From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH v2 1/5] conf: Don't configure port forwarding for a disabled protocol
Date: Wed, 17 Jul 2024 10:36:00 +1000
Message-ID: <20240717003604.1577052-2-david@gibson.dropbear.id.au>
In-Reply-To: <20240717003604.1577052-1-david@gibson.dropbear.id.au>

UDP and/or TCP can be disabled with the --no-udp and --no-tcp options.
However, when this is specified, it's still possible to configure forwarded
ports for the disabled protocol. In some cases this will open sockets and
perform other actions, which might not be safe since the entire protocol
won't be initialised.

Check for this case, and explicitly forbid it.

Signed-off-by: David Gibson
--- conf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/conf.c b/conf.c index 3c38cebc..629eb897 100644 --- a/conf.c +++ b/conf.c
@@ -132,6 +132,11 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, return; } + if ((optname == 't' || optname == 'T') && c->no_tcp) + die("TCP port forwarding requested but TCP is disabled"); + if ((optname == 'u' || optname == 'U') && c->no_udp) + die("UDP port forwarding requested but UDP is disabled"); + if (!strcmp(optarg, "auto")) { if (fwd->mode) goto mode_conflict; -- 2.45.2
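Review bot: the two new checks in conf_ports() sit after the early `return;` of the preceding block, so whatever option value that block handles is still accepted for a disabled protocol. If that is intended because nothing gets opened on that path, a one-line comment above the checks would say so; otherwise they belong at the top of the function. The checks also read c->no_tcp and c->no_udp at the moment conf_ports() runs, so they only hold if --no-tcp and --no-udp have already been parsed by the time -t, -T, -u or -U is handled, whatever the order on the command line; the commit message could state that this is guaranteed. A smaller point: the die() messages would be easier to act on if they named the offending option (optname).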