authorJake Hunsaker <jhunsake@redhat.com>2022-11-21 10:37:04 -0500
committerJake Hunsaker <jhunsake@redhat.com>2022-11-21 14:19:17 -0500
commit7511716c49b02a0507fc3f3cd1b0d9d4d0f21f36 (patch)
treef5046e36e9054497addf929ed8bd0bd11ab60f80
parent08679ccb240ae2b269d92302eaf4401dba5673e9 (diff)
downloadsos-7511716c49b02a0507fc3f3cd1b0d9d4d0f21f36.tar.gz
[networking] Nest namespace iteration inside namespace conditional
A CodeQL error alert was highlighted that the iptables predicates might be unset during execution of the plugin, which in turn could potentially cause the plugin to throw an exception. Fix this by nesting the iteration of command collections over namespaces that might use this predicate in the same conditional that defines the predicate. Related: #3066 Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
-rw-r--r--sos/report/plugins/networking.py87
1 files changed, 44 insertions, 43 deletions
diff --git a/sos/report/plugins/networking.py b/sos/report/plugins/networking.py
index 47038093..6095607f 100644
--- a/sos/report/plugins/networking.py
+++ b/sos/report/plugins/networking.py
@@ -184,7 +184,7 @@ class Networking(Plugin):
namespaces = self.get_network_namespaces(
self.get_option("namespace_pattern"),
self.get_option("namespaces"))
- if (namespaces):
+ if namespaces:
# 'ip netns exec <foo> iptables-save' must be guarded by nf_tables
# kmod, if 'iptables -V' output contains 'nf_tables'
# analogously for ip6tables
@@ -198,48 +198,49 @@ class Networking(Plugin):
if self.test_predicate(self,
pred=SoSPredicate(self, cmd_outputs=co6))
else None)
- for namespace in namespaces:
- _devs = self.devices['namespaced_network'][namespace]
- _subdir = "namespaces/%s" % namespace
- ns_cmd_prefix = cmd_prefix + namespace + " "
- self.add_cmd_output([
- ns_cmd_prefix + "ip -d address show",
- ns_cmd_prefix + "ip route show table all",
- ns_cmd_prefix + "ip -s -s neigh show",
- ns_cmd_prefix + "ip -4 rule list",
- ns_cmd_prefix + "ip -6 rule list",
- ns_cmd_prefix + "ip vrf show",
- ns_cmd_prefix + "netstat %s -neopa" % self.ns_wide,
- ns_cmd_prefix + "netstat -s",
- ns_cmd_prefix + "netstat %s -agn" % self.ns_wide,
- ns_cmd_prefix + "nstat -zas",
- ], priority=50, subdir=_subdir)
- self.add_cmd_output([ns_cmd_prefix + "iptables-save"],
- pred=iptables_with_nft,
- subdir=_subdir,
- priority=50)
- self.add_cmd_output([ns_cmd_prefix + "ip6tables-save"],
- pred=ip6tables_with_nft,
- subdir=_subdir,
- priority=50)
-
- ss_cmd = ns_cmd_prefix + "ss -peaonmi"
- # --allow-system-changes is handled directly in predicate
- # evaluation, so plugin code does not need to separately
- # check for it
- self.add_cmd_output(ss_cmd, pred=ss_pred, subdir=_subdir)
-
- # Collect ethtool commands only when ethtool_namespaces
- # is set to true.
- if self.get_option("ethtool_namespaces"):
- # Devices that exist in a namespace use less ethtool
- # parameters. Run this per namespace.
- self.add_device_cmd([
- ns_cmd_prefix + "ethtool %(dev)s",
- ns_cmd_prefix + "ethtool -i %(dev)s",
- ns_cmd_prefix + "ethtool -k %(dev)s",
- ns_cmd_prefix + "ethtool -S %(dev)s"
- ], devices=_devs['ethernet'], priority=50, subdir=_subdir)
+
+ for namespace in namespaces:
+ _devs = self.devices['namespaced_network'][namespace]
+ _subdir = "namespaces/%s" % namespace
+ ns_cmd_prefix = cmd_prefix + namespace + " "
+ self.add_cmd_output([
+ ns_cmd_prefix + "ip -d address show",
+ ns_cmd_prefix + "ip route show table all",
+ ns_cmd_prefix + "ip -s -s neigh show",
+ ns_cmd_prefix + "ip -4 rule list",
+ ns_cmd_prefix + "ip -6 rule list",
+ ns_cmd_prefix + "ip vrf show",
+ ns_cmd_prefix + "netstat %s -neopa" % self.ns_wide,
+ ns_cmd_prefix + "netstat -s",
+ ns_cmd_prefix + "netstat %s -agn" % self.ns_wide,
+ ns_cmd_prefix + "nstat -zas",
+ ], priority=50, subdir=_subdir)
+ self.add_cmd_output([ns_cmd_prefix + "iptables-save"],
+ pred=iptables_with_nft,
+ subdir=_subdir,
+ priority=50)
+ self.add_cmd_output([ns_cmd_prefix + "ip6tables-save"],
+ pred=ip6tables_with_nft,
+ subdir=_subdir,
+ priority=50)
+
+ ss_cmd = ns_cmd_prefix + "ss -peaonmi"
+ # --allow-system-changes is handled directly in predicate
+ # evaluation, so plugin code does not need to separately
+ # check for it
+ self.add_cmd_output(ss_cmd, pred=ss_pred, subdir=_subdir)
+
+ # Collect ethtool commands only when ethtool_namespaces
+ # is set to true.
+ if self.get_option("ethtool_namespaces"):
+ # Devices that exist in a namespace use less ethtool
+ # parameters. Run this per namespace.
+ self.add_device_cmd([
+ ns_cmd_prefix + "ethtool %(dev)s",
+ ns_cmd_prefix + "ethtool -i %(dev)s",
+ ns_cmd_prefix + "ethtool -k %(dev)s",
+ ns_cmd_prefix + "ethtool -S %(dev)s"
+ ], devices=_devs['ethernet'], priority=50, subdir=_subdir)
class RedHatNetworking(Networking, RedHatPlugin):
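Review bot: The re-nested `for namespace in namespaces:` loop carries no comment saying why it must stay inside the `if namespaces:` block, so a later tidy-up that dedents it would silently reintroduce the unbound `iptables_with_nft` / `ip6tables_with_nft` reference the commit is fixing; a one-line comment above the loop, `# Must stay inside 'if namespaces': the *_with_nft predicates are only bound there`, would pin the invariant. The enclosing method begins before this hunk, so `ss_pred` and `cmd_prefix` are presumably bound earlier; if `ss_pred` is ever defined under its own conditional the same CodeQL pattern would apply to the `ss -peaonmi` line. The lookup `self.devices['namespaced_network'][namespace]` assumes every name returned by `get_network_namespaces` is a key there — if the two are populated by separate enumerations, a `.get(namespace, {})`-style fallback would keep one missing namespace from aborting the whole plugin, though I cannot confirm from this hunk alone.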