From: Fernando Fernandez Mancera <ffmancera@riseup.net>
To: netfilter-devel@vger.kernel.org
Cc: Fernando Fernandez Mancera <ffmancera@riseup.net>
Subject: [PATCH nft v2 1/6] osf: add version fingerprint support
Date: Mon, 11 Mar 2019 16:14:12 +0100 [thread overview]
Message-ID: <20190311151417.17772-1-ffmancera@riseup.net> (raw)
Add support for the version fingerprint in the "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
osf ttl skip name "Linux"
osf ttl skip name version "Linux:4.20"
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
v1: initial patch
v2: flags type is now u32
---
include/expression.h | 1 +
include/linux/netfilter/nf_tables.h | 6 ++++++
include/osf.h | 3 ++-
src/netlink_delinearize.c | 4 +++-
src/netlink_linearize.c | 1 +
src/osf.c | 13 ++++++++++---
src/parser_bison.y | 8 ++++++--
7 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/include/expression.h b/include/expression.h
index 6d72f64..6416ac0 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -350,6 +350,7 @@ struct expr {
struct {
/* EXPR_OSF */
uint8_t ttl;
+ uint32_t flags;
} osf;
};
};
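Review bot: The new member on the `+ uint32_t flags;` line carries no comment saying which bit namespace it holds, so a reader of struct expr has to find the UAPI enum this series adds to learn that only NFT_OSF_F_* values are meaningful here; `uint32_t flags; /* NFT_OSF_F_* bitmask */` would make the coupling visible at the point of use. The enclosing `struct expr` begins outside the hunk.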
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 37036be..09a7b9e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -944,15 +944,21 @@ enum nft_socket_keys {
*
* @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
* @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
+ * @NFTA_OSF_FLAGS: flags (NLA_U32)
*/
enum nft_osf_attributes {
NFTA_OSF_UNSPEC,
NFTA_OSF_DREG,
NFTA_OSF_TTL,
+ NFTA_OSF_FLAGS,
__NFTA_OSF_MAX
};
#define NFT_OSF_MAX (__NFTA_OSF_MAX - 1)
+enum nft_osf_flags {
+ NFT_OSF_F_VERSION = 1 << 0, /* check fingerprint version */
+};
+
/**
* enum nft_ct_keys - nf_tables ct expression keys
*
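Review bot: `enum nft_osf_flags` is introduced without the kernel-doc block that the neighbouring enums in this header carry, so `NFT_OSF_F_VERSION` is described only by a trailing comment. Since include/linux/netfilter/nf_tables.h appears to be a copy of the kernel UAPI header, this hunk should presumably be a verbatim sync of the kernel-side definition rather than a hand edit, and the commit message could say which kernel change it is synced from. If a kernel-doc block is added, `/** enum nft_osf_flags - nf_tables osf expression flags` followed by an `@NFT_OSF_F_VERSION:` line would match the style of the `enum nft_osf_attributes` comment above.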
diff --git a/include/osf.h b/include/osf.h
index 23ea34d..8f6f584 100644
--- a/include/osf.h
+++ b/include/osf.h
@@ -1,7 +1,8 @@
#ifndef NFTABLES_OSF_H
#define NFTABLES_OSF_H
-struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl);
+struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl,
+ const uint32_t flags);
extern int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del);
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index d0eaf5b..9a2d63d 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -655,10 +655,12 @@ static void netlink_parse_osf(struct netlink_parse_ctx *ctx,
{
enum nft_registers dreg;
struct expr *expr;
+ uint32_t flags;
uint8_t ttl;
ttl = nftnl_expr_get_u8(nle, NFTNL_EXPR_OSF_TTL);
- expr = osf_expr_alloc(loc, ttl);
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_OSF_FLAGS);
+ expr = osf_expr_alloc(loc, ttl, flags);
dreg = netlink_parse_register(nle, NFTNL_EXPR_OSF_DREG);
netlink_set_register(ctx, dreg, expr);
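Review bot: `flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_OSF_FLAGS);` reads the attribute unconditionally, yet a rule that was installed by an nft or kernel predating NFTA_OSF_FLAGS carries no such attribute on the wire. What libnftnl returns for an attribute that was never set is not visible here, so the read should be guarded the way optional attributes are handled, `flags = nftnl_expr_is_set(nle, NFTNL_EXPR_OSF_FLAGS) ? nftnl_expr_get_u32(nle, NFTNL_EXPR_OSF_FLAGS) : 0;`, which also documents that 0 is the "no version matching" default. netlink_parse_osf's signature and closing brace lie outside the hunk.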
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 61149bf..8df82d5 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -228,6 +228,7 @@ static void netlink_gen_osf(struct netlink_linearize_ctx *ctx,
nle = alloc_nft_expr("osf");
netlink_put_register(nle, NFTNL_EXPR_OSF_DREG, dreg);
nftnl_expr_set_u8(nle, NFTNL_EXPR_OSF_TTL, expr->osf.ttl);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_OSF_FLAGS, expr->osf.flags);
nftnl_rule_add_expr(ctx->nlr, nle);
}
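Review bot: `nftnl_expr_set_u32(nle, NFTNL_EXPR_OSF_FLAGS, expr->osf.flags);` sends the attribute even when flags is 0, so every osf rule, including the plain `osf ttl ... name` form that worked before this patch, now carries NFTA_OSF_FLAGS; whether a kernel that does not know the attribute ignores or rejects it depends on its attribute parsing, which is not visible here. Emitting it only when a flag is actually set keeps the existing form wire-compatible: `if (expr->osf.flags) nftnl_expr_set_u32(nle, NFTNL_EXPR_OSF_FLAGS, expr->osf.flags);`. netlink_gen_osf's signature is outside the hunk.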
diff --git a/src/osf.c b/src/osf.c
index 9252934..b57fcfe 100644
--- a/src/osf.c
+++ b/src/osf.c
@@ -19,17 +19,22 @@ static void osf_expr_print(const struct expr *expr, struct output_ctx *octx)
{
const char *ttl_str = osf_ttl_int_to_str(expr->osf.ttl);
- nft_print(octx, "osf %sname", ttl_str);
+ if (expr->osf.flags & NFT_OSF_F_VERSION)
+ nft_print(octx, "osf %sname version", ttl_str);
+ else
+ nft_print(octx, "osf %sname", ttl_str);
}
static void osf_expr_clone(struct expr *new, const struct expr *expr)
{
new->osf.ttl = expr->osf.ttl;
+ new->osf.flags = expr->osf.flags;
}
static bool osf_expr_cmp(const struct expr *e1, const struct expr *e2)
{
- return e1->osf.ttl == e2->osf.ttl;
+ return (e1->osf.ttl == e2->osf.ttl) &&
+ (e1->osf.flags == e2->osf.flags);
}
const struct expr_ops osf_expr_ops = {
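Review bot: The two branches in osf_expr_print repeat the `"osf %sname"` format and differ only by the trailing keyword, so a future flag would mean a third near-identical nft_print call; one call with the suffix selected by the flag keeps the format in a single place: `nft_print(octx, "osf %sname%s", ttl_str, (expr->osf.flags & NFT_OSF_F_VERSION) ? " version" : "");`. Note also that any flag bit other than NFT_OSF_F_VERSION is silently dropped when a rule is listed, which is fine for now but worth a one-line comment such as `/* only NFT_OSF_F_VERSION has a textual form */` so the next flag is not forgotten here.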
@@ -41,7 +46,8 @@ const struct expr_ops osf_expr_ops = {
.json = osf_expr_json,
};
-struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl)
+struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl,
+ const uint32_t flags)
{
unsigned int len = NFT_OSF_MAXGENRELEN * BITS_PER_BYTE;
const struct datatype *type = &string_type;
@@ -50,6 +56,7 @@ struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl)
expr = expr_alloc(loc, EXPR_OSF, type,
BYTEORDER_HOST_ENDIAN, len);
expr->osf.ttl = ttl;
+ expr->osf.flags = flags;
return expr;
}
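Review bot: osf_expr_alloc gains a `flags` parameter on the `+struct expr *osf_expr_alloc(...)` lines but nothing states what values are valid or what 0 means; since the value is stored unchecked at `expr->osf.flags = flags;`, a comment above the definition, `/* flags: NFT_OSF_F_* bitmask; 0 matches the genre name only */`, would document the contract for the two callers in parser_bison.y and netlink_delinearize.c. The start of the function body between the two osf.c hunks is not shown.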
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b20be3a..161f1a5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3190,9 +3190,13 @@ fib_tuple : fib_flag DOT fib_tuple
| fib_flag
;
-osf_expr : OSF osf_ttl NAME
+osf_expr : OSF osf_ttl NAME HDRVERSION
{
- $$ = osf_expr_alloc(&@$, $2);
+ $$ = osf_expr_alloc(&@$, $2, NFT_OSF_F_VERSION);
+ }
+ | OSF osf_ttl NAME
+ {
+ $$ = osf_expr_alloc(&@$, $2, 0);
}
;
--
2.20.1