author | Pavel Moravec <pmoravec@redhat.com> | 2020-05-08 14:06:41 +0200 |
---|---|---|
committer | Bryan Quigley <bryan.quigley@canonical.com> | 2020-05-19 17:11:21 -0700 |
commit | 31e0467885ef3986b476ea070941a786b426f298 (patch) | |
tree | fcfaccba74a4979cafb3ebd9bb9f714b34006a4e | |
parent | 4a5a6beef5fa986f3d36de18e086c9fc88cab549 (diff) | |
download | sos-31e0467885ef3986b476ea070941a786b426f298.tar.gz |
[networking] collect iptables when proper kernel modules loaded
Since kernel-4, iptables / ip6tables are newly provided by the nf_tables
kernel module. Therefore, collecting ip[,6]tables commands should
also be gated by the presence of this kernel module.
Resolves: #2054
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
Signed-off-by: Bryan Quigley <bryan.quigley@canonical.com>
-rw-r--r-- | sos/report/plugins/networking.py | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/sos/report/plugins/networking.py b/sos/report/plugins/networking.py
index cac6ccca..5230303d 100644
--- a/sos/report/plugins/networking.py
+++ b/sos/report/plugins/networking.py
@@ -35,22 +35,24 @@ class Networking(Plugin):
 ns_wide = "-W"
 def collect_iptable(self, tablename):
- """ When running the iptables command, it unfortunately auto-loads
- the modules before trying to get output. Some people explicitly
- don't want this, so check if the modules are loaded before running
- the command. If they aren't loaded, there can't possibly be any
- relevant rules in that table """
+ """ Collecting iptables rules for a table loads either kernel module
+ of the table name (for kernel <= 3), or nf_tables (for kernel >= 4).
+ If neither module is present, the rules must be empty."""
 modname = "iptable_" + tablename
 cmd = "iptables -t " + tablename + " -nvL"
- self.add_cmd_output(cmd, pred=SoSPredicate(self, kmods=[modname]))
+ self.add_cmd_output(
+ cmd,
+ pred=SoSPredicate(self, kmods=[modname, 'nf_tables']))
 def collect_ip6table(self, tablename):
 """ Same as function above, but for ipv6 """
 modname = "ip6table_" + tablename
 cmd = "ip6tables -t " + tablename + " -nvL"
- self.add_cmd_output(cmd, pred=SoSPredicate(self, kmods=[modname]))
+ self.add_cmd_output(
+ cmd,
+ pred=SoSPredicate(self, kmods=[modname, 'nf_tables']))
 def collect_nftables(self):
 """ Collects nftables rulesets with 'nft' commands if the modules
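Review bot: The widened predicate in collect_iptable can let `iptables -t <table> -nvL` run on a host where nf_tables is loaded but the installed iptables is the legacy backend, and there the command would still auto-load `iptable_<table>`, the side effect the gate was meant to prevent. This assumes SoSPredicate treats the kmods list as any-of, which the new docstring's "neither" implies but whose definition is outside the diff. Which module the command touches follows the userspace iptables backend rather than the kernel version alone, so the docstring should state the rationale instead of the kernel split, e.g. `""" Only run when iptable_<table> (legacy backend) or nf_tables (nft backend) is already loaded, so that collecting a report never loads a netfilter module itself. """`. The same applies to collect_ip6table and to the two `-vnxL` calls in the hunk at -151; collect_nftables continues outside this hunk.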
@@ -151,16 +153,17 @@ class Networking(Plugin):
 self.add_cmd_output(ss_cmd, pred=ss_pred, changes=True)
 # When iptables is called it will load the modules
- # iptables and iptables_filter if they are not loaded.
+ # iptables_filter (for kernel <= 3) or
+ # nf_tables (for kernel >= 4) if they are not loaded.
 # The same goes for ipv6.
 self.add_cmd_output(
 "iptables -vnxL",
- pred=SoSPredicate(self, kmods=['iptable_filter'])
+ pred=SoSPredicate(self, kmods=['iptable_filter', 'nf_tables'])
 )
 self.add_cmd_output(
 "ip6tables -vnxL",
- pred=SoSPredicate(self, kmods=['ip6table_filter'])
+ pred=SoSPredicate(self, kmods=['ip6table_filter', 'nf_tables'])
 )
 # Get ethtool output for every device that does not exist in a |
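Review bot: The added comment names the module `iptables_filter`, while the predicate two lines below gates on `iptable_filter`; anyone grepping lsmod output for the name in the comment will not find it. I would write the line as `# iptable_filter (for kernel <= 3) or` and spell out the IPv6 counterpart, `ip6table_filter`, instead of "The same goes for ipv6". The enclosing method starts and ends outside this hunk.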