o * b@s*ddlmZmZmZGdddeeZdS))PluginIndependentPlugin SoSPredicatec@s8eZdZdZdZdZddZddZddZd d Z d S) firewall_tableszfirewall tables)ZnetworksystemcC2d|}d|d}|j|t||dgdddS)z Collecting iptables rules for a table loads either kernel module of the table name (for kernel <= 3), or nf_tables (for kernel >= 4). If neither module is present, the rules must be empty.Ziptable_z iptables -t  -nvL nf_tableskmodspredNadd_cmd_outputrselfZ tablenamemodnamecmdrD/usr/lib/python3/dist-packages/sos/report/plugins/firewall_tables.pycollect_iptables   zfirewall_tables.collect_iptablecCr)z& Same as function above, but for ipv6 Z ip6table_z ip6tables -t rr r r Nrrrrrcollect_ip6tables   z firewall_tables.collect_ip6tablecCs&t|ddgddid}|jd|ddS) zS Collects nftables rulesets with 'nft' commands if the modules are present r Z nfnetlinkr all)r requiredznft list rulesetT)r Zchanges)rZcollect_cmd_output)rZnft_predrrrcollect_nftables'sz firewall_tables.collect_nftablesc Cs|}ggd}|ddkr|dnd}|D])}|dd}t|dkrB|ddkrB|d|vrB||d|d qd }ztd }Wn tyX|}Ynw|D]}|ddkrp||d vrp| |q]ztd }Wn ty|}Ynw|D]}|ddkr||dvr| |q|ddksd|d vr|j dt |ddgdd|ddksd|dvr|j dt |ddgdd| gddS)N)ipip6statusroutputtablezmangle filter z/proc/net/ip_tables_namesrz/proc/net/ip6_tables_namesrfilterziptables -vnxLZiptable_filterr r r zip6tables -vnxLZip6table_filter)z /etc/nftablesz/etc/sysconfig/nftables.confz/etc/nftables.conf)r splitlinessplitlenkeysappendopenreadIOErrorrrrrZ add_copy_spec) rZnft_listZ nft_ip_tablesZ nft_lineslineZwordsZdefault_ip_tablesZip_tables_namesr!rrrsetup2sP        zfirewall_tables.setupN) __name__ __module__ __qualname__Z short_descZ plugin_nameZprofilesrrrr.rrrrr s  rN)Zsos.report.pluginsrrrrrrrrs