Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add compatibility with netfilter backend #30

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add compatibility with netfilter backend #30

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f25b58e
Update iptables_raw.py
networkhell Feb 14, 2020
c1fd9a4
Update iptables_raw.py
networkhell Feb 14, 2020
445ff12
Make module compatible with nftables
networkhell Feb 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 54 additions & 16 deletions iptables_raw.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-

# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
Expand Down Expand Up @@ -293,6 +292,8 @@ class Iptables:
module = None

def __init__(self, module, ipversion):
# make ipversion available to all functions
self._ipversion = ipversion
# Create directory for json files.
if not os.path.exists(self.STATE_DIR):
os.makedirs(self.STATE_DIR)
Expand All @@ -302,7 +303,6 @@ def __init__(self, module, ipversion):
self.system_save_path = self._get_system_save_path(ipversion)
self.state_dict = self._read_state_file()
self.bins = self._get_bins(ipversion)
self.iptables_names_file = self._get_iptables_names_file(ipversion)
# Check if we have a required iptables version.
self._check_compatibility()
# Save active iptables rules for all tables, so that we don't
Expand All @@ -320,25 +320,63 @@ def _get_bins(self, ipversion):
if ipversion == '4':
return {'iptables': Iptables.module.get_bin_path('iptables'),
'iptables-save': Iptables.module.get_bin_path('iptables-save'),
'iptables-restore': Iptables.module.get_bin_path('iptables-restore')}
'iptables-restore': Iptables.module.get_bin_path('iptables-restore'),
'nft': Iptables.module.get_bin_path('nft') }
else:
return {'iptables': Iptables.module.get_bin_path('ip6tables'),
'iptables-save': Iptables.module.get_bin_path('ip6tables-save'),
'iptables-restore': Iptables.module.get_bin_path('ip6tables-restore')}

def _get_iptables_names_file(self, ipversion):
if ipversion == '4':
return '/proc/net/ip_tables_names'
else:
return '/proc/net/ip6_tables_names'

# Return a list of active iptables tables
'iptables-restore': Iptables.module.get_bin_path('ip6tables-restore'),
'nft': Iptables.module.get_bin_path('nft') }

# return list of active tables
# detect if nftables is installed - support for nftables
def _get_list_of_active_tables(self):
if os.path.isfile(self.iptables_names_file):
table_names = open(self.iptables_names_file, 'r').read()
return table_names.splitlines()
if self.bins['nft']:
cmd = [self.bins['nft'], '-v']
rc, stdout, stderr = Iptables.module.run_command(cmd, check_rc=False)
if rc == 0:
if self._ipversion == '4':
cmd = [self.bins['nft'], 'list', 'tables', 'ip', '-j']
rc, stdout, stderr = Iptables.module.run_command(cmd, check_rc=False)
jsonout = json.loads(stdout)
if rc == 0:
if len(jsonout['nftables']) > 0:
table_names = []
for table in jsonout['nftables']:
table_names.append(table['table']['name'])
return table_names
else:
return self.TABLES
else:
cmd = [self.bins['nft'], 'list', 'tables', 'ip6', '-j']
rc, stdout, stderr = Iptables.module.run_command(cmd, check_rc=False)
jsonout = json.loads(stdout)
if rc == 0:
if len(jsonout['nftables']) > 0:
table_names = []
for table in jsonout['nftables']:
table_names.append(table['table']['name'])
return table_names
else:
return self.TABLES
# assume that no nftables is used --> netfilter fallback
else:
return []
if self._ipversion == '4':
iptables_names_file = '/proc/net/ip_tables_names'
if os.path.isfile(iptables_names_file):
table_names = open(iptables_names_file, 'r').read()
if table_names:
return table_names.splitlines()
else:
return self.TABLES
else:
iptables_names_file = '/proc/net/ip6_tables_names'
if os.path.isfile(iptables_names_file):
table_names = open(iptables_names_file, 'r').read()
if table_names:
return table_names.splitlines()
else:
return self.TABLES

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return []

I think a catch-all return [] might be needed. I saw this error on a fresh Debian 10 system.

Traceback (most recent call last):
  File "/tmp/.ansible-root/tmp/ansible-tmp-1594066148.433582-31501-31867424992637/AnsiballZ_iptables_raw.py", line 102, in <module>
    _ansiballz_main()
  File "/tmp/.ansible-root/tmp/ansible-tmp-1594066148.433582-31501-31867424992637/AnsiballZ_iptables_raw.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/tmp/.ansible-root/tmp/ansible-tmp-1594066148.433582-31501-31867424992637/AnsiballZ_iptables_raw.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible.modules.iptables_raw', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib/python2.7/runpy.py", line 188, in run_module
    fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/tmp/ansible_iptables_raw_payload_nhVmBN/ansible_iptables_raw_payload.zip/ansible/modules/iptables_raw.py", line 1125, in <module>
  File "/tmp/ansible_iptables_raw_payload_nhVmBN/ansible_iptables_raw_payload.zip/ansible/modules/iptables_raw.py", line 1017, in main
  File "/tmp/ansible_iptables_raw_payload_nhVmBN/ansible_iptables_raw_payload.zip/ansible/modules/iptables_raw.py", line 311, in __init__
  File "/tmp/ansible_iptables_raw_payload_nhVmBN/ansible_iptables_raw_payload.zip/ansible/modules/iptables_raw.py", line 567, in _refresh_active_rules
  File "/tmp/ansible_iptables_raw_payload_nhVmBN/ansible_iptables_raw_payload.zip/ansible/modules/iptables_raw.py", line 582, in _get_system_active_rules
TypeError: argument of type 'NoneType' is not iterable

# If /etc/debian_version exist, this means this is a debian based OS (Ubuntu, Mint, etc...)
def _is_debian(self):
Expand Down