slirp: Fix restricted mode

This aligns the code to what the documentation claims: Allow everything but requests that would have to be routed outside of the virtual LAN. So we need to drop the unneeded IP-level filter, allow TFTP requests, and add the missing protocol-level filter to ICMP. CC: Gleb Natapov <gleb@redhat.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2025-01-31 09:02:37 +00:00 · 2011-07-20 12:20:13 +02:00 · 2011-07-20 12:20:13 +02:00 · 12b513d837
commit 12b513d837
parent 80f52a6694
3 changed files with 6 additions and 25 deletions
--- a/slirp/ip_icmp.c
+++ b/slirp/ip_icmp.c
@ -101,6 +101,8 @@ icmp_input(struct mbuf *m, int hlen)
    ip->ip_len += hlen;	             /* since ip_input subtracts this */
    if (ip->ip_dst.s_addr == slirp->vhost_addr.s_addr) {
      icmp_reflect(m);
+    } else if (slirp->restricted) {
+        goto freeit;
    } else {
      struct socket *so;
      struct sockaddr_in addr;
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@ -118,27 +118,6 @@ ip_input(struct mbuf *m)
 		goto bad;
 	}

-    if (slirp->restricted) {
-        if ((ip->ip_dst.s_addr & slirp->vnetwork_mask.s_addr) ==
-            slirp->vnetwork_addr.s_addr) {
-            if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
-                goto bad;
-        } else {
-            uint32_t inv_mask = ~slirp->vnetwork_mask.s_addr;
-            struct ex_list *ex_ptr;
-
-            if ((ip->ip_dst.s_addr & inv_mask) == inv_mask) {
-                goto bad;
-            }
-            for (ex_ptr = slirp->exec_list; ex_ptr; ex_ptr = ex_ptr->ex_next)
-                if (ex_ptr->ex_addr.s_addr == ip->ip_dst.s_addr)
-                    break;
-
-            if (!ex_ptr)
-                goto bad;
-        }
-    }
-
 	/* Should drop packet if mbuf too long? hmmm... */
 	if (m->m_len > ip->ip_len)
 	   m_adj(m, ip->ip_len - m->m_len);
--- a/slirp/udp.c
+++ b/slirp/udp.c
@ -125,10 +125,6 @@ udp_input(register struct mbuf *m, int iphlen)
            goto bad;
        }

-        if (slirp->restricted) {
-            goto bad;
-        }
-
        /*
         *  handle TFTP
         */
@ -137,6 +133,10 @@ udp_input(register struct mbuf *m, int iphlen)
            goto bad;
        }

+        if (slirp->restricted) {
+            goto bad;
+        }
+
 	/*
 	 * Locate pcb for datagram.
 	 */