From dc75ac0406c37f227eace6991739f20d78ae01e9 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 29 Mar 2022 09:03:43 +0200
Subject: [PATCH] use nft is available and ignore iptables errors
---
 CHANGELOG | 2 +
 dump-server-state.sh | 95 +++++++++++++++++++++++++-------------------
 2 files changed, 56 insertions(+), 41 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index a278137..85840a4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
+use nft is available and ignore iptables errors
+
 ### Fixed
 ### Removed
diff --git a/dump-server-state.sh b/dump-server-state.sh
index 0a779d3..54c7687 100644
--- a/dump-server-state.sh
+++ b/dump-server-state.sh
@@ -425,52 +425,65 @@ task_iptables() {
 debug "Task: iptables"
 iptables_bin=$(command -v iptables)
+
+ if [ -n "${iptables_bin}" ]; then
+ last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${dump_dir}/iptables-v.txt")
+ last_rc=$?
+
+ if [ ${last_rc} -eq 0 ]; then
+ debug "* iptables -v OK"
+ else
+ debug "* iptables -v ERROR"
+ debug "${last_result}"
+ # Ignore errors because we don't know if this is nft related or a real error
+ # rc=10
+ fi
+
+ last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } > "${dump_dir}/iptables.txt")
+ last_rc=$?
+
+ if [ ${last_rc} -eq 0 ]; then
+ debug "* iptables OK"
+ else
+ debug "* iptables ERROR"
+ debug "${last_result}"
+ # Ignore errors because we don't know if this is nft related or a real error
+ # rc=10
+ fi
+ else
+ debug "* iptables not found"
+ fi
+
+ iptables_save_bin=$(command -v iptables-save)
+
+ if [ -n "${iptables_save_bin}" ]; then
+ last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt")
+ last_rc=$?
+
+ if [ ${last_rc} -eq 0 ]; then
+ debug "* iptables-save OK"
+ else
+ debug "* iptables-save ERROR"
+ debug "${last_result}"
+ # Ignore errors because we don't know if this is nft related or a real error
+ # rc=10
+ fi
+ else
+ debug "* iptables-save not found"
+ fi
+
 nft_bin=$(command -v nft)
 if [ -n "${nft_bin}" ]; then
- debug "* nft found, skip iptables"
- else
- if [ -n "${iptables_bin}" ]; then
- last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } >> "${dump_dir}/iptables-v.txt")
- last_rc=$?
+ last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt")
+ last_rc=$?
- if [ ${last_rc} -eq 0 ]; then
- debug "* iptables -v OK"
- else
- debug "* iptables -v ERROR"
- debug "${last_result}"
- rc=10
- fi
-
- last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } >> "${dump_dir}/iptables.txt")
- last_rc=$?
-
- if [ ${last_rc} -eq 0 ]; then
- debug "* iptables OK"
- else
- debug "* iptables ERROR"
- debug "${last_result}"
- rc=10
- fi
+ if [ ${last_rc} -eq 0 ]; then
+ debug "* nft ruleset OK"
 else
- debug "* iptables not found"
- fi
-
- iptables_save_bin=$(command -v iptables-save)
-
- if [ -n "${iptables_save_bin}" ]; then
- last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt")
- last_rc=$?
-
- if [ ${last_rc} -eq 0 ]; then
- debug "* iptables-save OK"
- else
- debug "* iptables-save ERROR"
- debug "${last_result}"
- rc=10
- fi
- else
- debug "* iptables-save not found"
+ debug "* nft ruleset ERROR"
+ debug "${last_result}"
+ rc=10
 fi
 fi
 }
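Review bot: The `# rc=10` suppression in the three iptables ERROR branches is unconditional, so on a host with no nft at all a failing `iptables -L` or `iptables-save` leaves an empty or partial dump while the task still reports success, silently dropping the firewall ruleset from the state snapshot; the comment says the suppression exists only because nft might be the cause, so test for that instead: hoist `nft_bin=$(command -v nft)` above the iptables block and replace each `# rc=10` with `[ -n "${nft_bin}" ] || rc=10`. Separately, in every `last_result=$(… > "${dump_dir}/…")` capture, including the new `nft list ruleset` one, stdout is already redirected into the file and stderr is not captured, so `last_result` is always empty and the `debug "${last_result}"` after an ERROR prints nothing; write `last_result=$(… 2>&1 > "${dump_dir}/…")` so the captured text is the command's stderr. `${iptables_bin}`, `${iptables_save_bin}` and `${nft_bin}` are also expanded unquoted, and quoting them costs nothing. task_iptables opens on the function line shown in the hunk header, so its start lies just outside the hunk.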