Re: [PATCH 3/3 nf-next] netfilter: add netlink support for osf module

[Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx>]

On 07/16/2018 05:10 PM, Pablo Neira Ayuso wrote:
> On Sat, Jul 14, 2018 at 04:51:01PM +0200, Fernando Fernandez Mancera wrote:
> > Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx>
> > ---
> >   include/linux/netfilter/nfnetlink_osf.h |  20 +++++
> >   net/netfilter/Kconfig                   |  11 ++-
> >   net/netfilter/Makefile                  |   1 +
> >   net/netfilter/nfnetlink_osf.c           | 100 +++++++++++++++++++++++
> >   net/netfilter/xt_osf.c                  | 103 ++----------------------
> >   5 files changed, 139 insertions(+), 96 deletions(-)
> >   create mode 100644 include/linux/netfilter/nfnetlink_osf.h
> >   create mode 100644 net/netfilter/nfnetlink_osf.c
> >
> > diff --git a/include/linux/netfilter/nfnetlink_osf.h b/include/linux/netfilter/nfnetlink_osf.h
> > new file mode 100644
> > index 000000000000..80fbbbbcd21b
> > --- /dev/null
> > +++ b/include/linux/netfilter/nfnetlink_osf.h
> > @@ -0,0 +1,20 @@
> > +#ifndef _NFNETLINK_OSF_H
> > +#define _NFNETLINK_OSF_H
> > +
> > +#include <linux/list.h>
> > +
> > +#include <linux/netfilter/nfnetlink.h>
> > +
> > +extern struct list_head nf_osf_fingers[2];
> This declaration you can place it in the existing nf_osf.h file, so we
> don't need to create yet another new header file.
>
> And regarding these below...
>
> > +int nf_osf_add_callback(struct net *net, struct sock *ctnl,
> > +			struct sk_buff *skb, const struct nlmsghdr *nlh,
> > +			const struct nlattr * const osf_attrs[],
> > +			struct netlink_ext_ack *extack);
> > +
> > +int nf_osf_remove_callback(struct net *net, struct sock *ctnl,
> > +			   struct sk_buff *skb, const struct nlmsghdr *nlh,
> > +			   const struct nlattr * const osf_attrs[],
> > +			   struct netlink_ext_ack *extack);
>
> You don't need to place these function declararions in the .h file.
>
> Rule of thumb is: You only place declaration in header file that will
> be used by other .c files or other modules...
>
> These are internal, so...

They are going to be used by xt_osf.c and nft_osf.c so we need to define 
them here right?

> > +
> > +#endif	/* _NFNETLINK_OSF_H */
> > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> > index 29c8591f87c2..1e156978535b 100644
> > --- a/net/netfilter/Kconfig
> > +++ b/net/netfilter/Kconfig
> > @@ -46,6 +46,14 @@ config NETFILTER_NETLINK_LOG
> >   	  and is also scheduled to replace the old syslog-based ipt_LOG
> >   	  and ip6t_LOG modules.
> >   
> > +config NETFILTER_NETLINK_OSF
> > +	tristate "Netfilter NFOSF over NFNETLINK interface"
> > +	depends on NETFILTER_ADVANCED
> > +	select NETFILTER_NETLINK
> > +	help
> > +	  If this option is enables, the kernel will include support
> > +	  for passive OS fingerprint via NFNETLINK.
> > +
> >   config NF_CONNTRACK
> >   	tristate "Netfilter connection tracking support"
> >   	default m if NETFILTER_ADVANCED=n
> > @@ -636,6 +644,7 @@ config NFT_SOCKET
> >   config NFT_OSF
> >   	tristate "Netfilter nf_tables passive OS fingerprinting support"
> >   	select NF_OSF
> > +	select NETFILTER_NETLINK_OSF
> >   	help
> >   	  This option allows matching packets from an specific OS.
> >   
> > @@ -1385,8 +1394,8 @@ config NETFILTER_XT_MATCH_NFACCT
> >   
> >   config NETFILTER_XT_MATCH_OSF
> >   	tristate '"osf" Passive OS fingerprint match'
> > -	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
> >   	select NF_OSF
> > +	select NETFILTER_NETLINK_OSF
> >   	help
> >   	  This option selects the Passive OS Fingerprinting match module
> >   	  that allows to passively match the remote operating system by
> > diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> > index 75ddcb0f748d..2fa826d5fdc5 100644
> > --- a/net/netfilter/Makefile
> > +++ b/net/netfilter/Makefile
> > @@ -20,6 +20,7 @@ obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
> >   obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o
> >   obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
> >   obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
> > +obj-$(CONFIG_NETFILTER_NETLINK_OSF) += nfnetlink_osf.o
> >   
> >   # connection tracking
> >   obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
> > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> > new file mode 100644
> > index 000000000000..df9d49c54655
> > --- /dev/null
> > +++ b/net/netfilter/nfnetlink_osf.c
> > @@ -0,0 +1,100 @@
> > +#include <linux/netfilter/nfnetlink_osf.h>
> > +#include <linux/netfilter/nf_osf.h>
> > +
> > +/*
> > + * Indexed by dont-fragment bit.
> > + * It is the only constant value in the fingerprint.
> > + */
> > +struct list_head nf_osf_fingers[2];
> > +EXPORT_SYMBOL_GPL(nf_osf_fingers);
> >
> > +static const struct nla_policy nf_osf_policy[OSF_ATTR_MAX + 1] = {
> > +	[OSF_ATTR_FINGER]	= { .len = sizeof(struct nf_osf_user_finger) },
> > +};
> > +
> > +int nf_osf_add_callback(struct net *net, struct sock *ctnl,
>
> use _static_ here instead.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html