From 7d5157aa5071e3620246e2d4aa80acb2d3ed30f0 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Tue, 28 Sep 2021 22:44:52 +0200

Subject: [PATCH] [networking] prevent iptables-save commands to load nf_tables

 kmod

If iptables has built-in nf_tables kmod, then

'ip netns <foo> iptables-save' command requires the kmod which must

be guarded by predicate.

Analogously for ip6tables.

Resolves: #2703

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/networking.py | 29 ++++++++++++++++++++++++-----

 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/sos/report/plugins/networking.py b/sos/report/plugins/networking.py

index c80ae719..1237f629 100644

--- a/sos/report/plugins/networking.py

+++ b/sos/report/plugins/networking.py

@@ -182,22 +182,41 @@ class Networking(Plugin):

         # per-namespace.

         self.add_cmd_output("ip netns")

         cmd_prefix = "ip netns exec "

-        for namespace in self.get_network_namespaces(

-                            self.get_option("namespace_pattern"),

-                            self.get_option("namespaces")):

+        namespaces = self.get_network_namespaces(

+                self.get_option("namespace_pattern"),

+                self.get_option("namespaces"))

+        if (namespaces):

+            # 'ip netns exec <foo> iptables-save' must be guarded by nf_tables

+            # kmod, if 'iptables -V' output contains 'nf_tables'

+            # analogously for ip6tables

+            co = {'cmd': 'iptables -V', 'output': 'nf_tables'}

+            co6 = {'cmd': 'ip6tables -V', 'output': 'nf_tables'}

+            iptables_with_nft = (SoSPredicate(self, kmods=['nf_tables'])

+                                 if self.test_predicate(self,

+                                 pred=SoSPredicate(self, cmd_outputs=co))

+                                 else None)

+            ip6tables_with_nft = (SoSPredicate(self, kmods=['nf_tables'])

+                                  if self.test_predicate(self,

+                                  pred=SoSPredicate(self, cmd_outputs=co6))

+                                  else None)

+        for namespace in namespaces:

             ns_cmd_prefix = cmd_prefix + namespace + " "

             self.add_cmd_output([

                 ns_cmd_prefix + "ip address show",

                 ns_cmd_prefix + "ip route show table all",

                 ns_cmd_prefix + "ip -s -s neigh show",

                 ns_cmd_prefix + "ip rule list",

-                ns_cmd_prefix + "iptables-save",

-                ns_cmd_prefix + "ip6tables-save",

                 ns_cmd_prefix + "netstat %s -neopa" % self.ns_wide,

                 ns_cmd_prefix + "netstat -s",

                 ns_cmd_prefix + "netstat %s -agn" % self.ns_wide,

                 ns_cmd_prefix + "nstat -zas",

             ], priority=50)

+            self.add_cmd_output([ns_cmd_prefix + "iptables-save"],

+                                pred=iptables_with_nft,

+                                priority=50)

+            self.add_cmd_output([ns_cmd_prefix + "ip6tables-save"],

+                                pred=ip6tables_with_nft,

+                                priority=50)

             ss_cmd = ns_cmd_prefix + "ss -peaonmi"

             # --allow-system-changes is handled directly in predicate

-- 

2.31.1