
Re: [Qemu-devel] [PATCH 1/4] slirp: Fix restricted mode


From: Gleb Natapov
Subject: Re: [Qemu-devel] [PATCH 1/4] slirp: Fix restricted mode
Date: Tue, 24 May 2011 15:37:21 +0300

On Mon, May 23, 2011 at 04:48:16PM +0200, Jan Kiszka wrote:
> This aligns the code to what the documentation claims: Allow everything
> but requests that would have to be routed outside of the virtual LAN.
> 
> So we need to drop the unneeded IP-level filter, allow TFTP requests,
> and add the missing protocol-level filter to ICMP.
> 
Maybe I am missing something, but how do you disallow requests by
removing code that actually does filtering?

> CC: Gleb Natapov <address@hidden>
> Signed-off-by: Jan Kiszka <address@hidden>
> ---
>  slirp/ip_icmp.c  |    2 ++
>  slirp/ip_input.c |   21 ---------------------
>  slirp/udp.c      |    8 ++++----
>  3 files changed, 6 insertions(+), 25 deletions(-)
> 
> diff --git a/slirp/ip_icmp.c b/slirp/ip_icmp.c
> index 751a8e2..0cd129c 100644
> --- a/slirp/ip_icmp.c
> +++ b/slirp/ip_icmp.c
> @@ -101,6 +101,8 @@ icmp_input(struct mbuf *m, int hlen)
>      ip->ip_len += hlen;                   /* since ip_input subtracts this */
>      if (ip->ip_dst.s_addr == slirp->vhost_addr.s_addr) {
>        icmp_reflect(m);
> +    } else if (slirp->restricted) {
> +        goto freeit;
>      } else {
>        struct socket *so;
>        struct sockaddr_in addr;
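Review bot: The new `else if (slirp->restricted)` branch with its `goto freeit;` is indented with eight spaces while the neighbouring `icmp_reflect(m);` and the `struct socket *so;` block that follows use the six-space inner indent of the surrounding code, so the added lines stand out from the code around them. The branch also carries no comment saying what it enforces; a line such as `/* restricted mode: never forward ICMP off the virtual LAN */` above the `goto` would tie it to the semantics the commit message describes. The `freeit` label and the rest of icmp_input lie outside the hunk, so whether that path simply frees m or also counts the drop cannot be confirmed here.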
> diff --git a/slirp/ip_input.c b/slirp/ip_input.c
> index 768ab0c..2ff6adb 100644
> --- a/slirp/ip_input.c
> +++ b/slirp/ip_input.c
> @@ -118,27 +118,6 @@ ip_input(struct mbuf *m)
>               goto bad;
>       }
>  
> -    if (slirp->restricted) {
> -        if ((ip->ip_dst.s_addr & slirp->vnetwork_mask.s_addr) ==
> -            slirp->vnetwork_addr.s_addr) {
> -            if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
> -                goto bad;
> -        } else {
> -            uint32_t inv_mask = ~slirp->vnetwork_mask.s_addr;
> -            struct ex_list *ex_ptr;
> -
> -            if ((ip->ip_dst.s_addr & inv_mask) == inv_mask) {
> -                goto bad;
> -            }
> -            for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
> -                if (ex_ptr->ex_addr.s_addr == ip->ip_dst.s_addr)
> -                    break;
> -
> -            if (!ex_ptr)
> -                goto bad;
> -        }
> -    }
> -
>       /* Should drop packet if mbuf too long? hmmm... */
>       if (m->m_len > ip->ip_len)
>          m_adj(m, ip->ip_len - m->m_len);
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 02b3793..f1a9a10 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -125,10 +125,6 @@ udp_input(register struct mbuf *m, int iphlen)
>              goto bad;
>          }
>  
> -        if (slirp->restricted) {
> -            goto bad;
> -        }
> -
>          /*
>           *  handle TFTP
>           */
> @@ -137,6 +133,10 @@ udp_input(register struct mbuf *m, int iphlen)
>              goto bad;
>          }
>  
> +        if (slirp->restricted) {
> +            goto bad;
> +        }
> +
>       /*
>        * Locate pcb for datagram.
>        */
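Review bot: The relocated `if (slirp->restricted)` check now sits directly after the TFTP branch's `goto bad;` without a comment explaining why it was moved below it, so the ordering reads as accidental rather than deliberate. Suggest `/* restricted: only the built-in services handled above are reachable; anything else would have to leave the virtual LAN */` above the `if`. The BOOTP/TFTP conditions and the `bad:` label are outside this hunk, so which datagrams actually reach the check cannot be confirmed from here; if the TFTP branch only matches the slirp-served address and port, the check amounts to dropping every UDP datagram slirp does not serve itself, which is what the commit message claims. udp_input continues past the end of the hunk.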
> -- 
> 1.7.1

--
                        Gleb.


