On Thu, Mar 14, 2019 at 09:07:37PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Mar 14, 2019 at 06:34:54PM +0100, Phil Sutter wrote:
> > Hi,
> >
> > On Thu, Mar 14, 2019 at 02:58:40PM +0100, Pablo Neira Ayuso wrote:
> > > Hi,
> > >
> > > On Thu, Mar 14, 2019 at 12:14:23PM +0100, Fernando Fernandez Mancera wrote:
> > > > Hi,
> > > >
> > > > I have been thinking more about this today. I don't know how access to
> > > > the right-hand-side string from the kernel if it is possible. Sorry if
> > > > the question is very dumb, but I may lack experience with the nft
> > > > registers and RHS data of an expression.
> > >
> > > I think you can hide flags from json, which is what Phil suggests, I
> > > mean, just infer version flags from the syntax, ie. if
> > > "genre::version" is used, then set of the version flag.
> > >
> > > I think Phil is not suggesting kernel changes.
> >
> > Actually I'm still in the process of understanding how all this works.
> > What I got so far is (correct me if I'm wrong): osf expr does the
> > fingerprinting and returns a string which relational expr compares to
> > right-hand side. This new version flag defines whether osf expr adds the
> > version to returned string or not.
> >
> > Assuming the above is correct, my suggestion of making the flag option
> > implicit does not quite hold, at least not without painful
> > postprocessing of relational statement in userspace.
> >
> > Right now this all seems to me like enabling multiple comparisons within
> > a single relational, i.e. one for genre and the other for version.
> > Nftables doesn't quite do such things. E.g. matching on two TCP header
> > fields requires two relationals, e.g. 'tcp dport 22 tcp sport > 1024'.
> > Internally then, these two statements may be combined into a single
> > payload match if suitable.
>
> The osf expression returns a string with the OS genre, and if the
> version flag is set on, it appends the version to this string, ie.
> genre + version.
>
> This allows us to build maps, ie.
>
> meta mark set osf genre { "linux" : 0x10, "windows" : 0x20, "macos" : 0x40 }
>
> But, with this new version, you could also do:
>
> meta mark set osf genre { "linux::4.0" : 0x11, "linux::3.0" : 0x12, ...}
>
> and so on.
>
> So I see this version thing as a extended matching.
>
> The osf engine actually _already_ finds a precise matching, ie. genre
> + version, since the fingerprint is per genre + version. But you can
> just decide to match on the genre (eg. linux).
>
> > Applying the same logic to osf expression, we would implement 'osf name
> > foo osf version 3.141' and add 'osf_try_merge()' routine to
> > 'rule_postprocess()' which tries to combine the two statements.
> > Obviously, this is quite a bit of extra work, not sure if feasible.
>
> I think the discussion here is the syntax, ie.
>
> osf genre "Linux::4.10"
>
> vs.
>
> osf genre "Linux" version "4.10"
>
> This only requires changes to the userspace nftables side, if you
> prefer this syntax, which is what I understand you would like to see,
> right?
>
> The use of the colon, which comes from the pf.os file:
>
> 512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
> ^^^^^^^^^
>
> Then, this allows us to match for "Linux:2.0".
I think we could even extend this later on to match things like:
# Popular cluster config scripts disable timestamps and
# selective ACK:
S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
^^^^^^^^^^^^^^^^^
Then, do:
os gente "Linux:2.4:cluster"
by adding a new flag to match the "Subtype" field (according to the
file description in pf.os).
Thanks!
