From 36a12736f39da72dba98b843def645e5e4ed0afb Mon Sep 17 00:00:00 2001
Message-Id: <36a12736f39da72dba98b843def645e5e4ed0afb@dist-git>
From: Laine Stump <laine@redhat.com>
Date: Fri, 15 Jan 2021 22:51:49 -0500
Subject: [PATCH] util: always check for ebtables/iptables binaries, even when
 using firewalld

Even though *we* don't call ebtables/iptables/ip6tables (yet) when the
firewalld backend is selected, firewalld does, so these binaries need
to be there; let's check for them. (Also, the patch after this one is
going to start execing those binaries directly rather than via
firewalld).

https://bugzilla.redhat.com/1607929

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 56dd128bd06c38fab4256a098124d47d803e919a)
Message-Id: <20210116035151.1066734-7-laine@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/util/virfirewall.c | 56 ++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 30 deletions(-)

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 2e3b02402e..520d515c11 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -100,24 +100,38 @@ VIR_ONCE_GLOBAL_INIT(virFirewall);
 static int
 virFirewallValidateBackend(virFirewallBackend backend)
 {
-    VIR_DEBUG("Validating backend %d", backend);
+    const char *commands[] = {
+        IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
+    };
+    size_t i;
+
+    for (i = 0; i < G_N_ELEMENTS(commands); i++) {
+        if (!virFileIsExecutable(commands[i])) {
+            virReportSystemError(errno,
+                                 _("%s not available, firewall backend will not function"),
+                                 commands[i]);
+            return -1;
+        }
+    }
+    VIR_DEBUG("found iptables/ip6tables/ebtables");
+
     if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
         backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
         int rv = virFirewallDIsRegistered();
 
         VIR_DEBUG("Firewalld is registered ? %d", rv);
-        if (rv < 0) {
-            if (rv == -2) {
-                if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
-                    virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                                   _("firewalld firewall backend requested, but service is not running"));
-                    return -1;
-                } else {
-                    VIR_DEBUG("firewalld service not running, trying direct backend");
-                    backend = VIR_FIREWALL_BACKEND_DIRECT;
-                }
-            } else {
+
+        if (rv == -1)
+            return -1;
+
+        if (rv == -2) {
+            if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+                virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                               _("firewalld backend requested, but service is not running"));
                 return -1;
+            } else {
+                VIR_DEBUG("firewalld service not running, using direct backend");
+                backend = VIR_FIREWALL_BACKEND_DIRECT;
             }
         } else {
             VIR_DEBUG("firewalld service running, using firewalld backend");
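Review bot: The rewritten result handling after `virFirewallDIsRegistered()` returns early only for `rv == -1`, so any other negative value except -2 now falls into the final `else` and is treated as "firewalld service running", where the removed code rejected every `rv < 0` other than -2. If the helper is guaranteed to return only 0, -1 or -2 the two are equivalent, but that contract is not visible here; failing closed with `if (rv < 0 && rv != -2) return -1;` keeps the old behaviour for unexpected codes. Separately, the executable check is now unconditional and runs before backend selection, so a comment above the loop such as `/* firewalld itself execs these binaries, so they are required for every backend */` would record why a firewalld-only host can fail here. The function's closing lines are in the following hunk.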
@@ -125,25 +139,7 @@ virFirewallValidateBackend(virFirewallBackend backend)
         }
     }
 
-    if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
-        const char *commands[] = {
-            IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
-        };
-        size_t i;
-
-        for (i = 0; i < G_N_ELEMENTS(commands); i++) {
-            if (!virFileIsExecutable(commands[i])) {
-                virReportSystemError(errno,
-                                     _("direct firewall backend requested, but %s is not available"),
-                                     commands[i]);
-                return -1;
-            }
-        }
-        VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend");
-    }
-
     currentBackend = backend;
-
     return 0;
 }
 
-- 
2.30.0