conf: report an error if nic needs filtering by no driver is present

If a <interface> includes a filter name but the nwfilter driver is not
present we silently do nothing. This is very bad, because an application
that thinks it is protected by malicious guest traffic will in fact be
vulnerable. Reporting an error gives the administrator the ability to
know there is a problem and fix it.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/conf/domain_nwfilter.c b/src/conf/domain_nwfilter.c
index e360aceeba262d7fade54e4c0045ce490406f753..7570e0ae831689c62e260ad9c6051f00fc689430 100644 (file)
--- a/src/conf/domain_nwfilter.c
+++ b/src/conf/domain_nwfilter.c
@@ -28,6 +28,9 @@
 #include "datatypes.h"
 #include "domain_conf.h"
 #include "domain_nwfilter.h"
+#include "virerror.h"
+
+#define VIR_FROM_THIS VIR_FROM_NWFILTER
 
 static virDomainConfNWFilterDriverPtr nwfilterDriver;
 
@@ -44,8 +47,10 @@ virDomainConfNWFilterInstantiate(const char *vmname,
 {
     if (nwfilterDriver != NULL)
         return nwfilterDriver->instantiateFilter(vmname, vmuuid, net);
-    /* driver module not available -- don't indicate failure */
-    return 0;
+
+    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                   _("No network filter driver available"));
+    return -1;
 }
 
 void