libnetwork/iptables: make firewalldInit more atomic

firewalldInit was returning an error if we failed to set up the docker
zone, but did not close the D-Bus connection. Given that we consider
firewalld to "not be usable" in case of an error, let's also close
the connection;

    unable to initialize firewalld; using raw iptables instead

And return the connection on success, instead of implicitly setting the
package-level `firewalld` variable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

libnetwork/iptables/firewalld.go

@@ -44,22 +44,22 @@ var (
 )
 
 // firewalldInit initializes firewalld management code.
-func firewalldInit() error {
+func firewalldInit() (*firewalldConnection, error) {
-	var err error
+	fwd, err := newConnection()
-	firewalld, err = newConnection()
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	// start handling D-Bus signals that were registered.
-	firewalld.handleSignals()
+	fwd.handleSignals()
 
-	err = firewalld.setupDockerZone()
+	err = fwd.setupDockerZone()
 	if err != nil {
-		return err
+		_ = fwd.conn.Close()
+		return nil, err
 	}
 
-	return nil
+	return fwd, nil
 }
 
 // newConnection establishes a connection to the system D-Bus and registers

libnetwork/iptables/firewalld_test.go

@@ -27,9 +27,11 @@ func skipIfNoFirewalld(t *testing.T) {
 
 func TestFirewalldInit(t *testing.T) {
 	skipIfNoFirewalld(t)
-	if err := firewalldInit(); err != nil {
+	fwd, err := firewalldInit()
+	if err != nil {
 		t.Fatal(err)
 	}
+	_ = fwd.conn.Close()
 }
 
 func TestReloaded(t *testing.T) {

libnetwork/iptables/iptables.go

@@ -138,7 +138,9 @@ func initFirewalld() {
 		log.G(context.TODO()).Info("skipping firewalld management for rootless mode")
 		return
 	}
-	if err := firewalldInit(); err != nil {
+	var err error
+	firewalld, err = firewalldInit()
+	if err != nil {
 		log.G(context.TODO()).WithError(err).Debugf("unable to initialize firewalld; using raw iptables instead")
 	}
 }