|
|
397dc2 |
From 36a12736f39da72dba98b843def645e5e4ed0afb Mon Sep 17 00:00:00 2001
|
|
|
397dc2 |
Message-Id: <36a12736f39da72dba98b843def645e5e4ed0afb@dist-git>
|
|
|
397dc2 |
From: Laine Stump <laine@redhat.com>
|
|
|
397dc2 |
Date: Fri, 15 Jan 2021 22:51:49 -0500
|
|
|
397dc2 |
Subject: [PATCH] util: always check for ebtables/iptables binaries, even when
|
|
|
397dc2 |
using firewalld
|
|
|
397dc2 |
|
|
|
397dc2 |
Even though *we* don't call ebtables/iptables/ip6tables (yet) when the
|
|
|
397dc2 |
firewalld backend is selected, firewalld does, so these binaries need
|
|
|
397dc2 |
to be there; let's check for them. (Also, the patch after this one is
|
|
|
397dc2 |
going to start execing those binaries directly rather than via
|
|
|
397dc2 |
firewalld).
|
|
|
397dc2 |
|
|
|
397dc2 |
https://bugzilla.redhat.com/1607929
|
|
|
397dc2 |
|
|
|
397dc2 |
Signed-off-by: Laine Stump <laine@redhat.com>
|
|
|
397dc2 |
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
|
397dc2 |
(cherry picked from commit 56dd128bd06c38fab4256a098124d47d803e919a)
|
|
|
397dc2 |
Message-Id: <20210116035151.1066734-7-laine@redhat.com>
|
|
|
397dc2 |
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
397dc2 |
---
|
|
|
397dc2 |
src/util/virfirewall.c | 56 ++++++++++++++++++++----------------------
|
|
|
397dc2 |
1 file changed, 26 insertions(+), 30 deletions(-)
|
|
|
397dc2 |
|
|
|
397dc2 |
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
|
|
|
397dc2 |
index 2e3b02402e..520d515c11 100644
|
|
|
397dc2 |
--- a/src/util/virfirewall.c
|
|
|
397dc2 |
+++ b/src/util/virfirewall.c
|
|
|
397dc2 |
@@ -100,24 +100,38 @@ VIR_ONCE_GLOBAL_INIT(virFirewall);
|
|
|
397dc2 |
static int
|
|
|
397dc2 |
virFirewallValidateBackend(virFirewallBackend backend)
|
|
|
397dc2 |
{
|
|
|
397dc2 |
- VIR_DEBUG("Validating backend %d", backend);
|
|
|
397dc2 |
+ const char *commands[] = {
|
|
|
397dc2 |
+ IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
|
|
|
397dc2 |
+ };
|
|
|
397dc2 |
+ size_t i;
|
|
|
397dc2 |
+
|
|
|
397dc2 |
+ for (i = 0; i < G_N_ELEMENTS(commands); i++) {
|
|
|
397dc2 |
+ if (!virFileIsExecutable(commands[i])) {
|
|
|
397dc2 |
+ virReportSystemError(errno,
|
|
|
397dc2 |
+ _("%s not available, firewall backend will not function"),
|
|
|
397dc2 |
+ commands[i]);
|
|
|
397dc2 |
+ return -1;
|
|
|
397dc2 |
+ }
|
|
|
397dc2 |
+ }
|
|
|
397dc2 |
+ VIR_DEBUG("found iptables/ip6tables/ebtables");
|
|
|
397dc2 |
+
|
|
|
397dc2 |
if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
|
|
|
397dc2 |
backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
|
|
|
397dc2 |
int rv = virFirewallDIsRegistered();
|
|
|
397dc2 |
|
|
|
397dc2 |
VIR_DEBUG("Firewalld is registered ? %d", rv);
|
|
|
397dc2 |
- if (rv < 0) {
|
|
|
397dc2 |
- if (rv == -2) {
|
|
|
397dc2 |
- if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
|
|
|
397dc2 |
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
397dc2 |
- _("firewalld firewall backend requested, but service is not running"));
|
|
|
397dc2 |
- return -1;
|
|
|
397dc2 |
- } else {
|
|
|
397dc2 |
- VIR_DEBUG("firewalld service not running, trying direct backend");
|
|
|
397dc2 |
- backend = VIR_FIREWALL_BACKEND_DIRECT;
|
|
|
397dc2 |
- }
|
|
|
397dc2 |
- } else {
|
|
|
397dc2 |
+
|
|
|
397dc2 |
+ if (rv == -1)
|
|
|
397dc2 |
+ return -1;
|
|
|
397dc2 |
+
|
|
|
397dc2 |
+ if (rv == -2) {
|
|
|
397dc2 |
+ if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
|
|
|
397dc2 |
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
397dc2 |
+ _("firewalld backend requested, but service is not running"));
|
|
|
397dc2 |
return -1;
|
|
|
397dc2 |
+ } else {
|
|
|
397dc2 |
+ VIR_DEBUG("firewalld service not running, using direct backend");
|
|
|
397dc2 |
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
|
|
|
397dc2 |
}
|
|
|
397dc2 |
} else {
|
|
|
397dc2 |
VIR_DEBUG("firewalld service running, using firewalld backend");
|
|
|
397dc2 |
@@ -125,25 +139,7 @@ virFirewallValidateBackend(virFirewallBackend backend)
|
|
|
397dc2 |
}
|
|
|
397dc2 |
}
|
|
|
397dc2 |
|
|
|
397dc2 |
- if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
|
|
|
397dc2 |
- const char *commands[] = {
|
|
|
397dc2 |
- IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
|
|
|
397dc2 |
- };
|
|
|
397dc2 |
- size_t i;
|
|
|
397dc2 |
-
|
|
|
397dc2 |
- for (i = 0; i < G_N_ELEMENTS(commands); i++) {
|
|
|
397dc2 |
- if (!virFileIsExecutable(commands[i])) {
|
|
|
397dc2 |
- virReportSystemError(errno,
|
|
|
397dc2 |
- _("direct firewall backend requested, but %s is not available"),
|
|
|
397dc2 |
- commands[i]);
|
|
|
397dc2 |
- return -1;
|
|
|
397dc2 |
- }
|
|
|
397dc2 |
- }
|
|
|
397dc2 |
- VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend");
|
|
|
397dc2 |
- }
|
|
|
397dc2 |
-
|
|
|
397dc2 |
currentBackend = backend;
|
|
|
397dc2 |
-
|
|
|
397dc2 |
return 0;
|
|
|
397dc2 |
}
|
|
|
397dc2 |
|
|
|
397dc2 |
--
|
|
|
397dc2 |
2.30.0
|
|
|
397dc2 |
|