author | aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> | 2009-01-08 19:24:00 +0000 |
---|---|---|
committer | aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162> | 2009-01-08 19:24:00 +0000 |
commit | a9ba3a856d8e84f4c32bcfa2b92727b7add4996c (patch) | |
tree | e45a11e63905d3a231456c272d0e094d7a869974 /slirp/ip_input.c | |
parent | e1c5a2b33409b9795fa58bf389eac855981330a5 (diff) |
Add slirp_restrict option (Gleb Natapov)
Add "slirp firewall" to permit connection only to vmchannel addresses.
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6241 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'slirp/ip_input.c')
-rw-r--r-- | slirp/ip_input.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index b04684027d..73cb00ea94 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -136,6 +136,27 @@ ip_input(m)
 STAT(ipstat.ips_tooshort++);
 goto bad;
 }
+
+ if (slirp_restrict) {
+ if (memcmp(&ip->ip_dst.s_addr, &special_addr, 3)) {
+ if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
+ goto bad;
+ } else {
+ int host = ntohl(ip->ip_dst.s_addr) & 0xff;
+ struct ex_list *ex_ptr;
+
+ if (host == 0xff)
+ goto bad;
+
+ for (ex_ptr = exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
+ if (ex_ptr->ex_addr == host)
+ break;
+
+ if (!ex_ptr)
+ goto bad;
+ }
+ }
+
 /* Should drop packet if mbuf too long? hmmm... */
 if (m->m_len > ip->ip_len)
 m_adj(m, ip->ip_len - m->m_len); |
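Review bot: In the first branch of the `slirp_restrict` block (destination outside the special net), the only packet dropped is a non-UDP one addressed to `0xffffffff`, so every other off-net destination passes this check untouched. If those are meant to be refused later in the TCP/UDP input paths, which this page does not show, the block needs a comment saying so, for example `/* restrict: off-net traffic is filtered in the transport layers; here only exec_list hosts on the special net pass */`. In the else branch the lookup compares only `ex_ptr->ex_addr` with the host byte, so at this layer any IP protocol addressed to a listed host is accepted. The literal `3` in the `memcmp` hard-codes a /24 prefix and would be clearer as a named constant. The body of `ip_input` starts and ends outside the hunk.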