diff options
| author | Pavel Moravec <pmoravec@redhat.com> | 2021-09-28 22:44:52 +0200 |
|---|---|---|
| committer | Jake Hunsaker <jhunsake@redhat.com> | 2021-09-30 14:01:34 -0400 |
| commit | 7d5157aa5071e3620246e2d4aa80acb2d3ed30f0 (patch) | |
| tree | 4a240fbe7d63279cf8bff1f387bd5b0b8a9973c0 | |
| parent | 3d064102f8ca6662fd9602512e1cb05cf8746dfd (diff) | |
| download | sos-7d5157aa5071e3620246e2d4aa80acb2d3ed30f0.tar.gz | |
[networking] prevent iptables-save commands to load nf_tables kmod
If iptables has built-in nf_tables kmod, then
'ip netns <foo> iptables-save' command requires the kmod which must
be guarded by predicate.
Analogously for ip6tables.
Resolves: #2703
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
| -rw-r--r-- | sos/report/plugins/networking.py | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/sos/report/plugins/networking.py b/sos/report/plugins/networking.py index c80ae719..1237f629 100644 --- a/sos/report/plugins/networking.py +++ b/sos/report/plugins/networking.py @@ -182,22 +182,41 @@ class Networking(Plugin): # per-namespace. self.add_cmd_output("ip netns") cmd_prefix = "ip netns exec " - for namespace in self.get_network_namespaces( - self.get_option("namespace_pattern"), - self.get_option("namespaces")): + namespaces = self.get_network_namespaces( + self.get_option("namespace_pattern"), + self.get_option("namespaces")) + if (namespaces): + # 'ip netns exec <foo> iptables-save' must be guarded by nf_tables + # kmod, if 'iptables -V' output contains 'nf_tables' + # analogously for ip6tables + co = {'cmd': 'iptables -V', 'output': 'nf_tables'} + co6 = {'cmd': 'ip6tables -V', 'output': 'nf_tables'} + iptables_with_nft = (SoSPredicate(self, kmods=['nf_tables']) + if self.test_predicate(self, + pred=SoSPredicate(self, cmd_outputs=co)) + else None) + ip6tables_with_nft = (SoSPredicate(self, kmods=['nf_tables']) + if self.test_predicate(self, + pred=SoSPredicate(self, cmd_outputs=co6)) + else None) + for namespace in namespaces: ns_cmd_prefix = cmd_prefix + namespace + " " self.add_cmd_output([ ns_cmd_prefix + "ip address show", ns_cmd_prefix + "ip route show table all", ns_cmd_prefix + "ip -s -s neigh show", ns_cmd_prefix + "ip rule list", - ns_cmd_prefix + "iptables-save", - ns_cmd_prefix + "ip6tables-save", ns_cmd_prefix + "netstat %s -neopa" % self.ns_wide, ns_cmd_prefix + "netstat -s", ns_cmd_prefix + "netstat %s -agn" % self.ns_wide, ns_cmd_prefix + "nstat -zas", ], priority=50) + self.add_cmd_output([ns_cmd_prefix + "iptables-save"], + pred=iptables_with_nft, + priority=50) + self.add_cmd_output([ns_cmd_prefix + "ip6tables-save"], + pred=ip6tables_with_nft, + priority=50) ss_cmd = ns_cmd_prefix + "ss -peaonmi" # --allow-system-changes is handled directly in predicate |