Library Structure

class nfsinkhole.apparmor.AppArmor[source]

The class for managing AppArmor policy enforcement, if AppArmor is installed.

disable_enforcement(module='usr.sbin.tcpdump')[source]

The function for disabling AppArmor enforcement for a module (profile).

Parameters: module – Profile file in /etc/apparmor.d to disable enforcement for.
Returns: True if disabling enforcement was successful, or False.
Return type: Boolean
enable_enforcement(module='usr.sbin.tcpdump')[source]

The function for enabling AppArmor enforcement for a module (profile).

Parameters: module – Profile file in /etc/apparmor.d to enable enforcement for.
Returns: True if enabling enforcement was successful, or False.
Return type: Boolean
exception nfsinkhole.exceptions.BinaryNotFound[source]

An Exception for when a required binary is not found on the system.

exception nfsinkhole.exceptions.IPTablesError[source]

An Exception for when an iptables process writes to stderr.

exception nfsinkhole.exceptions.IPTablesExists[source]

An Exception for when iptables rules related to nfsinkhole already exist.

exception nfsinkhole.exceptions.IPTablesNotExists[source]

An Exception for when iptables rules related to nfsinkhole do not exist.

exception nfsinkhole.exceptions.SubprocessError[source]

An Exception for when a generic subprocess writes to stderr.

class nfsinkhole.iptables.IPTablesSinkhole(interface=None, interface_addr=None, log_prefix='"[nfsinkhole] "', protocol='all', dport='0:65535', hashlimit='1/h', hashlimitmode='srcip, dstip, dstport', hashlimitburst='1', hashlimitexpire='3600000', srcexclude='127.0.0.1')[source]

The class for managing sinkhole configuration within iptables.

Parameters:
  • interface – The secondary network interface dedicated to sinkhole traffic. Warning: do not set this to your primary interface; the DROP rules discard all traffic on it and will cut off your remote access.
  • interface_addr – The IP address assigned to interface.
  • log_prefix – Prefix for the syslog messages generated by the logging rule.
  • protocol – The protocol(s) to log (all traffic is still dropped). Accepts a comma separated string of protocols (tcp,udp,udplite,icmp,esp,ah,sctp) or all.
  • dport – The destination port(s) to log, for protocols that have ports. Either a range in the format startport:endport or a comma separated list such as 0,1,2,3.
  • hashlimit – The hashlimit rate. Hashlimit rate-limits logging so that a flood of sinkhole traffic does not become a flood of log entries. See the iptables-extensions docs: http://ipset.netfilter.org/iptables-extensions.man.html
  • hashlimitmode – The hashlimit mode, a comma separated string of options (srcip,srcport,dstip,dstport). Each added option makes the bucket key more specific, so more options result in more log entries.
  • hashlimitburst – Maximum initial number of packets to match.
  • hashlimitexpire – Number of milliseconds to keep entries in the hash table.
  • srcexclude – Exclude a comma separated string of source IPs/CIDRs from logging.
create_drop_rule()[source]

The function for writing the iptables DROP rule for the interface.

create_rules()[source]

The function for writing iptables rules related to nfsinkhole.

delete_drop_rule()[source]

The function for deleting the iptables DROP rule for the interface.

delete_rules()[source]

The function for deleting iptables rules related to nfsinkhole.

list_existing_rules(filter_io_drop=False)[source]

The function for retrieving current iptables rules related to nfsinkhole.

Parameters: filter_io_drop – If True, return only the INPUT and OUTPUT DROP rules for the interface; these are excluded by default. The DROP rules are kept separate from the logging rules so that the interface keeps dropping all traffic even while the nfsinkhole service is down: once installed, it drops regardless of service state.
Returns: Matching sinkhole lines returned by iptables -S.
Return type: List
Raises: IPTablesError – A Unix process had an error (stderr).
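The following is an added example and not code from the nfsinkhole project. It derives the iptables argument vectors implied by the documented IPTablesSinkhole parameters, validates them before anything would be executed, and picks the sinkhole's own lines out of `iptables -S` output in the way list_existing_rules(filter_io_drop=...) is described above. The user chain name NFSINKHOLE_LOG, the rule layout, the `primary_interface` guard and the sample `-S` text are assumptions made for illustration; the library's real rule set may differ.

```python
"""Added example, not nfsinkhole's own code. Builds iptables argv lists from the
documented sinkhole parameters and filters `iptables -S` output. Chain name,
rule layout, the primary_interface guard and SAMPLE_S are assumptions."""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp"}   # only these take --dport
HASHLIMIT_MODES = {"srcip", "srcport", "dstip", "dstport"}
CHAIN = "NFSINKHOLE_LOG"                               # assumed user chain name


def split_csv(value):
    """'srcip, dstip' -> ['srcip', 'dstip']; tolerates the spaces seen in the defaults."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def validate_dport(dport):
    """Accept 'start:end' or a comma separated list, every port within 0-65535."""
    ports = [int(p) for p in (dport.split(":") if ":" in dport else split_csv(dport))]
    if ":" in dport and (len(ports) != 2 or ports[0] > ports[1]):
        raise ValueError("range must be startport:endport with start <= end")
    if not ports or any(p < 0 or p > 65535 for p in ports):
        raise ValueError("port out of range in %r" % dport)
    return dport


class SinkholeRules:
    """Builds argv lists only; nothing here executes iptables."""

    def __init__(self, interface, primary_interface, log_prefix="[nfsinkhole] ",
                 protocol="all", dport="0:65535", hashlimit="1/h",
                 hashlimitmode="srcip,dstip,dstport", hashlimitburst="1",
                 hashlimitexpire="3600000", srcexclude="127.0.0.1"):
        if not interface or interface == primary_interface:
            # The documented footgun: a DROP on the management interface cuts remote access.
            raise ValueError("refusing to sinkhole the primary interface %r" % interface)
        self.interface = interface
        self.log_prefix = log_prefix          # argv form, so no shell quoting is needed
        self.protocols = ["all"] if protocol.strip() == "all" else split_csv(protocol)
        unknown = set(self.protocols) - PROTOCOLS - {"all"}
        if unknown:
            raise ValueError("unsupported protocol(s): %s" % sorted(unknown))
        self.dport = validate_dport(dport)
        modes = split_csv(hashlimitmode)
        if not modes or set(modes) - HASHLIMIT_MODES:
            raise ValueError("bad hashlimit mode %r" % hashlimitmode)
        self.hashlimit = (hashlimit, ",".join(modes), str(hashlimitburst), str(hashlimitexpire))
        # Normalising through ipaddress rejects typos such as 10.0.0.0/33 before iptables sees them.
        self.srcexclude = [str(ipaddress.ip_network(s, strict=False)) for s in split_csv(srcexclude)]

    def drop_rules(self):
        """Drop everything on the sinkhole interface, both directions, at the top of the chain."""
        return [["iptables", "-I", "INPUT", "1", "-i", self.interface, "-j", "DROP"],
                ["iptables", "-I", "OUTPUT", "1", "-o", self.interface, "-j", "DROP"]]

    def log_rules(self):
        """Rate-limited LOG rules in a user chain that INPUT jumps to ahead of the DROP.
        RETURN for excluded sources goes back to INPUT, where the DROP still applies."""
        rate, mode, burst, expire = self.hashlimit
        rules = [["iptables", "-N", CHAIN]]
        rules += [["iptables", "-A", CHAIN, "-s", net, "-j", "RETURN"] for net in self.srcexclude]
        for proto in self.protocols:
            rule = ["iptables", "-A", CHAIN]
            if proto != "all":
                rule += ["-p", proto]
            if proto in PORT_PROTOCOLS:          # one range uses --dport, a list needs multiport
                rule += (["--dport", self.dport] if ":" in self.dport
                         else ["-m", "multiport", "--dports", self.dport])
            rule += ["-m", "hashlimit", "--hashlimit-upto", rate, "--hashlimit-mode", mode,
                     "--hashlimit-burst", burst, "--hashlimit-htable-expire", expire,
                     "--hashlimit-name", "nfsinkhole", "-j", "LOG", "--log-prefix", self.log_prefix]
            rules.append(rule)
        # Inserted at position 1 after the DROP rule exists, so it is evaluated first.
        rules.append(["iptables", "-I", "INPUT", "1", "-i", self.interface, "-j", CHAIN])
        return rules


def sinkhole_lines(iptables_s_output, interface, filter_io_drop=False):
    """Filter `iptables -S` output like list_existing_rules(): by default the lines that
    reference the sinkhole chain; with filter_io_drop=True only the interface DROP rules,
    which should be present even while the service is stopped."""
    drop = re.compile(r"^-A (INPUT -i|OUTPUT -o) %s -j DROP$" % re.escape(interface))
    lines = iptables_s_output.splitlines()
    if filter_io_drop:
        return [l for l in lines if drop.match(l)]
    return [l for l in lines if CHAIN in l]


# Constructed `iptables -S` output for the demonstration, not output from a real host.
SAMPLE_S = "\n".join([
    "-P INPUT ACCEPT", "-P OUTPUT ACCEPT", "-N " + CHAIN,
    "-A INPUT -i eth1 -j " + CHAIN, "-A INPUT -i eth1 -j DROP",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT", "-A OUTPUT -o eth1 -j DROP",
    "-A %s -s 127.0.0.1/32 -j RETURN" % CHAIN,
    '-A %s -p tcp -m tcp --dport 0:65535 -m hashlimit --hashlimit-upto 1/hour -j LOG --log-prefix "[nfsinkhole] "' % CHAIN,
])

if __name__ == "__main__":
    rules = SinkholeRules("eth1", primary_interface="eth0", protocol="tcp,udp,icmp")
    for argv in rules.drop_rules() + rules.log_rules():
        print(" ".join(argv))
    print(sinkhole_lines(SAMPLE_S, "eth1", filter_io_drop=True))
```

Two design points are worth noting. The exclusions use RETURN inside a user chain rather than in INPUT itself: a RETURN in a built-in chain falls through to the chain policy, which on most hosts is ACCEPT, so excluded sources would be accepted instead of silently dropped. And the DROP rules are generated independently of the logging rules, matching the documented behaviour that the interface keeps dropping even when the service that maintains the logging rules is down.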
class nfsinkhole.rsyslog.RSyslog(is_systemd=False)[source]

The class for managing rsyslog checks and configuration.

Parameters: is_systemd – True if systemd is in use, False if not (use init.d).
create_config(prefix='[nfsinkhole] ')[source]

The function for creating the rsyslog config.

Parameters: prefix – The log prefix set in iptables.
delete_config()[source]

The function for deleting the rsyslog config.

get_version()[source]

The function for checking the rsyslog version.

Returns: rsyslog version string if found, or None.
Return type: String
restart()[source]

The function for restarting the rsyslog service.

selinux_associate()[source]

The function for associating the rsyslog config with SELinux.

class nfsinkhole.selinux.SELinux[source]

The class for managing SELinux.

associate(path)[source]

The function for associating a file path with SELinux.

class nfsinkhole.service.SystemService(interface=None, interface_addr=None, log_prefix='"[nfsinkhole] "', protocol='all', dport='0:65535', hashlimit='1/h', hashlimitmode='srcip, dstip, dstport', hashlimitburst='1', hashlimitexpire='3600000', srcexclude='127.0.0.1', pcap=True)[source]

The class for managing the nfsinkhole init.d/systemd service.

Parameters:
  • interface – The secondary network interface dedicated to sinkhole traffic. Warning: do not set this to your primary interface; the DROP rules discard all traffic on it and will cut off your remote access.
  • interface_addr – The IP address assigned to interface.
  • log_prefix – Prefix for the syslog messages generated by the logging rule.
  • protocol – The protocol(s) to log (all traffic is still dropped). Accepts a comma separated string of protocols (tcp,udp,udplite,icmp,esp,ah,sctp) or all.
  • dport – The destination port(s) to log, for protocols that have ports. Either a range in the format startport:endport or a comma separated list such as 0,1,2,3.
  • hashlimit – The hashlimit rate. Hashlimit rate-limits logging so that a flood of sinkhole traffic does not become a flood of log entries. See the iptables-extensions docs: http://ipset.netfilter.org/iptables-extensions.man.html
  • hashlimitmode – The hashlimit mode, a comma separated string of options (srcip,srcport,dstip,dstport). Each added option makes the bucket key more specific, so more options result in more log entries.
  • hashlimitburst – Maximum initial number of packets to match.
  • hashlimitexpire – Number of milliseconds to keep entries in the hash table.
  • srcexclude – Exclude a comma separated string of source IPs/CIDRs from logging.
  • pcap – Enable packet capture; the capture is text or raw depending on the tcpdump version.
check_systemd()[source]

The function for checking whether systemd is in use.

Returns: A tuple: is_systemd, svc_path.
Return type: Tuple (Boolean, String)
create_service()[source]

The function for creating the init.d/systemd service.

delete_service()[source]

The function for deleting the init.d/systemd service.

class nfsinkhole.syslog_ng.SyslogNG(is_systemd=False)[source]

The class for managing syslog-ng checks and configuration.

Parameters: is_systemd – True if systemd is in use, False if not (init.d).
create_config(prefix='[nfsinkhole] ')[source]

The function for creating the syslog-ng config. (incomplete/unused)

Parameters: prefix – The log prefix set in iptables.
delete_config()[source]

The function for deleting the syslog-ng config.

get_version()[source]

The function for checking the syslog-ng version.

Returns: syslog-ng version string if found, or None.
Return type: String
restart()[source]

The function for restarting the syslog-ng service.

selinux_associate()[source]

The function for associating the syslog-ng config with SELinux.

class nfsinkhole.tcpdump.TCPDump(sbin='/usr/sbin/tcpdump')[source]

The class for managing tcpdump checks.

Parameters: sbin – Path to the tcpdump binary.
check_packet_print()[source]

The function for checking whether tcpdump and nflog support packet printing.

Returns: True if packet printing is supported, or False.
Return type: Boolean
get_version()[source]

The function for checking the tcpdump version.

Returns: tcpdump version string if found, or None.
Return type: String
nfsinkhole.utils.get_default_interface()[source]

The function for getting the name of the default Unix network interface.

Returns: The network interface name, or None.
Return type: String
nfsinkhole.utils.get_interface_addr(interface=None)[source]

The function for automatically determining the IP address of a Unix network interface.

Parameters: interface – The network interface name.
Returns: The IP address for the interface, or None.
Return type: String
nfsinkhole.utils.popen_wrapper(cmd_arr=None, raise_err=False, log_stdout_line=True)[source]

The function for running a subprocess with custom logging output.

Parameters:
  • cmd_arr – List of command strings (argv) to pass to subprocess.Popen().
  • raise_err – If stderr output is encountered, raise SubprocessError.
  • log_stdout_line – If True, logs each stdout line as a separate log entry. If False, logs all of stdout in a single log entry.
Returns: stdout, stderr of the completed subprocess.
Return type: Tuple
Raises:
  • ValueError – cmd_arr argument is not provided or is None.
  • TypeError – cmd_arr argument is not a list.
  • SubprocessError – The subprocess encountered an error (stderr output). raise_err must be True for this.
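The following is an added example and not nfsinkhole's own code. It shows a subprocess wrapper with the error contract popen_wrapper() documents (ValueError for a missing command, TypeError for a non-list, SubprocessError on stderr output when raise_err is True), plus two things the documented contract leaves out and a practitioner wants: a non-zero exit status is also treated as a failure, and known benign stderr lines can be ignored, since tools such as tcpdump print informational text to stderr. The `ignore_stderr` parameter, run_or_error(), demo() and the demo snippets are assumptions made here. It needs Python 3.5 or later for subprocess.run().

```python
"""Added example, not nfsinkhole's own code: a popen_wrapper()-style runner.
ignore_stderr, run_or_error() and demo() are assumptions, not library API."""
import logging
import re
import subprocess
import sys

log = logging.getLogger("nfsinkhole.example")


class SubprocessError(Exception):
    """A command wrote to stderr (or exited non-zero) and raise_err was set."""


def run_logged(cmd_arr=None, raise_err=False, log_stdout_line=True, ignore_stderr=None):
    """Run cmd_arr, log its output, and return (stdout, stderr) as text."""
    if cmd_arr is None:
        raise ValueError("cmd_arr is required")
    if not isinstance(cmd_arr, list):
        raise TypeError("cmd_arr must be a list of strings, not %s" % type(cmd_arr).__name__)
    # A list argv without shell=True means interface names, prefixes and port
    # strings never reach a shell: 'eth1; reboot' stays a single argument.
    proc = subprocess.run(cmd_arr, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    if log_stdout_line:
        for line in proc.stdout.splitlines():
            log.info("%s: %s", cmd_arr[0], line)
    elif proc.stdout:
        log.info("%s:\n%s", cmd_arr[0], proc.stdout)
    # tcpdump ("listening on eth1 ...") and iptables warnings use stderr for
    # information, so "any stderr is fatal" needs an allowlist to stay usable.
    err_lines = proc.stderr.splitlines()
    if ignore_stderr:
        err_lines = [l for l in err_lines if not re.search(ignore_stderr, l)]
    for line in err_lines:
        log.warning("%s: %s", cmd_arr[0], line)
    # Beyond the documented contract: a silent non-zero exit is a failure too.
    if raise_err and (err_lines or proc.returncode != 0):
        raise SubprocessError("%s exited %d: %s" % (
            cmd_arr[0], proc.returncode, " | ".join(err_lines) or "(no stderr)"))
    return proc.stdout, proc.stderr


def run_or_error(cmd_arr, **kwargs):
    """(stdout, stderr, None) on success, (None, None, message) on SubprocessError."""
    try:
        stdout, stderr = run_logged(cmd_arr, **kwargs)
        return stdout, stderr, None
    except SubprocessError as exc:
        return None, None, str(exc)


def demo(snippet, **kwargs):
    """Run a short Python snippet as the child: a portable stand-in for iptables/tcpdump."""
    return run_or_error([sys.executable, "-c", snippet], **kwargs)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo("print('rules listed')"))
    print(demo("import sys; sys.stderr.write('listening on eth1\\n')",
               raise_err=True, ignore_stderr=r"^listening on "))
    print(demo("import sys; sys.stderr.write('iptables: No chain/target/match by that name.\\n')",
               raise_err=True))
    print(demo("raise SystemExit(3)", raise_err=True))
```

The two checks are deliberately separate: stderr output and exit status are independent signals, and a wrapper that keys only on stderr will happily report success for a command that failed quietly, or abort on a tool that merely announced what it was doing.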
nfsinkhole.utils.set_system_timezone(timezone='UTC')[source]

The function for setting the system timezone.

Parameters: timezone – The timezone to set; see /usr/share/zoneinfo/* for options.
Raises: SubprocessError – One of the processes associated with manual timezone configuration encountered an error.