Bug 1029266 - Error message is not clear for command nwfilter-define under non-root user.
Summary: Error message is not clear for command nwfilter-define under non-root user.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Ján Tomko
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-12 02:44 UTC by zhengqin
Modified: 2015-03-05 07:25 UTC (History)

Fixed In Version: libvirt-1.2.7-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 07:25:46 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0323 0 normal SHIPPED_LIVE Low: libvirt security, bug fix, and enhancement update 2015-03-05 12:10:54 UTC

Description zhengqin 2013-11-12 02:44:40 UTC
Description
On the latest RHEL7, for a non-root user, executing the command “virsh nwfilter-define <nwfilterXML>” produces an error, but the error message is not clear.


Version:
libvirt-1.1.1-11.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Issue the following command to create a user and set its password:
#useradd non-root ;  passwd non-root

2. Switch to user “non-root” with the command “su - non-root”, and prepare an XML file named disallow-arp.xml like the one below:
-----------------------------------------------------------------
<filter name='disallow-arp1' chain='arp'>
  <rule action='drop' direction='inout' priority='500'/>
</filter>
-----------------------------------------------------------------


3. Execute the command “nwfilter-define” as the “non-root” user, and an error occurs.


Actual results:
[non-root@localhost ~]$ virsh nwfilter-define disallow-arp.xml 
error: Failed to define network filter from disallow-arp.xml
error: cannot create config directory (null): Bad address


The above error message is not clear.



Expected results:
Error message should be clear and improved, such as, "error: cannot create config directory: permission denied."

Comment 1 Ján Tomko 2013-11-12 11:44:44 UTC
Upstream patch proposed:
https://www.redhat.com/archives/libvir-list/2013-November/msg00368.html

Comment 2 Ján Tomko 2013-11-13 10:40:32 UTC
Fixed upstream by:
commit b7829f959b33c6e32422222a9ed745c0da7dc696
Author:     Ján Tomko <jtomko>
AuthorDate: 2013-11-12 13:18:54 +0100
Commit:     Ján Tomko <jtomko>
CommitDate: 2013-11-13 09:41:57 +0100

    Disable nwfilter driver when running unprivileged
    
    When opening a new connection to the driver, nwfilterOpen
    only succeeds if the driverState has been allocated.
    
    Move the privilege check in driver initialization before
    the state allocation to disable the driver.
    
    This changes the nwfilter-define error from:
    error: cannot create config directory (null): Bad address
    To:
    this function is not supported by the connection driver:
    virNWFilterDefineXML
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1029266

git describe: v1.1.4-79-gb7829f9
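
The ordering problem that the commit message in comment 2 describes, as an added example that is not part of the bug report or of libvirt's source: a simplified C model in which every name (`drv_state`, `init_before_fix`, `init_after_fix`, `define_filter`, `run`) and the config path are hypothetical. It shows why an unprivileged caller used to reach the config-directory code with a NULL path, and why the driver refuses the call outright once the privilege check comes before the state allocation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every name and the path are hypothetical, not libvirt's. */
struct drv_state { const char *config_dir; };  /* NULL until fully set up */
enum result { OK, ERR_BAD_CONFIG_DIR, ERR_NO_SUPPORT };
static struct drv_state *state;  /* connections open only when non-NULL */

/* Ordering before the fix: allocate first, then bail out if unprivileged. */
static void init_before_fix(bool privileged)
{
    state = calloc(1, sizeof(*state));
    if (!state || !privileged)
        return;                  /* state stays allocated but half set up */
    state->config_dir = "/etc/example/nwfilter";
}

/* Ordering after the fix: the privilege check comes first. */
static void init_after_fix(bool privileged)
{
    if (!privileged)
        return;                  /* state stays NULL: driver disabled */
    state = calloc(1, sizeof(*state));
    if (state)
        state->config_dir = "/etc/example/nwfilter";
}

/* What a define request reports back to the caller. */
static enum result define_filter(void)
{
    if (!state)
        return ERR_NO_SUPPORT;       /* open refused: "not supported" */
    if (!state->config_dir)
        return ERR_BAD_CONFIG_DIR;   /* "(null): Bad address" case */
    return OK;
}

static enum result run(void (*init)(bool), bool privileged)
{
    free(state);
    state = NULL;
    init(privileged);
    return define_filter();
}

int main(void)
{
    printf("%d %d\n", run(init_before_fix, false), run(init_after_fix, false));
    return 0;
}
```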

Comment 5 zhenfeng wang 2014-11-24 05:55:17 UTC
I can reproduce this issue with libvirt-1.1.1-11.el7.x86_64 by following the steps in comment 0.

$ virsh nwfilter-define disallow-arp.xml 
error: Failed to define network filter from disallow-arp.xml
error: cannot create config directory (null): Bad address

Verified with libvirt-1.2.8-8.el7.x86_64: I get the expected result, so the bug has been fixed. The verification steps are as follows:

1. cat disallow-arp.xml 
<filter name='disallow-arp1' chain='arp'>
  <rule action='drop' direction='inout' priority='500'/>
</filter>

$ virsh nwfilter-define disallow-arp.xml 
error: Failed to define network filter from disallow-arp.xml
error: this function is not supported by the connection driver: virNWFilterDefineXML


2. Check the nwfilter as the non-root user
$ virsh nwfilter-list
error: Failed to count network filters
error: this function is not supported by the connection driver: virConnectNumOfNWFilters


3. Give the normal permission to connect to the libvirt system instance
$ virsh -c qemu:///system nwfilter-list
 UUID                                  Name                 
------------------------------------------------------------------
 2380965c-3aef-40e6-9cbc-67c3965c3bd7  allow-arp           
 3457b66c-597d-4c81-be19-a01f631ef99b  allow-dhcp          
 7086bb44-f181-4d9f-848e-e4e6ac02df41  allow-dhcp-server   
 92ffef96-0a2c-4342-acfc-8d21b8b0d430  allow-incoming-ipv4 
 473a3110-5220-4768-bbf4-5f80a29168b4  allow-ipv4          
 2dbd5ee5-b032-4575-bede-0a4caba01af1  clean-traffic       
 8075af04-d48d-4a55-a7f0-d18ccc18d48e  no-arp-ip-spoofing  
 06b71196-4f69-4972-ba0c-f15d97d67791  no-arp-mac-spoofing 
 4151e04a-b861-4781-8174-a4162cdf10a9  no-arp-spoofing     
 f010bcaf-8b0a-4368-b418-3c1711ed5342  no-ip-multicast     
 fa00719a-9369-414f-80a9-0a84c820a4d3  no-ip-spoofing      
 c8dfbf17-a884-46df-8139-361fc080f337  no-mac-broadcast    
 8bb6ec95-0784-4fa8-93d4-57db0c6108d6  no-mac-spoofing     
 703831ec-521d-4b5c-b50a-8ab2c4120671  no-other-l2-traffic 
 566580f1-dedb-4cc9-a237-f9b50deabf97  no-other-rarp-traffic
 44b28a60-1073-4030-b349-0c6f5190cd92  qemu-announce-self  
 23f082a2-57c1-4de6-868d-4fcfc7b27282  qemu-announce-self-rarp
 fac813ac-bdfa-4f37-91af-261a74011002  vdsm-no-mac-spoofing

4. Check the nwfilter's info as the non-root user; get the expected error

$ virsh nwfilter-dumpxml 2380965c-3aef-40e6-9cbc-67c3965c3bd7
error: failed to get nwfilter '2380965c-3aef-40e6-9cbc-67c3965c3bd7'
error: this function is not supported by the connection driver: virNWFilterLookupByName

$ virsh nwfilter-dumpxml  vdsm-no-mac-spoofing
error: failed to get nwfilter 'vdsm-no-mac-spoofing'
error: this function is not supported by the connection driver: virNWFilterLookupByName

5. Delete the nwfilter as the non-root user; get the expected error

$ virsh nwfilter-undefine qemu-announce-self-rarp
error: failed to get nwfilter 'qemu-announce-self-rarp'
error: this function is not supported by the connection driver: virNWFilterLookupByName


6. Edit the nwfilter as the non-root user; get the expected error
$ virsh nwfilter-edit qemu-announce-self
error: failed to get nwfilter 'qemu-announce-self'
error: this function is not supported by the connection driver: virNWFilterLookupByName

Comment 7 errata-xmlrpc 2015-03-05 07:25:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html

