Library Structure

class nfsinkhole.apparmor.AppArmor
    The class for managing AppArmor policy enforcement, if it is installed.

exception nfsinkhole.exceptions.BinaryNotFound
    An Exception for when a binary is not detected.

exception nfsinkhole.exceptions.IPTablesError
    An Exception for when an iptables process generates stderr output.

exception nfsinkhole.exceptions.IPTablesExists
    An Exception for when iptables rules related to nfsinkhole exist.

exception nfsinkhole.exceptions.IPTablesNotExists
    An Exception for when iptables rules related to nfsinkhole don't exist.

exception nfsinkhole.exceptions.SubprocessError
    An Exception for when a generic subprocess generates stderr output.
class nfsinkhole.iptables.IPTablesSinkhole(interface=None, interface_addr=None, log_prefix='"[nfsinkhole] "', protocol='all', dport='0:65535', hashlimit='1/h', hashlimitmode='srcip, dstip, dstport', hashlimitburst='1', hashlimitexpire='3600000', srcexclude='127.0.0.1')
    The class for managing sinkhole configuration within iptables.

    Parameters:
    - interface – The secondary network interface dedicated to sinkhole traffic. Warning: do not accidentally set this to your primary interface; it will drop all traffic and kill your remote access.
    - interface_addr – The IP address assigned to interface.
    - log_prefix – Prefix for syslog messages.
    - protocol – The protocol(s) to log (all traffic will still be dropped). Accepts a comma-separated string of protocols (tcp,udp,udplite,icmp,esp,ah,sctp) or all.
    - dport – The destination port(s) to log (for applicable protocols). A range should be in the format startport:endport, or a comma-separated list 0,1,2,3,n.
    - hashlimit – Set the hashlimit rate. Hashlimit is used to tune the number of events logged. See the iptables-extensions docs: http://ipset.netfilter.org/iptables-extensions.man.html
    - hashlimitmode – Set the hashlimit mode, a comma-separated string of options (srcip,srcport,dstip,dstport). More options here results in more logs generated.
    - hashlimitburst – Maximum initial number of packets to match.
    - hashlimitexpire – Number of milliseconds to keep entries in the hash table.
    - srcexclude – Exclude a comma-separated string of source IPs/CIDRs from logging.

    list_existing_rules(filter_io_drop=False)
        The function for retrieving current iptables rules related to nfsinkhole.

        Parameters: filter_io_drop – Boolean for only showing the DROP rules for INPUT and OUTPUT. These are not shown by default. These rules exist to avoid allowing packets on the interface if the service is down: once installed, the interface always drops all traffic regardless of the service state.
        Returns: Matching sinkhole lines returned by iptables -S.
        Return type: List
        Raises: IPTablesError – A Unix process had an error (stderr).
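The parameter checks a caller would want before handing the values above to iptables, written as an added example (not nfsinkhole's own code): it refuses the default interface the warning describes, validates protocol, dport, hashlimitmode and srcexclude against the documented formats, and builds one rate-limited LOG rule from them. The default_interface argument is a constructed stand-in for what nfsinkhole.utils.get_default_interface() would return, and the hashlimit-name value is assumed.

```python
import ipaddress

# Values the page documents for the IPTablesSinkhole parameters.
PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}
HASHLIMIT_MODES = {"srcip", "srcport", "dstip", "dstport"}
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp"}   # protocols that take --dport


def _ports_ok(dport):
    """Accept 'startport:endport' or a comma list like '22,80,443', ports <= 65535."""
    parts = dport.split(":") if ":" in dport else dport.split(",")
    if ":" in dport and len(parts) != 2:
        return False
    return all(p.isdigit() and int(p) <= 65535 for p in parts)


def validate_sinkhole_params(interface, default_interface, protocol="all",
                             dport="0:65535", hashlimitmode="srcip,dstip,dstport",
                             srcexclude="127.0.0.1"):
    """Return (protocols, modes, excludes) or raise ValueError. default_interface is a
    stand-in for nfsinkhole.utils.get_default_interface() so the check runs offline."""
    if not interface or interface == default_interface:
        raise ValueError("refusing to sinkhole the default interface %r" % interface)
    protocols = [p.strip() for p in protocol.split(",")]
    if protocols != ["all"] and not set(protocols) <= PROTOCOLS:
        raise ValueError("unknown protocol(s): %s" % sorted(set(protocols) - PROTOCOLS))
    if not _ports_ok(dport):
        raise ValueError("dport must be start:end or a comma list: %r" % dport)
    modes = [m.strip() for m in hashlimitmode.split(",")]
    if not set(modes) <= HASHLIMIT_MODES:
        raise ValueError("bad hashlimit mode(s): %s" % sorted(set(modes) - HASHLIMIT_MODES))
    # ip_network() rejects malformed entries; strict=False tolerates host bits in a CIDR.
    excludes = [str(ipaddress.ip_network(s.strip(), strict=False)) for s in srcexclude.split(",")]
    return protocols, modes, excludes


def build_log_rule(interface, protocol, dport, modes, hashlimit="1/h", burst="1",
                   expire="3600000", log_prefix="[nfsinkhole] "):
    """Argument list for one rate-limited iptables LOG rule (one protocol per rule)."""
    rule = ["iptables", "-A", "INPUT", "-i", interface]
    if protocol != "all":
        rule += ["-p", protocol]
    if protocol in PORT_PROTOCOLS:   # a range uses --dport, a port list needs multiport
        rule += (["--dport", dport] if ":" in dport else ["-m", "multiport", "--dports", dport])
    rule += ["-m", "hashlimit", "--hashlimit-upto", hashlimit, "--hashlimit-mode", ",".join(modes),
             "--hashlimit-burst", burst, "--hashlimit-htable-expire", expire,
             "--hashlimit-name", "nfsinkhole",   # table name assumed, not from the page
             "-j", "LOG", "--log-prefix", log_prefix]
    return rule
```

Each srcexclude entry still needs its own preceding rule (or chain) so that it bypasses the LOG rule; the example validates the list but does not emit those rules.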
class nfsinkhole.rsyslog.RSyslog(is_systemd=False)
    The class for managing rsyslog checks and configuration.

    Parameters: is_systemd – True if systemd is in use, False if not (use init.d).

    create_config(prefix='[nfsinkhole] ')
        The function for creating the rsyslog config.

        Parameters: prefix – The log prefix set in iptables.
class nfsinkhole.service.SystemService(interface=None, interface_addr=None, log_prefix='"[nfsinkhole] "', protocol='all', dport='0:65535', hashlimit='1/h', hashlimitmode='srcip, dstip, dstport', hashlimitburst='1', hashlimitexpire='3600000', srcexclude='127.0.0.1', pcap=True)
    The class for managing the nfsinkhole init.d/systemd service.

    Parameters:
    - interface – The secondary network interface dedicated to sinkhole traffic. Warning: do not accidentally set this to your primary interface; it will drop all traffic and kill your remote access.
    - interface_addr – The IP address assigned to interface.
    - log_prefix – Prefix for syslog messages.
    - protocol – The protocol(s) to log (all traffic will still be dropped). Accepts a comma-separated string of protocols (tcp,udp,udplite,icmp,esp,ah,sctp) or all.
    - dport – The destination port(s) to log (for applicable protocols). A range should be in the format startport:endport, or a comma-separated list 0,1,2,3,n.
    - hashlimit – Set the hashlimit rate. Hashlimit is used to tune the number of events logged. See the iptables-extensions docs: http://ipset.netfilter.org/iptables-extensions.man.html
    - hashlimitmode – Set the hashlimit mode, a comma-separated string of options (srcip,srcport,dstip,dstport). More options here results in more logs generated.
    - hashlimitburst – Maximum initial number of packets to match.
    - hashlimitexpire – Number of milliseconds to keep entries in the hash table.
    - srcexclude – Exclude a comma-separated string of source IPs/CIDRs from logging.
    - pcap – Enable packet capture, text or raw depending on the tcpdump version.
class nfsinkhole.syslog_ng.SyslogNG(is_systemd=False)
    The class for managing syslog-ng checks and configuration.

    Parameters: is_systemd – True if systemd is in use, False if not (init.d).

    create_config(prefix='[nfsinkhole] ')
        The function for creating the syslog-ng config. (incomplete/unused)

        Parameters: prefix – The log prefix set in iptables.
class nfsinkhole.tcpdump.TCPDump(sbin='/usr/sbin/tcpdump')
    The class for managing tcpdump checks.

    Parameters: sbin – Path to the tcpdump binary.
nfsinkhole.utils.get_default_interface()
    The function for getting the default Unix network interface.

    Returns: The network interface name, or None.
    Return type: String

nfsinkhole.utils.get_interface_addr(interface=None)
    The function for automatically determining a Unix network interface address.

    Parameters: interface – The network interface name.
    Returns: The IP address for the interface, or None.
    Return type: String

nfsinkhole.utils.popen_wrapper(cmd_arr=None, raise_err=False, log_stdout_line=True)
    The function for subprocess with custom logging output.

    Parameters:
    - cmd_arr – Array of command strings to pass to subprocess.Popen().
    - raise_err – If stderr is encountered, raise SubprocessError.
    - log_stdout_line – If True, logs each stdout line as a separate log entry. If False, logs all of stdout in a single log entry.
    Returns: stdout, stderr of the completed subprocess.
    Return type: Tuple
    Raises:
    - ValueError – cmd_arr argument is not provided or is None.
    - TypeError – cmd_arr argument is not a list.
    - SubprocessError – The subprocess encountered an error (stderr). raise_err must be True for this.
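The popen_wrapper contract above, implemented as an added example that is not nfsinkhole's own code: an argv list (never a shell string), the three documented exceptions, and per-line or single-entry stdout logging. SubprocessError is a local stand-in for nfsinkhole.exceptions.SubprocessError, and DEMO_CMD is a constructed command that writes to both streams so the behaviour can be exercised offline.

```python
import logging
import subprocess
import sys


class SubprocessError(Exception):
    """Stand-in for nfsinkhole.exceptions.SubprocessError (defined here for the example)."""


def popen_wrapper(cmd_arr=None, raise_err=False, log_stdout_line=True):
    """Run cmd_arr without a shell and return (stdout, stderr) as text."""
    if cmd_arr is None:
        raise ValueError("cmd_arr argument is required")
    if not isinstance(cmd_arr, list):
        raise TypeError("cmd_arr must be a list of argument strings")
    # An argument list is passed straight to execve: nothing is re-parsed by a shell.
    proc = subprocess.run(cmd_arr, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False)
    out = proc.stdout.decode("utf-8", "replace")
    err = proc.stderr.decode("utf-8", "replace")
    if log_stdout_line:
        for line in out.splitlines():        # one log entry per stdout line
            logging.info("%s: %s", cmd_arr[0], line)
    elif out:
        logging.info("%s: %s", cmd_arr[0], out)   # whole stdout as a single entry
    # Errors are detected from stderr content, as the documented function does,
    # so a failing tool that prints nothing to stderr is not caught here.
    if err and raise_err:
        raise SubprocessError(err.strip())
    return out, err


# Constructed sample: a child Python process that writes two stdout lines and one stderr line.
DEMO_CMD = [sys.executable, "-c",
            "import sys; sys.stdout.write('a\\nb\\n'); sys.stderr.write('boom\\n')"]
```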
nfsinkhole.utils.set_system_timezone(timezone='UTC')
    The function for setting the system timezone.

    Parameters: timezone – The timezone to set; see /usr/share/zoneinfo/* for options.
    Raises: SubprocessError – One of the processes associated with manual timezone configuration encountered an error.