Even though *we* don't call ebtables/iptables/ip6tables (yet) when the firewalld backend is selected, firewalld does, so these binaries need to be there; let's check for them. (Also, the patch after this one is going to start execing those binaries directly rather than via firewalld).
Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/util/virfirewall.c | 56 ++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 30 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 694bb32f62..0b022b14af 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -99,24 +99,38 @@ VIR_ONCE_GLOBAL_INIT(virFirewall);
 static int
 virFirewallValidateBackend(virFirewallBackend backend)
 {
- VIR_DEBUG("Validating backend %d", backend);
+ const char *commands[] = {
+ IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
+ };
+ size_t i;
+
+ for (i = 0; i < G_N_ELEMENTS(commands); i++) {
+ if (!virFileIsExecutable(commands[i])) {
+ virReportSystemError(errno,
+ _("%s not available, firewall backend will not function"),
+ commands[i]);
+ return -1;
+ }
+ }
+ VIR_DEBUG("found iptables/ip6tables/ebtables");
+
 if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
 backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
 int rv = virFirewallDIsRegistered();
 
 VIR_DEBUG("Firewalld is registered ? %d", rv);
- if (rv < 0) {
- if (rv == -2) {
- if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("firewalld firewall backend requested, but service is not running"));
- return -1;
- } else {
- VIR_DEBUG("firewalld service not running, trying direct backend");
- backend = VIR_FIREWALL_BACKEND_DIRECT;
- }
- } else {
+
+ if (rv == -1)
+ return -1;
+
+ if (rv == -2) {
+ if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld backend requested, but service is not running"));
 return -1;
+ } else {
+ VIR_DEBUG("firewalld service not running, using direct backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
 }
 } else {
 VIR_DEBUG("firewalld service running, using firewalld backend");
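Review bot: The new `if (rv == -1) return -1;` rejects only one error value, so any other negative result from virFirewallDIsRegistered() now falls through to the final `else` and selects the firewalld backend, whereas the removed `if (rv < 0)` nesting failed for every negative value except -2. Unless that function is guaranteed to return only 0, -1 or -2 (its definition is not visible here), keep the fail-closed shape with `if (rv < 0 && rv != -2) return -1;`. Separately, the removed `VIR_DEBUG("Validating backend %d", backend);` was the only log of the requested backend in this hunk, and it would help when the new binary check fails before any backend is chosen. The function body continues past the end of this hunk.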
@@ -124,25 +138,7 @@ virFirewallValidateBackend(virFirewallBackend backend)
 }
 }
 
- if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
- const char *commands[] = {
- IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
- };
- size_t i;
-
- for (i = 0; i < G_N_ELEMENTS(commands); i++) {
- if (!virFileIsExecutable(commands[i])) {
- virReportSystemError(errno,
- _("direct firewall backend requested, but %s is not available"),
- commands[i]);
- return -1;
- }
- }
- VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend");
- }
-
 currentBackend = backend;
-
 return 0;
 }
 
--
2.28.0