From c9157be3fe0bdcc3fb54855056e1cebe94e4dcd5 Mon Sep 17 00:00:00 2001 From: Lars Kruse Date: Sat, 24 Feb 2018 22:58:04 +0100 Subject: [PATCH] iptables-related plugins: use "-w" for consistent results The parameter "-w" forces iptables to wait for a lock before printing data. The parameter requires iptables 1.6 (released 2015). See https://github.com/munin-monitoring/munin/issues/586 --- plugins/accounting/accounting_ | 22 +++++++++++----------- plugins/ip6/ip6_ | 8 ++++---- plugins/ip6/ip6t_accounting | 4 ++-- plugins/network/fwbuilder_ | 8 ++++---- plugins/network/ipt_accounting_ | 8 ++++---- plugins/network/ipt_basic_ | 8 ++++---- plugins/network/traffic_ipt | 4 ++-- 7 files changed, 31 insertions(+), 31 deletions(-) diff --git a/plugins/accounting/accounting_ b/plugins/accounting/accounting_ index f6fd2116..7628d3a2 100644 --- a/plugins/accounting/accounting_ +++ b/plugins/accounting/accounting_ @@ -115,7 +115,7 @@ fi if [ "$1" == "autoconf" ]; then if [ -r /proc/net/dev ]; then - $IPTABLES -L INPUT -v -n -x >/dev/null 2>/dev/null + $IPTABLES -L INPUT -v -n -x -w >/dev/null 2>/dev/null if [ $? -gt 0 ]; then echo "no (could not run iptables as user `whoami`)" exit 1 
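Review bot: On a host whose iptables does not accept `-w`, the autoconf probe in this hunk fails with its stderr discarded, and the plugin answers "no (could not run iptables as user ...)". That points the operator at permissions rather than at the version requirement the commit message states. The autoconf hunks in ip6_, fwbuilder_ and ipt_accounting_ behave the same way, while ipt_basic_ already keeps the error text in `RES`. Consider capturing it here too, e.g. `RES=$($IPTABLES -L INPUT -v -n -x -w 2>&1 >/dev/null)`, and printing `$RES` inside the "no (...)" message. The enclosing `if` block continues outside the hunk.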
@@ -132,11 +132,11 @@ fi if [ "$1" = "suggest" ]; then if [ $PROTO = "ipv4" ]; then - $IPTABLES -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p' - $IPTABLES -L OUTPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p' + $IPTABLES -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p' + $IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p' elif [ $PROTO == "ipv6" ]; then - $IPTABLES -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p' - $IPTABLES -L OUTPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p' + $IPTABLES -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p' + $IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p' fi exit 0 
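Review bot: The sed replacement on the four changed lines starts with a stray backslash (`\ipv4_\1`, `\ipv6_\1`). POSIX leaves `\i` in a replacement unspecified, so the output depends on the sed in use treating it as a plain `i`. Writing `ipv4_\1` and `ipv6_\1` should give the same result without that dependency. Because stderr goes to `2>/dev/null`, a failing listing (including an iptables that rejects `-w`) makes `suggest` print nothing and still exit 0.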
@@ -192,12 +192,12 @@ if [ "$1" = "config" ]; then fi; echo 'multigraph '${0##*/}'_in' -$IPTABLES -L INPUT -v -n -x | grep "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \*\/" | tr -s '*' '-' | awk "{ print \"tcpIN.value \" \$2 }" -$IPTABLES -L INPUT -v -n -x | grep "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \*\/" | tr -s '*' '-' | awk "{ print \"udpIN.value \" \$2 }" -$IPTABLES -L INPUT -v -n -x | grep "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \*\/" | tr -s '*' '-' | awk "{ print \"icmpIN.value \" \$2 }" +$IPTABLES -L INPUT -v -n -x -w | grep "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \*\/" | tr -s '*' '-' | awk "{ print \"tcpIN.value \" \$2 }" +$IPTABLES -L INPUT -v -n -x -w | grep "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \*\/" | tr -s '*' '-' | awk "{ print \"udpIN.value \" \$2 }" +$IPTABLES -L INPUT -v -n -x -w | grep "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \*\/" | tr -s '*' '-' | awk "{ print \"icmpIN.value \" \$2 }" echo echo 'multigraph '${0##*/}'_out' -$IPTABLES -L OUTPUT -v -n -x | grep "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \*\/" | tr -s '*' '-' | awk "{ print \"tcpOUT.value \" \$2 }" -$IPTABLES -L OUTPUT -v -n -x | grep "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \*\/" | tr -s '*' '-' | awk "{ print \"udpOUT.value \" \$2 }" -$IPTABLES -L OUTPUT -v -n -x | grep "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \*\/" | tr -s '*' '-' | awk "{ print \"icmpOUT.value \" \$2 }" +$IPTABLES -L OUTPUT -v -n -x -w | grep "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \*\/" | tr -s '*' '-' | awk "{ print \"tcpOUT.value \" \$2 }" +$IPTABLES -L OUTPUT -v -n -x -w | grep "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \*\/" | tr -s '*' '-' | awk "{ print \"udpOUT.value \" \$2 }" +$IPTABLES -L OUTPUT -v -n -x -w | grep "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \*\/" | tr -s '*' '-' | awk "{ print \"icmpOUT.value \" \$2 }" diff --git a/plugins/ip6/ip6_ b/plugins/ip6/ip6_ index 099de58c..20408378 100755 --- a/plugins/ip6/ip6_ +++ b/plugins/ip6/ip6_ 
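Review bot: The six fetch lines each start their own iptables process, so each waits for the xtables lock separately, and `-w` without a seconds argument waits with no upper bound. The counters are also read at six different moments. Listing each chain once and filtering the saved text gives consistent values with two lock acquisitions, e.g. `in_rules=$($IPTABLES -L INPUT -v -n -x -w) || exit 1`, then `printf '%s\n' "$in_rules" | grep …` for tcp, udp and icmp. If the supported iptables versions accept it, a bounded wait such as `-w 5` would keep a stuck lock holder from stalling the plugin until whatever timeout munin-node applies. The fetch lines in ip6_, fwbuilder_, ipt_accounting_, ipt_basic_ and traffic_ipt follow the same pattern.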
@@ -28,7 +28,7 @@ IP=`basename $0 | sed 's/^ip6_//g' | tr '_' ':' ` if [ "$1" = "autoconf" ]; then if [ -r /proc/net/dev ]; then - ip6tables -L INPUT -v -n -x >/dev/null 2>/dev/null + ip6tables -L INPUT -v -n -x -w >/dev/null 2>/dev/null if [ $? -gt 0 ]; then echo "no (could not run ip6tables as user `whoami`)" exit 1 @@ -43,7 +43,7 @@ if [ "$1" = "autoconf" ]; then fi if [ "$1" = "suggest" ]; then - ip6tables -L INPUT -v -n -x 2>/dev/null | awk --posix '$8 ~ /^([0-9a-f]{1,4}(\:|\:\:)){1,7}([0-9a-f]{1,4})\/([0-9]{1,3})$/ { if (done[$8]!=1) {print $8; done[$8]=1;}}'|sed "s#/[0-9]\{1,3\}##" + ip6tables -L INPUT -v -n -x -w 2>/dev/null | awk --posix '$8 ~ /^([0-9a-f]{1,4}(\:|\:\:)){1,7}([0-9a-f]{1,4})\/([0-9]{1,3})$/ { if (done[$8]!=1) {print $8; done[$8]=1;}}'|sed "s#/[0-9]\{1,3\}##" exit 0 fi @@ -64,5 +64,5 @@ if [ "$1" = "config" ]; then exit 0 fi; -ip6tables -L INPUT -v -n -x | grep -m1 $IP | awk "{ print \"in.value \" \$2 }" -ip6tables -L OUTPUT -v -n -x | grep -m1 $IP | awk "{ print \"out.value \" \$2 }" +ip6tables -L INPUT -v -n -x -w | grep -m1 $IP | awk "{ print \"in.value \" \$2 }" +ip6tables -L OUTPUT -v -n -x -w | grep -m1 $IP | awk "{ print \"out.value \" \$2 }" diff --git a/plugins/ip6/ip6t_accounting b/plugins/ip6/ip6t_accounting index 2919a9c2..aaaebe50 100755 --- a/plugins/ip6/ip6t_accounting +++ b/plugins/ip6/ip6t_accounting @@ -10,7 +10,7 @@ graph_category network graph_args -l 0 graph_info ip6tables bites ipv6 EOF -ip6tables -vxL|grep -E 'ACC|REJ'|grep -v ^Chain|sed -e 's/dpt://g' -e 's/ .*://g'|awk '{print $NF"-"$4".label", $NF" "$4"\n",$NF"-"$4".min", 0}'|sed 's/^\s*//g' +ip6tables -vx -w -L | grep -E 'ACC|REJ'|grep -v ^Chain|sed -e 's/dpt://g' -e 's/ .*://g'|awk '{print $NF"-"$4".label", $NF" "$4"\n",$NF"-"$4".min", 0}'|sed 's/^\s*//g' exit 0 fi if [ "$1" = "autoconf" ]; then 
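Review bot: In the last ip6_ hunk, `grep -m1 $IP` passes the address unquoted and as a regular expression, so it matches any rule line that merely contains that text. An address that is a prefix of another (constructed example: `2001:db8::1` and `2001:db8::10`) can therefore pick up the wrong rule's byte counter. `$IP` comes from the plugin's file name, so treat it as data: `grep -F -m1 -- "$IP"` removes the word splitting and the regex interpretation. Matching the whole address field instead of a substring would close the prefix case as well, but the column layout for the OUTPUT chain is not visible in this hunk.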
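Review bot: The two rewritten ip6t_accounting pipelines (this hunk and the next hunk for the same file) still list without `-n`, unlike the other plugins in this patch, so ip6tables resolves addresses and service names while producing the output. A slow or unreachable resolver can then delay the plugin, and the text being parsed depends on what the lookups return. Adding `-n`, as in `ip6tables -vxn -w -L`, avoids that. Note that it changes `dpt:` values from service names to port numbers, so existing field names would change.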
@@ -18,5 +18,5 @@ if [ "$1" = "autoconf" ]; then exit 0 fi -ip6tables -vxL|grep -E 'ACC|REJ'|grep -v ^Chain|awk '{print $NF"-"$4".value", $2}'|sed 's/^dpt://' +ip6tables -vx -w -L | grep -E 'ACC|REJ'|grep -v ^Chain|awk '{print $NF"-"$4".value", $2}'|sed 's/^dpt://' diff --git a/plugins/network/fwbuilder_ b/plugins/network/fwbuilder_ index c7742d75..23f8ba3c 100755 --- a/plugins/network/fwbuilder_ +++ b/plugins/network/fwbuilder_ @@ -61,7 +61,7 @@ IP=${IP/-/\/} if [ "$1" = "autoconf" ]; then if [ -r /proc/net/dev ]; then - iptables -L INPUT -v -n -x >/dev/null 2>/dev/null + iptables -L INPUT -v -n -x -w >/dev/null 2>/dev/null if [ $? -gt 0 ]; then echo "no (could not run iptables as user `whoami`)" exit 1 @@ -77,7 +77,7 @@ fi if [ "$1" = "suggest" ]; then # find Chains for Accounting - iptables -L -n |grep ^ACCOUNTING |awk '{printf "%s\n%s\n",$4,$5}'| sort -u |sed 's#\/#-#' + iptables -L -n -w | grep ^ACCOUNTING |awk '{printf "%s\n%s\n",$4,$5}'| sort -u |sed 's#\/#-#' exit 0 fi @@ -99,6 +99,6 @@ if [ "$1" = "config" ]; then exit 0 fi; -echo "in.value $(( $(iptables -L -n -v -x |grep "ACCOUNTING" |awk '{printf "%s %s\n",$2,$9}' |grep $IP |awk '{printf "%s + ",$1}') 0 ))" -echo "out.value $(( $(iptables -L -n -v -x |grep "ACCOUNTING" |awk '{printf "%s %s\n",$2,$8}' |grep $IP |awk '{printf "%s + ",$1}') 0 ))" +echo "in.value $(( $(iptables -L -n -v -x -w | grep "ACCOUNTING" | awk '{printf "%s %s\n",$2,$9}' | grep $IP | awk '{printf "%s + ",$1}') 0 ))" +echo "out.value $(( $(iptables -L -n -v -x -w |grep "ACCOUNTING" | awk '{printf "%s %s\n",$2,$8}' | grep $IP | awk '{printf "%s + ",$1}') 0 ))" diff --git a/plugins/network/ipt_accounting_ b/plugins/network/ipt_accounting_ index bd5a2281..3050c368 100755 --- a/plugins/network/ipt_accounting_ +++ b/plugins/network/ipt_accounting_ 
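Review bot: In the last fwbuilder_ hunk, the pipeline's output is pasted straight into `$(( … ))`, so anything other than digits in column 2 of a matching line is evaluated as an arithmetic expression, and a failed iptables call is reported as `0` rather than as an error. `grep $IP` is also unquoted and treats the dots in the address as regex wildcards. Summing inside awk avoids the arithmetic expansion and the regex match, e.g. `iptables -L -n -v -x -w | awk -v ip="$IP" '/ACCOUNTING/ && $9 == ip { s += $2 } END { print "in.value " s + 0 }'` (with `$8` for `out.value`). That is an exact field comparison where the current code does a substring match, so confirm it against the rules fwbuilder generates. A failed listing would still need an explicit exit-status check to stop it being reported as `0`.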
@@ -42,7 +42,7 @@ ACC=`basename $0 | sed 's/^ipt_accounting_//g'` if [ "$1" = "autoconf" ]; then if [ -r /proc/net/dev ]; then - iptables -L INPUT -v -n -x >/dev/null 2>/dev/null + iptables -L INPUT -v -n -x -w >/dev/null 2>/dev/null if [ $? -gt 0 ]; then echo "no (could not run iptables as user `whoami`)" exit 1 @@ -57,7 +57,7 @@ if [ "$1" = "autoconf" ]; then fi if [ "$1" = "suggest" ]; then - iptables -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACC\-\([a-zA-Z]*\) \*\/.*$/\1/p' + iptables -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACC\-\([a-zA-Z]*\) \*\/.*$/\1/p' exit 0 fi @@ -79,5 +79,5 @@ if [ "$1" = "config" ]; then exit 0 fi; -iptables -L INPUT -v -n -x | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"in.value \" \$2 }" -iptables -L OUTPUT -v -n -x | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"out.value \" \$2 }" +iptables -L INPUT -v -n -x -w | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"in.value \" \$2 }" +iptables -L OUTPUT -v -n -x -w | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"out.value \" \$2 }" diff --git a/plugins/network/ipt_basic_ b/plugins/network/ipt_basic_ index 6f05638c..ec17102f 100755 --- a/plugins/network/ipt_basic_ +++ b/plugins/network/ipt_basic_ @@ -45,7 +45,7 @@ iptables='/sbin/iptables' if [ "$1" = "autoconf" ]; then if [ -r /proc/net/dev ]; then - RES=`$iptables -L $TNAME -nvx 2>&1 >/dev/null` + RES=`$iptables -L $TNAME -nvx -w 2>&1 >/dev/null` if [ $? -gt 0 ]; then echo "no (could not run iptables as user `whoami`; $RES)" exit 1 @@ -79,7 +79,7 @@ if [ "$1" = "initialise" ]; then exit 1 fi -IFACES=`$iptables -L munin_node -nvx | awk '$6 ~ /(eth|ppp)[0-9]/ { if (done[$6]!=1) {print $6; done[$6]=1;}}'` +IFACES=`$iptables -L munin_node -nvx -w | awk '$6 ~ /(eth|ppp)[0-9]/ { if (done[$6]!=1) {print $6; done[$6]=1;}}'` if [ "$1" = "config" ]; then 
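Review bot: In the last ipt_accounting_ hunk, `$ACC` sits outside the double quotes in `"\/\* ACC\-"$ACC" \*\/"`, so the value taken from the plugin's file name undergoes word splitting and globbing before grep sees it and is then read as part of a regular expression. Keeping it inside the quotes, `grep -m1 "/\* ACC-$ACC \*/"`, is enough for the letters-only names the `suggest` branch produces. The fetch lines in accounting_ use the same construction with `$SUBCHAIN`.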
@@ -108,7 +108,7 @@ if [ "$1" = "config" ]; then fi; if [ "$TYPE" = "pkts" ]; then - $iptables -L munin_node -nvx | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$1 }" + $iptables -L munin_node -nvx -w | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$1 }" else - $iptables -L munin_node -nvx | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$2 }" + $iptables -L munin_node -nvx -w | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$2 }" fi diff --git a/plugins/network/traffic_ipt b/plugins/network/traffic_ipt index a2a994e4..29f899f5 100755 --- a/plugins/network/traffic_ipt +++ b/plugins/network/traffic_ipt @@ -110,7 +110,7 @@ ipv6=0 diffv4=0 diffv6=0 -IPv4_bytes=$(iptables -L -n -v -x | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+--\W+\*\W+\*\W+0.0.0.0/0\W+0.0.0.0/0\W*$' | while read pkts bytes rest; do echo $bytes; done) +IPv4_bytes=$(iptables -L -n -v -x -w | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+--\W+\*\W+\*\W+0.0.0.0/0\W+0.0.0.0/0\W*$' | while read pkts bytes rest; do echo $bytes; done) if [ -z "$IPv4_bytes" ]; then echo "W: Unable to read rule from iptables, please add rules" >&2 @@ -118,7 +118,7 @@ else ipv4=$(echo $IPv4_bytes | sed -e 's/ / + /' | bc -l) fi -IPv6_bytes=$(ip6tables -L -n -v -x | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+\*\W+\*\W+::/0\W+::/0\W*$' | while read pkts bytes rest; do echo $bytes; done) +IPv6_bytes=$(ip6tables -L -n -v -x -w | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+\*\W+\*\W+::/0\W+::/0\W*$' | while read pkts bytes rest; do echo $bytes; done) if [ -z "$IPv6_bytes" ]; then echo "W: Unable to read rule from ip6tables, please add rules" >&2
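Review bot: In the first traffic_ipt hunk, the exit status of iptables is lost in the pipeline, so a listing that fails (insufficient privileges, or an iptables that rejects `-w`) leaves `IPv4_bytes` empty and the script prints "Unable to read rule from iptables, please add rules". The ip6tables hunk below has the same shape. Capturing the listing first separates the two cases: `ipt_out=$(iptables -L -n -v -x -w) || echo "W: iptables failed" >&2`, then run the existing filter on `"$ipt_out"`. While the line is being touched, `egrep` is deprecated in current GNU grep in favour of `grep -E`, and `read` should be given `-r`.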