[PATCH nf-next] netfilter: make NF_OSF non-visible symbol

Signed-off-by: Fernando Fernandez Mancera <ffmanc...@riseup.net> --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index e57c9d479503..a5b60e6a983e 100644 --- a/net/netfilter/Kconfig +++ b/net/net

[PATCH nftables] configure.ac: fix a typo in docbook2x error message.

The correct name is "docbook2x-man" not "docbookx2-man". Signed-off-by: Fernando Fernandez Mancera --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 36148ae..e698a9b 100644 --- a/configure.ac +++ b/configu

[PATCH nf-next WIP] netfilter: implement Passive OS fingerprint module in nft_osf

Add basic module functions into nft_osf.[ch] in order to start the implementation of OSF module in nf_tables. Signed-off-by: Fernando Fernandez Mancera --- include/net/netfilter/nft_osf.h | 15 + net/netfilter/Kconfig | 7 +++ net/netfilter/Makefile | 1 + net

[PATCH libnftnl WIP] expr: add osf support

Signed-off-by: Fernando Fernandez Mancera --- include/libnftnl/expr.h | 7 + include/linux/netfilter/osf.h | 15 ++ src/Makefile.am | 1 + src/expr/osf.c| 263 ++ src/expr_ops.c| 2 + 5 files changed, 288

Re: [PATCH nf-next WIP] netfilter: implement Passive OS fingerprint module in nft_osf

On 06/27/2018 07:19 PM, Pablo Neira Ayuso wrote: On Wed, Jun 27, 2018 at 07:11:39PM +0200, Fernando Fernandez Mancera wrote: Add basic module functions into nft_osf.[ch] in order to start the implementation of OSF module in nf_tables. Signed-off-by: Fernando Fernandez Mancera --- include

[PATCH nf-next v5] netfilter: nf_osf: nf_osf_ttl() and nf_osf_match()

Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start the nftables OSF implementation. Signed-off-by: Fernando Fernandez Mancera <ffmanc...@riseup.net> --- include/linux/netfilter/nf_osf.h | 29 include/uapi/linux/netfilter/nf_osf.h | 93 +++ includ

[PATCH 2/2 nf-next] nfnetlink_osf: rename nf_osf header file to nfnetlink_osf

As the first client of nf_osf userspace header is nft_osf and xt_osf, we rename it to nfnetlink_osf.h Suggested-by: Jan Engelhardt Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 2 +- include/uapi/linux/netfilter/{nf_os

[PATCH nf-next 1/2] fixup: nf_osf: move nf_osf_fingers to non-uapi nf_osf header file

Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_osf.h | 2 ++ include/uapi/linux/netfilter/nf_osf.h | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/netfilter/nf_osf.h b/include/linux/netfilter/nf_osf.h index aee460fcbd31

Re: [netfilter-core] [nf-next:master 5/7] ./usr/include/linux/netfilter/nf_osf.h:73: userspace cannot reference function or variable defined in the kernel

El 31 de julio de 2018 7:52:26 CEST, Florian Westphal escribió: >kbuild test robot wrote: >> tree: >https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git >master >> head: 4ed8eb6570a49931c705512060acd50058d61616 >> commit: f9324952088f1cd62ea4addf9ff532f1e6452a22 [5/7] netfilter:

Re: [PATCH nftables] doc: add osf expression to man page

Please, apply v2 instead this one. I have fixed a typo. On 08/04/2018 12:15 AM, Fernando Fernandez Mancera wrote: Signed-off-by: Fernando Fernandez Mancera --- doc/primary-expression.txt | 29 + 1 file changed, 29 insertions(+) diff --git a/doc/primary

[PATCH nftables] doc: add osf expression to man page

Signed-off-by: Fernando Fernandez Mancera --- doc/primary-expression.txt | 29 + 1 file changed, 29 insertions(+) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 50093b4..1445288 100644 --- a/doc/primary-expression.txt +++ b/doc/primary

[PATCH nftables] test: py: fix osf testcases warning

Signed-off-by: Fernando Fernandez Mancera --- tests/py/inet/osf.t | 4 ++-- tests/py/inet/osf.t.payload | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t index 743049a..4db20b7 100644 --- a/tests/py/inet/osf.t +++ b/tests/py

Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints

I think we should place osf_init in nfnl_osf.h so this way we don't need to include osf.h in rule.c. If you agree I will send another patchset iteration. Thanks. El 10 de agosto de 2018 15:02:00 CEST, Fernando Fernandez Mancera escribió: >Import iptables/utils/nfnl_osf.c into nftables t

[PATCH 2/2 nftables] test: py: add test cases for "osf" matching

Signed-off-by: Fernando Fernandez Mancera --- tests/py/inet/osf.t | 6 ++ tests/py/inet/osf.t.payload | 4 2 files changed, 10 insertions(+) create mode 100644 tests/py/inet/osf.t create mode 100644 tests/py/inet/osf.t.payload diff --git a/tests/py/inet/osf.t b/tests/py/inet

[PATCH 1/2 nftables] src: introduce passive OS fingerprint matching

Add support for "osf" expression. Example: table ip foo { chain bar { type filter hook input priority 0; policy accept; osf "Linux" counter packets 3 bytes 132 } } Signed-off-by: Fernando Fernandez Mancera ---

[PATCH nftables v2] doc: add osf expression to man page

Signed-off-by: Fernando Fernandez Mancera --- doc/primary-expression.txt | 29 + 1 file changed, 29 insertions(+) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 50093b4..86f3e52 100644 --- a/doc/primary-expression.txt +++ b/doc/primary

[PATCH libnftnl] expr: osf: modify _snprintf_default function

Signed-off-by: Fernando Fernandez Mancera --- src/expr/osf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/expr/osf.c b/src/expr/osf.c index 1541390..ac7a6f3 100644 --- a/src/expr/osf.c +++ b/src/expr/osf.c @@ -91,11 +91,10 @@ nftnl_expr_osf_parse(struct nftnl_expr *e

[PATCH nf-next v2] netfilter: nft_osf: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ

As no "genre" on pf.os exceed 16 bytes of length, we reduce NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_osf.c | 8 +++

[PATCH nf-next] netfilter: nfnetlink_osf: add missing enum in nfnetlink_osf uapi header

Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 12 include/uapi/linux/netfilter/nfnetlink_osf.h | 13 + include/uapi/linux/netfilter/xt_osf.h| 1 + 3 files changed, 14 insertions(+), 12 deletions(-) diff --git

Re: [PATCH 3/3 nft v2] src: osf: import nfnl_osf.c to load osf fingerprints

Thanks you for this review, I am going to send a v3 iteration with the changes done and tested. El 14 de agosto de 2018 16:10:33 CEST, Pablo Neira Ayuso escribió: >On Mon, Aug 13, 2018 at 06:57:08PM +0200, Fernando Fernandez Mancera >wrote: >[...] >> diff --git a/include/nfnl_

[PATCH 2/2 nft v2] tests: improve test cases for osf

Signed-off-by: Fernando Fernandez Mancera --- tests/py/inet/osf.t | 5 - tests/py/inet/osf.t.payload | 12 +++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t index 4db20b7..6533b84 100644 --- a/tests/py/inet/osf.t

[PATCH 1/2 nft v2] src: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ in osf.c

As no "genre" in pf.os exceed 16 bytes of length, we reduce NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_tables.h | 1 + src/osf.c | 4 +--- 2 files

Re: [PATCH nf-next] netfilter: nft_osf: use OSF_GENRE_SIZE instead of IFNAMSIZ

On 08/06/2018 01:30 PM, Pablo Neira Ayuso wrote: On Mon, Aug 06, 2018 at 01:24:17PM +0200, Fernando Fernandez Mancera wrote: Right now, we have "MAXGENRELEN" defined in UAPI, so I am going to use it instead of define OSF_GENRE_SIZE. Oh I see. This is 32 bytes long and we can

[PATCH nf-next] netfilter: nft_osf: use OSF_GENRE_SIZE instead of IFNAMSIZ

As no "genre" on pf.os exceed 16 bytes of length, we reduce OSF_GENRE_SIZE parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 2 ++ net/netfilter/nft_osf.c | 6 ++ 2 files

Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints

On 08/11/2018 12:03 PM, Pablo Neira Ayuso wrote: +#endif /* _NF_OSF_H */ diff --git a/include/nfnl_osf.h b/include/nfnl_osf.h new file mode 100644 index 000..d9287e9 --- /dev/null +++ b/include/nfnl_osf.h @@ -0,0 +1,6 @@ +#ifndef _NFNL_OSF_H +#define _NFNL_OSF_H + +int

[PATCH 1/3 nft] files: osf: copy iptables/utils/pf.os into nftables tree

As we are going to need pf.os file to load OS fingerprints from the incoming nfnl_osf.c, we copy it into the nftables tree directory "files/osf/". Signed-off-by: Fernando Fernandez Mancera --- files/osf/pf.os | 709 1 file changed, 709

[PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints

Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order to load OS fingerprints automatically from pf.os file. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 119 +++ include/nfnl_osf.h | 6 + include

[PATCH 2/3 nft] src: mnl: make nft_mnl_talk() public

As we are going to use the function nft_mnl_talk() from the incoming nftnl_osf.c, we make it public. Signed-off-by: Fernando Fernandez Mancera --- include/mnl.h | 4 src/mnl.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mnl.h b/include/mnl.h index

[PATCH 2/3 nft v2] src: mnl: make nft_mnl_talk() public

As we are going to use the function nft_mnl_talk() from the incoming nftnl_osf.c, we make it public. Signed-off-by: Fernando Fernandez Mancera --- include/mnl.h | 4 src/mnl.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mnl.h b/include/mnl.h index

[PATCH 3/3 nft v2] src: osf: import nfnl_osf.c to load osf fingerprints

Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order to load OS fingerprints automatically from pf.os file. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 119 +++ include/nfnl_osf.h | 10 + src

[PATCH 1/2 nft] src: use OSF_GENRE_SIZE instead of IFNAMSIZ in osf.c

As no "genre" in pf.os exceed 16 bytes of length, we reduce OSF_GENRE_SIZE parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera --- include/osf.h | 2 ++ src/osf.c | 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git

[PATCH 2/2 nft] tests: improve test cases for osf

Signed-off-by: Fernando Fernandez Mancera --- tests/py/inet/osf.t | 5 - tests/py/inet/osf.t.payload | 10 ++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t index 4db20b7..6533b84 100644 --- a/tests/py/inet/osf.t

[PATCH 1/3 nft v3] files: osf: copy iptables/utils/pf.os into nftables tree

As we are going to need pf.os file to load OS fingerprints from the incoming nfnl_osf.c, we copy it into the nftables tree directory "files/osf/". Signed-off-by: Fernando Fernandez Mancera --- configure.ac | 1 + files/Makefile.am | 3 +- files/nftables/M

[PATCH 3/3 nft v3] src: osf: import nfnl_osf.c to load osf fingerprints

Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order to load OS fingerprints automatically from pf.os file. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/Makefile.am | 1 + include/linux/netfilter/nfnetlink_osf.h | 119 +++ include

[PATCH 2/3 nft v3] src: mnl: make nft_mnl_talk() public

As we are going to use the function nft_mnl_talk() from the incoming nftnl_osf.c, we make it public. Signed-off-by: Fernando Fernandez Mancera --- include/mnl.h | 4 src/mnl.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mnl.h b/include/mnl.h index

[PATCH 1/3 nft v4] files: osf: copy iptables/utils/pf.os into nftables tree

As we are going to need pf.os file to load OS fingerprints from the incoming nfnl_osf.c, we copy it into the nftables tree directory "files/osf/". Signed-off-by: Fernando Fernandez Mancera --- configure.ac | 1 + files/Makefile.am | 3 +- files/nftables/M

[PATCH 3/3 nft v4] src: osf: import nfnl_osf.c to load osf fingerprints

Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order to load OS fingerprints automatically from pf.os file. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/Makefile.am | 1 + include/linux/netfilter/nfnetlink_osf.h | 119 +++ include

[PATCH 2/3 nft v4] src: mnl: make nft_mnl_talk() public

As we are going to use the function nft_mnl_talk() from the incoming nftnl_osf.c, we make it public. Signed-off-by: Fernando Fernandez Mancera --- include/mnl.h | 4 src/mnl.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mnl.h b/include/mnl.h index

[PATCH libnftnl v2] expr: add osf support

Signed-off-by: Fernando Fernandez Mancera --- include/libnftnl/expr.h | 7 + include/linux/netfilter/nf_tables.h | 18 +++ src/Makefile.am | 1 + src/expr/osf.c | 242 src/expr_ops.c | 2

[PATCH 1/3 nf-next v2] netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c

Rename nf_osf.c to nfnetlink_osf.c as we introduce nfnetlink_osf which is the OSF infraestructure. Signed-off-by: Fernando Fernandez Mancera --- .../linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 2 +- .../linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 6 +++--- include/uapi/linux/net

[PATCH 3/3 nf-next v2] netfilter: nft_osf: implement Passive OS fingerprint module in nft_osf

Add basic module functions into nft_osf.[ch] in order to implement OSF module in nf_tables. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_tables.h | 10 ++ net/netfilter/Kconfig| 7 ++ net/netfilter/Makefile | 1 + net

[PATCH 2/3 nf-next v2] netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c

Move nfnetlink osf subsystem from xt_osf.c to standalone module so we can reuse it from the new nft_ost extension. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nfnetlink_osf.h | 12 ++ include/uapi/linux/netfilter/xt_osf.h| 9 +- net/netfilter

[PATCH nf-next v2] netfilter: nfnetlink_osf: add netlink support for osf module

Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_osf.h | 2 + include/uapi/linux/netfilter/nf_osf.h | 5 + include/uapi/linux/netfilter/xt_osf.h | 8 -- net/netfilter/Kconfig | 10 +- net/netfilter/Makefile| 1 + net/netfilter

Re: [PATCH nf-next v2] netfilter: nfnetlink_osf: add netlink support for osf module

osf xt_osf 16384 1 nf_osf 16384 1 xt_osf x_tables 40960 3 iptable_filter,xt_osf,ip_tables Is this enough? Thanks. On 07/17/2018 07:25 PM, Fernando Fernandez Mancera wrote: Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter

Re: [PATCH 3/3 nf-next] netfilter: add netlink support for osf module

Thanks, I am going to reorder them. On 07/16/2018 05:12 PM, Pablo Neira Ayuso wrote: BTW, this patch should be 2/3. Order patches in a logic way: 1) Small preparation. 2) Add nfnetlink_osf 3) Add support for osf nft. You can use git rebase interactive mode to reorder patches. Thanks. --

Re: [PATCH 3/3 nf-next] netfilter: add netlink support for osf module

On 07/16/2018 05:10 PM, Pablo Neira Ayuso wrote: On Sat, Jul 14, 2018 at 04:51:01PM +0200, Fernando Fernandez Mancera wrote: Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 20 + net/netfilter/Kconfig | 11 ++- net/netfilter

Re: [PATCH 2/3 nf-next v2] netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c

static struct xt_match xt_osf_match = { @@ -178,51 +66,23 @@ static struct xt_match xt_osf_match = { static int __init xt_osf_init(void) { int err = -EINVAL; - int i; - - for (i=0; i err = xt_register_match(_osf_match); You can just simplify this and so:

[PATCH 3/3 nf-next v3] netfilter: nft_osf: implement Passive OS fingerprint module in nft_osf

Add basic module functions into nft_osf.[ch] in order to implement OSF module in nf_tables. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_tables.h | 7 ++ net/netfilter/Kconfig| 7 ++ net/netfilter/Makefile | 1 + net

[PATCH 2/3 nf-next v3] netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c

Move nfnetlink osf subsystem from xt_osf.c to standalone module so we can reuse it from the new nft_ost extension. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_osf.h | 11 ++ include/uapi/linux/netfilter/xt_osf.h | 9 +- net/netfilter/nfnetlink_osf.c

[PATCH 1/3 nf-next v3] netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c

Rename nf_osf.c to nfnetlink_osf.c as we introduce nfnetlink_osf which is the OSF infraestructure. Signed-off-by: Fernando Fernandez Mancera --- net/netfilter/Kconfig | 15 ++- net/netfilter/Makefile | 2 +- net/netfilter/{nf_osf.c

[PATCH libnftnl v3] expr: add osf support

Signed-off-by: Fernando Fernandez Mancera --- include/libnftnl/expr.h | 4 + include/linux/netfilter/nf_tables.h | 12 ++ src/Makefile.am | 1 + src/expr/osf.c | 174 src/expr_ops.c | 2

typo found in socket.h at nftables repository

Hi, I think I found a typo in socket.h at nftables repository. It is just a small fix so I propose this patch. --- From c788837976b674878d8ea819e97e9b4a762db91d Mon Sep 17 00:00:00 2001 From: Fernando Fernandez Mancera Date: Sat, 21 Jul 2018 21:39:09 +0200 Subject: [PATCH nftables] src: fix

[PATCH 3/3 nf-next] netfilter: add netlink support for osf module

Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 20 + net/netfilter/Kconfig | 11 ++- net/netfilter/Makefile | 1 + net/netfilter/nfnetlink_osf.c | 100 +++ net/netfilter/xt_osf.c

[PATCH 1/3 nf-next] netfilter: add missing definitions in nf_osf.h

Added missing definitions from nf_osf.h in order to extract Passive OS fingerprint infrastructure from xt_osf. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_osf.h | 13 + include/uapi/linux/netfilter/xt_osf.h | 10 ++ 2 files changed, 15

[PATCH 2/3 WIP nf-next] netfilter: implement Passive OS fingerprint module in nft_osf

Add basic module functions into nft_osf.[ch] in order to start the implementation of OSF module in nf_tables. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_tables.h | 10 ++ net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile

Re: [PATCH 2/3 WIP nf-next] netfilter: implement Passive OS fingerprint module in nft_osf

It hasn't been tested yet. All necessary changes to introduce NFTA_OSF_DREG are already done. After the review and testing I am going to implement the match_packet function. On 07/14/2018 04:51 PM, Fernando Fernandez Mancera wrote: Add basic module functions into nft_osf.[ch] in order

Re: [PATCH 3/3 nf-next] netfilter: add netlink support for osf module

16384 1 xt_osf x_tables 40960 3 iptable_filter,xt_osf,ip_tables Is it enough? Thanks! On 07/14/2018 04:51 PM, Fernando Fernandez Mancera wrote: Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 20 + net/netfilter/Kconfig

Re: [PATCH 1/3 nf-next] netfilter: add missing definitions in nf_osf.h

Tested-by: Fernando Fernandez Mancera On 07/14/2018 04:50 PM, Fernando Fernandez Mancera wrote: Added missing definitions from nf_osf.h in order to extract Passive OS fingerprint infrastructure from xt_osf. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_osf.h

Re: [PATCH nf-next 3/3] netfilter: nf_osf: add nf_osf_find()

Tested-by: Fernando Fernandez Mancera On 07/13/2018 02:54 PM, Pablo Neira Ayuso wrote: This new function returns the OS genre as a string. Plan is to use to from the new nft_osf extension. Note that this doesn't yet support ttl options, but it could be easily extended to do so. Signed-off

[PATCH nft] src: osf: load pf.os from expr_evaluate_osf()

Remove osf_init variable and call nfnl_osf_load_fingerprints() from expr_evaluate_osf() instead of doing that from do_command_add() path. Signed-off-by: Fernando Fernandez Mancera --- include/osf.h | 1 - src/evaluate.c | 11 +++ src/nfnl_osf.c | 2 -- src/osf.c | 1 - src

Re: [PATCH nft] src: osf: load pf.os from expr_evaluate_osf()

On 8/31/18 7:19 PM, Pablo Neira Ayuso wrote: On Thu, Aug 30, 2018 at 07:18:42PM +0200, Fernando Fernandez Mancera wrote: Remove osf_init variable and call nfnl_osf_load_fingerprints() from expr_evaluate_osf() instead of doing that from do_command_add() path. Applied, thanks Fernando. BTW, I

Re: [PATCH 2/2 WIP nf-next] nft: implement the nf_tables_api changes to add osf signatures in nft

On 07/12/2018 01:27 PM, Florian Westphal wrote: Fernando Fernandez Mancera wrote: + list_for_each_entry(sf, _osf_fingers[!!f->df], finger_entry) { + if (memcmp(>finger, f, sizeof(struct nf_osf_user_finger))) + continue; + + kf

Re: [PATCH 2/2 WIP nf-next] nft: implement the nf_tables_api changes to add osf signatures in nft

Hi Florian, thanks for the review. On 07/12/2018 01:03 PM, Florian Westphal wrote: Fernando Fernandez Mancera wrote: +extern struct list_head nft_osf_fingers[2]; How is this going to be used? I find it weird to see this in netfilter core. This list is used to load the OS signatures from

Re: [PATCH 1/2 WIP nf-next] netfilter: implement Passive OS fingerprint module in nft_osf

On 07/12/2018 12:53 PM, Florian Westphal wrote: Fernando Fernandez Mancera wrote: Add basic module functions into nft_osf.[ch] in order to start the implementation of OSF module in nf_tables. +struct nft_osf { + chargenre[OSF_GENRE_SIZE]; + __u32 flags; + __u32

[PATCH 2/2 WIP nf-next] nft: implement the nf_tables_api changes to add osf signatures in nft

Added _ADD and _REMOVE commands to nf_tables_api.c in order to use the nf_tables interface to add 'osf' signatures in nft. Signed-off-by: Fernando Fernandez Mancera --- include/net/netfilter/nf_tables_core.h | 2 + include/uapi/linux/netfilter/nf_osf.h| 8 ++ include/uapi/linux

[PATCH WIP libnftnl] expr: add osf support

Signed-off-by: Fernando Fernandez Mancera --- include/libnftnl/expr.h | 7 + include/linux/netfilter/nf_tables.h | 20 +++ src/Makefile.am | 1 + src/expr/osf.c | 262 src/expr_ops.c | 2

[PATCH nf-next v4] netfilter: nf_osf: nf_osf_ttl() and nf_osf_match()

Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start the nftables OSF implementation. Signed-off-by: Fernando Fernandez Mancera <ffmanc...@riseup.net> --- include/linux/netfilter/nf_osf.h | 28 include/uapi/linux/netfilter/nf_osf.h | 97 ++ includ

[PATCH nf-next] nf_osf implementation: nf_osf_ttl() and nf_osf_match()

Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start the nftables OSF implementation. From 26ffd9191052c35726026663d75a1a89c44e5f60 Mon Sep 17 00:00:00 2001 From: Fernando Fernandez Mancera <ffmanc...@riseup.net> Date: Sun, 18 Mar 2018 23:54:20 +0100 Subject: [PATCH]

[PATCH nf-next v2] netfilter: nf_osf implementation: nf_osf_ttl() and nf_osf_match()

>From 520cf8eb6b1c7ae803f26fdfe8b49b642b1d51d8 Mon Sep 17 00:00:00 2001 From: Fernando Fernandez Mancera <ffmanc...@riseup.net> Date: Fri, 30 Mar 2018 15:53:09 +0200 Subject: [PATCH] nf_osf implementation: nf_osf_ttl() and nf_osf_match() Added nf_osf_ttl() and nf_osf_match() into

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

Comments below. On 10/15/18 2:47 PM, Pablo Neira Ayuso wrote: Please send a v3 including tests/py. More comments below. On Sat, Sep 29, 2018 at 12:15:17PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo {

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

El 22 de octubre de 2018 20:38:13 CEST, Pablo Neira Ayuso escribió: >On Mon, Oct 22, 2018 at 05:35:42PM +0200, Fernando Fernandez Mancera >wrote: >> I am going to add the necessary NFT_OSF_* definitions in the >nf_tables.h > >Just add a copy of nf_osf.h to nftables t

[PATCH 1/2 nft v3 preview] src: osf: add ttl option support

Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera --- v1:initial patc

[PATCH 2/2 nft v3] doc: osf: add ttl option to man page

--- doc/primary-expression.txt | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 0fda76d..0c02d9d 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -187,18 +187,30 @@

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

On 10/15/18 2:47 PM, Pablo Neira Ayuso wrote: Please send a v3 including tests/py. More comments below. On Sat, Sep 29, 2018 at 12:15:17PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo {

[PATCH nft v3] src: osf: add ttl option support

Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera --- v1:initi

Re: [nft PATCH 2/3] json: Fix osf ttl support

Thanks Phil, I will keep this in mind for the next time. On 10/24/18 12:35 PM, Phil Sutter wrote: Having to use numerical values for ttl property in JSON is not practical as these values are arbitrary and meaningful only in netfilter. Instead align JSON output/input with standard API, accepting

[PATCH nf-next v4] nft_osf: Add ttl option support

Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- v1:initial patch v2:v2: code correctness and fix the "~" typo. v3:make priv->ttl = ttl; optional and priv->ttl default value is now 0. v4:delete "if (ttl_check !=

[PATCH nf] netfilter: nft_osf: output hook is not valid anymore

nft_osf no longer supports "output" hook as xt_osf doesn't either. Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") Signed-off-by: Fernando Fernandez Mancera --- net/netfilter/nft_osf.c | 10 ++ 1 file changed, 10

[PATCH 1/2 nft v2] src: osf: add ttl option support

Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl nocheck name "Linux" } } Signed-off-by: Fernando Fernandez Mancera --- v1: i

[PATCH 2/2 nft] doc: osf: add ttl option to man page

--- doc/primary-expression.txt | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 0fda76d..92dd89a 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -187,18 +187,30 @@

[PATCH libnftnl] expr: osf: add ttl option support

Signed-off-by: Fernando Fernandez Mancera --- include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 4 +++- src/expr/osf.c | 26 +- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/include/libnftnl/expr.h b

[PATCH nf-next v2] nft_osf: Add ttl option support

Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- v1: initial patch v2: code correctness and fix the "~" typo. --- include/linux/netfilter/nfnetlink_osf.h | 3 ++- include/uapi/linux/netfilter/nf_tables.h | 7 ++

Re: [PATCH nf-next v2] nft_osf: Add ttl option support

On 10/3/18 5:36 PM, Pablo Neira Ayuso wrote: Hi Fernando, A few comments. On Sat, Sep 29, 2018 at 12:18:51PM +0200, Fernando Fernandez Mancera wrote: Add ttl option support to the nftables "osf" expression. [..] if (!os_name) strncpy((char *)dest

Re: [PATCH nf-next v3] nft_osf: Add ttl option support

On 10/4/18 2:03 PM, Pablo Neira Ayuso wrote: On Thu, Oct 04, 2018 at 01:57:17PM +0200, Fernando Fernandez Mancera wrote: [...] diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c index 00db27dfd2ff..e0fe1b8429ac 100644 --- a/net/netfilter/nfnetlink_osf.c +++ b/net

[PATCH nf-next v3] nft_osf: Add ttl option support

Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- v1:initial patch v2:v2: code correctness and fix the "~" typo. v3:make priv->ttl = ttl; optional and priv->ttl default value is now 0. --- include/linux/netfi

Re: [PATCH 2/2 nft] doc: osf: add ttl option to man page

Sorry, I have forgotten to add "Signed-off-by: Fernando Fernandez Mancera ". Thanks. On 9/29/18 12:15 PM, Fernando Fernandez Mancera wrote: --- doc/primary-expression.txt | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/primary-expres

[PATCH nft] include: add missing xfrm.h to Makefile.am

Signed-off-by: Fernando Fernandez Mancera --- include/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/include/Makefile.am b/include/Makefile.am index d3a677d..c103f48 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -31,4 +31,5 @@ noinst_HEADERS = cli.h

Re: [PATCH nft] src: osf: add ttl option support

! On 9/18/18 1:16 AM, Pablo Neira Ayuso wrote: On Sun, Sep 16, 2018 at 09:11:12PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; pol

Re: [PATCH nft] src: osf: add ttl option support

On 9/18/18 1:16 AM, Pablo Neira Ayuso wrote: On Sun, Sep 16, 2018 at 09:11:12PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo { chain bar {     type filter hook input priority filter; policy accept;     osf

[PATCH nft] src: osf: add ttl option support

Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl 0 name "Linux" } } Signed-off-by: Fernando Fernandez Mancera ---

[PATCH nf-next] nft_osf: Add ttl option support

Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 3 ++- include/uapi/linux/netfilter/nf_tables.h | 7 +++ include/uapi/linux/netfilter/nfnetlink_osf.h | 1 + net

Re: [PATCH nft] src: osf: add ttl option support

I have not implemented tests and json support yet because I prefer to do it after the review of this patchset. Thanks! On 9/16/18 9:11 PM, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { t

Re: [PATCH nft] src: osf: add ttl option support

On 9/18/18 1:16 AM, Pablo Neira Ayuso wrote: On Sun, Sep 16, 2018 at 09:11:12PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; pol

Re: [PATCH nf-next] nft_osf: Add ttl option support

On 9/18/18 1:15 AM, Pablo Neira Ayuso wrote: On Sun, Sep 16, 2018 at 09:10:16PM +0200, Fernando Fernandez Mancera wrote: Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 3 ++-