If a <interface> includes a filter name but the nwfilter driver is not
present we silently do nothing. This is very bad, because an application
that thinks it is protected by malicious guest traffic will in fact be
vulnerable. Reporting an error gives the administrator the ability to
know there is a problem and fix it.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/conf/domain_nwfilter.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/conf/domain_nwfilter.c b/src/conf/domain_nwfilter.c
index e360aceeba..7570e0ae83 100644
--- a/src/conf/domain_nwfilter.c
+++ b/src/conf/domain_nwfilter.c
@@ -28,6 +28,9 @@
 #include "datatypes.h"
 #include "domain_conf.h"
 #include "domain_nwfilter.h"
+#include "virerror.h"
+
+#define VIR_FROM_THIS VIR_FROM_NWFILTER
 
 static virDomainConfNWFilterDriverPtr nwfilterDriver;
 
@@ -44,8 +47,10 @@ virDomainConfNWFilterInstantiate(const char *vmname,
 {
     if (nwfilterDriver != NULL)
         return nwfilterDriver->instantiateFilter(vmname, vmuuid, net);
-    /* driver module not available -- don't indicate failure */
-    return 0;
+
+    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                   _("No network filter driver available"));
+    return -1;
 }
 
 void
-- 
2.17.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

$SUBJ:

s/by/but


On 06/14/2018 08:33 AM, Daniel P. Berrangé wrote:
> If a <interface> includes a filter name but the nwfilter driver is not
> present we silently do nothing. This is very bad, because an application
> that thinks it is protected by malicious guest traffic will in fact be
> vulnerable. Reporting an error gives the administrator the ability to
> know there is a problem and fix it.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  src/conf/domain_nwfilter.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 

Reviewed-by: John Ferlan <jferlan@redhat.com>

John

However/But/FWIW:
I know this method changes again in patch 20; however, it's easier to
describe now... All callers except 1 will only call here if net->filter
is true. The one outlier is the error path in qemuDomainChangeNetFilter
which will call with olddev before checking if olddev->filter was true.

Looking at qemuDomainChangeNet the STRNEQ_NULLABLE is used on
olddev->filter and newdev->filter, so I think we could currently end up
in a fairly strange place - although there will be errors eventually
from virNWFilterInstantiateFilterUpdate when @filtername is not found.

I'm tempted to suggest moving the net->filter check into here, but I
know that by patch 20 all that changes again. It's fine to do things
later, but figured while it was fresh in my mind - I'd note it.

> diff --git a/src/conf/domain_nwfilter.c b/src/conf/domain_nwfilter.c
> index e360aceeba..7570e0ae83 100644
> --- a/src/conf/domain_nwfilter.c
> +++ b/src/conf/domain_nwfilter.c
> @@ -28,6 +28,9 @@
>  #include "datatypes.h"
>  #include "domain_conf.h"
>  #include "domain_nwfilter.h"
> +#include "virerror.h"
> +
> +#define VIR_FROM_THIS VIR_FROM_NWFILTER
>  
>  static virDomainConfNWFilterDriverPtr nwfilterDriver;
>  
> @@ -44,8 +47,10 @@ virDomainConfNWFilterInstantiate(const char *vmname,
>  {
>      if (nwfilterDriver != NULL)
>          return nwfilterDriver->instantiateFilter(vmname, vmuuid, net);
> -    /* driver module not available -- don't indicate failure */
> -    return 0;
> +
> +    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                   _("No network filter driver available"));
> +    return -1;
>  }
>  
>  void
> 

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list