Add slirp_restrict option (Gleb Natapov)
Add "slirp firewall" to permit connection only to vmchannel addresses.
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6241 c046a42c-6fe2-441c-8c8c-71466251a162
diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index b046840..73cb00e 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -136,6 +136,27 @@
STAT(ipstat.ips_tooshort++);
goto bad;
}
+
+ if (slirp_restrict) {
+ if (memcmp(&ip->ip_dst.s_addr, &special_addr, 3)) {
+ if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
+ goto bad;
+ } else {
+ int host = ntohl(ip->ip_dst.s_addr) & 0xff;
+ struct ex_list *ex_ptr;
+
+ if (host == 0xff)
+ goto bad;
+
+ for (ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
+ if (ex_ptr->ex_addr == host)
+ break;
+
+ if (!ex_ptr)
+ goto bad;
+ }
+ }
+
/* Should drop packet if mbuf too long? hmmm... */
if (m->m_len > ip->ip_len)
m_adj(m, ip->ip_len - m->m_len);
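Review bot: In the first branch of the `slirp_restrict` check (destination outside the first three bytes of `special_addr`), only non-UDP packets to 255.255.255.255 are dropped, so every other off-subnet packet continues past this filter. As far as this hunk shows, restricting the guest to vmchannel addresses therefore depends on checks in the per-protocol input paths, and any protocol without such a check (ICMP is worth confirming, since it is not visible here) would still be processed. Consider failing closed at this point with `if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP) goto bad;`, or, if the transport code is meant to enforce the rest, say so in a comment above the branch. The literal `3` in the `memcmp` hard-codes a /24 prefix compared in network byte order and also deserves a one-line comment. The enclosing function begins and ends outside the hunk.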