Use nftables when we can

nftables content will contain all of iptables - especially starting cs8,
where iptables is a compatibility wrapper for nftables (true name:
iptables-nft).

In addition, getting a dedicated file for nftables content makes things
easier to read, especially with the nftables output (think "json", more
or less).

Notes:
- iptables will still be called if the system can't find the
  "nft" binary.
- this patch will be especially important once [1] gets in, since
  iptables will NOT see any of the nftables rules.

[1] https://review.opendev.org/c/openstack/tripleo-ansible/+/841414

Change-Id: Icba6b51ba5480091adcd2e010c9e34c049216c22
Cédric Jeanneret 2022-05-24 14:19:56 +02:00 committed by Cedric Jeanneret
parent 5f1069ba9a
commit ea02074571
1 changed files with 9 additions and 6 deletions


@ -14,13 +14,16 @@
ip -${ipv} a &>> /var/log/extra/network.txt;
echo "### IPv${ipv} routing" >> /var/log/extra/network.txt;
ip -${ipv} r &>> /var/log/extra/network.txt;
echo "### IPTables (IPv${ipv})" &>> /var/log/extra/network.txt;
test $ipv -eq 4 && iptables-save &>> /var/log/extra/network.txt;
test $ipv -eq 6 && ip6tables-save &>> /var/log/extra/network.txt;
echo "### IPTables Stats (IPv${ipv})" &>> /var/log/extra/network.txt;
test $ipv -eq 4 && iptables -vnL &>> /var/log/extra/network.txt;
test $ipv -eq 6 && ip6tables -vnL &>> /var/log/extra/network.txt;
if [[ ! $(command -v nft) ]]; then
echo "### IPTables (IPv${ipv})" &>> /var/log/extra/network.txt;
test $ipv -eq 4 && iptables-save &>> /var/log/extra/network.txt;
test $ipv -eq 6 && ip6tables-save &>> /var/log/extra/network.txt;
echo "### IPTables Stats (IPv${ipv})" &>> /var/log/extra/network.txt;
test $ipv -eq 4 && iptables -vnL &>> /var/log/extra/network.txt;
test $ipv -eq 6 && ip6tables -vnL &>> /var/log/extra/network.txt;
fi
done;
command -v nft && nft list ruleset &>/var/log/extra/nftables.txt;
(for NS in $(ip netns list | cut -f 1 -d " "); do
for ipv in 4 6; do
echo "==== $NS (${ipv})====";
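Review bot: the new guard `if [[ ! $(command -v nft) ]]; then` skips the iptables-save and iptables -vnL capture entirely whenever an nft binary exists, but the commit message only establishes that nft is a superset on cs8 where iptables is iptables-nft; on a host that has nft installed yet still loads rules through the legacy iptables backend, those rules end up in neither network.txt nor nftables.txt. Since the capture is cheap and this is diagnostic collection, consider keeping the iptables block unconditional, or guard it on the actual backend (`iptables -V` reports `(nf_tables)` or `(legacy)`) rather than on the presence of the nft binary. Two smaller points on `command -v nft && nft list ruleset &>/var/log/extra/nftables.txt;`: the redirection covers only `nft list ruleset`, so the path printed by `command -v nft` leaks into the script's stdout (prefer `command -v nft >/dev/null 2>&1 && ...`, and the same `! command -v nft >/dev/null 2>&1` form is the idiomatic test for the `if` above), and `&>` truncates where the rest of the script uses `&>>`, which is only correct as long as this line stays outside the loop, so a short comment saying so would help the next reader.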