In normal practice a firewall rule should never have 0 args by the time it gets to the Apply stage, but at some time while debugging auto-rollback exactly that happened (due to a bug that was since squashed), and having a check for it helped debugging, so let's permanently check for it (the nftables version of ApplyRule already has this check).

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/util/viriptables.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 96b69daf68..4e3188e4d1 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -71,10 +71,11 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
 {
     virFirewallLayer layer = virFirewallRuleGetLayer(rule);
     const char *bin = virIptablesLayerCommandTypeToString(layer);
+    size_t count = virFirewallRuleGetArgCount(rule);
     g_autoptr(virCommand) cmd = NULL;
     g_autofree char *cmdStr = NULL;
     g_autofree char *error = NULL;
-    size_t i, count;
+    size_t i;
     int status;
 
     if (!bin) {
@@ -83,6 +84,12 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
         return -1;
     }
 
+    if (count == 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Can't apply empty firewall rule"));
+        return -1;
+    }
+
     cmd = virCommandNewArgList(bin, NULL);
 
     /* lock to assure nobody else is messing with the tables while we are */
@@ -98,7 +105,6 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
         break;
     }
 
-    count = virFirewallRuleGetArgCount(rule);
     for (i = 0; i < count; i++)
         virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i));
 
-- 
2.39.2
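Review bot: The new `if (count == 0)` guard in the second hunk carries no comment, so a reader of the code (rather than the commit message) cannot tell that it flags a caller/internal invariant violation rather than a runtime condition; a one-liner above it such as `/* a rule with no args is a caller bug, not a user error; fail loudly before we take the lock */` would preserve the rationale in the source. Placing the check ahead of `virCommandNewArgList` and the table lock is the right spot, since it means an empty rule never holds the lock or spawns the binary, and reporting it as VIR_ERR_INTERNAL_ERROR rather than letting the tool fail with an opaque usage error is what makes an otherwise silent rollback gap visible. If the nftables counterpart's message wording differs from `"Can't apply empty firewall rule"`, aligning the two would make the condition easier to grep for in logs, but the nftables code is not in this patch so I cannot confirm. virIptablesApplyFirewallRule's signature precedes the first hunk and its body continues past the third.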