On Thu, Aug 30, 2018 at 12:50:09PM -0400, John Ferlan wrote:
>
>
> On 08/30/2018 12:27 PM, Daniel P. Berrangé wrote:
> > On Thu, Aug 30, 2018 at 11:06:07AM -0400, John Ferlan wrote:
> >> Similar to nwfilterDefineXML, let's be sure a filter binding
> >> creation is not attempted in session mode and generate the proper
> >> error message.
> >>
> >> Failure to open nwfilter in session mode (nwfilterConnectOpen)
> >> fails already, but that doesn't stop the free thinker from using
> >> a different connection in order to attempt to create
> >> the binding. Although even doing that would result in a failure:
> >>
> >> $ virsh nwfilter-binding-create QEMUGuest1-binding.xml
> >> error: Failed to create network filter from QEMUGuest1-binding.xml
> >> error: internal error: Could not get access to ACL tech driver 'ebiptables'
> >>
> >> $
> >>
> >> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> >> --- > >> src/nwfilter/nwfilter_driver.c | 6 ++++++ > >> 1 file changed, 6 insertions(+) > >> > >> diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c > >> index ac3a964388..1ee5162b9a 100644 > >> --- a/src/nwfilter/nwfilter_driver.c > >> +++ b/src/nwfilter/nwfilter_driver.c 
> >> @@ -745,6 +745,12 @@ nwfilterBindingCreateXML(virConnectPtr conn, > >> > >> virCheckFlags(0, NULL); > >> > >> + if (!driver->privileged) { > >> + virReportError(VIR_ERR_OPERATION_INVALID, "%s", > >> + _("Can't define NWFilter bindings in session mode")); > >> + return NULL; > >> + } > >> + > >> def = virNWFilterBindingDefParseString(xml); > >> if (!def) > >> return NULL;
> >
> > How do we ever get to this point in a session daemon ?
>
> Like I noted in the commit message an enterprising user...
>
> With no guest running:
>
> $ virsh -c qemu:///session nwfilter-binding-create QEMUGuest1-binding.xml
> Network filter binding on tap0 created from QEMUGuest1-binding.xml

Oh, I see it is because when using qemu://session, we never actually
call the nwfilterConnectOpen method - it is opened implicitly.

So

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
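
Review bot: The error string in the added virReportError() call says "define", but the guarded function is nwfilterBindingCreateXML and the virsh command is nwfilter-binding-create, so "Can't create NWFilter bindings in session mode" would match the operation the caller actually attempted. The placement of the !driver->privileged check, after virCheckFlags() and before virNWFilterBindingDefParseString(), is sound because it rejects the request before any caller-supplied XML is parsed. Two follow-ups are worth considering. First, the commit message only shows the failing ebiptables case, while the reply shows the call succeeding via -c qemu:///session; that reproduction is the real justification for the check and belongs in the commit message. Second, since the thread establishes that a session connection reaches this driver without going through nwfilterConnectOpen, this hunk closes only the create path, so the other binding entry points in nwfilter_driver.c should be checked for the same guard.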