Compiled Python module (bytecode dump; only the embedded strings and names are recoverable)
Source path recorded in the bytecode: /usr/lib/python3.9/site-packages/sos/report/plugins/firewall_tables.py

Imports from sos.report.plugins: Plugin, IndependentPlugin, SoSPredicate

Class: FirewallTables

Class docstring:

    Collects information about local firewall tables, such as iptables,
    and nf_tables (via nft). Note that this plugin does _not_ collect
    firewalld information, which is handled by a separate plugin.

    Collections from this plugin are largely gated by the presence of
    relevant kernel modules - for example, the plugin will not collect the
    nf_tables ruleset if both the `nf_tables` and `nfnetlink` kernel modules
    are not currently loaded (unless using the --allow-system-changes option).

Class attributes:

    short_desc:  firewall tables
    plugin_name: firewall_tables
    profiles:    network, system
    files:       /etc/nftables
    kernel_mods: ip_tables, ip6_tables, nf_tables, nfnetlink, ebtables

Method: collect_iptable (arguments: self, tablename; locals: modname, cmd)

    Docstring: Collecting iptables rules for a table loads either kernel
    module of the table name (for kernel <= 3), or nf_tables (for
    kernel >= 4). If neither module is present, the rules must be empty.

    Strings: "iptable_", "iptables -t ", " -nvL", "nf_tables"
    Calls: add_cmd_output, SoSPredicate (keywords: kmods, pred)

Method: collect_ip6table (arguments: self, tablename; locals: modname, cmd)

    Docstring: Same as function above, but for ipv6

    Strings: "ip6table_", "ip6tables -t ", " -nvL", "nf_tables"
    Calls: add_cmd_output, SoSPredicate (keywords: kmods, pred)

Method: collect_nftables (local: nft_pred)

    Docstring: Collects nftables rulesets with 'nft' commands if the
    modules are present

    Strings: "nf_tables", "nfnetlink", "all", "nft -a list ruleset"
    Calls: SoSPredicate (keywords: kmods, required), collect_cmd_output (keywords: pred, changes)

Method: setup

    Strings: "ip", "ip6", "status", "output", "table", "mangle filter nat",
    "/proc/net/ip_tables_names", "/proc/net/ip6_tables_names", "r", "UTF-8",
    "filter", "iptables -vnxL", "iptable_filter", "ip6tables -vnxL",
    "ip6table_filter", "nf_tables"
    Copy specs: /etc/nftables, /etc/sysconfig/nftables.conf, /etc/nftables.conf
    Names referenced: collect_nftables, splitlines, split, len, append, open,
    read, IOError, collect_iptable, collect_ip6table, add_cmd_output,
    SoSPredicate, add_copy_spec
    Locals: nft_list, nft_ip_tables, nft_lines, line, words, default_ip_tables,
    proc_net_ip_tables, ifile, ip_tables_names, proc_net_ip6_tables, ipfile