firewall: enrich error messages

Signed-off-by: Paul Greenberg <greenpau@outlook.com>
containernetworking · Jul 31, 2020 · 8bd9866 · 8bd9866
1 parent b0e5c6b
commit 8bd9866
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/plugins/meta/firewall/nftables.go b/plugins/meta/firewall/nftables.go
@@ -25,6 +25,7 @@ import (
 )
 
 type nftBackend struct {
+	cli             string
 	targetTable     string
 	targetChain     string
 	targetHandle    uint64
@@ -143,6 +144,7 @@ var _ FirewallBackend = &nftBackend{}
 
 func newNftablesBackend(conf *FirewallNetConf) (FirewallBackend, error) {
 	backend := &nftBackend{
+		cli:             "/usr/sbin/nft",
 		targetTable:     "filter",
 		targetChain:     "FORWARD",
 		targetHandle:    0,
@@ -154,11 +156,11 @@ func newNftablesBackend(conf *FirewallNetConf) (FirewallBackend, error) {
 
 func (nb *nftBackend) execCommand(args []string) ([]string, []string, error) {
 	var stdout, stderr bytes.Buffer
-	cmd := exec.Command("nft", args...)
+	cmd := exec.Command(nb.cli, args...)
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 	if err := cmd.Run(); err != nil {
-		return []string{}, []string{}, fmt.Errorf("Error executing %s: %s", args, err)
+		return []string{}, []string{}, fmt.Errorf("Error executing %s: %s\n%s", args, err, cmd.Stderr)
 	}
 
 	stdoutString := stdout.String()
@@ -169,7 +171,7 @@ func (nb *nftBackend) execCommand(args []string) ([]string, []string, error) {
 }
 
 func (nb *nftBackend) getRules() error {
-	cmdArgs := []string{"list", "chain", "ip", nb.targetTable, nb.targetChain, "-a"}
+	cmdArgs := []string{"-a", "list", "chain", "ip", nb.targetTable, nb.targetChain}
 	stdoutLines, _, err := nb.execCommand(cmdArgs)
 	if err != nil {
 		return err
@@ -324,15 +326,15 @@ func (nb *nftBackend) isValidInput(result *current.Result) error {
 
 func (nb *nftBackend) Add(conf *FirewallNetConf, result *current.Result) error {
 	if err := nb.isValidInput(result); err != nil {
-		return fmt.Errorf("nftBackend.Add() %s", err)
+		return fmt.Errorf("nftBackend.Add() failed validation: %s", err)
 	}
 
 	if err := nb.getRules(); err != nil {
-		return fmt.Errorf("nftBackend.Add() %s", err)
+		return fmt.Errorf("nftBackend.Add() failed parsing rules: %s", err)
 	}
 
 	if err := nb.addRules(); err != nil {
-		return fmt.Errorf("nftBackend.Add() %s", err)
+		return fmt.Errorf("nftBackend.Add() failed adding rules: %s", err)
 	}
 
 	return nil