1. Patchew
  2. Libvirt
  3. [libvirt] [PATCH v2 00/21] nwfilter: refactor the driver to make it independent of virt drivers
  4. View patch

[libvirt] [PATCH v2 14/21] conf: report an error if nic needs filtering by no driver is present

Daniel P. Berrangé posted 21 patches 7 years, 7 months ago
There is a newer version of this series
[libvirt] [PATCH v2 14/21] conf: report an error if nic needs filtering by no driver is present
Posted by Daniel P. Berrangé 7 years, 7 months ago 
If a <interface> includes a filter name but the nwfilter driver is not
present we silently do nothing. This is very bad, because an application
that thinks it is protected by malicious guest traffic will in fact be
vulnerable. Reporting an error gives the administrator the ability to
know there is a problem and fix it.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/conf/domain_nwfilter.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/conf/domain_nwfilter.c b/src/conf/domain_nwfilter.c
index e360aceeba..7570e0ae83 100644
--- a/src/conf/domain_nwfilter.c
+++ b/src/conf/domain_nwfilter.c
@@ -28,6 +28,9 @@
 #include "datatypes.h"
 #include "domain_conf.h"
 #include "domain_nwfilter.h"
+#include "virerror.h"
+
+#define VIR_FROM_THIS VIR_FROM_NWFILTER
 
 static virDomainConfNWFilterDriverPtr nwfilterDriver;
 
@@ -44,8 +47,10 @@ virDomainConfNWFilterInstantiate(const char *vmname,
 {
     if (nwfilterDriver != NULL)
         return nwfilterDriver->instantiateFilter(vmname, vmuuid, net);
-    /* driver module not available -- don't indicate failure */
-    return 0;
+
+    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                   _("No network filter driver available"));
+    return -1;
 }
 
 void
-- 
2.17.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2 14/21] conf: report an error if nic needs filtering by no driver is present
Posted by John Ferlan 7 years, 7 months ago 

On 05/15/2018 01:43 PM, Daniel P. Berrangé wrote:
> If a <interface> includes a filter name but the nwfilter driver is not
> present we silently do nothing. This is very bad, because an application
> that thinks it is protected by malicious guest traffic will in fact be
> vulnerable. Reporting an error gives the administrator the ability to
> know there is a problem and fix it.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  src/conf/domain_nwfilter.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 

Reviewed-by: John Ferlan <jferlan@redhat.com>

John

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.