From a9ba3a856d8e84f4c32bcfa2b92727b7add4996c Mon Sep 17 00:00:00 2001
From: aliguori
Date: Thu, 8 Jan 2009 19:24:00 +0000
Subject: Add slirp_restrict option (Gleb Natapov)
Add "slirp firewall" to permit connection only to vmchannel addresses.
Signed-off-by: Gleb Natapov
Signed-off-by: Anthony Liguori
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6241 c046a42c-6fe2-441c-8c8c-71466251a162
---
 slirp/tcp_input.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'slirp/tcp_input.c')
diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 17a9387..408875e 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -253,6 +253,7 @@ tcp_input(m, iphlen, inso)
 u_long tiwin;
 int ret;
 /* int ts_present = 0; */
+ struct ex_list *ex_ptr;
 DEBUG_CALL("tcp_input");
 DEBUG_ARGS((dfd," m = %8lx iphlen = %2d inso = %lx\n",
@@ -363,6 +364,15 @@ tcp_input(m, iphlen, inso)
 m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
 m->m_len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
+ if (slirp_restrict) {
+ for (ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
+ if (ex_ptr->ex_fport == ti->ti_dport &&
+ (ntohl(ti->ti_dst.s_addr) & 0xff) == ex_ptr->ex_addr)
+ break;
+
+ if (!ex_ptr)
+ goto drop;
+ }
 /*
 * Locate pcb for segment.
 */
@@ -646,7 +656,6 @@ findso:
 #endif
 {
 /* May be an add exec */
- struct ex_list *ex_ptr;
 for(ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next) {
 if(ex_ptr->ex_fport == so->so_fport &&
 lastbyte == ex_ptr->ex_addr) {
-- 
cgit v1.1
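Review bot: The `slirp_restrict` filter added in the second hunk compares only the low octet of the destination (`ntohl(ti->ti_dst.s_addr) & 0xff`) with `ex_ptr->ex_addr`, so a segment to any address whose last byte and port coincide with a vmchannel entry passes the check, whether or not that address lies in the slirp virtual network. Unless the network prefix is verified before this point (nothing in the hunk shows it), the loop condition should also require it, e.g. `(ti->ti_dst.s_addr & htonl(0xffffff00)) == special_addr.s_addr &&` ahead of the port test. The unbraced `for`/`if` nesting would be easier to maintain with braces. A comment such as `/* restricted mode: drop anything not addressed to a registered vmchannel (exec_list) entry */` would record why the segment goes to `drop` without a reset. `tcp_input` begins and ends outside the hunk.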