관리-도구

편집 파일: firewall_tables.cpython-39.opt-1.pyc

����-�_gC����������������������@���s*���d�dl�mZmZmZ�G�dd��dee�ZdS�)�����)�Plugin�IndependentPlugin�SoSPredicatec�������������������@���sD���e�Zd�ZdZdZdZdZdZdZdd��Z	d	d
��Z
dd��Zd
d��ZdS�)�FirewallTablesa���Collects information about local firewall tables, such as iptables,
    and nf_tables (via nft). Note that this plugin does _not_ collect firewalld
    information, which is handled by a separate plugin.

Collections from this plugin are largely gated byt the presence of relevant
    kernel modules - for example,  the plugin will not collect the nf_tables
    ruleset if both the `nf_tables` and `nfnetlink` kernel modules are not
    currently loaded (unless using the --allow-system-changes option).
    zfirewall tablesZfirewall_tables)�network�system)�
/etc/nftables)Z	ip_tablesZ
ip6_tables�	nf_tables�	nfnetlinkZebtablesc�����������������C���s2���d|�}d|�d�}|�j�|t|�|dgd�d��dS�)z� Collecting iptables rules for a table loads either kernel module
        of the table name (for kernel <= 3), or nf_tables (for kernel >= 4).
        If neither module is present, the rules must be empty.Ziptable_ziptables -t � -nvLr	�����kmods��predN��add_cmd_outputr�����selfZ	tablename�modname�cmd��r����F/usr/lib/python3.9/site-packages/sos/report/plugins/firewall_tables.py�collect_iptable���s�����zFirewallTables.collect_iptablec�����������������C���s2���d|�}d|�d�}|�j�|t|�|dgd�d��dS�)z& Same as function above, but for ipv6 Z	ip6table_z
ip6tables -t r���r	���r���r���Nr���r���r���r���r����collect_ip6table*���s�����zFirewallTables.collect_ip6tablec�����������������C���s&���t�|�ddgddid�}|�jd|dd�S�)	zS Collects nftables rulesets with 'nft' commands if the modules
        are present r	���r
���r
����all)r
����requiredznft -a list rulesetT)r���Zchanges)r���Zcollect_cmd_output)r���Znft_predr���r���r����collect_nftables3���s������zFirewallTables.collect_nftablesc�����������
������C���s��|�����}g�g�d�}|d�dkr&|d�nd}|���D�]N}|���dd��}t|�dkr2|d�dkr2|d�|v�r2||d���|d	���q2d
}z>d}t|dd
d��}|���}	W�d�����n1�s�0����Y��W�n�ty����|}	Y�n0�|	���D�]&}
|d�dkr�|
|d�v�r�|��|
��q�z@d}t|dd
d��}|���}	W�d�����n1��s@0����Y��W�n�t�yd���|}	Y�n0�|	���D�],}
|d�dk�rn|
|d�v��rn|��	|
���qn|d�dk�s�d|d�v��r�|�j
dt|�ddgd�d��|d�dk�s�d|d�v��r|�j
dt|�ddgd�d��|��g�d���d�S�)N)�ip�ip6�statusr����output�������table��������zmangle
filter
nat
z/proc/net/ip_tables_names�rzUTF-8)�encodingr���z/proc/net/ip6_tables_namesr����filterziptables -vnxLZiptable_filterr	���r���r���zip6tables -vnxLZip6table_filter)r���z/etc/sysconfig/nftables.confz/etc/nftables.conf)
r����
splitlines�split�len�append�open�read�IOErrorr���r���r���r���Z
add_copy_spec)
r���Znft_listZ
nft_ip_tablesZ	nft_lines�line�wordsZdefault_ip_tablesZproc_net_ip_tablesZifileZip_tables_namesr#���Zproc_net_ip6_tablesZipfiler���r���r����setup>���sN����

�*
,
��zFirewallTables.setupN)
�__name__�
__module__�__qualname__�__doc__Z
short_descZplugin_nameZprofiles�filesZkernel_modsr���r���r���r2���r���r���r���r���r������s���
	r���N)Zsos.report.pluginsr���r���r���r���r���r���r���r����<module>	���s���