From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH 1/5] conf: Don't configure port forwarding for a disabled protocol
Date: Tue, 16 Jul 2024 15:29:32 +1000
Message-ID: <20240716052936.1204164-2-david@gibson.dropbear.id.au>
In-Reply-To: <20240716052936.1204164-1-david@gibson.dropbear.id.au>
References: <20240716052936.1204164-1-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt

UDP and/or TCP can be disabled with the --no-udp and --no-tcp options. However, when this is specified, it's still possible to configure forwarded ports for the disabled protocol. In some cases this will open sockets and perform other actions, which might not be safe since the entire protocol won't be initialised.

Check for this case, and explicitly forbid it.

Signed-off-by: David Gibson

--- conf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/conf.c b/conf.c index 3c38cebc..629eb897 100644 --- a/conf.c +++ b/conf.c
@@ -132,6 +132,11 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, return; } + if ((optname == 't' || optname == 'T') && c->no_tcp) + die("TCP port forwarding requested but TCP is disabled"); + if ((optname == 'u' || optname == 'U') && c->no_udp) + die("UDP port forwarding requested but UDP is disabled"); + if (!strcmp(optarg, "auto")) { if (fwd->mode) goto mode_conflict; -- 2.45.2
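
Review bot: The two checks added ahead of the `if (!strcmp(optarg, "auto"))` test in conf_ports() only work if c->no_tcp and c->no_udp already hold their final values when a -t/-T/-u/-U option is processed. If conf_ports() can run before --no-tcp or --no-udp has been parsed, a command line that gives the forwarding option first and the disable option second would still get through. Please confirm the call order, or state the requirement in a comment above the checks. The checks also sit after the early `return;` of the preceding branch, so whatever case that branch handles is still accepted for a disabled protocol; if that is intended, the commit message should say so. The die() messages could include optname so the user can see which option triggered the error, and since the diffstat shows only conf.c changing, the new restriction is not documented anywhere outside the code.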