|
 |
003633 |
From 7d5157aa5071e3620246e2d4aa80acb2d3ed30f0 Mon Sep 17 00:00:00 2001
|
|
|
003633 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
003633 |
Date: Tue, 28 Sep 2021 22:44:52 +0200
|
|
|
003633 |
Subject: [PATCH] [networking] prevent iptables-save commands to load nf_tables
|
|
|
003633 |
kmod
|
|
|
003633 |
|
|
|
003633 |
If iptables has built-in nf_tables kmod, then
|
|
|
003633 |
'ip netns <foo> iptables-save' command requires the kmod which must
|
|
|
003633 |
be guarded by predicate.
|
|
|
003633 |
|
|
|
003633 |
Analogously for ip6tables.
|
|
|
003633 |
|
|
|
003633 |
Resolves: #2703
|
|
|
003633 |
|
|
|
003633 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
003633 |
---
|
|
|
003633 |
sos/report/plugins/networking.py | 29 ++++++++++++++++++++++++-----
|
|
|
003633 |
1 file changed, 24 insertions(+), 5 deletions(-)
|
|
|
003633 |
|
|
|
003633 |
diff --git a/sos/report/plugins/networking.py b/sos/report/plugins/networking.py
|
|
|
003633 |
index c80ae719..1237f629 100644
|
|
|
003633 |
--- a/sos/report/plugins/networking.py
|
|
|
003633 |
+++ b/sos/report/plugins/networking.py
|
|
|
003633 |
@@ -182,22 +182,41 @@ class Networking(Plugin):
|
|
|
003633 |
# per-namespace.
|
|
|
003633 |
self.add_cmd_output("ip netns")
|
|
|
003633 |
cmd_prefix = "ip netns exec "
|
|
|
003633 |
- for namespace in self.get_network_namespaces(
|
|
|
003633 |
- self.get_option("namespace_pattern"),
|
|
|
003633 |
- self.get_option("namespaces")):
|
|
|
003633 |
+ namespaces = self.get_network_namespaces(
|
|
|
003633 |
+ self.get_option("namespace_pattern"),
|
|
|
003633 |
+ self.get_option("namespaces"))
|
|
|
003633 |
+ if (namespaces):
|
|
|
003633 |
+ # 'ip netns exec <foo> iptables-save' must be guarded by nf_tables
|
|
|
003633 |
+ # kmod, if 'iptables -V' output contains 'nf_tables'
|
|
|
003633 |
+ # analogously for ip6tables
|
|
|
003633 |
+ co = {'cmd': 'iptables -V', 'output': 'nf_tables'}
|
|
|
003633 |
+ co6 = {'cmd': 'ip6tables -V', 'output': 'nf_tables'}
|
|
|
003633 |
+ iptables_with_nft = (SoSPredicate(self, kmods=['nf_tables'])
|
|
|
003633 |
+ if self.test_predicate(self,
|
|
|
003633 |
+ pred=SoSPredicate(self, cmd_outputs=co))
|
|
|
003633 |
+ else None)
|
|
|
003633 |
+ ip6tables_with_nft = (SoSPredicate(self, kmods=['nf_tables'])
|
|
|
003633 |
+ if self.test_predicate(self,
|
|
|
003633 |
+ pred=SoSPredicate(self, cmd_outputs=co6))
|
|
|
003633 |
+ else None)
|
|
|
003633 |
+ for namespace in namespaces:
|
|
|
003633 |
ns_cmd_prefix = cmd_prefix + namespace + " "
|
|
|
003633 |
self.add_cmd_output([
|
|
|
003633 |
ns_cmd_prefix + "ip address show",
|
|
|
003633 |
ns_cmd_prefix + "ip route show table all",
|
|
|
003633 |
ns_cmd_prefix + "ip -s -s neigh show",
|
|
|
003633 |
ns_cmd_prefix + "ip rule list",
|
|
|
003633 |
- ns_cmd_prefix + "iptables-save",
|
|
|
003633 |
- ns_cmd_prefix + "ip6tables-save",
|
|
|
003633 |
ns_cmd_prefix + "netstat %s -neopa" % self.ns_wide,
|
|
|
003633 |
ns_cmd_prefix + "netstat -s",
|
|
|
003633 |
ns_cmd_prefix + "netstat %s -agn" % self.ns_wide,
|
|
|
003633 |
ns_cmd_prefix + "nstat -zas",
|
|
|
003633 |
], priority=50)
|
|
|
003633 |
+ self.add_cmd_output([ns_cmd_prefix + "iptables-save"],
|
|
|
003633 |
+ pred=iptables_with_nft,
|
|
|
003633 |
+ priority=50)
|
|
|
003633 |
+ self.add_cmd_output([ns_cmd_prefix + "ip6tables-save"],
|
|
|
003633 |
+ pred=ip6tables_with_nft,
|
|
|
003633 |
+ priority=50)
|
|
|
003633 |
|
|
|
003633 |
ss_cmd = ns_cmd_prefix + "ss -peaonmi"
|
|
|
003633 |
# --allow-system-changes is handled directly in predicate
|
|
|
003633 |
--
|
|
|
003633 |
2.31.1
|
|
|
003633 |
|