[libvirt] [PATCH 3/5] qemu: Add configuration options to enable TCP tunelling

Thu Dec 6 18:36:22 UTC 2012

This patch adds configuration options for the qemu driver to control the
behavior of the TCP tunelling API. The behavior can be configured
separately for read-write connections and for read-only connections
enabling finer granularity of control.
---
 src/qemu/qemu.conf   | 16 ++++++++++++++++
 src/qemu/qemu_conf.c | 26 ++++++++++++++++++++++++++
 src/qemu/qemu_conf.h | 13 +++++++++++++
 3 files changed, 55 insertions(+)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index dd853c8..3378a01 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -153,6 +153,22 @@
 #remote_display_port_min = 5900
 #remote_display_port_max = 65535

+##
+# TCP tunneling
+#
+# Libvirt supports TCP tunneling using libvirt's streams. This can be used
+# to forward graphical display and other connections from remote clients
+# to the host machine. This might pose a security risk so the tunneling
+# option is disabled by default.
+#
+# Possible values are: "disable" - don't allow any tcp tunnels
+#                      "local" - allow connections only to the host node
+#                      "enable" - allow tunneling to any node
+#
+# Configuration of forwarding for read-write connections:
+#tunnel_tcp_rw = "enable"
+# Configuration of forwarding for read-only connections:
+#tunnel_tcp_ro = "local"

 # The default security driver is SELinux. If SELinux is disabled
 # on the host, then the security driver will automatically disable
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 8d380a1..396e5d9 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -57,6 +57,11 @@

 #define VIR_FROM_THIS VIR_FROM_QEMU

+VIR_ENUM_IMPL(qemuTunnelTcpConfig, QEMU_TCP_TUNNEL_LAST,
+              "disable",
+              "local",
+              "enable");
+
 struct _qemuDriverCloseDef {
     virConnectPtr conn;
     qemuDriverCloseCallback cb;
@@ -78,6 +83,7 @@ int qemuLoadDriverConfig(virQEMUDriverPtr driver,
     virConfValuePtr p;
     char *user = NULL;
     char *group = NULL;
+    char *tmp;
     int ret = -1;
     int i;

@@ -375,6 +381,26 @@ int qemuLoadDriverConfig(virQEMUDriverPtr driver,
     GET_VALUE_LONG("keepalive_count", driver->keepAliveCount);
     GET_VALUE_LONG("seccomp_sandbox", driver->seccompSandbox);

+    tmp = NULL;
+    GET_VALUE_STR("tunnel_tcp_ro", tmp);
+    if (tmp &&
+        (driver->tunnelTcpRo = qemuTunnelTcpConfigTypeFromString(tmp)) < 0) {
+        virReportError(VIR_ERR_CONF_SYNTAX,
+                       _("Invalid value '%s' for config option tunnel_tcp_ro"),
+                       tmp);
+        goto cleanup;
+    }
+
+    tmp = NULL;
+    GET_VALUE_STR("tunnel_tcp_rw", tmp);
+    if (tmp &&
+        (driver->tunnelTcpRw = qemuTunnelTcpConfigTypeFromString(tmp)) < 0) {
+        virReportError(VIR_ERR_CONF_SYNTAX,
+                       _("Invalid value '%s' for config option tunnel_tcp_rw"),
+                       tmp);
+        goto cleanup;
+    }
+
     ret = 0;

 cleanup:
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index d0d25ce..0d2d66b 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -163,8 +163,21 @@ struct _virQEMUDriver {
     int keepAliveInterval;
     unsigned int keepAliveCount;
     int seccompSandbox;
+
+    int tunnelTcpRo;
+    int tunnelTcpRw;
 };

+enum qemuTunnelTcpConfigType {
+    QEMU_TCP_TUNNEL_DISABLE = 0,
+    QEMU_TCP_TUNNEL_LOCAL,
+    QEMU_TCP_TUNNEL_ENABLE,
+
+    QEMU_TCP_TUNNEL_LAST
+};
+
+VIR_ENUM_DECL(qemuTunnelTcpConfig);
+
 typedef struct _qemuDomainCmdlineDef qemuDomainCmdlineDef;
 typedef qemuDomainCmdlineDef *qemuDomainCmdlineDefPtr;
 struct _qemuDomainCmdlineDef {
-- 
1.8.0


