[libvirt] [PATCH 03/13] Fix logging of failed iptables commands
Laine Stump
laine at laine.org
Mon Dec 20 08:03:15 UTC 2010
The functions in iptables.c all return -1 on failure, but all their
callers (which all happen to be in bridge_driver.c) assume that they
are returning an errno, and the logging is done accordingly. This
patch fixes all the error checking and logging to assume < 0 is an
error, and nothing else.
---
src/network/bridge_driver.c | 183 +++++++++++++++++++++----------------------
1 files changed, 91 insertions(+), 92 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index c3f32d7..5186511 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -586,28 +586,28 @@ cleanup:
static int
networkAddMasqueradingIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) {
- int err;
+
/* allow forwarding packets from the bridge interface */
- if ((err = iptablesAddForwardAllowOut(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->bridge,
- network->def->forwardDev))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow forwarding from '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardAllowOut(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->bridge,
+ network->def->forwardDev) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow forwarding from '%s'"),
+ network->def->bridge);
goto masqerr1;
}
/* allow forwarding packets to the bridge interface if they are part of an existing connection */
- if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->bridge,
- network->def->forwardDev))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow forwarding to '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardAllowRelatedIn(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->bridge,
+ network->def->forwardDev) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow forwarding to '%s'"),
+ network->def->bridge);
goto masqerr2;
}
@@ -635,38 +635,38 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
*/
/* First the generic masquerade rule for other protocols */
- if ((err = iptablesAddForwardMasquerade(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->forwardDev,
- NULL))) {
- virReportSystemError(err,
- _("failed to add iptables rule to enable masquerading to '%s'"),
- network->def->forwardDev ? network->def->forwardDev : NULL);
+ if (iptablesAddForwardMasquerade(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->forwardDev,
+ NULL) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to enable masquerading to '%s'"),
+ network->def->forwardDev ? network->def->forwardDev : NULL);
goto masqerr3;
}
/* UDP with a source port restriction */
- if ((err = iptablesAddForwardMasquerade(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->forwardDev,
- "udp"))) {
- virReportSystemError(err,
- _("failed to add iptables rule to enable UDP masquerading to '%s'"),
- network->def->forwardDev ? network->def->forwardDev : NULL);
+ if (iptablesAddForwardMasquerade(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->forwardDev,
+ "udp") < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to enable UDP masquerading to '%s'"),
+ network->def->forwardDev ? network->def->forwardDev : NULL);
goto masqerr4;
}
/* TCP with a source port restriction */
- if ((err = iptablesAddForwardMasquerade(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->forwardDev,
- "tcp"))) {
- virReportSystemError(err,
- _("failed to add iptables rule to enable TCP masquerading to '%s'"),
- network->def->forwardDev ? network->def->forwardDev : NULL);
+ if (iptablesAddForwardMasquerade(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->forwardDev,
+ "tcp") < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to enable TCP masquerading to '%s'"),
+ network->def->forwardDev ? network->def->forwardDev : NULL);
goto masqerr5;
}
@@ -703,28 +703,28 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
static int
networkAddRoutingIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) {
- int err;
+
/* allow routing packets from the bridge interface */
- if ((err = iptablesAddForwardAllowOut(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->bridge,
- network->def->forwardDev))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow routing from '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardAllowOut(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->bridge,
+ network->def->forwardDev) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow routing from '%s'"),
+ network->def->bridge);
goto routeerr1;
}
/* allow routing packets to the bridge interface */
- if ((err = iptablesAddForwardAllowIn(driver->iptables,
- &network->def->ipAddress,
- &network->def->netmask,
- network->def->bridge,
- network->def->forwardDev))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow routing to '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardAllowIn(driver->iptables,
+ &network->def->ipAddress,
+ &network->def->netmask,
+ network->def->bridge,
+ network->def->forwardDev) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow routing to '%s'"),
+ network->def->bridge);
goto routeerr2;
}
@@ -744,69 +744,68 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
static int
networkAddIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) {
- int err;
/* allow DHCP requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 67))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow DHCP requests from '%s'"),
- network->def->bridge);
+ if (iptablesAddTcpInput(driver->iptables, network->def->bridge, 67) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow DHCP requests from '%s'"),
+ network->def->bridge);
goto err1;
}
- if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 67))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow DHCP requests from '%s'"),
- network->def->bridge);
+ if (iptablesAddUdpInput(driver->iptables, network->def->bridge, 67) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow DHCP requests from '%s'"),
+ network->def->bridge);
goto err2;
}
/* allow DNS requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 53))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow DNS requests from '%s'"),
- network->def->bridge);
+ if (iptablesAddTcpInput(driver->iptables, network->def->bridge, 53) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow DNS requests from '%s'"),
+ network->def->bridge);
goto err3;
}
- if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 53))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow DNS requests from '%s'"),
- network->def->bridge);
+ if (iptablesAddUdpInput(driver->iptables, network->def->bridge, 53) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow DNS requests from '%s'"),
+ network->def->bridge);
goto err4;
}
/* allow TFTP requests through to dnsmasq */
if (network->def->tftproot &&
- (err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 69))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow TFTP requests from '%s'"),
- network->def->bridge);
+ iptablesAddUdpInput(driver->iptables, network->def->bridge, 69) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow TFTP requests from '%s'"),
+ network->def->bridge);
goto err4tftp;
}
/* Catch all rules to block forwarding to/from bridges */
- if ((err = iptablesAddForwardRejectOut(driver->iptables, network->def->bridge))) {
- virReportSystemError(err,
- _("failed to add iptables rule to block outbound traffic from '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardRejectOut(driver->iptables, network->def->bridge) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to block outbound traffic from '%s'"),
+ network->def->bridge);
goto err5;
}
- if ((err = iptablesAddForwardRejectIn(driver->iptables, network->def->bridge))) {
- virReportSystemError(err,
- _("failed to add iptables rule to block inbound traffic to '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardRejectIn(driver->iptables, network->def->bridge) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to block inbound traffic to '%s'"),
+ network->def->bridge);
goto err6;
}
/* Allow traffic between guests on the same bridge */
- if ((err = iptablesAddForwardAllowCross(driver->iptables, network->def->bridge))) {
- virReportSystemError(err,
- _("failed to add iptables rule to allow cross bridge traffic on '%s'"),
- network->def->bridge);
+ if (iptablesAddForwardAllowCross(driver->iptables, network->def->bridge) < 0) {
+ networkReportError(VIR_ERR_SYSTEM_ERROR,
+ _("failed to add iptables rule to allow cross bridge traffic on '%s'"),
+ network->def->bridge);
goto err7;
}
@@ -829,7 +828,7 @@ networkAddIptablesRules(struct network_driver *driver,
if ((VIR_SOCKET_HAS_ADDR(&network->def->ipAddress) ||
network->def->nranges) &&
(iptablesAddOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68) != 0)) {
+ network->def->bridge, 68) < 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums "
"on network '%s'.", network->def->name);
VIR_WARN0("May need to update iptables package & kernel to support CHECKSUM rule.");
--
1.7.3.4
More information about the libvir-list
mailing list