qemu/0023-slirp-nooutgoing.patch
Olaf Hering 7adb207e17 Accepting request 383004 from home:olh:qemu
- Update to v2.6.0-rc0: See http://wiki.qemu-project.org/ChangeLog/2.6
* Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Accept every size in DISCARD request from a guest (bsc#964427)
  0039-block-split-large-discard-requests-.patch
* Recognize libxl flag to disable flush in block device (bsc#879425)
  0040-xen_disk-Add-suse-specific-flush-di.patch
* Use correct flag for crypto tests
  0041-tests-Use-correct-config-param-for-.patch
* Fix build on powerpc:
  0042-build-link-with-libatomic-on-powerp.patch
* Patches dropped (upstreamed):
  seabios_checkrom_typo.patch
  seabios_avoid_smbios_signature_string.patch

OBS-URL: https://build.opensuse.org/request/show/383004
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=289
2016-04-05 13:18:15 +00:00

125 lines
3.7 KiB
Diff

From 12cbdd512787707b791787b93f5c5af677d9b571 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 18:42:56 +0200
Subject: [PATCH] slirp: -nooutgoing
TBD (from SUSE Studio team)
---
qemu-options.hx | 10 ++++++++++
slirp/socket.c | 8 ++++++++
slirp/tcp_subr.c | 12 ++++++++++++
vl.c | 9 +++++++++
4 files changed, 39 insertions(+)
diff --git a/qemu-options.hx b/qemu-options.hx
index a770086..df60351 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3084,6 +3084,16 @@ Store the QEMU process PID in @var{file}. It is useful if you launch QEMU
from a script.
ETEXI
+DEF("nooutgoing", HAS_ARG, QEMU_OPTION_nooutgoing, \
+ "-nooutgoing <IP>\n" \
+ " incoming traffic only from IP, no outgoing\n", \
+ QEMU_ARCH_ALL)
+STEXI
+@item -nooutgoing
+Forbid userspace networking to make outgoing connections. Only accept incoming
+connections from ip address IP.
+ETEXI
+
DEF("singlestep", 0, QEMU_OPTION_singlestep, \
"-singlestep always run in singlestep mode\n", QEMU_ARCH_ALL)
STEXI
diff --git a/slirp/socket.c b/slirp/socket.c
index b836c42..13ec0c0 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -588,6 +588,8 @@ sorecvfrom(struct socket *so)
} /* if ping packet */
}
+extern int slirp_nooutgoing;
+
/*
* sendto() a socket
*/
@@ -605,6 +607,12 @@ sosendto(struct socket *so, struct mbuf *m)
DEBUG_CALL(" sendto()ing)");
sotranslate_out(so, &addr);
+ /* Only allow DNS requests */
+ if (slirp_nooutgoing && ntohs(((struct sockaddr_in *)&addr)->sin_port) != 53) {
+ errno = EHOSTUNREACH;
+ return -1;
+ }
+
/* Don't care what port we get */
ret = sendto(so->s, m->m_data, m->m_len, 0,
(struct sockaddr *)&addr, sizeof(addr));
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index dbfd2c6..94126bd 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -388,6 +388,8 @@ tcp_sockclosed(struct tcpcb *tp)
* nonblocking. Connect returns after the SYN is sent, and does
* not wait for ACK+SYN.
*/
+extern int slirp_nooutgoing;
+
int tcp_fconnect(struct socket *so, unsigned short af)
{
int ret=0;
@@ -395,6 +397,11 @@ int tcp_fconnect(struct socket *so, unsigned short af)
DEBUG_CALL("tcp_fconnect");
DEBUG_ARG("so = %p", so);
+ if (slirp_nooutgoing) {
+ errno = EHOSTUNREACH;
+ return -1;
+ }
+
ret = so->s = qemu_socket(af, SOCK_STREAM, 0);
if (ret >= 0) {
int opt, s=so->s;
@@ -475,6 +482,11 @@ void tcp_connect(struct socket *inso)
tcp_close(sototcpcb(so)); /* This will sofree() as well */
return;
}
+ if (slirp_nooutgoing && ((struct sockaddr_in *)&addr)->sin_addr.s_addr != slirp_nooutgoing) {
+ tcp_close(sototcpcb(so)); /* This will sofree() as well */
+ closesocket(s);
+ return;
+ }
qemu_set_nonblock(s);
socket_set_fast_reuse(s);
opt = 1;
diff --git a/vl.c b/vl.c
index bd81ea9..a8f1338 100644
--- a/vl.c
+++ b/vl.c
@@ -162,6 +162,7 @@ int smp_threads = 1;
int acpi_enabled = 1;
int no_hpet = 0;
int fd_bootchk = 1;
+int slirp_nooutgoing = 0;
static int no_reboot;
int no_shutdown = 0;
int cursor_hide = 1;
@@ -3378,6 +3379,14 @@ int main(int argc, char **argv, char **envp)
case QEMU_OPTION_singlestep:
singlestep = 1;
break;
+ case QEMU_OPTION_nooutgoing:
+ slirp_nooutgoing = inet_addr(optarg);
+ if (slirp_nooutgoing == INADDR_NONE) {
+ printf("Invalid address: %s.\nOnly addresses of the format "
+ "xxx.xxx.xxx.xxx are supported.\n", optarg);
+ exit(1);
+ }
+ break;
case QEMU_OPTION_S:
autostart = 0;
break;