authorrich cannings <richc@google.com>2011-02-16 13:43:44 -0800
committerrich cannings <richc@google.com>2011-02-16 16:18:33 -0800
commit7339b55944e97077e4f74c4be34cd956ae44198b (patch)
treefa4d61112a5144ac4932e90693b2b0b281787d69 /slirp-android/udp.c
parentbdedc85ca0c7ae3dcb9771595d196e6f533f4492 (diff)
Add user mode networking restrictions: a firewall
Command-line options are added, and the supporting code implemented, for: QEMU_OPTION_drop_udp QEMU_OPTION_drop_tcp QEMU_OPTION_allow_tcp QEMU_OPTION_drop_log QEMU_OPTION_net_forward QEMU_OPTION_max_dns_conns QEMU_OPTION_allow_udp QEMU_OPTION_dns_log. This change also makes the default maximum number of DNS connections unlimited. Change-Id: I887213149956dda155ef514418365bd80d8f1236
Diffstat (limited to 'slirp-android/udp.c')
-rw-r--r--slirp-android/udp.c51
1 files changed, 51 insertions, 0 deletions
diff --git a/slirp-android/udp.c b/slirp-android/udp.c
index 9091505..a9c9a82 100644
--- a/slirp-android/udp.c
+++ b/slirp-android/udp.c
@@ -47,6 +47,10 @@
struct udpstat udpstat;
#endif
+/* Keeps track of the number of DNS requests. Used to implement the firewall
+ * option that restricts the number of DNS requests (-max_dns_conns). */
+u_int dns_num_conns;
+
struct socket udb;
static u_int8_t udp_tos(struct socket *so);
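Review bot: The comment on the new `dns_num_conns` global describes it as a count of DNS requests, but nothing in this commit ever decrements it (it is only reset in `udp_init()` and incremented in `udp_input`), so it is a cumulative total for the session rather than a count of open connections as the `-max_dns_conns` option name suggests. I would say so in the comment so the cap's semantics are clear to whoever tunes the option: `/* Cumulative count of guest UDP datagrams addressed to port 53 since udp_init(); never decremented, so -max_dns_conns is a lifetime cap, not a concurrent-connection limit. */`. If no other translation unit reads the counter it should also be declared `static`; whether anything else references it cannot be confirmed from this hunk.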
@@ -68,6 +72,7 @@ void
udp_init(void)
{
udb.so_next = udb.so_prev = &udb;
+ dns_num_conns = 0;
}
/* m->m_data points at ip packet header
* m->m_len length ip packet
@@ -121,6 +126,33 @@ udp_input(register struct mbuf *m, int iphlen)
ip->ip_len = len;
}
+ /* ------------------------------------------------------*/
+ /* User mode network stack restrictions */
+ /* slirp_should_drop requires host byte ordering in arguments */
+ if (slirp_should_drop(ntohl(ip->ip_dst.addr), ntohs(uh->uh_dport.port),
+ IPPROTO_UDP)) {
+ slirp_drop_log(
+ "Dropped UDP: src: 0x%08lx:0x%04x dst: 0x%08lx:0x%04x\n",
+ ip->ip_src.addr,
+ uh->uh_sport.port,
+ ip->ip_dst.addr,
+ uh->uh_dport.port
+ );
+ goto bad; /* drop the packet */
+ }
+ else {
+ slirp_drop_log(
+ "Allowed UDP: src: 0x%08lx:0x%04x dst: 0x%08lx:0x%04x\n",
+ ip->ip_src.addr,
+ uh->uh_sport.port,
+ ip->ip_dst.addr,
+ uh->uh_dport.port
+ );
+ }
+ /* ------------------------------------------------------*/
+
+
+
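Review bot: The two slirp_drop_log calls print `ip_src.addr`/`ip_dst.addr` with `0x%08lx`, which expects an unsigned long, while the check directly above hands the same fields to ntohl()/ntohs(), i.e. they are 32- and 16-bit network-order values; on an LP64 host the `%lx` conversion is a format/argument type mismatch (undefined behaviour, and -Wformat will flag it), and the logged addresses and ports come out byte-swapped relative to what the firewall actually matched. I would print the converted values with fixed-width conversions, `"Dropped UDP: src: 0x%08x:0x%04x dst: 0x%08x:0x%04x\n"` with `ntohl(ip->ip_src.addr), ntohs(uh->uh_sport.port), ntohl(ip->ip_dst.addr), ntohs(uh->uh_dport.port)` as the arguments, and the same for the "Allowed UDP" message. Note also that the "Allowed UDP" line fires once per accepted datagram, so a guest controls the log volume directly; whether slirp_drop_log is a no-op without -drop_log is not visible here. The check also runs before the IP header is saved and, if upstream slirp's ordering is kept, before the UDP checksum is verified, so malformed datagrams are logged as dropped/allowed too. udp_input continues outside the hunk.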
/*
* Save a copy of the IP header in case we want restore it
* for sending an ICMP error message in response.
@@ -164,6 +196,18 @@ udp_input(register struct mbuf *m, int iphlen)
goto bad;
}
+ // DNS logging and FW rules
+ if (ntohs(uh->uh_dport.port) == 53) {
+ if (!slirp_dump_dns(m)) {
+ DEBUG_MISC((dfd,"Error logging DNS packet"));
+ }
+ dns_num_conns++;
+ if (slirp_get_max_dns_conns() != -1 &&
+ dns_num_conns > slirp_get_max_dns_conns())
+ goto bad;
+ }
+
+
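Review bot: The `goto bad` taken when `dns_num_conns` exceeds the limit is silent, whereas the firewall drops earlier in udp_input go through slirp_drop_log, so with -drop_log enabled an operator sees DNS traffic vanish with no record of why; I would log it first, `slirp_drop_log("Dropped DNS: max_dns_conns (%d) exceeded\n", slirp_get_max_dns_conns());`. Two smaller points on the same lines: `dns_num_conns` is a u_int and the limit is evidently an int (it is compared with -1), so the `>` is a signed/unsigned comparison and any other negative return would disable DNS entirely — worth an explicit `> 0` guard or a cast; and the DEBUG_MISC string `"Error logging DNS packet"` has no trailing newline, unlike the other messages in this commit. The counter is incremented even when the datagram is then dropped, so the cap is cumulative over the session rather than a limit on concurrent lookups. udp_input continues outside the hunk.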
/*
* Locate pcb for datagram.
*/
@@ -309,6 +353,13 @@ int udp_output2_(struct socket *so, struct mbuf *m,
STAT(udpstat.udps_opackets++);
+ // DNS logging
+ if (so != NULL && so->so_faddr_port == htons(53)) {
+ if (!slirp_dump_dns(m)) {
+ DEBUG_MISC((dfd,"Error logging DNS packet"));
+ }
+ }
+
error = ip_output(so, m);
return (error);
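Review bot: The outbound DNS check compares `so->so_faddr_port == htons(53)`, while the inbound check in this same commit compares the wire field as `ntohs(uh->uh_dport.port) == 53`; `so_faddr_port` is a socket field, not a wire field, and in slirp-android the socket address fields appear to be kept in host order, in which case `htons(53)` only matches port 13568 on little-endian hosts and replies from the DNS server are never dumped. That cannot be settled from this hunk, so please confirm the byte order of `so_faddr_port`; if it is host order the test should read `so->so_faddr_port == 53`. Separately, `slirp_dump_dns(m)` is handed the mbuf before `ip_output` has completed the IP header, so if the dumper locates the UDP payload via `ip_hl` it will read the wrong offset on this path — worth checking against the implementation. udp_output2_ ends outside the hunk.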