If neither iptables or nftables are present, and no explicit config
setting was made, skip network driver initialization, rather than
making it a hard error.

This allows libvirtd to carry on operating with the network driver
disabled, while ensuring virtnetworkd will shutdown.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/network/bridge_driver.c      | 8 +++++++-
 src/network/bridge_driver_conf.c | 8 ++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 32572c755f..371bc2bae6 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -588,6 +588,7 @@ networkStateInitialize(bool privileged,
 #ifdef WITH_FIREWALLD
     GDBusConnection *sysbus = NULL;
 #endif
+    int ret = VIR_DRV_STATE_INIT_ERROR;
 
     if (root != NULL) {
         virReportError(VIR_ERR_INVALID_ARG, "%s",
@@ -611,6 +612,11 @@ networkStateInitialize(bool privileged,
     if (!(network_driver->config = cfg = virNetworkDriverConfigNew(privileged)))
         goto error;
 
+    if (network_driver->config->firewallBackend == -1) {
+        ret = VIR_DRV_STATE_INIT_SKIPPED;
+        goto error;
+    }
+
     if ((network_driver->lockFD =
          virPidFileAcquire(cfg->stateDir, "driver", getpid())) < 0)
         goto error;
@@ -689,7 +695,7 @@ networkStateInitialize(bool privileged,
 
  error:
     networkStateCleanup();
-    return VIR_DRV_STATE_INIT_ERROR;
+    return ret;
 }
 
 
diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
index e2f3613a41..f6c89ddddf 100644
--- a/src/network/bridge_driver_conf.c
+++ b/src/network/bridge_driver_conf.c
@@ -132,7 +132,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
     if (fwBackendSelected) {
         VIR_INFO("using firewall_backend: '%s'",
                  virFirewallBackendTypeToString(cfg->firewallBackend));
-        return 0;
+        return 1;
 
     } else if (fwBackendStr) {
 
@@ -143,9 +143,9 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
         return -1;
 
     } else {
-        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                       _("could not find a usable firewall backend"));
-        return -1;
+        cfg->firewallBackend = -1;
+        VIR_ERROR(_("could not find a usable firewall backend"));
+        return 0;
     }
 }
 
-- 
2.45.1

On 6/11/24 12:47 PM, Daniel P. Berrangé wrote:
> If neither iptables or nftables are present, and no explicit config
> setting was made, skip network driver initialization, rather than
> making it a hard error.
> 
> This allows libvirtd to carry on operating with the network driver
> disabled, while ensuring virtnetworkd will shutdown.

My assumption after reading the report about this from Roman was that he 
must have been using <forward mode='open'/>, which would never use any 
firewall functions and thus would succeed. If that's the case, then this 
change would still fail for him.

If, on the other hand, FreeBSD users are only using <interface 
type='bridge'/), then this patch will be fine.

If I re-assume to the latter, then:

Reviewed-by: Laine Stump <laine@redhat.com>

(and soon to be Tested-by, but first I have some errands to run :-)

but we should make sure they aren't trying to use <forward mode='open'/> 
on platforms with no supported firewall.

> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>   src/network/bridge_driver.c      | 8 +++++++-
>   src/network/bridge_driver_conf.c | 8 ++++----
>   2 files changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
> index 32572c755f..371bc2bae6 100644
> --- a/src/network/bridge_driver.c
> +++ b/src/network/bridge_driver.c
> @@ -588,6 +588,7 @@ networkStateInitialize(bool privileged,
>   #ifdef WITH_FIREWALLD
>       GDBusConnection *sysbus = NULL;
>   #endif
> +    int ret = VIR_DRV_STATE_INIT_ERROR;
>   
>       if (root != NULL) {
>           virReportError(VIR_ERR_INVALID_ARG, "%s",
> @@ -611,6 +612,11 @@ networkStateInitialize(bool privileged,
>       if (!(network_driver->config = cfg = virNetworkDriverConfigNew(privileged)))
>           goto error;
>   
> +    if (network_driver->config->firewallBackend == -1) {
> +        ret = VIR_DRV_STATE_INIT_SKIPPED;
> +        goto error;
> +    }
> +
>       if ((network_driver->lockFD =
>            virPidFileAcquire(cfg->stateDir, "driver", getpid())) < 0)
>           goto error;
> @@ -689,7 +695,7 @@ networkStateInitialize(bool privileged,
>   
>    error:
>       networkStateCleanup();
> -    return VIR_DRV_STATE_INIT_ERROR;
> +    return ret;
>   }
>   
>   
> diff --git a/src/network/bridge_driver_conf.c b/src/network/bridge_driver_conf.c
> index e2f3613a41..f6c89ddddf 100644
> --- a/src/network/bridge_driver_conf.c
> +++ b/src/network/bridge_driver_conf.c
> @@ -132,7 +132,7 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
>       if (fwBackendSelected) {
>           VIR_INFO("using firewall_backend: '%s'",
>                    virFirewallBackendTypeToString(cfg->firewallBackend));
> -        return 0;
> +        return 1;
>   
>       } else if (fwBackendStr) {
>   
> @@ -143,9 +143,9 @@ virNetworkLoadDriverConfig(virNetworkDriverConfig *cfg G_GNUC_UNUSED,
>           return -1;
>   
>       } else {
> -        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> -                       _("could not find a usable firewall backend"));
> -        return -1;
> +        cfg->firewallBackend = -1;
> +        VIR_ERROR(_("could not find a usable firewall backend"));
> +        return 0;
>       }
>   }
>