So the following rule, which sets the conntrack mark based on passive OS
recognition, works:

 # nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 }

Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
 src/parser_bison.y          | 1 +
 tests/py/inet/osf.t         | 1 +
 tests/py/inet/osf.t.payload | 9 +++++++++
 3 files changed, 11 insertions(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 9a75120a4dc7..f3c882995e60 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2537,6 +2537,7 @@ primary_stmt_expr :       symbol_expr             { $$ = 
$1; }
                        |       payload_expr            { $$ = $1; }
                        |       keyword_expr            { $$ = $1; }
                        |       socket_expr             { $$ = $1; }
+                       |       osf_expr                { $$ = $1; }
                        ;
 
 shift_stmt_expr                :       primary_stmt_expr
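Review bot: The new `osf_expr` alternative in `primary_stmt_expr` lets an OS-fingerprint result be used as a statement value such as `ct mark set`, and neither the grammar nor the commit message notes that this value is only a heuristic. As far as I know, osf classifies a connection from TCP SYN header fields that the sender chooses, so a mark derived from it can be forged and is better suited to accounting or QoS than to an access-control decision. I would add a comment above the new alternative, e.g. `/* osf is a best-effort guess from sender-controlled TCP SYN fields; marks set from it are hints, not trusted attributes */`, and repeat the caveat wherever the statement is documented. The rule's earlier alternatives start above the hunk, so they are not reviewed here.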
diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
index 6533b84e1c25..7cf909312aa5 100644
--- a/tests/py/inet/osf.t
+++ b/tests/py/inet/osf.t
@@ -7,3 +7,4 @@
 osf name "Linux";ok
 osf name "morethansixteenbytes";fail
 osf name ;fail
+ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
diff --git a/tests/py/inet/osf.t.payload b/tests/py/inet/osf.t.payload
index f94c17ec69b6..0381378f8d67 100644
--- a/tests/py/inet/osf.t.payload
+++ b/tests/py/inet/osf.t.payload
@@ -12,3 +12,12 @@ ip6 osfip6 osfchain
 inet osfinet osfchain
   [ osf dreg 1 ]
   [ cmp eq reg 1 0x756e694c 0x00000078 0x00000000 0x00000000 ]
+
+# ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }
+__map%d osfip b size 2
+__map%d osfip 0
+        element 646e6957 0073776f 00000000 00000000  : 00000001 0 [end] 
element 4f63614d 00000073 00000000 00000000  : 00000002 0 [end]
+ip osfip osfchain
+  [ osf dreg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ ct set mark with reg 1 ]
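Review bot: The expected payload added here covers only the `ip` family (`ip osfip osfchain`), while the hunk header and the context line above show the preceding rule recorded for `ip6 osfip6 osfchain` and `inet osfinet osfchain` as well. If osf.t still declares all three tables, which is not visible in this patch, the new `ct mark set osf name map ...` test line also runs for ip6 and inet with no expected bytecode to compare against. I would add matching `ip6 osfip6 osfchain` and `inet osfinet osfchain` entries, each with its own `__map%d` declarations and the same `osf` / `lookup` / `ct set mark` sequence.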
-- 
2.11.0
