qemu-devel

Re: [Qemu-devel] [PATCH] Slirp reverse UDP firewall


From: Stefan Berger
Subject: Re: [Qemu-devel] [PATCH] Slirp reverse UDP firewall
Date: Thu, 14 Apr 2011 15:33:38 -0400
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Lightning/1.0b3pre Thunderbird/3.1.7

On 04/12/2011 12:19 PM, Daisuke Nojiri wrote:
This patch adds: -drop-udp, -allow-udp ADDR:PORT, -drop-log FILE

  e.g.) $ qemu -net user -drop-log qemu.drop -drop-udp -allow-udp 10.0.2.3:53

-drop-udp enables usermode firewall for out-going UDP packets from a guest.
All UDP packets except ones allowed by -allow-udp will be dropped. Dropped
packets are logged in the file specified by FILE. PORT can be a single number
(e.g. 53) or a range (e.g. [80-81]). If ADDR is omitted, all addresses match
the rule.

If you want to end up providing functionality like ebtables/iptables does then you'll need to think of user-defined tables or 'labeled rules' along with gotos/jumps -- not just for efficiency reasons but also because strictly linear evaluation of rules doesn't cover all the cases.
Besides that you'd probably want a connection tracking system so that you can for example enable only a few [UDP] ports of the VM to be reachable yet can initiate any kind of traffic... A bigger undertaking to say the least.

My $.02,
   Stefan
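As an added illustration (not code from the patch or from QEMU/slirp), the following C sketch parses the -allow-udp rule syntax quoted above and evaluates it with exactly the "strictly linear" first-match semantics Stefan describes, so the limitation is visible: a packet is allowed only if some rule matches, otherwise it is dropped and would go to the -drop-log. It assumes IPv4 only, and that an omitted ADDR is written as ":PORT" or a bare "PORT" (the patch text does not say).

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One -allow-udp rule (constructed here, not the patch's own structure). */
struct udp_rule {
    bool any_addr;        /* ADDR omitted: every destination address matches */
    uint32_t addr;        /* IPv4 destination, network byte order */
    int port_lo, port_hi; /* inclusive port range; a single PORT has lo == hi */
};

/* Parse "ADDR:PORT" or "ADDR:[LO-HI]"; an omitted ADDR is assumed to be
 * written ":PORT" or bare "PORT". Returns 0 on success, -1 on a bad spec. */
int parse_udp_rule(const char *spec, struct udp_rule *r)
{
    const char *colon = strrchr(spec, ':');
    const char *port = colon ? colon + 1 : spec;
    size_t alen = colon ? (size_t)(colon - spec) : 0;
    char buf[INET_ADDRSTRLEN], *end;
    struct in_addr in;
    memset(r, 0, sizeof *r);
    r->any_addr = (alen == 0);
    if (!r->any_addr) {
        if (alen >= sizeof buf) return -1;
        memcpy(buf, spec, alen);
        buf[alen] = '\0';
        if (inet_pton(AF_INET, buf, &in) != 1) return -1; /* rejects "bogus:53" */
        r->addr = in.s_addr;
    }
    if (port[0] == '[') { /* range form, e.g. [80-81] */
        if (sscanf(port, "[%d-%d]", &r->port_lo, &r->port_hi) != 2) return -1;
    } else {              /* single port, e.g. 53 */
        r->port_lo = r->port_hi = (int)strtol(port, &end, 10);
        if (end == port || *end != '\0') return -1;
    }
    return (r->port_lo < 1 || r->port_hi > 65535 || r->port_lo > r->port_hi) ? -1 : 0;
}

/* Strictly linear first-match evaluation: any matching rule allows the packet;
 * no match means drop (the -drop-udp default), which the caller would log. */
bool udp_allowed(const struct udp_rule *rules, int n, uint32_t dst, int dport)
{
    for (int i = 0; i < n; i++)
        if ((rules[i].any_addr || rules[i].addr == dst) &&
            dport >= rules[i].port_lo && dport <= rules[i].port_hi)
            return true;
    return false;
}
```

Note that nothing here tracks replies: a guest that is allowed to send to 10.0.2.3:53 gets no state that would let only the matching answer back in, which is the connection-tracking gap Stefan points out.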

