On 04/12/2011 12:19 PM, Daisuke Nojiri wrote:
This patch adds: -drop-udp, -allow-udp ADDR:PORT, -drop-log FILE
e.g. $ qemu -net user -drop-log qemu.drop -drop-udp -allow-udp 10.0.2.3:53
-drop-udp enables a usermode firewall for outgoing UDP packets from a guest.
All UDP packets except ones allowed by -allow-udp will be dropped. Dropped
packets are logged in the file specified by FILE. PORT can be a single number
(e.g. 53) or a range (e.g. [80-81]). If ADDR is omitted, all addresses match
the rule.
If you want to end up providing functionality like ebtables/iptables
does then you'll need to think of user-defined tables or 'labeled rules'
along with gotos/jumps -- not just for efficiency reasons but also
because strictly linear evaluation of rules doesn't cover all the cases.
Besides that you'd probably want a connection tracking system so that
you can for example enable only a few [UDP] ports of the VM to be
reachable yet can initiate any kind of traffic... A bigger undertaking
to say the least.
My $.02,
Stefan
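As an added illustration of the two ideas discussed in this thread (the patch's linear -allow-udp rule evaluation with optional ADDR and single-port or [lo-hi] ranges, plus the connection-tracking behaviour Stefan mentions), here is a small Python model. It is not the QEMU patch's code or any QEMU API; the class and function names, the in-memory drop log standing in for -drop-log FILE, and the flow table are assumptions made for the example.

```python
"""Model of a user-mode UDP egress filter with -allow-udp style rules.

Added example, not the QEMU patch itself.  Rules are evaluated in order
(first match wins); packets that match no rule are dropped and recorded.
A minimal flow table lets inbound UDP in only as a reply to a flow the
guest itself opened, which is the connection-tracking idea from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ADDR:PORT, ADDR:[lo-hi], PORT or [lo-hi]; ADDR is optional (hypothetical grammar
# matching the patch description).
_RULE_RE = re.compile(
    r'^(?:(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):)?'
    r'(?:\[(?P<lo>\d+)-(?P<hi>\d+)\]|(?P<port>\d+))$'
)


@dataclass(frozen=True)
class AllowRule:
    addr: Optional[str]  # None means "any destination address"
    lo: int
    hi: int

    def matches(self, dst_addr: str, dst_port: int) -> bool:
        if self.addr is not None and self.addr != dst_addr:
            return False
        return self.lo <= dst_port <= self.hi


def parse_rule(text: str) -> AllowRule:
    """Parse one -allow-udp argument into an AllowRule."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad -allow-udp rule: {text!r}")
    if m.group('port') is not None:
        lo = hi = int(m.group('port'))
    else:
        lo, hi = int(m.group('lo')), int(m.group('hi'))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of range: {text!r}")
    return AllowRule(m.group('addr'), lo, hi)


Flow = Tuple[str, int, str, int]  # (guest_addr, guest_port, remote_addr, remote_port)


class UdpFirewall:
    def __init__(self, allow_rules: List[str], drop_udp: bool = True) -> None:
        self.rules = [parse_rule(r) for r in allow_rules]
        self.drop_udp = drop_udp
        self.drop_log: List[str] = []   # stands in for -drop-log FILE
        self.flows: Set[Flow] = set()   # guest-initiated UDP "connections"

    def allow_outgoing(self, src_addr: str, src_port: int,
                       dst_addr: str, dst_port: int) -> bool:
        """Guest -> outside. Linear rule scan; unmatched packets are dropped and logged."""
        if self.drop_udp and not any(r.matches(dst_addr, dst_port) for r in self.rules):
            self.drop_log.append(
                f"drop udp {src_addr}:{src_port} -> {dst_addr}:{dst_port}")
            return False
        # Remember the flow so the reply can come back in.
        self.flows.add((src_addr, src_port, dst_addr, dst_port))
        return True

    def allow_incoming(self, src_addr: str, src_port: int,
                       dst_addr: str, dst_port: int) -> bool:
        """Outside -> guest. Only replies to flows the guest opened are accepted."""
        if (dst_addr, dst_port, src_addr, src_port) in self.flows:
            return True
        self.drop_log.append(
            f"drop udp (unsolicited) {src_addr}:{src_port} -> {dst_addr}:{dst_port}")
        return False


if __name__ == "__main__":
    # Constructed sample: the policy from the thread's example command line
    # plus a port range, and a few packets run through it.
    fw = UdpFirewall(["10.0.2.3:53", "[80-81]"])
    print(fw.allow_outgoing("10.0.2.15", 40000, "10.0.2.3", 53))   # DNS to allowed resolver
    print(fw.allow_outgoing("10.0.2.15", 40001, "8.8.8.8", 53))    # DNS elsewhere: dropped
    print(fw.allow_incoming("10.0.2.3", 53, "10.0.2.15", 40000))   # reply to tracked flow
    print(fw.allow_incoming("10.0.2.3", 53, "10.0.2.15", 40001))   # no matching flow
    print("\n".join(fw.drop_log))
```

Note that the flow table never expires entries here; a real implementation would age them out, and (as Stefan points out) a policy richer than a first-match linear list would need labelled rule chains rather than this flat scan.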