VirtualBox

Changeset 92093 in vbox for trunk/src/VBox/Devices/Network


Ignore:
Timestamp:
Oct 27, 2021 8:18:16 AM (3 years ago)
Author:
vboxsync
Message:

Devices/Network/NAT: Add option to disallow traffic from the guest to reach the host's loopback interface, bugref:9896

Location:
trunk/src/VBox/Devices/Network
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/VBox/Devices/Network/DrvNAT.cpp

    r91897 r92093  
    15991599                                  "|ICMPCacheLimit"
    16001600                                  "|SoMaxConnection"
     1601                                  "|LocalhostReachable"
    16011602//#ifdef VBOX_WITH_DNSMAPPING_IN_HOSTRESOLVER
    16021603                                  "|HostResolverMappings"
     
    16261627    int iIcmpCacheLimit = 100;
    16271628    GET_S32(rc, pDrvIns, pCfg, "ICMPCacheLimit", iIcmpCacheLimit);
     1629    bool fLocalhostReachable = false;
     1630    GET_BOOL(rc, pDrvIns, pCfg, "LocalhostReachable", fLocalhostReachable);
    16281631
    16291632    i32AliasMode |= (i32MainAliasMode & 0x1 ? 0x1 : 0);
     
    16661669    rc = slirp_init(&pThis->pNATState, RT_H2N_U32(Network.u), Netmask.u,
    16671670                    fPassDomain, !!fUseHostResolver, i32AliasMode,
    1668                     iIcmpCacheLimit, pThis);
     1671                    iIcmpCacheLimit, fLocalhostReachable, pThis);
    16691672    if (RT_SUCCESS(rc))
    16701673    {
  • trunk/src/VBox/Devices/Network/slirp/ip_icmp.c

    r85082 r92093  
    481481                || CTL_CHECK(dst, CTL_TFTP))
    482482            {
     483                /* Don't reply to ping requests for the hosts loopback interface if it is disabled. */
     484                if (   CTL_CHECK(dst, CTL_ALIAS)
     485                    && !pData->fLocalhostReachable)
     486                    goto done;
     487
    483488                uint8_t echo_reply = ICMP_ECHOREPLY;
    484489                m_copyback(pData, m, hlen + RT_OFFSETOF(struct icmp, icmp_type),
  • trunk/src/VBox/Devices/Network/slirp/libslirp.h

    r82968 r92093  
    4747#endif
    4848
    49 int slirp_init(PNATState *, uint32_t, uint32_t, bool, bool, int, int, void *);
     49int slirp_init(PNATState *, uint32_t, uint32_t, bool, bool, int, int, bool, void *);
    5050void slirp_register_statistics(PNATState pData, PPDMDRVINS pDrvIns);
    5151void slirp_deregister_statistics(PNATState pData, PPDMDRVINS pDrvIns);
  • trunk/src/VBox/Devices/Network/slirp/slirp.c

    r87126 r92093  
    299299int slirp_init(PNATState *ppData, uint32_t u32NetAddr, uint32_t u32Netmask,
    300300               bool fPassDomain, bool fUseHostResolver, int i32AliasMode,
    301                int iIcmpCacheLimit, void *pvUser)
     301               int iIcmpCacheLimit, bool fLocalhostReachable, void *pvUser)
    302302{
    303303    int rc;
     
    316316    pData->fUseHostResolver = fUseHostResolver;
    317317    pData->fUseHostResolverPermanent = fUseHostResolver;
     318    pData->fLocalhostReachable = fLocalhostReachable;
    318319    pData->pvUser = pvUser;
    319320    pData->netmask = u32Netmask;
     
    13531354                || CTL_CHECK(ip4TargetAddress, CTL_TFTP))
    13541355            {
     1356#if 0 /* Dropping ARP requests destined for CTL_ALIAS breaks all outgoing traffic completely, so don't do that... */
     1357                /* Don't reply to ARP requests for the hosts loopback interface if it is disabled. */
     1358                if (   CTL_CHECK(ip4TargetAddress, CTL_ALIAS)
     1359                    && !pData->fLocalhostReachable)
     1360                    break;
     1361#endif
    13551362                slirp_update_guest_addr_guess(pData, *(uint32_t *)pARPHeader->ar_sip, "arp request");
    13561363                arp_output(pData, pEtherHeader->h_source, pARPHeader, ip4TargetAddress);
  • trunk/src/VBox/Devices/Network/slirp/slirp_state.h

    r82968 r92093  
    287287    /* this field control behaviour of DHCP server */
    288288    bool fUseDnsProxy;
     289    /** Flag whether the guest can contact services on the host's
     290     * loopback interface (127.0.0.1/localhost). */
     291    bool fLocalhostReachable;
    289292
    290293    LIST_HEAD(RT_NOTHING, libalias) instancehead;
  • trunk/src/VBox/Devices/Network/slirp/tcp_input.c

    r86843 r92093  
    502502    }
    503503    LogFlowFunc(("(leave) findso: %R[natsock]\n", so));
     504
     505    /*
     506     * Check whether the packet is targeting CTL_ALIAS and drop it if the connection wasn't
     507     * initiated by localhost (so == NULL), see @bugref{9896}.
     508     */
     509    if (   (RT_N2H_U32(ti->ti_dst.s_addr) & ~pData->netmask) == CTL_ALIAS
     510        && !pData->fLocalhostReachable
     511        && !so)
     512    {
     513        LogFlowFunc(("Packet for CTL_ALIAS and fLocalhostReachable=false so=NULL -> drop\n"));
     514        goto drop;
     515    }
    504516
    505517    /*
  • trunk/src/VBox/Devices/Network/slirp/udp.c

    r82968 r92093  
    233233
    234234    /*
     235     * Drop UDP packets destind for CTL_ALIAS (i.e. the hosts loopback interface)
     236     * if it is disabled.
     237     */
     238    if (   CTL_CHECK(ip->ip_dst.s_addr, CTL_ALIAS)
     239        && !pData->fLocalhostReachable)
     240        goto done_free_mbuf;
     241
     242    /*
    235243     * Locate pcb for datagram.
    236244     */
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette