Re: [Qemu-devel] [PATCH 1/1] slirp: add SOCKS5 support

[Laurent Vivier]

Le 03/04/2017 à 13:41, Daniel P. Berrange a écrit :
> On Mon, Mar 27, 2017 at 01:41:36PM -0500, Eric Blake wrote:
>> On 03/27/2017 01:21 PM, Laurent Vivier wrote:
>>> When the VM is used behind a firewall, This allows
>>> to use a SOCKS5 proxy server to connect the VM IP stack
>>
>> "allows to $verb" is not idiomatic English; the correct forms are
>> generally "allows $subject to $verb" or "allows ${verb}ing".  In this
>> case, I'd lean towards "this allows the use of a SOCKS5 proxy server"
>>
>>> directly to the Internet.
>>>
>>> This implementation doesn't manage UDP packets, so they
>>> are simply dropped (as with restrict=on), except for
>>> the localhost as we need it for DNS.
>>>
>>> Signed-off-by: Laurent Vivier <address@hidden>
>>> ---
>>
>>> +++ b/qapi-schema.json
>>> @@ -3680,6 +3680,9 @@
>>>      '*ipv6-dns':         'str',
>>>      '*smb':       'str',
>>>      '*smbserver': 'str',
>>> +    '*proxy-server': 'str',
>>> +    '*proxy-user':   'str',
>>> +    '*proxy-passwd': 'str',
>>
>> Why can't we spell this out as password, instead of abbreviating?
>> Should this hook into the "secrets object" framework so that someone
>> does not have to pass the password in plaintext?
> 
> Yes.
> 
>>> address@hidden address@hidden:@var{port}[,address@hidden,address@hidden
>>
>> Yes, you DEFINITELY need to hook into the "secrets object" framework to
>> avoid having to pass a password in plaintext on the command line.  Dan
>> Berrange may have more advice on doing that.
> 
> Agreed, this needs to use the secrets framework.
> 
> Rename 'proxy-password' to 'proxy-password-secret'. It'll provide the ID of
> a secret's object. Given that you can use qcrypto_secret_lookup_as_utf8()
> to get the associated password data. There's a few examples in the code
> eg crypto/tlscredsx509.c is a fairly simple example. Ping me if you want
> more help

Please see the v2: https://patchwork.ozlabs.org/patch/744497/

I forgot the to cc' you and Eric.

Laurent