From 5d010c3df6152cf5fb00f1f67d22151241f4a8a2 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 13 Mar 2019 16:21:15 +0000 Subject: [PATCH] network: avoid trying to create global firewall rules if unprivileged MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The unprivileged libvirtd does not have permission to create firewall rules, or bridge devices, or do anything to the host network in general. Historically we still activate the network driver though and let the network start API call fail. The startup code path which reloads firewall rules on active networks would thus effectively be a no-op when unprivileged as it is impossible for there to be any active networks With the change to use a global set of firewall chains, however, we now have code that is run unconditionally. Ideally we would not register the network driver at all when unprivileged, but the entanglement with the virt drivers currently makes that impractical. As a temporary hack, we just make the firewall reload into a no-op. Signed-off-by: Daniel P. Berrangé --- src/network/bridge_driver.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 27d7d072ce..4d4ab0f375 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -2095,6 +2095,10 @@ static void networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup) { VIR_INFO("Reloading iptables rules"); + /* Ideally we'd not even register the driver when unprivilegd + * but until we untangle the virt driver that's not viable */ + if (!driver->privileged) + return; networkPreReloadFirewallRules(startup); virNetworkObjListForEach(driver->networks, networkReloadFirewallRulesHelper, -- 2.47.2
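Review bot: the early return is placed after `VIR_INFO("Reloading iptables rules");`, so an unprivileged daemon still logs that it is reloading iptables rules on every call to networkReloadFirewallRules() even though nothing is reloaded; move the `if (!driver->privileged) return;` check above the VIR_INFO line, or log a distinct message for the unprivileged case (for example "Skipping firewall rule reload: unprivileged"), so the log reflects what actually happened. Minor: the new comment misspells "unprivileged" as "unprivilegd", and since the commit message itself calls this a temporary hack, marking the comment with a TODO/FIXME pointing at the intended fix (not registering the network driver at all when unprivileged) would make the follow-up easier to track.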