diff options
| author | Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> | 2019-07-10 15:16:58 +0900 |
|---|---|---|
| committer | Marc-André Lureau <marcandre.lureau@redhat.com> | 2019-08-01 10:57:57 +0400 |
| commit | 95932a682a9b855e861e4f3faa5e71d852035422 (patch) | |
| tree | a85849878db75a840360d679fa3743d790632476 /src/socket.c | |
| parent | 09d410adbff5422b7ba7596bce0ca71f9f807ea9 (diff) | |
| download | slirp-95932a682a9b855e861e4f3faa5e71d852035422.zip slirp-95932a682a9b855e861e4f3faa5e71d852035422.tar.gz slirp-95932a682a9b855e861e4f3faa5e71d852035422.tar.bz2 | |
add disable_host_loopback (prohibit connections to 127.0.0.1)
From https://github.com/rootless-containers/slirp4netns/blob/4889f5299f407d7d7566c76a3b8b5f71c99b6db5/qemu_patches/0003-slirp-add-disable_host_loopback-prohibit-connections.patch
Original commits:
* https://github.com/rootless-containers/slirp4netns/commit/6325473781bb344c225f54e2d28800fb0619d7ee
* https://github.com/rootless-containers/slirp4netns/commit/13b24026867d4c30d5d1465ac82e3bb890bf4caa
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Diffstat (limited to 'src/socket.c')
| -rw-r--r-- | src/socket.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/src/socket.c b/src/socket.c index 34daffc..d96d8c4 100644 --- a/src/socket.c +++ b/src/socket.c @@ -657,7 +657,9 @@ int sosendto(struct socket *so, struct mbuf *m) addr = so->fhost.ss; DEBUG_CALL(" sendto()ing)"); - sotranslate_out(so, &addr); + if (sotranslate_out(so, &addr) < 0) { + return -1; + } /* Don't care what port we get */ ret = sendto(so->s, m->m_data, m->m_len, 0, (struct sockaddr *)&addr, @@ -818,8 +820,9 @@ void sofwdrain(struct socket *so) /* * Translate addr in host addr when it is a virtual address */ -void sotranslate_out(struct socket *so, struct sockaddr_storage *addr) +int sotranslate_out(struct socket *so, struct sockaddr_storage *addr) { + int rc = 0; Slirp *slirp = so->slirp; struct sockaddr_in *sin = (struct sockaddr_in *)addr; struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr; @@ -830,18 +833,19 @@ void sotranslate_out(struct socket *so, struct sockaddr_storage *addr) slirp->vnetwork_addr.s_addr) { /* It's an alias */ if (so->so_faddr.s_addr == slirp->vnameserver_addr.s_addr) { - if (get_dns_addr(&sin->sin_addr) < 0) { - sin->sin_addr = loopback_addr; + if (get_dns_addr(&sin->sin_addr) >= 0) { + goto ret; } + } + if (slirp->disable_host_loopback) { + rc = -1; + errno = EPERM; + goto ret; } else { sin->sin_addr = loopback_addr; } } - - DEBUG_MISC(" addr.sin_port=%d, addr.sin_addr.s_addr=%.16s", - ntohs(sin->sin_port), inet_ntoa(sin->sin_addr)); break; - case AF_INET6: if (in6_equal_net(&so->so_faddr6, &slirp->vprefix_addr6, slirp->vprefix_len)) { @@ -849,9 +853,13 @@ void sotranslate_out(struct socket *so, struct sockaddr_storage *addr) uint32_t scope_id; if (get_dns6_addr(&sin6->sin6_addr, &scope_id) >= 0) { sin6->sin6_scope_id = scope_id; - } else { - sin6->sin6_addr = in6addr_loopback; + goto ret; } + } + if (slirp->disable_host_loopback) { + rc = -1; + errno = EPERM; + goto ret; } else { sin6->sin6_addr = in6addr_loopback; } @@ -861,6 +869,8 @@ void sotranslate_out(struct socket *so, struct sockaddr_storage *addr) default: break; } +ret: + return rc; } void sotranslate_in(struct socket *so, struct sockaddr_storage *addr) |