On 2011-05-24 14:37, Gleb Natapov wrote:
> On Mon, May 23, 2011 at 04:48:16PM +0200, Jan Kiszka wrote:
>> This aligns the code to what the documentation claims: Allow everything
>> but requests that would have to be routed outside of the virtual LAN.
>>
>> So we need to drop the unneeded IP-level filter, allow TFTP requests,
>> and add the missing protocol-level filter to ICMP.
>>
> Maybe I am missing something, but how do you disallow requests by
> removing code that actually does filtering?
All we need to filter are the per-IP-protocol parts that do the forwarding
via the host IP stack. That does not need to happen at IP level. Moreover,
the existing code contained some practically dead bits anyway:

    if ((ip->ip_dst.s_addr & slirp->vnetwork_mask.s_addr) ==
        slirp->vnetwork_addr.s_addr) {
        if (ip->ip_dst.s_addr == 0xffffffff && ip->ip_p != IPPROTO_UDP)
            goto bad;

This could only trigger if vnetwork_mask.s_addr was 0 (the same applied to
the original code before my refactoring in 2009).

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux
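The dead-branch argument above, worked through as an added example (this is not slirp or QEMU code, and the scalar parameters stand in for the `ip_dst.s_addr`, `vnetwork_addr.s_addr` and `vnetwork_mask.s_addr` fields the quoted check reads). It models the quoted IP-level filter and, going slightly beyond the mail, shows that the inner `goto bad` branch is reachable exactly when the masked limited-broadcast address equals the virtual network address, which for ordinary network/mask pairs such as 10.0.2.0/24 is never:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_UDP_VAL 17u   /* same value as IPPROTO_UDP in <netinet/in.h> */

/* Models the quoted filter. Returns true when the packet would hit
 * "goto bad". All addresses are plain host-order integers here. */
static bool old_filter_drops(uint32_t vnet_addr, uint32_t vnet_mask,
                             uint32_t ip_dst, uint8_t ip_p)
{
    if ((ip_dst & vnet_mask) == vnet_addr) {
        if (ip_dst == 0xffffffffu && ip_p != IPPROTO_UDP_VAL)
            return true;          /* the "practically dead" branch */
    }
    return false;
}

/* The inner branch requires ip_dst == 0xffffffff, so the outer condition
 * collapses to (0xffffffff & mask) == addr, i.e. mask == addr. */
static bool inner_branch_reachable(uint32_t vnet_addr, uint32_t vnet_mask)
{
    return (0xffffffffu & vnet_mask) == vnet_addr;
}

/* Counts the prefix lengths 0..32 for which the inner branch can fire
 * with the given virtual network address; for a real network address
 * such as 10.0.2.0 the answer is 0, for address 0 it is 1 (mask 0). */
static int count_reachable_prefixes(uint32_t vnet_addr)
{
    int count = 0;
    for (int p = 0; p <= 32; p++) {
        uint32_t mask = (p == 0) ? 0u : 0xffffffffu << (32 - p);
        if (inner_branch_reachable(vnet_addr, mask))
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: the default slirp network 10.0.2.0/24. */
    printf("10.0.2.0/24, TCP to 255.255.255.255 dropped: %d\n",
           old_filter_drops(0x0a000200u, 0xffffff00u, 0xffffffffu, 6));
    printf("mask 0, TCP to 255.255.255.255 dropped: %d\n",
           old_filter_drops(0u, 0u, 0xffffffffu, 6));
    printf("prefixes reaching the branch for 10.0.2.0: %d\n",
           count_reachable_prefixes(0x0a000200u));
    return 0;
}
```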