On Fri, Jul 20, 2018 at 04:41:13PM +0200, Fernando Fernandez Mancera wrote:
> Add basic module functions into nft_osf.[ch] in order to implement OSF
> module in nf_tables.
>
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 10 ++
> net/netfilter/Kconfig | 7 ++
> net/netfilter/Makefile | 1 +
> net/netfilter/nft_osf.c | 123 +++++++++++++++++++++++
> 4 files changed, 141 insertions(+)
> create mode 100644 net/netfilter/nft_osf.c
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index f466860bcf75..eab5d83a73b0 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1463,6 +1463,16 @@ enum nft_flowtable_hook_attributes {
> };
> #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1)
>
> +enum nft_osf_attributes {
> + NFTA_OSF_UNSPEC,
> + NFTA_OSF_DREG,
> + NFTA_OSF_FLAGS,
> + NFTA_OSF_LOGLEVEL,
> + NFTA_OSF_TTL,

Look: flags, loglevel and ttl are not yet used. They are just set and never used, since nf_osf_find() is not using them. So you can remove them from this patch by now.

> + __NFTA_OSF_MAX,
> +};
> +#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
> +
> /**
> * enum nft_device_attributes - nf_tables device netlink attributes
> *
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 3e5334997062..1ce88b5bb54f 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -638,6 +638,13 @@ config NFT_SOCKET
> This option allows matching for the presence or absence of a
> corresponding socket and its attributes.
>
> +config NFT_OSF
> + tristate "Netfilter nf_tables passive OS fingerprint support"
> + depends on NETFILTER_ADVANCED
> + select NETFILTER_NETLINK_OSF
> + help
> + This option allows matching packets from an specific OS.
> +
> if NF_TABLES_NETDEV
>
> config NF_DUP_NETDEV
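Review bot: The new `enum nft_osf_attributes` is added to the userspace ABI header without a kernel-doc block, whereas the neighbouring enums in this file carry one (the trailing context shows `enum nft_device_attributes` introduced by a `/** ... */` header). A short block along the lines of `/** * enum nft_osf_attributes - nf_tables osf expression netlink attributes * * @NFTA_OSF_DREG: destination register (NLA_U32) */`, extended with one `@NFTA_OSF_*` line per attribute that survives the revision, would keep the header consistent and tell userspace library authors what each attribute carries. The netlink types can be taken straight from the `nft_osf_policy` table in nft_osf.c (NLA_U32 for the register, NLA_U8 for the rest).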
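Review bot: The help text in the NFT_OSF entry has a grammar slip at `+ This option allows matching packets from an specific OS.`; it should read `This option allows matching packets from a specific OS.`. It would also be worth one more sentence telling the user where the fingerprints come from, since the `select NETFILTER_NETLINK_OSF` line is the only hint that the match relies on the nfnetlink_osf fingerprint database being loaded from userspace; presumably nothing matches until that is done, so the option is otherwise easy to enable and misread as self-contained.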
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> index 150a4eb2373a..dfbadee341f7 100644
> --- a/net/netfilter/Makefile
> +++ b/net/netfilter/Makefile
> @@ -109,6 +109,7 @@ obj-$(CONFIG_NFT_FIB) += nft_fib.o
> obj-$(CONFIG_NFT_FIB_INET) += nft_fib_inet.o
> obj-$(CONFIG_NFT_FIB_NETDEV) += nft_fib_netdev.o
> obj-$(CONFIG_NFT_SOCKET) += nft_socket.o
> +obj-$(CONFIG_NFT_OSF) += nft_osf.o
>
> # nf_tables netdev
> obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o
> diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
> new file mode 100644
> index 000000000000..b42a205c5262
> --- /dev/null
> +++ b/net/netfilter/nft_osf.c
> @@ -0,0 +1,123 @@
> +#include <net/netfilter/nf_tables.h>
> +#include <linux/netfilter/nfnetlink_osf.h>
> +
> +#define OSF_GENRE_SIZE 32
> +
> +struct nft_osf {
> + enum nft_registers dreg:8;
> + __u8 flags;
> + __u8 loglevel;
> + __u8 ttl;
> +};
> +
> +static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = {
> + [NFTA_OSF_DREG] = { .type = NLA_U32 },
> + [NFTA_OSF_FLAGS] = { .type = NLA_U8 },
> + [NFTA_OSF_LOGLEVEL] = { .type = NLA_U8 },
> + [NFTA_OSF_TTL] = { .type = NLA_U8 },
> +};
> +
> +static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
> + const struct nft_pktinfo *pkt)
> +{
> + struct nft_osf *priv = nft_expr_priv(expr);
> + u32 *dest = ®s->data[priv->dreg];
> + struct sk_buff *skb = pkt->skb;
> + const struct tcphdr *tcp;
> + struct tcphdr _tcph;
> + const char *os_name;
> +
> + tcp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(struct tcphdr), &_tcph);
> + if (!tcp)
> + regs->verdict.code = NFT_BREAK;

Missing: return; here.

> + if (!tcp->syn)
> + regs->verdict.code = NFT_BREAK;

Missing: return; here too.

This patchset looks very good, I'm expecting we can merge it in the v3 iteration.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html