U -_gC@s*ddlmZmZmZGdddeeZdS))PluginIndependentPlugin SoSPredicatec@sDeZdZdZdZdZdZdZdZddZ d d Z d d Z d dZ dS)FirewallTablesaCollects information about local firewall tables, such as iptables, and nf_tables (via nft). Note that this plugin does _not_ collect firewalld information, which is handled by a separate plugin. Collections from this plugin are largely gated byt the presence of relevant kernel modules - for example, the plugin will not collect the nf_tables ruleset if both the `nf_tables` and `nfnetlink` kernel modules are not currently loaded (unless using the --allow-system-changes option). zfirewall tablesZfirewall_tables)Znetworksystem) /etc/nftables)Z ip_tablesZ ip6_tables nf_tables nfnetlinkZebtablescCs2d|}d|d}|j|t||dgdddS)z Collecting iptables rules for a table loads either kernel module of the table name (for kernel <= 3), or nf_tables (for kernel >= 4). If neither module is present, the rules must be empty.Ziptable_z iptables -t  -nvLrkmodspredNadd_cmd_outputrselfZ tablenamemodnamecmdrD/usr/lib/python3/dist-packages/sos/report/plugins/firewall_tables.pycollect_iptables  zFirewallTables.collect_iptablecCs2d|}d|d}|j|t||dgdddS)z& Same as function above, but for ipv6 Z ip6table_z ip6tables -t r rr r Nrrrrrcollect_ip6table*s  zFirewallTables.collect_ip6tablecCs&t|ddgddid}|jd|ddS) zS Collects nftables rulesets with 'nft' commands if the modules are present rr r all)r Zrequiredznft -a list rulesetT)rZchanges)rZcollect_cmd_output)rZnft_predrrrcollect_nftables3szFirewallTables.collect_nftablesc Cs|}ggd}|ddkr&|dnd}|D]N}|dd}t|dkr2|ddkr2|d|kr2||d|d q2d }z*d }t|d d d}|} W5QRXWntk r|} YnX| D]&} |ddkr| |dkr|| qz*d} t| d d d} | } W5QRXWntk r>|} YnX| D],} |ddkrH| |dkrH| | qH|ddksd|dkr|j dt |ddgdd|ddksd|dkr|j dt |ddgdd| dddgdS)N)ipip6Zstatusroutputtablezmangle filter nat z/proc/net/ip_tables_namesrzUTF-8)encodingrz/proc/net/ip6_tables_namesrfilterziptables -vnxLZiptable_filterrr r zip6tables -vnxLZip6table_filterrz/etc/sysconfig/nftables.confz/etc/nftables.conf) r splitlinessplitlenappendopenreadIOErrorrrrrZ add_copy_spec) rZnft_listZ nft_ip_tablesZ nft_lineslineZwordsZdefault_ip_tablesZproc_net_ip_tablesZifileZip_tables_namesr Zproc_net_ip6_tablesZipfilerrrsetup>sV        zFirewallTables.setupN) __name__ __module__ __qualname____doc__Z short_descZ plugin_nameZprofilesfilesZ kernel_modsrrrr.rrrrr s    rN)Zsos.report.pluginsrrrrrrrr s