[firewall_tables] Call iptables only when nft ip filter table exists

iptables -vnxL creates nft 'ip filter' table if it does not exist, hence
we must guard iptables execution by presence of the nft table.

An equivalent logic applies to ip6tables.

Resolves: #2724

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

1 files changed, 14 insertions, 12 deletions

diff --git a/sos/report/plugins/firewall_tables.py b/sos/report/plugins/firewall_tables.py
index ef04d939..7eafd60f 100644
--- a/sos/report/plugins/firewall_tables.py
+++ b/sos/report/plugins/firewall_tables.py
@@ -80,19 +80,21 @@ class firewall_tables(Plugin, IndependentPlugin):
             if nft_list['status'] == 0 and table in nft_ip_tables['ip6']:
                 self.collect_ip6table(table)
 
-        # When iptables is called it will load the modules
-        # iptables_filter (for kernel <= 3) or
-        # nf_tables (for kernel >= 4) if they are not loaded.
+        # When iptables is called it will load:
+        # 1) the modules iptables_filter (for kernel <= 3) or
+        #    nf_tables (for kernel >= 4) if they are not loaded.
+        # 2) nft 'ip filter' table will be created
         # The same goes for ipv6.
-        self.add_cmd_output(
-            "iptables -vnxL",
-            pred=SoSPredicate(self, kmods=['iptable_filter', 'nf_tables'])
-        )
-
-        self.add_cmd_output(
-            "ip6tables -vnxL",
-            pred=SoSPredicate(self, kmods=['ip6table_filter', 'nf_tables'])
-        )
+        if nft_list['status'] != 0 or 'filter' in nft_ip_tables['ip']:
+            self.add_cmd_output(
+                "iptables -vnxL",
+                pred=SoSPredicate(self, kmods=['iptable_filter', 'nf_tables'])
+            )
+        if nft_list['status'] != 0 or 'filter' in nft_ip_tables['ip6']:
+            self.add_cmd_output(
+                "ip6tables -vnxL",
+                pred=SoSPredicate(self, kmods=['ip6table_filter', 'nf_tables'])
+            )
 
         self.add_copy_spec([
             "/etc/nftables",