Re: [OE-core] [PATCH 2/2] runqemu: limit slirp host port forwarding to localhost 127.0.0.1

Thu, 17 Nov 2022 05:17:24 -0800 

Hi Mikko,

On 11/14/22 16:50, Mikko Rapeli wrote:

With default slirp port forwarding config qemu listens on TCP ports
2222 and 2323 on all IP addresses available on the build host. Most
use cases with runqemu only need it for localhost and it is not
safe to run qemu images with root login without password enabled
and listening on all available, possibly Internet reachable network
interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP
address. Now qemu machine SSH and telnet ports are only
reachable from the build host machine, not full Internet.

If qemu machine needs to be reachable from network, then it can
be enabled via local.conf or machine config variable QB_SLIRP_OPT:

QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22"

Signed-off-by: Mikko Rapeli <[email protected]>
---
  scripts/runqemu | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runqemu b/scripts/runqemu
index a6ea578564..7bd9465593 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1071,7 +1071,7 @@ class BaseConfig(object):
          logger.info("Network configuration:%s", netconf)
          self.kernel_cmdline_script += netconf
          # Port mapping
-        hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23"
+        hostfwd = 
",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"
With the additional knowledge we gathered in the last patches, I believe it would be a good thing to say a few words/update the documentation.
See https://lore.kernel.org/yocto-docs/[email protected]/T/#t for a patch I believe might make it to master soon? I think we should say what the default value entails (even if this patch isnt' taken) and maybe point/refer to the QEMU documentation for the meaning of options in QB_SLIRP_OPT. I believe some/all of options listed https://www.qemu.org/docs/master/system/invocation.html are possible? 

What do you think?

Cheers,
Quentin

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173422): 
https://lists.openembedded.org/g/openembedded-core/message/173422
Mute This Topic: https://lists.openembedded.org/mt/95021917/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to