Re: [Qemu-devel] [PATCH 1/4] slirp: Fix restricted mode
From: Jan Kiszka
Subject: Re: [Qemu-devel] [PATCH 1/4] slirp: Fix restricted mode
Date: Tue, 24 May 2011 14:42:55 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
On 2011-05-24 14:37, Gleb Natapov wrote:
> On Mon, May 23, 2011 at 04:48:16PM +0200, Jan Kiszka wrote:
>> This aligns the code to what the documentation claims: Allow everything
>> but requests that would have to be routed outside of the virtual LAN.
>>
>> So we need to drop the unneeded IP-level filter, allow TFTP requests,
>> and add the missing protocol-level filter to ICMP.
>>
> Maybe I am missing something, but how do you disallow requests by
> removing code that actually does filtering?
All we need to filter are the per-IP-protocol parts that do the
forwarding via the host IP stack. That does not need to happen at IP level.
Moreover, the existing code contained some practically dead bits anyway:
    if ((ip->ip_dst.s_addr & slirp->vnetwork_mask.s_addr) ==
        slirp->vnetwork_addr.s_addr) {
        if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
            goto bad;
This could only trigger if vnetwork_mask.s_addr was 0 (the same applied
to the original code before my refactoring in 2009).
Jan
--
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux
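The "dead bits" argument in the reply above can be checked mechanically. The C below is an added example, not slirp or QEMU code: it replicates the quoted pre-patch condition and evaluates it for a non-UDP packet to the limited broadcast address 255.255.255.255 under several virtual-LAN configurations. For that destination the outer comparison reduces to vnetwork_mask == vnetwork_addr, which an ordinary subnet such as slirp's default 10.0.2.0/24 only satisfies when the mask is zero. The function names, the sample networks and the prefix sweep are this example's own; only the two `if` conditions come from the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htonl */
#include <netinet/in.h>  /* IPPROTO_UDP, IPPROTO_ICMP */

/*
 * Replica of the pre-patch IP-level check quoted in the message.
 * Addresses are in network byte order, as in struct in_addr.s_addr
 * (0xffffffff and 0 are byte-order neutral, so the algebra below holds).
 * Returns true where the original code did "goto bad".
 */
static bool old_ip_filter_rejects(uint32_t ip_dst, uint8_t ip_p,
                                  uint32_t vnetwork_addr, uint32_t vnetwork_mask)
{
    if ((ip_dst & vnetwork_mask) == vnetwork_addr) {
        if (ip_dst == 0xffffffffu && ip_p != IPPROTO_UDP)
            return true;
    }
    return false;
}

/* Does the inner branch fire for a non-UDP limited broadcast with this config? */
static bool dead_branch_fires(uint32_t vnetwork_addr, uint32_t vnetwork_mask)
{
    return old_ip_filter_rejects(0xffffffffu, IPPROTO_ICMP,
                                 vnetwork_addr, vnetwork_mask);
}

/* Mask for a prefix length 0..32, host byte order (shift by 32 is UB, so /0 is special-cased). */
static uint32_t prefix_mask(int prefix_len)
{
    return prefix_len == 0 ? 0u : 0xffffffffu << (32 - prefix_len);
}

/*
 * Sweep every prefix length for a network given in host byte order, deriving
 * the network address as addr & mask, and count the prefix lengths for which
 * the inner branch is reachable at all. The branch fires exactly when
 * mask == (net & mask), i.e. when the network address equals its own mask.
 */
static int reachable_prefix_count(uint32_t net_host_order)
{
    int count = 0;
    for (int len = 0; len <= 32; len++) {
        uint32_t mask = prefix_mask(len);
        uint32_t addr = net_host_order & mask;
        if (dead_branch_fires(htonl(addr), htonl(mask)))
            count++;
    }
    return count;
}

static void show(const char *label, uint32_t net_host_order, int prefix_len)
{
    uint32_t mask = prefix_mask(prefix_len);
    printf("%-16s reject non-UDP to 255.255.255.255? %s\n", label,
           dead_branch_fires(htonl(net_host_order & mask), htonl(mask)) ? "yes" : "no");
}

int main(void)
{
    /* Constructed sample configurations; 10.0.2.0/24 is slirp's default. */
    show("10.0.2.0/24", 0x0A000200u, 24);
    show("192.168.0.0/16", 0xC0A80000u, 16);
    show("0.0.0.0/0", 0x00000000u, 0);   /* mask 0: the case the message names */
    printf("10.0.2.0: prefix lengths that reach the branch: %d\n",
           reachable_prefix_count(0x0A000200u));
    printf("192.168.0.0: prefix lengths that reach the branch: %d\n",
           reachable_prefix_count(0xC0A80000u));
    return 0;
}
```

For 10.0.2.0 the sweep finds exactly one reachable prefix length, /0, matching the message. The sweep also exposes the only other way in: a network whose address equals its mask, e.g. 192.0.0.0/2 or 128.0.0.0/1 (hence a count of 3 for 192.168.0.0, from /0, /1 and /2), which is not a configuration anyone would give a virtual LAN. Either way the check never does anything for a realistically configured guest network, and the real decision, whether a request would have to leave the virtual LAN, belongs with the per-protocol forwarding code, as the reply argues.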
[Qemu-devel] [PATCH 2/4] slirp: Canonicalize restrict syntax, Jan Kiszka, 2011/05/23
[Qemu-devel] [PATCH 3/4] slirp: Strictly associate DHCP/BOOTP and TFTP with virtual host, Jan Kiszka, 2011/05/23