Re: [PATCH nf-next WIP] netfilter: implement Passive OS fingerprint module in nft_osf


 



On Wed, Jun 27, 2018 at 07:11:39PM +0200, Fernando Fernandez Mancera wrote:
> Add basic module functions into nft_osf.[ch] in order to start the
> implementation of OSF module in nf_tables.
> 
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx>
> ---
>  include/net/netfilter/nft_osf.h |  15 +++++
>  net/netfilter/Kconfig           |   7 +++
>  net/netfilter/Makefile          |   1 +
>  net/netfilter/nft_osf.c         | 104 ++++++++++++++++++++++++++++++++
>  4 files changed, 127 insertions(+)
>  create mode 100644 include/net/netfilter/nft_osf.h
>  create mode 100644 net/netfilter/nft_osf.c
> 
> diff --git a/include/net/netfilter/nft_osf.h b/include/net/netfilter/nft_osf.h
> new file mode 100644
> index 000000000000..af6c8550f564
> --- /dev/null
> +++ b/include/net/netfilter/nft_osf.h
> @@ -0,0 +1,15 @@
> +#ifndef _NFT_OSF_H
> +#define _NFT_OSF_H
> +
> +enum nft_osf_attributes {
> +	NFTA_OSF_UNSPEC,
> +	NFTA_OSF_GENRE,
> +	NFTA_OSF_FLAGS,
> +	NFTA_OSF_LOGLEVEL,
> +	NFTA_OSF_TTL,
> +	__NFTA_OSF_MAX,
> +};
> +
> +#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
> +
> +#endif /* _NFT_OSF_H */
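Review bot: The new attribute enum carries no per-member comments, so a reader of nft_osf.h cannot tell what NFTA_OSF_FLAGS, NFTA_OSF_LOGLEVEL and NFTA_OSF_TTL are expected to hold or how they are encoded; the other nf_tables attribute enums document each member with a kernel-doc `@NFTA_…:` line and a short `enum nft_osf_attributes - nf_tables osf expression netlink attributes` header. Something like `@NFTA_OSF_GENRE: OS genre name to match (NLA_STRING)` and `@NFTA_OSF_TTL: TTL check mode (NLA_U32)` on each member would give the header a contract that the policy table in nft_osf.c can be checked against. If userspace is meant to emit these attributes, they presumably belong with the other NFTA_* enums in the uapi nf_tables.h rather than under include/net — worth confirming before the ABI settles.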
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index dbd7d1fad277..e630aac8a081 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -631,6 +631,13 @@ config NFT_SOCKET
>  	  This option allows matching for the presence or absence of a
>  	  corresponding socket and its attributes.
>  
> +config NFT_OSF
> +	tristate "Netfilter nf_tables passive OS fingerprinting support"
> +	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
> +	select NF_OSF
> +	help
> +	  This option allows matching packets from an specific OS.
> +
>  if NF_TABLES_NETDEV
>  
>  config NF_DUP_NETDEV
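Review bot: The help text under `config NFT_OSF` reads "matching packets from an specific OS": the article is wrong and the sentence does not say what the match is based on, even though the prompt line and `select NF_OSF` both point at passive fingerprinting. Suggest `This option allows matching packets by the operating system they were sent from, using passive OS fingerprinting (NF_OSF).` so the help entry explains what the option actually enables.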
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> index 44449389e527..d15bd858ecef 100644
> --- a/net/netfilter/Makefile
> +++ b/net/netfilter/Makefile
> @@ -104,6 +104,7 @@ obj-$(CONFIG_NFT_FIB_INET)	+= nft_fib_inet.o
>  obj-$(CONFIG_NFT_FIB_NETDEV)	+= nft_fib_netdev.o
>  obj-$(CONFIG_NF_OSF)		+= nf_osf.o
>  obj-$(CONFIG_NFT_SOCKET)	+= nft_socket.o
> +obj-$(CONFIG_NFT_OSF)		+= nft_osf.o
>  
>  # nf_tables netdev
>  obj-$(CONFIG_NFT_DUP_NETDEV)	+= nft_dup_netdev.o
> diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
> new file mode 100644
> index 000000000000..008e3484f3da
> --- /dev/null
> +++ b/net/netfilter/nft_osf.c
> @@ -0,0 +1,104 @@
> +#include <net/netfilter/nf_tables.h>
> +#include <linux/tcp.h>
> +#include <net/netfilter/nft_osf.h>
> +
> +#define OSF_GENRE_SIZE 32
> +
> +struct nft_osf {
> +	char	genre[OSF_GENRE_SIZE];
> +	__u32	flags;
> +	__u32	loglevel;
> +	__u32	ttl;
> +	__u32	len;
> +};
> +
> +/* placeholder function WIP */
> +static inline bool match_packet(struct nft_osf *priv, struct sk_buff *skb)
> +{
> +	return 1;

OK, so your follow up step is to support this, right?

> +}
> +
> +static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = {
> +	[NFTA_OSF_GENRE]	= { .type = NLA_STRING, .len = OSF_GENRE_SIZE },
> +	[NFTA_OSF_FLAGS]	= { .type = NLA_U32 },
> +	[NFTA_OSF_LOGLEVEL]	= { .type = NLA_U32 },
> +	[NFTA_OSF_TTL]		= { .type = NLA_U32 },
> +};
> +
> +static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
> +			const struct nft_pktinfo *pkt)
> +{
> +	struct nft_osf *priv = nft_expr_priv(expr);
> +	struct sk_buff *skb = pkt->skb;
> +
> +	if (match_packet(priv, skb))
> +		regs->verdict.code = NFT_CONTINUE;

NFT_CONTINUE is implicit, so not needed.

> +	else
> +		regs->verdict.code = NFT_BREAK;

So you can simplify this to:

	if (!match_packet(priv, skb))
		regs->verdict.code = NFT_BREAK;

> +}
> +
> +static int nft_osf_init(const struct nft_ctx *ctx,
> +			const struct nft_expr *expr,
> +			const struct nlattr * const tb[])
> +{
> +	struct nft_osf *priv = nft_expr_priv(expr);
> +
> +	if (tb[NFTA_OSF_GENRE] == NULL)
> +		return -EINVAL;
> +	nla_strlcpy(priv->genre, tb[NFTA_OSF_GENRE], OSF_GENRE_SIZE);
> +	priv->flags	= ntohl(nla_get_be32(tb[NFTA_OSF_FLAGS]));

I guess you have to check for invalid flags here, eg.

        if (priv->flags & ~MASK_WITH_SUPPORT_FLAGS)
                return -EOPNOTSUPP;

> +	priv->loglevel	= ntohl(nla_get_be32(tb[NFTA_OSF_LOGLEVEL]));

Probably same thing here?

> +	priv->ttl	= ntohl(nla_get_be32(tb[NFTA_OSF_TTL]));
> +	priv->len = strlen(priv->genre);
> +	return 0;
> +}
> +
> +static int nft_osf_dump(struct sk_buff *skb, const struct nft_expr *expr)
> +{
> +	const struct nft_osf *priv = nft_expr_priv(expr);
> +
> +	if (nla_put_string(skb, NFTA_OSF_GENRE, priv->genre) ||
> +	    nla_put_be32(skb, NFTA_OSF_FLAGS, htonl(priv->flags)) ||
> +	    nla_put_be32(skb, NFTA_OSF_LOGLEVEL, htonl(priv->loglevel)) ||
> +	    nla_put_be32(skb, NFTA_OSF_TTL, htonl(priv->ttl)))
> +		goto nla_put_failure;
> +	return 0;
> +
> +nla_put_failure:
> +	return -1;
> +}
> +
> +static struct nft_expr_type nft_osf_type;
> +
> +static const struct nft_expr_ops nft_osf_op = {
> +	.eval = nft_osf_eval,
> +	.size = NFT_EXPR_SIZE(sizeof(struct nft_osf)),
> +	.init = nft_osf_init,
> +	.dump = nft_osf_dump,
> +	.type = &nft_osf_type,
> +};
> +
> +static struct nft_expr_type nft_osf_type __read_mostly = {
> +	.ops = &nft_osf_op,
> +	.name = "osf",
> +	.owner = THIS_MODULE,
> +	.policy = nft_osf_policy,
> +	.maxattr = NFTA_OSF_MAX,
> +};
> +
> +static int __init nft_osf_module_init(void)
> +{
> +	return nft_register_expr(&nft_osf_type);
> +}
> +
> +static void __exit nft_osf_module_exit(void)
> +{
> +	return nft_unregister_expr(&nft_osf_type);
> +}
> +
> +module_init(nft_osf_module_init);
> +module_exit(nft_osf_module_exit);
> +
> +MODULE_LICENSE("GPL");
> +MODULE_AUTHOR("Fernando Fernandez <ffmancera@xxxxxxxxxx>");
> +MODULE_ALIAS_NFT_EXPR("osf");
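Review bot: nft_osf_init reads tb[NFTA_OSF_FLAGS], tb[NFTA_OSF_LOGLEVEL] and tb[NFTA_OSF_TTL] through nla_get_be32() without checking that the attribute was supplied; only NFTA_OSF_GENRE is tested, so a rule that omits any of the other three hands a NULL entry to nla_get_be32(). Either make them mandatory, `if (!tb[NFTA_OSF_FLAGS] || !tb[NFTA_OSF_LOGLEVEL] || !tb[NFTA_OSF_TTL])` / `return -EINVAL;` before the first nla_get_be32(), or test each one individually and leave the field zero when absent, and say in a comment which of the two the expression promises. Two smaller points in the same hunk: match_packet() ignores both parameters and returns the integer `1` from a bool function, so `return true;` plus a `/* TODO: call into nf_osf matching */` comment would document the stub better, and `return nft_unregister_expr(&nft_osf_type);` in the void nft_osf_module_exit should drop the `return`. priv->len is written in nft_osf_init but not read anywhere in this hunk; if it is kept for the follow-up, a short comment on the struct field saying so would stop it from being mistaken for dead state.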
> -- 
> 2.18.0
> 


