From 31e0467885ef3986b476ea070941a786b426f298 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Fri, 8 May 2020 14:06:41 +0200
Subject: [PATCH] [networking] collect iptables when proper kernel modules
loaded
Since kernel-4, iptables / ip6tables is newly provided by nf_tables
kernel module. Therefore, collecting ip[,6]tables commands should
also be gated by the presence of this kernel module.
Resolves: #2054
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
Signed-off-by: Bryan Quigley <bryan.quigley@canonical.com>
---
sos/plugins/networking.py | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
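diff --git a/sos/plugins/networking.py b/sos/plugins/networking.py
index cac6ccca..5230303d 100644
--- a/sos/plugins/networking.py
+++ b/sos/plugins/networking.py
@@ -35,22 +35,24 @@ class Networking(Plugin):
 ns_wide = "-W"
 
 def collect_iptable(self, tablename):
- """ When running the iptables command, it unfortunately auto-loads
- the modules before trying to get output. Some people explicitly
- don't want this, so check if the modules are loaded before running
- the command. If they aren't loaded, there can't possibly be any
- relevant rules in that table """
+ """ Collecting iptables rules for a table loads either kernel module
+ of the table name (for kernel <= 3), or nf_tables (for kernel >= 4).
+ If neither module is present, the rules must be empty."""
 
 modname = "iptable_" + tablename
 cmd = "iptables -t " + tablename + " -nvL"
- self.add_cmd_output(cmd, pred=SoSPredicate(self, kmods=[modname]))
+ self.add_cmd_output(
+ cmd,
+ pred=SoSPredicate(self, kmods=[modname, 'nf_tables']))
 
 def collect_ip6table(self, tablename):
 """ Same as function above, but for ipv6 """
 
 modname = "ip6table_" + tablename
 cmd = "ip6tables -t " + tablename + " -nvL"
- self.add_cmd_output(cmd, pred=SoSPredicate(self, kmods=[modname]))
+ self.add_cmd_output(
+ cmd,
+ pred=SoSPredicate(self, kmods=[modname, 'nf_tables']))
 
 def collect_nftables(self):
 """ Collects nftables rulesets with 'nft' commands if the modules
@@ -151,16 +153,17 @@ class Networking(Plugin):
 self.add_cmd_output(ss_cmd, pred=ss_pred, changes=True)
 
 # When iptables is called it will load the modules
- # iptables and iptables_filter if they are not loaded.
+ # iptables_filter (for kernel <= 3) or
+ # nf_tables (for kernel >= 4) if they are not loaded.
 # The same goes for ipv6.
 self.add_cmd_output(
 "iptables -vnxL",
- pred=SoSPredicate(self, kmods=['iptable_filter'])
+ pred=SoSPredicate(self, kmods=['iptable_filter', 'nf_tables'])
 )
 
 self.add_cmd_output(
 "ip6tables -vnxL",
- pred=SoSPredicate(self, kmods=['ip6table_filter'])
+ pred=SoSPredicate(self, kmods=['ip6table_filter', 'nf_tables'])
 )
 
 # Get ethtool output for every device that does not exist in a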
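Review bot: In `collect_iptable` and `collect_ip6table` the new `kmods=[modname, 'nf_tables']` predicate appears to pass when either module is loaded (assuming SoSPredicate matches kmods as "any" by default, which this page does not show). If so, a host with `nf_tables` loaded but a legacy iptables binary would still run `iptables -t <table> -nvL` and auto-load `iptable_<table>`, the side effect this gate exists to prevent. The docstring ties the backend to the kernel version, although it likely depends on which iptables variant is installed; at minimum add a comment such as `# nf_tables loaded does not prove iptables uses the nft backend; a legacy binary may still load iptable_<table>`. The same applies to the `iptables -vnxL` and `ip6tables -vnxL` calls in the second hunk, whose enclosing function starts and ends outside the hunk. Loading netfilter modules during collection changes the state of the host being diagnosed, so the gate is worth keeping strict.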
--
2.21.3