Nflogr is a Python extension module that allows access to messages and packet
data logged via iptables/netfilter using NFLOG on Linux. There are other
existing libraries that provide similar functionality. Nflogr offers the
following improvements:
- Works with Python threads.
- Provides a simple object oriented API.
Nflogr is available from https://github.com/ryancdotorg/python-nflogr.
This is my first Python extension module, and I consider it ‘beta quality’. It may crash, contain exploitable security vulnerabilities, be unpythonic, etc. There aren’t currently any tests, though infrastructure to add them is in place.
Code review and/or patches to fix bugs would be appreciated.
git clone https://github.com/ryancdotorg/python-nflogr
cd python-nflogr
python3 setup.py install
- Python 3.6 or later, including header files.
- The Python
distutilsandsetuptoolspackages. - A C++ compiler. GCC G++ 8.3.0 is known to work.
- Development versions of libnfnetlink and libnetfilter_log.
On Debian/Ubuntu, try:
sudo apt install libnetfilter-log-dev build-essential
sudo apt install python3-{distutils,setuptools,dev}
NOTE: Either root or cap_net_admin is required to open the handler.
import nflogr
group_id = 123
nflog = nflogr.open(group_id)
"""
your code here
"""
nflog.close()or
import nflogr
group_id = 123
with nflog as nflogr.open(group_id):
"""
your code here
"""The open() function accepts the following optional keyword arguments:
The maximum time that nflog waits until it pushes the log buffer to userspace if no new logged packets have occurred.
Specified in seconds with 0.01 granularity.
The maximum number of log entries in the buffer until it is pushed to userspace.
The maximum size (in bytes) of the receiving socket buffer. Large values may be needed to avoid dropping packets.
If set to 0, the system default value will be used.
The size (in bytes) of the buffer that is used to stack log messages in nflog.
If set to 0, the kernel default (one memory page) will be used.
NOTE: Changing this from the default is strongly discouraged.
Control what happens when recv() fails with ENOBUFS due to dropped packets.
- nflogr.ENOBUFS_RAISE - raise an nflogr.NflogDroppedError exception
- nflogr.ENOBUFS_HANDLE - increment the enbufs counter
- nflogr.ENOBUFS_DISABLE - disable ENOBUFS errors entirely
The amount of data to be copied to userspace for each packet.
- nflogr.COPY_NONE - do not copy any data
- nflogr.COPY_META - copy only packet metadata
- nflogr.COPY_PACKET - copy entire packet
Nflog objects encapsulate NFLOG group handlers. They have the following attributes:
| Name | Description |
|---|---|
| rcvbuf | Maximum size of the socket receive buffer in bytes. (int) |
| drops | Number of times ENOBUFS has been received on the socket (int, can only be set to zero) |
| queued | Number of messages received from the socket but not yet read by the application (int, read-only) |
Reads messages from the socket, and queues them internally. Returns the number of messages queued (which may be zero), or -1 on error. If wait is set to False, the call will be non-blocking.
Returns the next message (NflogData). If wait is set to False, the call will be non-blocking, and None will be returned if no messages are available.
Passes messages (NflogData) to a callback function. The optional second
argument specifies a maximum number of messages to handle before returning,
with -1 meaning 'infinite'. Returns None.
Closes the handler.
NOTE: Nflogr buffers packets, so reads continue to succeed.
Returns the numeric file descriptor (int), or None if not applicable.
Returns the numeric log group id (int), or None if not applicable.
Message handling functions provide NflogData objects, which have the following read-only attributes:
| Name | Description |
|---|---|
| proto | Layer 3 protocol (EtherType) of the packet (int) |
| hwtype | Hardware type identifier (int, see if_arp.h) |
| nfmark | Netfilter packet mark value (int) |
| timestamp | Timestamp of when the packet was logged (float) |
| indev | Name of the logical interface the packet was received on (str), or None if not known/applicable |
| physindev | Name of the physical interface the packet was received on (str), or None if not known/applicable |
| outdev | Name of the logical interface the packet will be sent on (str), or None if not known/applicable |
| physoutdev | Name of the physical interface the packet will be sent on (str), or None if not known/applicable |
| uid | Numeric user id of the user that generated the packet (int), or None if not known/applicable |
| gid | Numeric group id of the user that generated the packet (int), or None if not known/applicable |
| hwaddr | Layer 2 source address (bytes) |
| hwhdr | Layer 2 packet header (bytes) |
| payload | Layer 3 packet data (bytes) |
| prefix | String prefix specified in iptables’ NFLOG target (str) |
NflogData is iterable, so dict(data) will work as expected.
for data in nflog:
"""
your code here
"""or
while True:
data = nflog.next()
"""
your code here
"""def nflog_callback(data):
"""
your code here
"""
nflog.loop(nflog_callback)This software is MIT licensed. See the LICENSE file for details.