From ab238e23b4d313b3d5f44684990c52df1ff89821 Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Tue, 16 Nov 2021 14:12:05 -0500
Subject: [PATCH] util: remove check for iptables binary during virFirewallInit
It's unclear exactly why this check exists; possibly a parallel to a long-removed check for the firewall-cmd binary (added to viriptables.c with the initial support for firewalld in commit bf156385a03 in 2012, and long since removed), or possibly because virFirewallOnceInit() was intended to be called at daemon startup, and it seemed like a good idea to just log this error once when trying to determine whether to use firewalld, or direct iptables commands, and then not waste time building commands that could never be executed. The odd thing is that it would sometimes result in logging an error when it couldn't find a binary that wasn't needed anyway (e.g., if all the rules were iptables rules, but ebtables and/or ip6tables weren't also installed). If we just remove this check, then virCommandRun() will end up logging an error and failing if the needed binary isn't found when we try to execute it, which seems like it should just as good (or at least good enough, especially since we eventually want to get rid of iptables completely). So let's remove it!
Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
src/util/virfirewall.c | 25 -------------------------
1 file changed, 25 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index f3172e5c96..1e6c667ee1 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -98,23 +98,6 @@ VIR_ONCE_GLOBAL_INIT(virFirewall); static int virFirewallValidateBackend(virFirewallBackend backend) { - const char *commands[] = { - IPTABLES, IP6TABLES, EBTABLES - }; - size_t i; - - for (i = 0; i < G_N_ELEMENTS(commands); i++) { - g_autofree char *path = virFindFileInPath(commands[i]); - - if (!path) { - virReportSystemError(errno, - _("%s not available, firewall backend will not function"), - commands[i]); - return -1; - } - } - VIR_DEBUG("found iptables/ip6tables/ebtables"); - if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC || backend == VIR_FIREWALL_BACKEND_FIREWALLD) { int rv = virFirewallDIsRegistered(); @@ -694,14 +677,6 @@ virFirewallApply(virFirewall *firewall) virMutexLock(&ruleLock); - if (currentBackend == VIR_FIREWALL_BACKEND_AUTOMATIC) { - /* a specific backend should have been set when the firewall - * object was created. If not, it means none was found. - */ - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Failed to initialize a valid firewall backend")); - goto cleanup; - } if (!firewall || firewall->err) { int err = EINVAL;