On Thu, Mar 14, 2019 at 06:34:54PM +0100, Phil Sutter wrote:
> Hi,
>
> On Thu, Mar 14, 2019 at 02:58:40PM +0100, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > On Thu, Mar 14, 2019 at 12:14:23PM +0100, Fernando Fernandez Mancera wrote:
> > > Hi,
> > >
> > > I have been thinking more about this today. I don't know how access to
> > > the right-hand-side string from the kernel if it is possible. Sorry if
> > > the question is very dumb, but I may lack experience with the nft
> > > registers and RHS data of an expression.
> >
> > I think you can hide flags from json, which is what Phil suggests, I
> > mean, just infer version flags from the syntax, ie. if
> > "genre::version" is used, then set of the version flag.
> >
> > I think Phil is not suggesting kernel changes.
>
> Actually I'm still in the process of understanding how all this works.
> What I got so far is (correct me if I'm wrong): osf expr does the
> fingerprinting and returns a string which relational expr compares to
> right-hand side. This new version flag defines whether osf expr adds the
> version to returned string or not.
>
> Assuming the above is correct, my suggestion of making the flag option
> implicit does not quite hold, at least not without painful
> postprocessing of relational statement in userspace.
>
> Right now this all seems to me like enabling multiple comparisons within
> a single relational, i.e. one for genre and the other for version.
> Nftables doesn't quite do such things. E.g. matching on two TCP header
> fields requires two relationals, e.g. 'tcp dport 22 tcp sport > 1024'.
> Internally then, these two statements may be combined into a single
> payload match if suitable.
The osf expression returns a string with the OS genre, and if the
version flag is set on, it appends the version to this string, ie.
genre + version.
This allows us to build maps, ie.
meta mark set osf genre { "linux" : 0x10, "windows" : 0x20, "macos" : 0x40 }
But, with this new version, you could also do:
meta mark set osf genre { "linux::4.0" : 0x11, "linux::3.0" : 0x12, ...}
and so on.
So I see this version thing as a extended matching.
The osf engine actually _already_ finds a precise matching, ie. genre
+ version, since the fingerprint is per genre + version. But you can
just decide to match on the genre (eg. linux).
> Applying the same logic to osf expression, we would implement 'osf name
> foo osf version 3.141' and add 'osf_try_merge()' routine to
> 'rule_postprocess()' which tries to combine the two statements.
> Obviously, this is quite a bit of extra work, not sure if feasible.
I think the discussion here is the syntax, ie.
osf genre "Linux::4.10"
vs.
osf genre "Linux" version "4.10"
This only requires changes to the userspace nftables side, if you
prefer this syntax, which is what I understand you would like to see,
right?
The use of the colon, which comes from the pf.os file:
512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
^^^^^^^^^
Then, this allows us to match for "Linux:2.0".
Thanks!
