util: better error message after failure to initialize firewall backend

If the firewalld backend wasn't available and libvirt decides to try
setting up a "direct" backend, it checks for the presence of iptables,
ip6tables, and ebtables. If they are not found, a message like this is logged:

  error : virFirewallValidateBackend:193 : direct firewall backend
          requested, but /usr/sbin/ip6tables is not available:
          No such file or directory

But then at a later time if an attempt is made to use the virFirewall
API, failure will be indicated with:

  error : virFirewallApply:936 : out of memory

This patch changes virFirewallApply to first check if a firewall
backend hadn't been successfully setup, and logs a slightly more
informative message in that case:

  error : virFirewallApply:940 : internal error:
          Failed to initialize a valid firewall backend

This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1223876

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 2251f97bae102871e2443d0f3ee493db1819b8b6..a972c05d5baba3859dd5705939dd0bd655f61066 100644 (file)
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -1,7 +1,7 @@
 /*
  * virfirewall.c: integration with firewalls
  *
- * Copyright (C) 2013, 2014 Red Hat, Inc.
+ * Copyright (C) 2013-2015 Red Hat, Inc.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -932,6 +932,14 @@ virFirewallApply(virFirewallPtr firewall)
 
     virMutexLock(&ruleLock);
 
+    if (currentBackend == VIR_FIREWALL_BACKEND_AUTOMATIC) {
+        /* a specific backend should have been set when the firewall
+         * object was created. If not, it means none was found.
+         */
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Failed to initialize a valid firewall backend"));
+        goto cleanup;
+    }
     if (!firewall || firewall->err == ENOMEM) {
         virReportOOMError();
         goto cleanup;