<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;"><div>Hi</div><div><br></div><div>On Wed, 14-11-2018 at 12:49 +0100, Victor Toso wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Hi,</pre><pre><br></pre><pre>On Wed, Nov 14, 2018 at 11:38:23AM +0900, Boris Morozov wrote:</pre>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<pre>Hello, dear friends. I would like to share an idea with you about</pre>
<pre>a new feature. Please forgive me if I am wrong.</pre>
<pre><br></pre>
<pre>The current approach to publishing ports from a virtual machine is</pre>
<pre>connecting it to the network with a network adapter.</pre>
<pre><br></pre>
<pre>In this case the administrator has to write:</pre>
<pre>- Routes</pre>
<pre>- DNS records</pre>
<pre>- Firewall rules</pre>
<pre><br></pre>
<pre>As a final result:</pre>
<pre>- The virtual machine starts going to the Internet from the host's</pre>
<pre> local or ISP network.</pre>
<pre>- The virtual machine user can attack gateways and peer nodes in</pre>
<pre> the host network.</pre>
<pre>- The virtual machine user can attack global sites and services</pre>
<pre> and leave the host IP; this will raise problems with the owners</pre>
<pre> of the attacked sites and services, and with the authorities.</pre>
<pre>- The virtual machine user can download illegal or forbidden</pre>
<pre> content and leave the host IP; this will raise problems with</pre>
<pre> the authorities.</pre>
<pre>- The virtual machine can be attacked from other nodes in the</pre>
<pre> host network and the Internet.</pre>
<pre>The Internet gateway on the host network has to open extra ports</pre>
<pre>to provide access to the virtual machine.</pre>
<pre>- Some of the host's computing power is spent on NIC and</pre>
<pre> network emulation.</pre>
<pre>- Some of the administrator's time is spent configuring and</pre>
<pre> testing routing, DNS and the firewall.</pre>
<pre><br></pre>
<pre>To avoid these responsibility and performance problems, and to</pre>
<pre>reduce configuration time when public access to the virtual</pre>
<pre>machine is not needed, a better way is to tunnel ports on the</pre>
<pre>virtual machine from the guest, and vice versa, over SPICE.</pre>
</blockquote>
<pre><br></pre>
<pre>I think that was implemented at some point in the past; we do</pre>
<pre>have the deprecated type SPICE_CHANNEL_TUNNEL and, AFAIK,</pre>
<pre>something like using the client's Internet in the guest was</pre>
<pre>supported.</pre>
<pre><br></pre>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<pre>In the case of port tunneling over SPICE:</pre>
<pre><br></pre>
<pre>1. Services are running in the virtual machine and have opened</pre>
<pre> ports (HTTP, SSH for example) on localhost (127.0.0.1).</pre>
<pre>2. The SPICE guest agent in the virtual machine opens a client port</pre>
<pre> and becomes ready to connect to the service ports from the client</pre>
<pre> port and redirect data to the SPICE channel.</pre>
<pre>3. At the other end of the SPICE channel, on the client, the SPICE</pre>
<pre> client opens ports for listening for incoming connections on the</pre>
<pre> client's localhost (127.0.0.1).</pre>
<pre>4. The client user connects to the tunneled ports on the client-side</pre>
<pre> localhost and starts working with the tunneled ports as with local</pre>
<pre> ones.</pre>
<pre>5. The SPICE client and guest agent perform the traffic redirection.</pre>
<pre><br></pre>
<pre>As we can see, the offered approach is simpler. It can't be used</pre>
<pre>instead of the traditional approach for public access, but for</pre>
<pre>personal access it looks better. It also looks possible to tunnel</pre>
<pre>not only localhost ports on the virtual machine but also other</pre>
<pre>nodes' ports, if the network is working.</pre>
<pre><br></pre>
<pre>Use cases:</pre>
<pre>- Web browsing of virtual machine sites on the client machine</pre>
<pre>- Web site and network service (daemon) development</pre>
<pre>- Internet access in the virtual machine via proxies on the client</pre>
<pre> (TOR, VPN, SOCKS, HTTP)</pre>
<pre>- Monitoring (getting access to APIs and dashboards) of various</pre>
<pre> services: printers, miners, solar power chargers, UPSs and</pre>
<pre> others.</pre>
<pre>- File transfer between client and virtual machine via FTP,</pre>
<pre> SFTP, HTTP</pre>
<pre>- Stream transfer (video, audio and others) between client and</pre>
<pre> virtual machine.</pre>
<pre>- VDI hosting (isolated preinstalled VM without NIC)</pre>
</blockquote>
<pre><br></pre>
<pre>Are you only suggesting the feature or do you plan to implement</pre>
<pre>it? If the latter, the best way to make the guest talk to the client</pre>
<pre>nowadays is by using a port channel. We do have a spice-webdavd</pre>
<pre>daemon that works in Windows and Linux guests and makes sharing a</pre>
<pre>folder possible (with the WebDAV protocol).</pre></blockquote><div><br></div><div>FYI, in flexVDI we have already implemented this feature. We just have not had the time to split it into meaningful patches and share it with the list. If you are really interested, we can try to dedicate some time to it.</div><div><br></div><div>Our implementation allows redirecting local and remote TCP ports, just like the -L and -R options in ssh. A SOCKS proxy shouldn't be hard to implement either. However, we did not use a separate channel. We use the main channel, as with file transfers, because the client communicates with the vdagent in the guest. Our changes affect spice-gtk, spice-protocol, vdagent-linux and vdagent-win32. Maybe it would be a better idea to have a separate channel+virtio_port+agent for this; what do you think?</div><div><br></div><div>You can have a look at our implementation in our spice-* repos at GitHub:</div><div><a href="https://github.com/flexvdi">https://github.com/flexvdi</a></div><div>The vdagent part is not there, but I could share the code with you if you are interested.</div><div><br></div><div>Best regards</div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre><br></pre><pre>Cheers,</pre><pre>Victor</pre><pre><br></pre><pre>_______________________________________________</pre><pre>Spice-devel mailing list</pre><pre><a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a></pre><pre><a href="https://lists.freedesktop.org/mailman/listinfo/spice-devel">https://lists.freedesktop.org/mailman/listinfo/spice-devel</a></pre><pre><br></pre></blockquote><div><span><pre>-- <br></pre>
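<div>Added example, not part of the original thread and not code from flexVDI or from the SPICE project: the client/guest-agent exchange that Boris's steps 1 to 5 describe, and the ssh -L style local forward Javier mentions, modelled in Python with threads and sockets. A socketpair stands in for the SPICE channel, a local echo server stands in for a service inside the guest, and the frame format (OPEN, DATA and CLOSE frames carrying a connection id) is an assumption of this example, not the wire format of any real agent. The guest agent connects only to 127.0.0.1 and only to ports on an explicit allow-list, which is the check a guest-side implementation needs so that a client cannot reach arbitrary guest services through the tunnel; a refused OPEN is answered with CLOSE so the client can tear down the local connection.</div>
<pre>
```python
import itertools
import socket
import struct
import threading

OPEN, DATA, CLOSE = 1, 2, 3  # frame types on the (simulated) SPICE channel
HDR = struct.Struct("!BIH")  # frame type, connection id, payload length

def send_frame(chan, ftype, cid, payload=b""):
    chan.sendall(HDR.pack(ftype, cid, len(payload)) + payload)

def recv_frame(chan):  # (type, cid, payload), or None once the channel is closed
    hdr = chan.recv(HDR.size, socket.MSG_WAITALL)
    if len(hdr) != HDR.size:
        return None
    ftype, cid, length = HDR.unpack(hdr)
    return ftype, cid, (chan.recv(length, socket.MSG_WAITALL) if length else b"")

def pump(src, chan, cid, lock, conns):  # TCP socket to DATA frames, then a CLOSE
    try:
        for data in iter(lambda: src.recv(4096), b""):
            with lock:
                send_frame(chan, DATA, cid, data)
    except OSError:
        pass
    with lock:
        send_frame(chan, CLOSE, cid)
    conns.pop(cid, None)
    src.close()

def relay(chan, conns, lock, allowed_ports=None):  # frame dispatch loop run by both ends
    # Only the guest agent passes allowed_ports (step 2): it connects to 127.0.0.1 only, and only
    # to ports on that allow-list, so the client cannot reach arbitrary services in the guest.
    while True:
        frame = recv_frame(chan)
        if frame is None:
            return
        ftype, cid, payload = frame
        if ftype == OPEN and allowed_ports is not None:
            try:
                (port,) = struct.unpack("!H", payload)
                if port not in allowed_ports:
                    raise OSError("port not on the allow-list")
                s = conns[cid] = socket.create_connection(("127.0.0.1", port))
                threading.Thread(target=pump, args=(s, chan, cid, lock, conns), daemon=True).start()
            except (OSError, struct.error):  # refused, malformed or unreachable: answer CLOSE
                with lock:
                    send_frame(chan, CLOSE, cid)
        elif ftype == DATA and cid in conns:
            conns[cid].sendall(payload)
        elif ftype == CLOSE and cid in conns:
            s = conns.pop(cid)
            try:
                s.shutdown(socket.SHUT_RDWR)  # wakes the pump thread blocked in recv()
            except OSError:
                pass
            s.close()

def serve(listener, handler):  # accept forever; handler(sock) runs on its own thread
    def loop():
        while True:
            try:
                s, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(s,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def spice_client(chan, forwards):  # steps 3-5: 127.0.0.1 listeners multiplexed over the channel
    conns, lock, counter = {}, threading.Lock(), itertools.count(1)
    def attach(s, guest_port):
        with lock:
            cid = next(counter)
            conns[cid] = s
            send_frame(chan, OPEN, cid, struct.pack("!H", guest_port))
        pump(s, chan, cid, lock, conns)
    for listener, guest_port in forwards:
        serve(listener, lambda s, p=guest_port: attach(s, p))
    relay(chan, conns, lock)

def echo(c):  # constructed stand-in for a service inside the guest (step 1)
    with c:
        for chunk in iter(lambda: c.recv(4096), b""):
            c.sendall(chunk)

def run_demo():  # returns (bytes echoed through the tunnel, bytes read on a refused port)
    svc, ok, bad = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    serve(svc, echo)
    svc_port = svc.getsockname()[1]
    client_end, guest_end = socket.socketpair()  # stands in for the SPICE channel
    threading.Thread(target=relay, args=(guest_end, {}, threading.Lock(), {svc_port}), daemon=True).start()
    forwards = [(ok, svc_port), (bad, 9)]  # port 9 is constructed and not on the allow-list
    threading.Thread(target=spice_client, args=(client_end, forwards), daemon=True).start()
    with socket.create_connection(("127.0.0.1", ok.getsockname()[1])) as u:
        u.sendall(b"hello through spice")
        echoed = u.recv(19, socket.MSG_WAITALL)  # the echo of the 19 bytes just sent
    with socket.create_connection(("127.0.0.1", bad.getsockname()[1])) as u:
        refused = u.recv(4096)  # guest answered CLOSE and the client tore the socket down
    return echoed, refused
```
</pre>
<div>Calling run_demo() returns (b"hello through spice", b""): the first user connection is accepted on the client's localhost, carried over the channel, connected by the agent to the guest service and echoed back, while the second is refused by the agent's allow-list and the user sees the local connection closed. The same relay loop serves both ends; only the guest side is ever given an allow-list, so the client never opens listeners on behalf of the guest. Flow control, per-connection back-pressure and the remote (-R) direction are left out of this example.</div>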
<br>
<br>
<table id="sig" width="480" cellspacing="0" cellpadding="0" border-spacing="0" style="width:480px;margin:0;padding:0;"><tbody><tr><td text-align="right" style="border-right:2px solid #4a4b4a;padding-right:10px;" valign="top">
<p style="padding: 0px; text-align: right;">
<a href="http://www.flexvdi.com" title="flexVDI"><img src="https://www.flexvdi.com/signature/logo.flexvdi.png" moz-do-not-send="true" alt="flexVDI" border="0" height="45" width="151">
</a>
</p>
<p style="padding: 5px 10px 0px 0px; font-size: 15px; font-weight: bold; color: rgb(62, 93, 107); line-height: 17px; height: 17px; text-align: right;">
<span style="float:right">Javier Celaya Alastrué</span>
</p>
<p style="padding: 0px 10px 0px 0px; font-size: 13px; font-style: italic; color: rgb(0, 161, 193); line-height: 17px; height: 17px; text-align: right;">Chief Technology Officer</p>
</td>
<td style="padding-left:18px;display:block;">
<p style="padding: 5px 0px 0px;">
<img src="https://flexvdi.com/signature/mail.png" moz-do-not-send="true" style="margin:1px 7px 0 0;" alt="email" align="left" height="17" width="17">
<a href="mailto:javier.celaya@flexvdi.com" style="font-size:14px;color:#727272;line-height:17px;height:17px;">javier.celaya@flexvdi.com</a>
</p>
<p style="padding: 5px 0px 0px;">
<img src="https://flexvdi.com/signature/phone.png" moz-do-not-send="true" style="margin:0 7px 0 0;" alt="Phone" align="left" height="17" width="17">
<span style="font-size:14px;color:#727272;line-height:17px;height:17px;">+34696969959</span>
</p>
<p style="padding: 5px 0px 0px;"> <img src="https://flexvdi.com/signature/skype.png" moz-do-not-send="true" style="margin:0 7px 0 0;" alt="Skype" align="left" height="17" width="17">
<span style="font-size:14px;color:#727272;line-height:17px;height:17px;">j_celaya</span>
</p>
<p style="padding: 5px 0px 0px;">
<img src="https://flexvdi.com/signature/legal.png" moz-do-not-send="true" style="margin:0 7px 0 0;" alt="Legal" align="left" height="17" width="17">
<a href="https://flexvdi.com/es/legal" style="font-size:14px;font-style:italic;color:#727272;line-height:17px;height:17px;">Legal Information and Privacy Policy</a>
</p>
</td>
</tr>
<tr>
<td colspan="2" height="300">
<p style="font-family:Helvetica,Arial;font-size:14px;font-style:italic;color:#313131;text-align: center; font-weight: bold">Confidentiality policy</p>
<p style="font-family:Helvetica,Arial;font-size:10px;font-style:italic;color:#313131;text-align: justify">This message and the attached files are confidential and are addressed exclusively to the recipient named in the header. If you have received this e-mail by mistake, please delete it from your system and do not disclose its content to third parties. The personal data provided by you or by third parties will be processed by FLEXIBLE SOFTWARE SOLUTIONS S.L.U. for the purpose of managing and maintaining the contacts and relationships that arise from your relationship with FLEXIBLE SOFTWARE SOLUTIONS S.L.U. Normally, the legal basis that legitimises this processing will be your consent, legitimate interest, or the need to manage a contractual or similar relationship. The retention period of your data will be determined by the relationship you maintain with us. For more information, or to exercise your rights of access, rectification, erasure, objection, restriction or portability, send a written communication to FLEXIBLE SOFTWARE SOLUTIONS S.L.U: Avenida de Ranillas 1D, Planta 3, Oficina 3G, Zaragoza, or to the e-mail address <a href="mailto:pdo@flexvdi.com" style="color:#313131">pdo@flexvdi.com</a>. If you consider that your right to personal data protection has been violated, you may file a complaint with the Spanish Data Protection Agency (<a href="http://www.agpd.es" style="color:#313131">www.agpd.es</a>). </p>
</td>
</tr>
</tbody></table></span></div></body></html>