* [Qemu-devel] [PATCH 0/2] [PULL] slirp: various fixes
@ 2013-06-19 10:47 Jan Kiszka
2013-06-19 10:47 ` [Qemu-devel] [PATCH 1/2] fix -net user checks by reordering checks Jan Kiszka
2013-06-19 10:47 ` [Qemu-devel] [PATCH 2/2] make user networking hostfwd work with restrict=y Jan Kiszka
0 siblings, 2 replies; 3+ messages in thread
From: Jan Kiszka @ 2013-06-19 10:47 UTC (permalink / raw)
To: Anthony Liguori, qemu-devel; +Cc: Gertjan Halkes, Bas van Sisseren
The following changes since commit c1990468d5a13c8f1d9111fcca0a78a6adad062b:
wdt_i6300esb: fix vmstate versioning (2013-06-18 13:44:37 -0500)
are available in the git repository at:
git://git.kiszka.org/qemu.git queues/slirp
Bas van Sisseren (1):
fix -net user checks by reordering checks
Gertjan Halkes (1):
make user networking hostfwd work with restrict=y
net/slirp.c | 12 ++++++------
slirp/tcp_input.c | 26 ++++++++++++++++----------
2 files changed, 22 insertions(+), 16 deletions(-)
CC: Bas van Sisseren <bas@quarantainenet.nl>
CC: Gertjan Halkes <qemu@ghalkes.nl>
--
1.7.3.4
* [Qemu-devel] [PATCH 1/2] fix -net user checks by reordering checks
From: Jan Kiszka @ 2013-06-19 10:47 UTC (permalink / raw)
To: Anthony Liguori, qemu-devel; +Cc: Bas van Sisseren
From: Bas van Sisseren <bas@quarantainenet.nl>
Reorder slirp config options. First check the dns-server-address,
then check the first-dhcp-address. The original code was comparing
the first-dhcp-address with the default dns-server-address, not
the configured dns-server-address.
Signed-off-by: Bas van Sisseren <bas@quarantainenet.nl>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
net/slirp.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/slirp.c b/net/slirp.c
index b3f35d5..124e953 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -212,19 +212,19 @@ static int net_slirp_init(NetClientState *peer, const char *model,
return -1;
}
- if (vdhcp_start && !inet_aton(vdhcp_start, &dhcp)) {
+ if (vnameserver && !inet_aton(vnameserver, &dns)) {
return -1;
}
- if ((dhcp.s_addr & mask.s_addr) != net.s_addr ||
- dhcp.s_addr == host.s_addr || dhcp.s_addr == dns.s_addr) {
+ if ((dns.s_addr & mask.s_addr) != net.s_addr ||
+ dns.s_addr == host.s_addr) {
return -1;
}
- if (vnameserver && !inet_aton(vnameserver, &dns)) {
+ if (vdhcp_start && !inet_aton(vdhcp_start, &dhcp)) {
return -1;
}
- if ((dns.s_addr & mask.s_addr) != net.s_addr ||
- dns.s_addr == host.s_addr) {
+ if ((dhcp.s_addr & mask.s_addr) != net.s_addr ||
+ dhcp.s_addr == host.s_addr || dhcp.s_addr == dns.s_addr) {
return -1;
}
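Review bot: The `vdhcp_start` block at the end of this hunk now depends on `dns` having been parsed and validated above it, because of the `dhcp.s_addr == dns.s_addr` comparison, but nothing in the code records that ordering requirement. A one-line comment above the `vdhcp_start` check, saying it must stay after the `vnameserver` check so that the comparison uses the configured DNS address, would keep a later reshuffle from reintroducing the bug described in the commit message. Separately, every failure path in the visible lines is a bare `return -1;`, so a user whose addresses collide gets no indication of which one was rejected; an error message naming the offending option would help.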
--
1.7.3.4
* [Qemu-devel] [PATCH 2/2] make user networking hostfwd work with restrict=y
From: Jan Kiszka @ 2013-06-19 10:47 UTC (permalink / raw)
To: Anthony Liguori, qemu-devel; +Cc: Gertjan Halkes
From: Gertjan Halkes <qemu@ghalkes.nl>
This patch allows the hostfwd option to override the restrict=y setting in
the user network stack, as explicitly stated in the documentation on the
restrict option:
restrict=on|off
If this option is enabled, the guest will be isolated, i.e. it
will not be able to contact the host and no guest IP packets
will be routed over the host to the outside. This option does
not affect any explicitly set forwarding rules.
Qemu bug tracker:
https://bugs.launchpad.net/qemu/+bug/829455
Signed-off-by: Gertjan Halkes <qemu@ghalkes.nl>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
slirp/tcp_input.c | 26 ++++++++++++++++----------
1 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 6440eae..f946db8 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -316,16 +316,6 @@ tcp_input(struct mbuf *m, int iphlen, struct socket *inso)
m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
m->m_len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
- if (slirp->restricted) {
- for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) {
- if (ex_ptr->ex_fport == ti->ti_dport &&
- ti->ti_dst.s_addr == ex_ptr->ex_addr.s_addr) {
- break;
- }
- }
- if (!ex_ptr)
- goto drop;
- }
/*
* Locate pcb for segment.
*/
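Review bot: The block removed here ended in `goto drop`, while the block that replaces it under `if (so == NULL)` ends in `goto dropwithreset`, so judging by the labels a blocked connection from a restricted guest is now answered with a reset instead of being dropped silently. The commit message only talks about hostfwd and does not mention this. If the change is intended, say so in the commit message; if not, keep `goto drop` in the new location.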
@@ -355,6 +345,22 @@ findso:
* as if it was LISTENING, and continue...
*/
if (so == NULL) {
+ if (slirp->restricted) {
+ /* Any hostfwds will have an existing socket, so we only get here
+ * for non-hostfwd connections. These should be dropped, unless it
+ * happens to be a guestfwd.
+ */
+ for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) {
+ if (ex_ptr->ex_fport == ti->ti_dport &&
+ ti->ti_dst.s_addr == ex_ptr->ex_addr.s_addr) {
+ break;
+ }
+ }
+ if (!ex_ptr) {
+ goto dropwithreset;
+ }
+ }
+
if ((tiflags & (TH_SYN|TH_FIN|TH_RST|TH_URG|TH_ACK)) != TH_SYN)
goto dropwithreset;
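Review bot: The new comment inside `if (slirp->restricted)` says that any hostfwd will have an existing socket, but the isolation now rests on the converse: with `restricted` set, no socket may exist for a connection that is neither a hostfwd nor a guestfwd, because segments that match an existing socket are no longer checked against `exec_list` at all. Please state that invariant in the comment or the commit message, so that a future code path that creates sockets in restricted mode is recognised as bypassing this check.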
--
1.7.3.4