From patchwork Tue Apr 12 16:19:34 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daisuke Nojiri X-Patchwork-Id: 90833 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [140.186.70.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id 84A1FB6F1E for ; Wed, 13 Apr 2011 02:20:05 +1000 (EST) Received: from localhost ([::1]:39592 helo=lists2.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Q9gJu-0003bJ-Nk for incoming@patchwork.ozlabs.org; Tue, 12 Apr 2011 12:20:02 -0400 Received: from eggs.gnu.org ([140.186.70.92]:37223) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Q9gJb-0003ZM-Pb for qemu-devel@nongnu.org; Tue, 12 Apr 2011 12:19:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Q9gJV-0006ZJ-R5 for qemu-devel@nongnu.org; Tue, 12 Apr 2011 12:19:43 -0400 Received: from smtp-out.google.com ([216.239.44.51]:53950) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Q9gJV-0006Yq-Ge for qemu-devel@nongnu.org; Tue, 12 Apr 2011 12:19:37 -0400 Received: from wpaz1.hot.corp.google.com (wpaz1.hot.corp.google.com [172.24.198.65]) by smtp-out.google.com with ESMTP id p3CGJaLT028014 for ; Tue, 12 Apr 2011 09:19:36 -0700 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1302625176; bh=/m1NyIy1V1jWcm62DByzqzP8WfM=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=Po2Iszu4HLYjs3Ry6SUzZ8bU+/wLBt2EVQC1aQLj3XkfgjHy/tRO0WfG+AXwipb8v QBgGZ69Kwq8WZI2J55QCQ== Received: from pwj7 (pwj7.prod.google.com [10.241.219.71]) by wpaz1.hot.corp.google.com with ESMTP id p3CGIXv3017330 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for ; Tue, 12 Apr 2011 09:19:35 -0700 Received: by pwj7 with SMTP id 7so3112458pwj.12 for ; Tue, 12 Apr 2011 09:19:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=7yrAQ6YVTaeMZbAQNP0Hodb2t5WW6qybpusxVCqLzXE=; b=nmMVnJbKO98MyBM5IJb/b8rn5MS5vn3mphIArTC8kxD6qtFHEoh5eyUe60Q6R7UnfO nYLQxMv4skTpccmyWkcg== DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:date:message-id:subject:from:to:content-type; b=OEdiudwI2opC9LbGFtvDTtIkqz+rZO8hInNz2Iczcg8g77+X6E11TxfWRey6QVHTn/ AnF5onkLJix4EkdJ/CIg== MIME-Version: 1.0 Received: by 10.143.26.8 with SMTP id d8mr332514wfj.343.1302625174739; Tue, 12 Apr 2011 09:19:34 -0700 (PDT) Received: by 10.142.188.11 with HTTP; Tue, 12 Apr 2011 09:19:34 -0700 (PDT) Date: Tue, 12 Apr 2011 09:19:34 -0700 Message-ID: From: Daisuke Nojiri To: qemu-devel@nongnu.org X-System-Of-Record: true X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 216.239.44.51 Subject: [Qemu-devel] [PATCH] Slirp reverse UDP firewall X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org This patch adds: -drop-udp, -allow-udp ADDR:PORT, -drop-log FILE e.g.) $ qemu -net user -drop-log qemu.drop -drop-udp -allow-udp 10.0.2.3:53 -drop-udp enables usermode firewall for out-going UDP packats from a guest. All UDP packets except ones allowed by -allow-udp will be dropped. Dropped packets are logged in the file specified by FILE. PORT can be a single number (e.g. 53) or a range (e.g. [80-81]). If ADDR is ommitted, all addresses match the rule. Signed-off-by: Daisuke Nojiri break; --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1119,6 +1119,24 @@ DEF("netdev", HAS_ARG, QEMU_OPTION_netdev, "vde|" #endif "socket],id=str[,option][,option][,...]\n", QEMU_ARCH_ALL) + +DEF("drop-udp", 0, QEMU_OPTION_drop_udp, +"-drop-udp\tDrop UDP packets by usermode firewall\n", +QEMU_ARCH_ALL) + +DEF("allow-udp", HAS_ARG, QEMU_OPTION_allow_udp, + "-allow-udp addr:port\n" + " Add an allowed rule for -drop-udp. If destination matches\n" + " the rule, the packet won't be dropped. 'port' can be a single\n" + " number (e.g. 53) or a range (e.g. [80-81]. If 'addr' is omitted, + " all addresses match.\n", + QEMU_ARCH_ALL) + +DEF("drop-log", HAS_ARG, QEMU_OPTION_drop_log, + "-drop-log file\n" + " Set usermode firewall log filename to 'file'.\n", + QEMU_ARCH_ALL) + STEXI @item -net nic[,vlan=@var{n}][,macaddr=@var{mac}][,model=@var{type}] [,name=@var{name}][,addr=@var{addr}][,vectors=@var{v}] @findex -net diff --git a/slirp/libslirp.h b/slirp/libslirp.h index 67c70e3..1ce5d68 100644 --- a/slirp/libslirp.h +++ b/slirp/libslirp.h @@ -44,6 +44,15 @@ void slirp_socket_recv(Slirp *slirp, struct in_addr guest_addr, size_t slirp_socket_can_recv(Slirp *slirp, struct in_addr guest_addr, int guest_port); +/* Usermode firewall functions */ +void slirp_enable_drop_udp(void); +void slirp_set_drop_log_fd(FILE *fd); +void slirp_add_allow(const char *optarg, u_int8_t proto); +int slirp_drop_log(const char *format, ...); +int slirp_should_drop(unsigned long dst_addr, + unsigned short dst_port, + u_int8_t proto); + #else /* !CONFIG_SLIRP */ static inline void slirp_select_fill(int *pnfds, fd_set *readfds, diff --git a/slirp/slirp.c b/slirp/slirp.c index 1593be1..d321316 100644 --- a/slirp/slirp.c +++ b/slirp/slirp.c @@ -1111,3 +1111,192 @@ static int slirp_state_load(QEMUFile *f, void *opaque, int version_id) return 0; } + +/* + * Allow rule for the usermode firewall + */ +struct ufw_allowed { + struct ufw_allowed *next; + unsigned long dst_addr; + /* Port range. For a single port, dst_lport = dst_hport. */ + unsigned short dst_lport; /* in host byte order */ + unsigned short dst_hport; /* in host byte order */ +}; + +/* + * Global variables for the usermode firewall + */ +static int drop_udp = 0; +static FILE *drop_log_fd = NULL; +static struct ufw_allowed *fw_allowed_udp = NULL; + +void slirp_enable_drop_udp(void) +{ + drop_udp = 1; +} + +void slirp_set_drop_log_fd(FILE *fd) +{ + drop_log_fd = fd; +} + +int slirp_should_drop(unsigned long dst_addr, + unsigned short dst_port, + u_int8_t proto) { + struct ufw_allowed *fwa = NULL; + unsigned short dport; /* host byte order */ + + switch (proto) { + case IPPROTO_UDP: + if (drop_udp == 0) { + return 0; + } else { + fwa = fw_allowed_udp; + } + break; + case IPPROTO_TCP: + default: + return 1; /* unrecognized protocol. default drop. */ + } + + /* Find matching allow rule. 0 works as a wildcard for address. */ + for (; fwa; fwa = fwa->next) { + dport = ntohs(dst_port); + if ((fwa->dst_lport <= dport) && (dport <= fwa->dst_hport)) { + /* allow any destination if 0 */ + if (fwa->dst_addr == 0 || fwa->dst_addr == dst_addr) { + return 0; + } + } + } + return 1; +} + +/* + * Register an allow rule for user mode firewall + */ +void slirp_add_allow_internal(unsigned long dst_addr, + unsigned short dst_lport, + unsigned short dst_hport, + u_int8_t proto) { + struct ufw_allowed *fwa; + + fwa = (struct ufw_allowed *)malloc(sizeof(struct ufw_allowed)); + if (!fwa) { + DEBUG_MISC((dfd, "Unabled to create a new firewall rule " + "due to malloc failure\n")); + exit(-1); + } + + fwa->dst_addr = dst_addr; + fwa->dst_lport = dst_lport; + fwa->dst_hport = dst_hport; + + switch (proto) { + case IPPROTO_UDP: + fwa->next = fw_allowed_udp; + fw_allowed_udp = fwa; + break; + case IPPROTO_TCP: + default: + free(fwa); + return; /* unrecognized protocol */ + } +} + +/* + * Parse a null-terminated string specifying a network port or port range (e.g. + * "[1024-65535]"). In case of a single port, lport and hport are the same. + * Returns 0 on success and -1 on error. + */ +int parse_port_range(const char *str, + unsigned short *lport, + unsigned short *hport) { + unsigned int low = 0, high = 0; + char *p, *arg = strdup(str); + + p = rindex(arg, ']'); + if ((*arg == '[') & (p != NULL)) { + p = arg + 1; /* skip '[' */ + low = atoi(strsep(&p, "-")); + high = atoi(p); + } else { + low = atoi(arg); + high = low; + } + + free(arg); + + if ((low > 0) && (high > 0) && (low <= high) && (high < 65536)) { + *lport = low; + *hport = high; + return 0; + } + + return -1; +} + +/* + * Add allow rules for the usermode firewall. + */ +void slirp_add_allow(const char *optarg, u_int8_t proto) +{ + /* + * we expect the following format: + * dst_addr:dst_port OR dst_addr:[dst_lport-dst_hport] + */ + char *argument = strdup(optarg), *p = argument; + char *dst_addr_str, *dst_port_str; + struct in_addr dst_addr; + unsigned short dst_lport, dst_hport; + + dst_addr_str = strsep(&p, ":"); + dst_port_str = p; + + if (dst_addr_str == NULL || dst_port_str == NULL) { + fprintf(stderr, + "Invalid argument %s for -allow. We expect " + "dst_addr:dst_port or dst_addr:[dst_lport-dst_hport]\n", + optarg); + exit(1); + } + + /* handling ":port" notation (when IP address is omitted entirely). */ + if (*dst_addr_str == '\0') { + dst_addr.s_addr = 0; + } + /* inet_aton returns 0 on failure. */ + else if (inet_aton(dst_addr_str, &dst_addr) == 0) { + fprintf(stderr, "Invalid destination IP address: %s\n", dst_addr_str); + exit(1); + } + + if (parse_port_range(dst_port_str, &dst_lport, &dst_hport) == -1) { + fprintf(stderr, "Invalid destination port or port range\n"); + exit(1); + } + + slirp_add_allow_internal(dst_addr.s_addr, dst_lport, dst_hport, proto); + + free(argument); +} + +/* + * Write to drop-log + */ +int slirp_drop_log(const char *format, ...) +{ + va_list args; + + if (!drop_log_fd) { + return 0; + } + + va_start(args, format); + vfprintf(drop_log_fd, format, args); + va_end(args); + + fflush(drop_log_fd); + + return 1; +} diff --git a/slirp/slirp.h b/slirp/slirp.h index 954289a..29ee425 100644 --- a/slirp/slirp.h +++ b/slirp/slirp.h @@ -299,6 +299,15 @@ int tcp_emu(struct socket *, struct mbuf *); int tcp_ctl(struct socket *); struct tcpcb *tcp_drop(struct tcpcb *tp, int err); +/* slirp.c */ +void slirp_add_allow_internal(unsigned long dst_addr, + unsigned short dst_lport, + unsigned short dst_hport, + u_int8_t proto); +int parse_port_range(const char *str, + unsigned short *lport, + unsigned short *hport); + #ifdef USE_PPP #define MIN_MRU MINMRU #define MAX_MRU MAXMRU diff --git a/slirp/udp.c b/slirp/udp.c index 02b3793..db7e4ca 100644 --- a/slirp/udp.c +++ b/slirp/udp.c @@ -67,6 +67,8 @@ udp_input(register struct mbuf *m, int iphlen) DEBUG_ARG("m = %lx", (long)m); DEBUG_ARG("iphlen = %d", iphlen); + time_t timestamp = time(NULL); + /* * Strip IP options, if any; should skip this, * make available to user, and use on returned packets, @@ -98,6 +100,28 @@ udp_input(register struct mbuf *m, int iphlen) ip->ip_len = len; } + /* + * User mode firewall + */ + if (slirp_should_drop(ip->ip_dst.s_addr, uh->uh_dport, IPPROTO_UDP)) { + slirp_drop_log( + "Dropped UDP: src:0x%08x:0x%04hx dst:0x%08x:0x%04hx %ld\n", + ntohl(ip->ip_src.s_addr), + ntohs(uh->uh_sport), + ntohl(ip->ip_dst.s_addr), + ntohs(uh->uh_dport), + timestamp); + goto bad; + } else { + slirp_drop_log( + "Allowed UDP: src:0x%08x:0x%04hx dst:0x%08x:0x%04hx %ld\n", + ntohl(ip->ip_src.s_addr), + ntohs(uh->uh_sport), + ntohl(ip->ip_dst.s_addr), + ntohs(uh->uh_dport), + timestamp); + } + /* * Save a copy of the IP header in case we want restore it * for sending an ICMP error message in response. diff --git a/vl.c b/vl.c index 68c3b53..b0583e3 100644 --- a/vl.c +++ b/vl.c @@ -2287,6 +2287,24 @@ int main(int argc, char **argv, char **envp) exit(1); break; #endif + case QEMU_OPTION_drop_udp: + slirp_enable_drop_udp(); + break; + case QEMU_OPTION_allow_udp: + slirp_add_allow(optarg, IPPROTO_UDP); + break; + case QEMU_OPTION_drop_log: + { + FILE *drop_log_fd; + drop_log_fd = fopen(optarg, "w"); + + if (!drop_log_fd) { + fprintf(stderr, "Cannot open drop log: %s\n", optarg); + exit(1); + } + slirp_set_drop_log_fd(drop_log_fd); + } + break; case QEMU_OPTION_bt: add_device_config(DEV_BT, optarg);