Add slirp_restrict option (Gleb Natapov)

Add "slirp firewall" to permit connection only to vmchannel addresses. Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6241 c046a42c-6fe2-441c-8c8c-71466251a162

Add slirp_restrict option (Gleb Natapov)
Add "slirp firewall" to permit connection only to vmchannel addresses. Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6241 c046a42c-6fe2-441c-8c8c-71466251a162
aliguori
1 parent e1c5a2b3
Showing 8 changed files with 60 additions and 17 deletions
net.c
slirp/bootp.c
slirp/ip_input.c
slirp/libslirp.h
slirp/main.h
slirp/slirp.c
slirp/tcp_input.c
slirp/udp.c
@@ -483,7 +483,7 @@ static int net_slirp_init(VLANState *vlan, const char *model, const char *name)
 {
     if (!slirp_inited) {
         slirp_inited = 1;
-        slirp_init();
+        slirp_init(0, NULL);
     }
     slirp_vc = qemu_new_vlan_client(vlan, model, name,
                                     slirp_receive, NULL, NULL);
@@ -501,7 +501,7 @@ void net_slirp_redir(const char *redir_str)
     if (!slirp_inited) {
         slirp_inited = 1;
-        slirp_init();
+        slirp_init(0, NULL);
     }
     p = redir_str;
@@ -587,7 +587,7 @@ void net_slirp_smb(const char *exported_dir)
     if (!slirp_inited) {
         slirp_inited = 1;
-        slirp_init();
+        slirp_init(0, NULL);
     }
     /* XXX: better tmp dir construction */
@@ -219,16 +219,18 @@ static void bootp_reply(struct bootp_t *bp)
         *q++ = 0xff;
         *q++ = 0x00;
-        *q++ = RFC1533_GATEWAY;
-        *q++ = 4;
-        memcpy(q, &saddr.sin_addr, 4);
-        q += 4;
-
-        *q++ = RFC1533_DNS;
-        *q++ = 4;
-        dns_addr.s_addr = htonl(ntohl(special_addr.s_addr) | CTL_DNS);
-        memcpy(q, &dns_addr, 4);
-        q += 4;
+        if (!slirp_restrict) {
+            *q++ = RFC1533_GATEWAY;
+            *q++ = 4;
+            memcpy(q, &saddr.sin_addr, 4);
+            q += 4;
+
+            *q++ = RFC1533_DNS;
+            *q++ = 4;
+            dns_addr.s_addr = htonl(ntohl(special_addr.s_addr) | CTL_DNS);
+            memcpy(q, &dns_addr, 4);
+            q += 4;
+        }
         *q++ = RFC2132_LEASE_TIME;
         *q++ = 4;
@@ -136,6 +136,27 @@ ip_input(m)
 		STAT(ipstat.ips_tooshort++);
 		goto bad;
 	}
+
+    if (slirp_restrict) {
+        if (memcmp(&ip->ip_dst.s_addr, &special_addr, 3)) {
+            if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
+                goto bad;
+        } else {
+            int host = ntohl(ip->ip_dst.s_addr) & 0xff;
+            struct ex_list *ex_ptr;
+
+            if (host == 0xff)
+                goto bad;
+
+            for (ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
+                if (ex_ptr->ex_addr == host)
+                    break;
+
+            if (!ex_ptr)
+                goto bad;
+        }
+    }
+
 	/* Should drop packet if mbuf too long? hmmm... */
 	if (m->m_len > ip->ip_len)
 	   m_adj(m, ip->ip_len - m->m_len);
@@ -5,7 +5,7 @@
 extern "C" {
 #endif
-void slirp_init(void);
+void slirp_init(int restrict, char *special_ip);
 void slirp_select_fill(int *pnfds,
                        fd_set *readfds, fd_set *writefds, fd_set *xfds);
@@ -44,6 +44,8 @@ extern int towrite_max;
 extern int ppp_exit;
 extern int tcp_keepintvl;
 extern uint8_t client_ethaddr[6];
+extern char *slirp_special_ip;
+extern int slirp_restrict;
 #define PROTO_SLIP 0x1
 #ifdef USE_PPP
@@ -46,6 +46,8 @@ static struct in_addr client_ipaddr;
 static const uint8_t zero_ethaddr[6] = { 0, 0, 0, 0, 0, 0 };
+char *slirp_special_ip = CTL_SPECIAL;
+int slirp_restrict;
 int do_slowtimo;
 int link_up;
 struct timeval tt;
@@ -164,7 +166,7 @@ static void slirp_cleanup(void)
 }
 #endif
-void slirp_init(void)
+void slirp_init(int restrict, char *special_ip)
 {
     //    debug_init("/tmp/slirp.log", DEBUG_DEFAULT);
@@ -177,6 +179,7 @@ void slirp_init(void)
 #endif
     link_up = 1;
+    slirp_restrict = restrict;
     if_init();
     ip_init();
@@ -192,7 +195,10 @@ void slirp_init(void)
         fprintf (stderr, "Warning: No DNS servers found\n");
     }
-    inet_aton(CTL_SPECIAL, &special_addr);
+    if (special_ip)
+        slirp_special_ip = special_ip;
+
+    inet_aton(slirp_special_ip, &special_addr);
     alias_addr.s_addr = special_addr.s_addr | htonl(CTL_ALIAS);
     getouraddr();
 }
@@ -253,6 +253,7 @@ tcp_input(m, iphlen, inso)
 	u_long tiwin;
 	int ret;
 /*	int ts_present = 0; */
+    struct ex_list *ex_ptr;
 	DEBUG_CALL("tcp_input");
 	DEBUG_ARGS((dfd," m = %8lx  iphlen = %2d  inso = %lx\n",
@@ -363,6 +364,15 @@ tcp_input(m, iphlen, inso)
 	m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
 	m->m_len  -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
+    if (slirp_restrict) {
+        for (ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
+            if (ex_ptr->ex_fport == ti->ti_dport &&
+                    (ntohl(ti->ti_dst.s_addr) & 0xff) == ex_ptr->ex_addr)
+                break;
+
+        if (!ex_ptr)
+            goto drop;
+    }
 	/*
 	 * Locate pcb for segment.
 	 */
@@ -646,7 +656,6 @@ findso:
 #endif
               {
 		/* May be an add exec */
-		struct ex_list *ex_ptr;
 		for(ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) {
 		  if(ex_ptr->ex_fport == so->so_fport &&
 		     lastbyte == ex_ptr->ex_addr) {
@@ -158,6 +158,9 @@ udp_input(m, iphlen)
             goto bad;
         }
+        if (slirp_restrict)
+            goto bad;
+
         /*
          *  handle TFTP
          */