conf: report an error if nic needs filtering by no driver is present

If a <interface> includes a filter name but the nwfilter driver is not present we silently do nothing. This is very bad, because an application that thinks it is protected by malicious guest traffic will in fact be vulnerable. Reporting an error gives the administrator the ability to know there is a problem and fix it. Reviewed-by: N John Ferlan <jferlan@redhat.com> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>

conf: report an error if nic needs filtering by no driver is present
If a <interface> includes a filter name but the nwfilter driver is not present we silently do nothing. This is very bad, because an application that thinks it is protected by malicious guest traffic will in fact be vulnerable. Reporting an error gives the administrator the ability to know there is a problem and fix it. Reviewed-by: N John Ferlan <jferlan@redhat.com> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>
c0fa7713 · Daniel P. Berrangé · fca9afa0 · c0fa7713
隐藏空白更改
内联并排

Showing with 7 addition and 2 deletion

src/conf/domain_nwfilter.c src/conf/domain_nwfilter.c +7 -2

未找到文件。
--- a/src/conf/domain_nwfilter.c
+++ b/src/conf/domain_nwfilter.c
@@ -28,6 +28,9 @@
 #include "datatypes.h"
 #include "domain_conf.h"
 #include "domain_nwfilter.h"
+#include "virerror.h"
+
+#define VIR_FROM_THIS VIR_FROM_NWFILTER

 static virDomainConfNWFilterDriverPtr nwfilterDriver;

@@ -44,8 +47,10 @@ virDomainConfNWFilterInstantiate(const char *vmname,
 {
    if (nwfilterDriver != NULL)
        return nwfilterDriver->instantiateFilter(vmname, vmuuid, net);
-    /* driver module not available -- don't indicate failure */
-    return 0;
+
+    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                   _("No network filter driver available"));
+    return -1;
 }

 void