Please, send your patches via git-send-email.
> diff --git a/include/linux/netfilter/nf_osf.h b/include/linux/netfilter/nf_osf.h
> new file mode 100644
> index 000000000000..5f2871fcde42
> --- /dev/null
> +++ b/include/linux/netfilter/nf_osf.h
This one needs to be in uapi because...
> @@ -0,0 +1,110 @@
> +#define NF_MAXGENRELEN 32
> +
> +#define NF_OSF_TTL (1<<1)
> +#define NF_OSF_LOG (1<<2)
> +
> +#define NF_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */
> +#define NF_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */
> +#define NF_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */
> +
> +#define NF_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */
> +#define NF_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */
> +
> +/*
> + * Wildcard MSS (kind of).
> + * It is used to implement a state machine for the different wildcard values
> + * of the MSS and window sizes.
> + */
> +struct xt_osf_wc {
And then, this should be nf_osf_ everywhere, so we don't have xt_ stuff in the generic nf_osf infrastructure.
> + __u32 wc;
> + __u32 val;
> +};
> +
> +/*
> + * This struct represents IANA options
> + * http://www.iana.org/assignments/tcp-parameters
> + */
> +struct xt_osf_opt {
Same above and everywhere else in this file. Yes, you will have to update xt_osf.c
[...]
> +enum osf_fmatch_states {
> + /* Packet does not match the fingerprint */
> + FMATCH_WRONG = 0,
> + /* Packet matches the fingerprint */
> + FMATCH_OK,
> + /* Options do not match the fingerprint, but header does */
> + FMATCH_OPT_WRONG,
> +};
> +
> +bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
> + int hooknum, struct net_device *in, struct net_device *out,
> + const struct xt_osf_info *info, struct net *net);
enum osf_fmatch_states and nf_osf_match() should be placed in: include/net/netfilter/nf_osf.h This file will not be exposed to userspace via UAPI since they just declare a function and this enum in a way that is not useful to userspace.
> diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
> index dad197e2ab99..eb71a1c703db 100644
> --- a/include/uapi/linux/netfilter/xt_osf.h
> +++ b/include/uapi/linux/netfilter/xt_osf.h
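Review bot: The flag block at the top of the new nf_osf.h defines only `NF_OSF_TTL (1<<1)` and `NF_OSF_LOG (1<<2)`, yet the xt_osf.h hunk aliases `XT_OSF_GENRE` to `NF_OSF_GENRE` and `XT_OSF_INVERT` to `NF_OSF_INVERT`; unless those two live in a part of the file the quote omits, every user of `XT_OSF_GENRE`/`XT_OSF_INVERT` now expands to an undeclared identifier and fails to compile. The fix is to move the two remaining bits as well, `#define NF_OSF_GENRE (1<<0)` and `#define NF_OSF_INVERT (1<<3)`, next to the TTL and LOG definitions so the bit values stay exactly those the old xt_osf.h exported. As quoted from line 1, the header also starts with no include guard and no `#include <linux/types.h>` even though it uses `__u32`; a header that is meant to be included from xt_osf.h and from the new nf_osf core should carry both. The same missing-definition point applies to the xt_osf.h hunk below, which is where the breakage would surface.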
> @@ -23,101 +23,24 @@
> #include <linux/types.h>
> #include <linux/ip.h>
> #include <linux/tcp.h>
> +#include <linux/netfilter/nf_osf.h>
>
> -#define MAXGENRELEN 32
> +#define MAXGENRELEN NF_MAXGENRELEN
>
> -#define XT_OSF_GENRE (1<<0)
> -#define XT_OSF_TTL (1<<1)
> -#define XT_OSF_LOG (1<<2)
> -#define XT_OSF_INVERT (1<<3)
> +#define XT_OSF_GENRE NF_OSF_GENRE
> +#define XT_OSF_INVERT NF_OSF_INVERT
>
> -#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */
> -#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */
> -#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */
> +#define XT_OSF_TTL NF_OSF_TTL
> +#define XT_OSF_LOG NF_OSF_LOG
>
> -#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */
> -#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */
> -#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */
> -
> -struct xt_osf_info {
Add compatibility defines here too, eg. #define xt_osf_info nf_osf_info Same for all other structures.
> - char genre[MAXGENRELEN];
> - __u32 len;
> - __u32 flags;
> - __u32 loglevel;
> - __u32 ttl;
> -};
> -
> -/*
> - * Wildcard MSS (kind of).
> - * It is used to implement a state machine for the different wildcard values
> - * of the MSS and window sizes.
> - */
> -struct xt_osf_wc {
> - __u32 wc;
> - __u32 val;
> -};
> -
> -/*
> - * This struct represents IANA options
> - * http://www.iana.org/assignments/tcp-parameters
> - */
> -struct xt_osf_opt {
> - __u16 kind, length;
> - struct xt_osf_wc wc;
> -};
> -
> -struct xt_osf_user_finger {
> - struct xt_osf_wc wss;
> -
> - __u8 ttl, df;
> - __u16 ss, mss;
> - __u16 opt_num;
> +#define XT_OSF_LOGLEVEL_ALL NF_OSF_LOGLEVEL_ALL
> +#define XT_OSF_LOGLEVEL_FIRST NF_OSF_LOGLEVEL_FIRST
> +#define XT_OSF_LOGLEVEL_ALL_KNOWN NF_OSF_LOGLEVEL_ALL_KNOWN
>
> - char genre[MAXGENRELEN];
> - char version[MAXGENRELEN];
> - char subtype[MAXGENRELEN];
> +#define XT_OSF_TTL_TRUE NF_OSF_TTL_TRUE
> +#define XT_OSF_TTL_NOCHECK NF_OSF_TTL_NOCHECK
>
> - /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
> - struct xt_osf_opt opt[MAX_IPOPTLEN];
> -};
> -
> -struct xt_osf_nlmsg {
> - struct xt_osf_user_finger f;
> - struct iphdr ip;
> - struct tcphdr tcp;
> -};
> -
> -/* Defines for IANA option kinds */
> -
> -enum iana_options {
> - OSFOPT_EOL = 0, /* End of options */
> - OSFOPT_NOP, /* NOP */
> - OSFOPT_MSS, /* Maximum segment size */
> - OSFOPT_WSO, /* Window scale option */
> - OSFOPT_SACKP, /* SACK permitted */
> - OSFOPT_SACK, /* SACK */
> - OSFOPT_ECHO,
> - OSFOPT_ECHOREPLY,
> - OSFOPT_TS, /* Timestamp option */
> - OSFOPT_POCP, /* Partial Order Connection Permitted */
> - OSFOPT_POSP, /* Partial Order Service Profile */
> -
> - /* Others are not used in the current OSF */
> - OSFOPT_EMPTY = 255,
> -};
> -
> -/*
> - * Initial window size option state machine: multiple of mss, mtu or
> - * plain numeric value. Can also be made as plain numeric value which
> - * is not a multiple of specified value.
> - */
> -enum xt_osf_window_size_options {
> - OSF_WSS_PLAIN = 0,
> - OSF_WSS_MSS,
> - OSF_WSS_MTU,
> - OSF_WSS_MODULO,
> - OSF_WSS_MAX,
> -};
> +#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */
>
> /*
> * Add/remove fingerprint from the kernel.
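Review bot: `XT_OSF_TTL_LESS` is kept as the bare literal `1` at the end of the hunk while its two neighbours, `XT_OSF_TTL_TRUE` (0) and `XT_OSF_TTL_NOCHECK` (2), became aliases of `NF_OSF_TTL_*` values that now live in another header; the value 1 is a silent gap in nf_osf.h's TTL numbering that a later `NF_OSF_TTL_*` addition could reuse, and the two headers would then disagree on what a ttl mode of 1 means without any compiler diagnostic. Either define the mode once as `#define NF_OSF_TTL_LESS 1` in nf_osf.h and alias it like the others, `#define XT_OSF_TTL_LESS NF_OSF_TTL_LESS`, or keep it xt-only and say so in the comment, e.g. `/* xt_osf only; value 1 is reserved in the NF_OSF_TTL_* space */`. This is a UAPI header, so whichever way it goes the numeric value itself must not change, since existing iptables binaries pass it in `ttl`.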
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index d3220b43c832..bd1c0eef0aa2 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -631,6 +631,10 @@ config NFT_FIB_INET
> The lookup will be delegated to the IPv4 or IPv6 FIB depending
> on the protocol of the packet.
>
> +config NF_OSF
> + tristate '"osf" Passive OS fingerprint match'
^^^^ This is no a tab indent.
> + depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
> +
> if NF_TABLES_NETDEV
>
> config NF_DUP_NETDEV
> @@ -1377,6 +1381,7 @@ config NETFILTER_XT_MATCH_NFACCT
> config NETFILTER_XT_MATCH_OSF
> tristate '"osf" Passive OS fingerprint match'
> depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
> + select NF_OSF
^^^^ This is not a tab indent either.
Other than that, this looks good :-)
Please, revamp and resend asap, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
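Review bot: The new `config NF_OSF` entry in the first Kconfig hunk reuses the exact prompt string of `NETFILTER_XT_MATCH_OSF`, `'"osf" Passive OS fingerprint match'`, and has no `help` block, so menuconfig presents two identically titled entries with nothing to tell a user which one is the shared core and which is the xtables match. Since the second hunk makes `NETFILTER_XT_MATCH_OSF` `select NF_OSF`, the core does not need a user-visible prompt at all; `tristate` with no string, plus a short help block stating that it is the fingerprint-matching core selected by the xtables match, would remove the duplicate and document the dependency direction. The `select` is safe with respect to the `depends on NETFILTER_ADVANCED && NETFILTER_NETLINK` line because the selecting symbol carries the same two dependencies, but that is worth a one-line comment on the `select`, as Kconfig will not enforce it if either symbol's dependencies drift later.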