname, tftp_export, bootfile, vdhcp_start,
- vnamesrv, smb_export, vsmbsrv, drop);
+ vnamesrv, smb_export, vsmbsrv, drop, drop_log);
 while (slirp_configs) {
 config = slirp_configs;
diff --git a/qemu-options.hx b/qemu-options.hx
index ef3e726..7a8872b 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
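Review bot: In net_init_slirp (net/slirp.c, hunk @@ -741), `fopen(droplog_filename, "w")` truncates whatever file the option names and follows symlinks with the privileges of the QEMU process, so a mistyped or pre-existing path loses its contents without warning; opening with `"a"` or refusing to overwrite is a safer default for a log that records firewall decisions. The error message also hides the cause: `error_report("Unable to open reverse firewall log '%s': %s", droplog_filename, strerror(errno));` tells the operator which path failed and why. The stream is closed only in slirp_cleanup, so any failure path between this fopen and the slirp_init call would presumably leave it open; that code lies outside the hunk and should be checked.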
@@ -1067,7 +1067,7 @@ DEF("net", HAS_ARG, QEMU_OPTION_net,
 #ifdef CONFIG_SLIRP
 "-net user[,vlan=n][,name=str][,net=addr[/mask]][,host=addr][,restrict=y|n]\n"
 " [,hostname=host][,dhcpstart=addr][,dns=addr][,tftp=dir][,bootfile=f]\n"
- " [,hostfwd=rule][,guestfwd=rule][,drop=udp|all]"
+ " [,hostfwd=rule][,guestfwd=rule][,drop=udp|all][,droplog=file]"
 #ifndef _WIN32
 "[,smb=dir[,smbserver=addr]]\n"
 #endif
diff --git a/slirp/libslirp.h b/slirp/libslirp.h
index 5778bf4..f1e48a7 100644
--- a/slirp/libslirp.h
+++ b/slirp/libslirp.h
@@ -15,7 +15,7 @@ Slirp *slirp_init(int restricted, struct in_addr vnetwork,
 const char *vhostname, const char *tftp_path,
 const char *bootfile, struct in_addr vdhcp_start,
 struct in_addr vnameserver, unsigned char drop,
- void *opaque);
+ FILE *drop_log, void *opaque);
 void slirp_cleanup(Slirp *slirp);
 void slirp_select_fill(int *pnfds,
@@ -48,6 +48,7 @@ size_t slirp_socket_can_recv(Slirp *slirp, struct in_addr guest_addr,
 /* Reverse Firewall */
 #define SLIRP_DROP_UDP 1
+int slirp_drop_log(FILE *drop_log, const char *format, ...);
 int slirp_should_drop(Slirp *slirp,
 struct in_addr dst_addr,
 unsigned short dst_port,
diff --git a/slirp/slirp.c b/slirp/slirp.c
index 298ccb4..81fd85b 100644
--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -200,7 +200,8 @@ Slirp *slirp_init(int restricted, struct in_addr vnetwork,
 struct in_addr vnetmask, struct in_addr vhost,
 const char *vhostname, const char *tftp_path,
 const char *bootfile, struct in_addr vdhcp_start,
- struct in_addr vnameserver, unsigned char drop, void *opaque)
+ struct in_addr vnameserver, unsigned char drop,
+ FILE *drop_log, void *opaque)
 {
 Slirp *slirp = qemu_mallocz(sizeof(Slirp));
@@ -231,6 +232,7 @@ Slirp *slirp_init(int restricted, struct in_addr vnetwork,
 slirp->vnameserver_addr = vnameserver;
 slirp->drop = drop;
+ slirp->drop_log = drop_log;
 slirp->opaque = opaque;
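Review bot: The new prototype `int slirp_drop_log(FILE *drop_log, const char *format, ...);` in slirp/libslirp.h (hunk @@ -48) is a printf-style variadic without a format attribute, so the compiler cannot check callers' arguments against the format string. Declaring it as `int slirp_drop_log(FILE *drop_log, const char *format, ...) __attribute__((format(printf, 2, 3)));` (or through the project's own wrapper macro for that attribute, if one is in scope here) lets -Wformat flag mismatches such as the time_t passed for `%ld` by the udp.c caller in this patch. The declaration also has no comment; one line stating that a NULL drop_log makes the call a no-op returning 0 would document the contract where callers see it.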
@@ -248,6 +250,9 @@ void slirp_cleanup(Slirp *slirp)
 unregister_savevm(NULL, "slirp", slirp);
+ if (slirp->drop_log) {
+ fclose(slirp->drop_log);
+ }
 qemu_free(slirp->tftp_prefix);
 qemu_free(slirp->bootp_filename);
 qemu_free(slirp);
@@ -1114,6 +1119,9 @@ static int slirp_state_load(QEMUFile *f, void *opaque, int version_id)
 return 0;
 }
+/*
+ * Returns 1 if the packet should be dropped.
+ */
 int slirp_should_drop(Slirp *slirp,
 struct in_addr dst_addr,
 unsigned short dst_port,
@@ -1130,3 +1138,23 @@ int slirp_should_drop(Slirp *slirp,
 return 1;
 }
+
+/*
+ * Write to drop-log
+ */
+int slirp_drop_log(FILE *drop_log, const char *format, ...)
+{
+ va_list args;
+
+ if (!drop_log) {
+ return 0;
+ }
+
+ va_start(args, format);
+ vfprintf(drop_log, format, args);
+ va_end(args);
+
+ fflush(drop_log);
+
+ return 1;
+}
diff --git a/slirp/slirp.h b/slirp/slirp.h
index bfea30d..d95953c 100644
--- a/slirp/slirp.h
+++ b/slirp/slirp.h
@@ -182,6 +182,7 @@ struct Slirp {
 /* Reverse Firewall configuration */
 unsigned char drop;
+ FILE *drop_log;
 /* ARP cache for the guest IP addresses (XXX: allow many entries) */
 uint8_t client_ethaddr[6];
diff --git a/slirp/udp.c b/slirp/udp.c
index 95c4af0..6519d36 100644
--- a/slirp/udp.c
+++ b/slirp/udp.c
@@ -67,6 +67,8 @@ udp_input(register struct mbuf *m, int iphlen)
 DEBUG_ARG("m = %lx", (long)m);
 DEBUG_ARG("iphlen = %d", iphlen);
+ time_t timestamp = time(NULL);
+
 /*
 * Strip IP options, if any; should skip this,
 * make available to user, and use on returned packets,
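Review bot: slirp_drop_log (slirp/slirp.c, hunk @@ -1130) returns 1 even when `vfprintf` or `fflush` fails, so a full disk or an I/O error silently loses drop records while the caller is told the write succeeded. Checking both results, e.g. `if (vfprintf(drop_log, format, args) < 0) ret = 0;` and `if (fflush(drop_log) != 0) ret = 0;`, keeps the return value meaningful. Because every dropped packet triggers a synchronous write and flush, a guest that keeps sending disallowed UDP datagrams can grow the host-side log without bound and slow the packet path; a rate limit or size cap is worth considering. The header comment `Write to drop-log` should also state the return convention (0 when logging is disabled).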
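Review bot: `time_t timestamp = time(NULL);` in udp_input (slirp/udp.c, hunk @@ -67) is declared after the DEBUG_ARG statements and calls time() for every inbound UDP datagram, although the value is read only on the drop path added in the later hunk. Moving the call into the drop branch, next to the slirp_drop_log call, removes the mixed declaration and the per-packet cost. The added lines also appear to be indented with spaces where the surrounding context uses a different indent, which is worth aligning with the file. udp_input starts and ends outside the hunk.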
@@ -104,6 +106,14 @@ udp_input(register struct mbuf *m, int iphlen)
 if (slirp_should_drop(
 slirp, ip->ip_dst, uh->uh_dport, IPPROTO_UDP)) {
 /* DROP */
+ slirp_drop_log(
+ slirp->drop_log,
+ "Dropped UDP: src:0x%08x:0x%04hx dst:0x%08x:0x%04hx %ld\n",
+ ntohl(ip->ip_src.s_addr),
+ ntohs(uh->uh_sport),
+ ntohl(ip->ip_dst.s_addr),
+ ntohs(uh->uh_dport),
+ timestamp);
 goto bad;
 } else {
 /* PASS */
--001636e0ae0f258c2004a0fcfba2 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
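Review bot: The drop-log call in udp_input (slirp/udp.c, hunk @@ -104) passes `timestamp`, a time_t, for the `%ld` conversion; time_t is not guaranteed to be long, so on hosts where the two differ in width the variadic read is undefined and the logged time is wrong. Cast at the call site, `(long)timestamp);`, or print through a wider type with a matching conversion. The `%08x` conversions likewise assume the ntohl() result has the width of unsigned int, so an explicit `(unsigned)` cast on those two arguments makes the call independent of how the platform defines the return type. The enclosing function starts and ends outside the hunk.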
This patch series adds a simple reverse UDP firewall functionality to Slirp.
The series consists of three patches. Each adds one -net user option:

    1. drop=udp|all - enables the firewall
    2. droplog=FILE - sets the drop log filename
    3. allow=PROTO:ADDR:PORT - adds an allow rule

  e.g.) $ qemu -net user,drop=udp,droplog=qemu.drop,allow=udp:10.0.2.3:53

All UDP packets except ones allowed by allow rules will be dropped.
The source and the destination of the dropped packets are logged in the file
specified by FILE. PORT can be a single number (e.g. 53) or a range
(e.g. [80-81]). ADDR can be a single address (e.g. 1.2.3.4) or a range
(e.g. 1.2.3.4/24). If ADDR is omitted, all addresses match the rule.
If PROTO is omitted, all protocols match the rule.

TCP support will follow in another patch series.
<= div>
Signed-off-by: Daisuke Nojiri <dnojiri@google.com>

diff --git a/net.c b/net.c
index 2742741..0707188 100644
--- a/net.c
+++ b/net.c
@@ -929,6 +929,10 @@ static c= onst struct {
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0.name =3D "= drop",
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0.type =3D QEMU_OPT_STRING,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0.help =3D "Enable the simple reve= rse firewall",
+ =A0 =A0 =A0 =A0 =A0 =A0}, {
+ =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0.name =3D "droplog",
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0.type =3D QEMU_OPT_STRING,
+ =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0.help =3D "Set log filename for the revers= e firewall",
=A0 =A0 =A0 =A0 =A0 =A0 =A0},
=A0 =A0= =A0 =A0 =A0 =A0 =A0{ /* end of list */ }
=A0 =A0 =A0 =A0 =A0},
diff --git a/net/slirp.c b/net/slirp.c
index c0a3740..07e135= 3 100644
--- a/net/slirp.c
+++ b/net/slirp.c
= @@ -141,7 +141,8 @@ static int net_slirp_init(VLANState *vlan, const char *= model,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char *vho= stname, const char *tftp_export,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0const char *bootfile, const char *vdhcp_start,
=
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char *vna= meserver, const char *smb_export,
- =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char *vsmbs= erver, unsigned char drop)
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0const char *vsmbserver, unsigned char drop,
+ =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0FILE *drop_log)
= =A0{
=A0 =A0 =A0/* default settings according to historic slirp */
=A0 =A0 =A0struct in_addr net =A0=3D { .s_addr =3D htonl(0x0a000200) }; /= * 10.0.2.0 */
@@ -245,8 +246,8 @@ static int net_slirp_init(VLANS= tate *vlan, const char *model,
=A0
=A0 =A0 =A0s =3D DO_UPCAST(SlirpState, nc, nc);
=A0
- =A0 =A0s->slirp =3D slirp_init(restricted, net, mask, = host, vhostname,
- =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0tftp_export, bootfile, dhcp, dns, drop, s);
+ =A0 =A0s->slirp =3D slirp_init(restricted, net, mask, host, vhost= name, tftp_export,
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0bootfile, dhcp, dns, drop, drop_log, s);
=A0 =A0 =A0QTAILQ= _INSERT_TAIL(&slirp_stacks, s, entry);
=A0
=A0 =A0 =A0for (config =3D slirp_configs; config; config= =3D config->next) {
@@ -690,10 +691,12 @@ int net_init_slirp(= QemuOpts *opts,
=A0 =A0 =A0const char *bootfile;
=A0 = =A0 =A0const char *smb_export;
=A0 =A0 =A0const char *vsmbsrv;
+ =A0 =A0const char *droplog= _filename;
=A0 =A0 =A0char *vnet =3D NULL;
=A0 =A0 =A0i= nt restricted =3D 0;
=A0 =A0 =A0int ret;
=A0 =A0 =A0uns= igned char drop =3D 0;
+ =A0 =A0FILE *drop_log =3D NULL;
=A0
=A0 =A0 =A0vhost =A0 =A0 =A0 =3D qemu_opt_get(opts, &quo= t;host");
=A0 =A0 =A0vhostname =A0 =3D qemu_opt_get(opts, &q= uot;hostname");
@@ -741,11 +744,20 @@ int net_init_slirp(Qem= uOpts *opts,
=A0 =A0 =A0 =A0 =A0}
=A0 =A0 =A0}
=A0
+ =A0 = =A0droplog_filename =3D qemu_opt_get(opts, "droplog");
= + =A0 =A0if (droplog_filename) {
+ =A0 =A0 =A0 =A0drop_log =3D fo= pen(droplog_filename, "w");
+ =A0 =A0 =A0 =A0if (!drop_log) {
+ =A0 =A0 =A0 =A0 =A0 =A0e= rror_report("Unable to open reverse firewall log");
+ = =A0 =A0 =A0 =A0 =A0 =A0return -1;
+ =A0 =A0 =A0 =A0}
+ = =A0 =A0}
+
=A0 =A0 =A0qemu_opt_foreach(opts, net_init_s= lirp_configs, NULL, 0);
=A0
=A0 =A0 =A0ret =3D net_slirp_init(vlan, "user"= , name, restricted, vnet, vhost,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 vhostname, tftp_export, bootfile, vdhcp_start,
- =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 vnamesrv, smb_export, v= smbsrv, drop);
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 vnamesrv, smb_export= , vsmbsrv, drop, drop_log);
=A0
=A0 =A0 =A0while (slirp= _configs) {
=A0 =A0 =A0 =A0 =A0config =3D slirp_configs;
diff --git a/qemu-options.hx b/qemu-options.hx
index ef3e726..7a8872b 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1067,7 +1067,7 @@ DEF("net"= , HAS_ARG, QEMU_OPTION_net,
=A0#ifdef CONFIG_SLIRP
=A0 = =A0 =A0"-net user[,vlan=3Dn][,name=3Dstr][,net=3Daddr[/mask]][,host=3D= addr][,restrict=3Dy|n]\n"
=A0 =A0 =A0" =A0 =A0 =A0 =A0 [,hostname=3Dhost][,dhcpstart=3Daddr= ][,dns=3Daddr][,tftp=3Ddir][,bootfile=3Df]\n"
- =A0 =A0"= ; =A0 =A0 =A0 =A0 [,hostfwd=3Drule][,guestfwd=3Drule][,drop=3Dudp|all]"= ;
+ =A0 =A0" =A0 =A0 =A0 =A0 [,hostfwd=3Drule][,guestfwd=3Dr= ule][,drop=3Dudp|all][,droplog=3Dfile]"
=A0#ifndef _WIN32
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 "[,smb=3Ddir[,smbs= erver=3Daddr]]\n"
=A0#endif
diff --git a/slirp/lib= slirp.h b/slirp/libslirp.h
index 5778bf4..f1e48a7 100644
--- a/slirp/libslirp.h
+++ b/slirp/libslirp.h
@@ -= 15,7 +15,7 @@ Slirp *slirp_init(int restricted, struct in_addr vnetwork,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char *vhostname, const= char *tftp_path,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char *bootfile, struct in= _addr vdhcp_start,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0struct = in_addr vnameserver, unsigned char drop,
- =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0void *opaque);
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0FILE *drop_log, void *opaque);
=A0void slirp_cleanup(Slirp *slirp);
=A0
=A0void s= lirp_select_fill(int *pnfds,
@@ -48,6 +48,7 @@ size_t slirp_socke= t_can_recv(Slirp *slirp, struct in_addr guest_addr,
=A0/* Reverse= Firewall */
=A0#define SLIRP_DROP_UDP =A0 =A01
=A0
+int slirp_= drop_log(FILE *drop_log, const char *format, ...);
=A0int slirp_s= hould_drop(Slirp *slirp,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0struct in_addr dst_addr,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0unsigned short dst_port= ,
diff --git a/slirp/slirp.c b/slirp/slirp.c
index 298c= cb4..81fd85b 100644
--- a/slirp/slirp.c
+++ b/slirp/sli= rp.c
@@ -200,7 +200,8 @@ Slirp *slirp_init(int restricted, struct= in_addr vnetwork,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0struct in_addr vnetmask, struct= in_addr vhost,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char= *vhostname, const char *tftp_path,
=A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0const char *bootfile, struct in_addr vdhcp_start,
- =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0struct in_addr vnameserver, unsig= ned char drop, void *opaque)
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0struct in_addr vnameserver, unsigned char drop,
+ =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0FILE *drop_log, void *opaque)
=A0{
=A0 =A0 =A0Slirp *slirp =3D qemu_mallocz(sizeof(Slirp))= ;
=A0
@@ -231,6 +232,7 @@ Slirp *slirp_init(int restric= ted, struct in_addr vnetwork,
=A0 =A0 =A0slirp->vnameserver_ad= dr =3D vnameserver;
=A0
=A0 =A0 =A0slirp->drop =3D drop;
+ =A0 =A0s= lirp->drop_log =3D drop_log;
=A0
=A0 =A0 =A0slirp-&g= t;opaque =3D opaque;
=A0
@@ -248,6 +250,9 @@ void slirp= _cleanup(Slirp *slirp)
=A0
=A0 =A0 =A0unregister_savevm(NULL, "slirp", sl= irp);
=A0
+ =A0 =A0if (slirp->drop_log) {
= + =A0 =A0 =A0 =A0fclose(slirp->drop_log);
+ =A0 =A0}
=A0 =A0 =A0qemu_free(slirp->tftp_prefix);
=A0 =A0 =A0qemu_free(slirp->bootp_filename);
=A0 =A0 =A0q= emu_free(slirp);
@@ -1114,6 +1119,9 @@ static int slirp_state_loa= d(QEMUFile *f, void *opaque, int version_id)
=A0 =A0 =A0return 0;=
=A0}
=A0
+/*
+ * Returns 1 if the packet should be drop= ped.
+ */
=A0int slirp_should_drop(Slirp *slirp,
<= div>=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0struct in_addr dst_addr,=
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0unsigned short ds= t_port,
@@ -1130,3 +1138,23 @@ int slirp_should_drop(Slirp *slirp,
= =A0
=A0 =A0 =A0return 1;
=A0}
+
+/*=
+ * Write to drop-log
+ */
+int slirp_drop_l= og(FILE *drop_log, const char *format, ...)
+{
+ =A0 =A0va_list args;
+
+ =A0 =A0if = (!drop_log) {
+ =A0 =A0 =A0 =A0return 0;
+ =A0 =A0}
+
+ =A0 =A0va_start(args, format);
+ =A0 =A0vfpr= intf(drop_log, format, args);
+ =A0 =A0va_end(args);
+
+ =A0 =A0fflush(drop_log)= ;
+
+ =A0 =A0return 1;
+}
diff --gi= t a/slirp/slirp.h b/slirp/slirp.h
index bfea30d..d95953c 100644
--- a/slirp/slirp.h
+++ b/slirp/slirp.h
@@ -182,6 +182,= 7 @@ struct Slirp {
=A0
=A0 =A0 =A0/* Reverse Firewall = configuration */
=A0 =A0 =A0unsigned char drop;
+ =A0 = =A0FILE *drop_log;
=A0
=A0 =A0 =A0/* ARP cache for the guest IP addresses (XXX:= allow many entries) */
=A0 =A0 =A0uint8_t client_ethaddr[6];
diff --git a/slirp/udp.c b/slirp/udp.c
index 95c4af0..6519= d36 100644
--- a/slirp/udp.c
+++ b/slirp/udp.c
@@ -67,6 +67,8= @@ udp_input(register struct mbuf *m, int iphlen)
=A0 DEBUG_ARG("m =3D= %lx", (long)m);
=A0 DE= BUG_ARG("iphlen =3D %d", iphlen);
=A0
+ =A0 = =A0 =A0 =A0time_t timestamp =3D time(NULL);
+
=A0 /*
=A0 *= Strip IP options, if any; should skip this,
=A0 * make available to user, = and use on returned packets,
@@ -104,6 +106,14 @@ udp_input(register struct mbuf *m, int iphlen)
=A0 =A0 =A0 =A0 =A0if (slirp_should_drop(
=A0 =A0 =A0 =A0= =A0 =A0 =A0slirp, ip->ip_dst, uh->uh_dport, IPPROTO_UDP)) {
=A0 =A0 =A0 =A0 =A0 =A0 =A0/* DROP */
+ =A0 =A0 =A0 =A0 =A0 =A0slirp_drop_log(
+ =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0slirp->drop_log,
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0"Dropped UDP: src:0x%08x:0x%04hx dst:0x%08x:0x%04hx %ld\n",
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ntohl(ip->ip_src.s_addr),
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ntohs(uh->uh_sport),
+ = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ntohl(ip->ip_dst.s_addr),
+ =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0ntohs(uh->uh_dport),
+ =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0timestamp);
=A0 =A0 =A0 =A0 =A0 =A0 =A0goto b= ad;
=A0 =A0 =A0 =A0 =A0} else {
=A0 =A0 =A0 =A0 =A0 =A0 =A0/* PA= SS */

--001636e0ae0f258c2004a0fcfba2--