Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints
On Sat, Aug 11, 2018 at 05:17:29PM +0200, Fernando Fernandez Mancera wrote: [...] > If we place osf_init in struct netlink_ctx we will need to modify > osf_expr_alloc() and I am not sure if we can get access to netlink_ctx from > netlink_parse_osf() in netlink_delinearize.c. Also we will need access to > netlink_ctx from parser_bison.y. > > So I propose to add osf_init in nfnl_osf.h in order to have only one extra > include in rule.c. Thanks. OK. Would you send a v2? Thanks.
Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints
On 08/11/2018 12:03 PM, Pablo Neira Ayuso wrote: +#endif /* _NF_OSF_H */ diff --git a/include/nfnl_osf.h b/include/nfnl_osf.h new file mode 100644 index 000..d9287e9 --- /dev/null +++ b/include/nfnl_osf.h @@ -0,0 +1,6 @@ +#ifndef _NFNL_OSF_H +#define _NFNL_OSF_H + +int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del); + +#endif /* _NFNL_OSF_H */ diff --git a/include/osf.h b/include/osf.h index 715b04e..0a35b07 100644 --- a/include/osf.h +++ b/include/osf.h @@ -1,6 +1,8 @@ #ifndef NFTABLES_OSF_H #define NFTABLES_OSF_H +bool osf_init; I think you can probably place osf_init in struct netlink_ctx? If we place osf_init in struct netlink_ctx we will need to modify osf_expr_alloc() and I am not sure if we can get access to netlink_ctx from netlink_parse_osf() in netlink_delinearize.c. Also we will need access to netlink_ctx from parser_bison.y. So I propose to add osf_init in nfnl_osf.h in order to have only one extra include in rule.c. Thanks. struct expr *osf_expr_alloc(const struct location *loc); #endif /* NFTABLES_OSF_H */ diff --git a/src/Makefile.am b/src/Makefile.am index ed3640e..e569029 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -57,6 +57,7 @@ libnftables_la_SOURCES = \ services.c \ mergesort.c \ osf.c \ + nfnl_osf.c \ tcpopt.c\ socket.c\ libnftables.c diff --git a/src/nfnl_osf.c b/src/nfnl_osf.c new file mode 100644 index 000..07bf682 --- /dev/null +++ b/src/nfnl_osf.c @@ -0,0 +1,449 @@ +/* + * Copyright (c) 2005 Evgeniy Polyakov + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ + +#include + +#include +#include +#include +#include +#include + +#include +#include + +#include + +#include + +#include +#include +#include +#include + +#define OPTDEL ',' +#define OSFPDEL':' +#define MAXOPTSTRLEN 128 + +static struct nf_osf_opt IANA_opts[] = { + { .kind = 0, .length = 1,}, + { .kind=1, .length=1,}, + { .kind=2, .length=4,}, + { .kind=3, .length=3,}, + { .kind=4, .length=2,}, + { .kind=5, .length=1,}, /* SACK length is not defined */ + { .kind=6, .length=6,}, + { .kind=7, .length=6,}, + { .kind=8, .length=10,}, + { .kind=9, .length=2,}, + { .kind=10, .length=3,}, + { .kind=11, .length=1,},/* CC: Suppose 1 */ + { .kind=12, .length=1,},/* the same */ + { .kind=13, .length=1,},/* and here too */ + { .kind=14, .length=3,}, + { .kind=15, .length=1,},/* TCP Alternate Checksum Data. Length is not defined */ + { .kind=16, .length=1,}, + { .kind=17, .length=1,}, + { .kind=18, .length=3,}, + { .kind=19, .length=18,}, + { .kind=20, .length=1,}, + { .kind=21, .length=1,}, + { .kind=22, .length=1,}, + { .kind=23, .length=1,}, + { .kind=24, .length=1,}, + { .kind=25, .length=1,}, + { .kind=26, .length=1,}, +}; + +static void uloga(const char *f, struct netlink_ctx *ctx, ...) +{ + if (!(ctx->debug_mask & NFT_DEBUG_NETLINK)) + return; + + nft_print(ctx->octx, "%s", f); +} I think you can use uloga() all the time, so you can remove ulog() function. I agree. Changes done. +static void ulog(const char *f, struct netlink_ctx *ctx, ...) +{ + char str[64]; + struct tm tm; + struct timeval tv; + + gettimeofday(, NULL); + localtime_r((time_t *)_sec, ); + strftime(str, sizeof(str), "%F %R:%S", ); + + if (!(ctx->debug_mask & NFT_DEBUG_NETLINK)) + return; + + nft_print(ctx->octx, "%s.%lu %ld %s", str, tv.tv_usec, + syscall(__NR_gettid), f); +} + +#define ulog_err(f, ctx, a...) uloga(f ": %s [%d].\n", ctx, ##a, strerror(errno), errno) And this macro too. Other than that, this looks good to me, thanks.
Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints
On Fri, Aug 10, 2018 at 03:02:00PM +0200, Fernando Fernandez Mancera wrote: > Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order > to load OS fingerprints automatically from pf.os file. > > Signed-off-by: Fernando Fernandez Mancera > --- > include/linux/netfilter/nfnetlink_osf.h | 119 +++ > include/nfnl_osf.h | 6 + > include/osf.h | 2 + > src/Makefile.am | 1 + > src/nfnl_osf.c | 449 > src/osf.c | 2 + > src/rule.c | 5 + > 7 files changed, 584 insertions(+) > create mode 100644 include/linux/netfilter/nfnetlink_osf.h > create mode 100644 include/nfnl_osf.h > create mode 100644 src/nfnl_osf.c > > diff --git a/include/linux/netfilter/nfnetlink_osf.h > b/include/linux/netfilter/nfnetlink_osf.h > new file mode 100644 > index 000..15a39d2 > --- /dev/null > +++ b/include/linux/netfilter/nfnetlink_osf.h > @@ -0,0 +1,119 @@ > +#ifndef _NF_OSF_H > +#define _NF_OSF_H > + > +#include > + > +#define MAXGENRELEN 32 > + > +#define NF_OSF_GENRE (1 << 0) > +#define NF_OSF_TTL (1 << 1) > +#define NF_OSF_LOG (1 << 2) > +#define NF_OSF_INVERT(1 << 3) > + > +#define NF_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints > */ > +#define NF_OSF_LOGLEVEL_FIRST1 /* log only the first > matced fingerprint */ > +#define NF_OSF_LOGLEVEL_ALL_KNOWN2 /* do not log unknown packets */ > + > +#define NF_OSF_TTL_TRUE 0 /* True ip and > fingerprint TTL comparison */ > + > +/* Check if ip TTL is less than fingerprint one */ > +#define NF_OSF_TTL_LESS 1 > + > +/* Do not compare ip and fingerprint TTL at all */ > +#define NF_OSF_TTL_NOCHECK 2 > + > +#define NF_OSF_FLAGMASK (NF_OSF_GENRE | NF_OSF_TTL | \ > + NF_OSF_LOG | NF_OSF_INVERT) > +/* Wildcard MSS (kind of). > + * It is used to implement a state machine for the different wildcard values > + * of the MSS and window sizes. > + */ > +struct nf_osf_wc { > + __u32 wc; > + __u32 val; > +}; > + > +/* This struct represents IANA options > + * http://www.iana.org/assignments/tcp-parameters > + */ > +struct nf_osf_opt { > + __u16 kind, length; > + struct nf_osf_wcwc; > +}; > + > +struct nf_osf_info { > + chargenre[MAXGENRELEN]; > + __u32 len; > + __u32 flags; > + __u32 loglevel; > + __u32 ttl; > +}; > + > +struct nf_osf_user_finger { > + struct nf_osf_wcwss; > + > + __u8ttl, df; > + __u16 ss, mss; > + __u16 opt_num; > + > + chargenre[MAXGENRELEN]; > + charversion[MAXGENRELEN]; > + charsubtype[MAXGENRELEN]; > + > + /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */ > + struct nf_osf_opt opt[MAX_IPOPTLEN]; > +}; > + > +struct nf_osf_nlmsg { > + struct nf_osf_user_finger f; > + struct iphdrip; > + struct tcphdr tcp; > +}; > + > +/* Defines for IANA option kinds */ > +enum iana_options { > + OSFOPT_EOL = 0, /* End of options */ > + OSFOPT_NOP, /* NOP */ > + OSFOPT_MSS, /* Maximum segment size */ > + OSFOPT_WSO, /* Window scale option */ > + OSFOPT_SACKP, /* SACK permitted */ > + OSFOPT_SACK,/* SACK */ > + OSFOPT_ECHO, > + OSFOPT_ECHOREPLY, > + OSFOPT_TS, /* Timestamp option */ > + OSFOPT_POCP,/* Partial Order Connection Permitted */ > + OSFOPT_POSP,/* Partial Order Service Profile */ > + > + /* Others are not used in the current OSF */ > + OSFOPT_EMPTY = 255, > +}; > + > +/* > + * Initial window size option state machine: multiple of mss, mtu or > + * plain numeric value. Can also be made as plain numeric value which > + * is not a multiple of specified value. > + */ > +enum nf_osf_window_size_options { > + OSF_WSS_PLAIN = 0, > + OSF_WSS_MSS, > + OSF_WSS_MTU, > + OSF_WSS_MODULO, > + OSF_WSS_MAX, > +}; > + > +enum nf_osf_attr_type { > + OSF_ATTR_UNSPEC, > + OSF_ATTR_FINGER, > + OSF_ATTR_MAX, > +}; > + > +/* > + * Add/remove fingerprint from the kernel. > + */ > +enum nf_osf_msg_types { > + OSF_MSG_ADD, > + OSF_MSG_REMOVE, > + OSF_MSG_MAX, > +}; > + > +#endif /* _NF_OSF_H */ > diff --git a/include/nfnl_osf.h b/include/nfnl_osf.h > new file mode 100644 > index 000..d9287e9 > --- /dev/null > +++ b/include/nfnl_osf.h > @@ -0,0 +1,6 @@ > +#ifndef _NFNL_OSF_H > +#define _NFNL_OSF_H > + > +int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del); > + > +#endif /* _NFNL_OSF_H */ > diff --git a/include/osf.h b/include/osf.h > index 715b04e..0a35b07 100644 > --- a/include/osf.h > +++
Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints
I think we should place osf_init in nfnl_osf.h so this way we don't need to include osf.h in rule.c. If you agree I will send another patchset iteration. Thanks. El 10 de agosto de 2018 15:02:00 CEST, Fernando Fernandez Mancera escribió: >Import iptables/utils/nfnl_osf.c into nftables tree with some changes >in order >to load OS fingerprints automatically from pf.os file. > >Signed-off-by: Fernando Fernandez Mancera >--- > include/linux/netfilter/nfnetlink_osf.h | 119 +++ > include/nfnl_osf.h | 6 + > include/osf.h | 2 + > src/Makefile.am | 1 + > src/nfnl_osf.c | 449 > src/osf.c | 2 + > src/rule.c | 5 + > 7 files changed, 584 insertions(+) > create mode 100644 include/linux/netfilter/nfnetlink_osf.h > create mode 100644 include/nfnl_osf.h > create mode 100644 src/nfnl_osf.c > >diff --git a/include/linux/netfilter/nfnetlink_osf.h >b/include/linux/netfilter/nfnetlink_osf.h >new file mode 100644 >index 000..15a39d2 >--- /dev/null >+++ b/include/linux/netfilter/nfnetlink_osf.h >@@ -0,0 +1,119 @@ >+#ifndef _NF_OSF_H >+#define _NF_OSF_H >+ >+#include >+ >+#define MAXGENRELEN 32 >+ >+#define NF_OSF_GENRE (1 << 0) >+#define NF_OSF_TTL(1 << 1) >+#define NF_OSF_LOG(1 << 2) >+#define NF_OSF_INVERT (1 << 3) >+ >+#define NF_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints >*/ >+#define NF_OSF_LOGLEVEL_FIRST 1 /* log only the first matced >fingerprint */ >+#define NF_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */ >+ >+#define NF_OSF_TTL_TRUE 0 /* True ip and >fingerprint TTL comparison >*/ >+ >+/* Check if ip TTL is less than fingerprint one */ >+#define NF_OSF_TTL_LESS 1 >+ >+/* Do not compare ip and fingerprint TTL at all */ >+#define NF_OSF_TTL_NOCHECK2 >+ >+#define NF_OSF_FLAGMASK (NF_OSF_GENRE | NF_OSF_TTL | \ >+ NF_OSF_LOG | NF_OSF_INVERT) >+/* Wildcard MSS (kind of). >+ * It is used to implement a state machine for the different wildcard >values >+ * of the MSS and window sizes. >+ */ >+struct nf_osf_wc { >+ __u32 wc; >+ __u32 val; >+}; >+ >+/* This struct represents IANA options >+ * http://www.iana.org/assignments/tcp-parameters >+ */ >+struct nf_osf_opt { >+ __u16 kind, length; >+ struct nf_osf_wcwc; >+}; >+ >+struct nf_osf_info { >+ chargenre[MAXGENRELEN]; >+ __u32 len; >+ __u32 flags; >+ __u32 loglevel; >+ __u32 ttl; >+}; >+ >+struct nf_osf_user_finger { >+ struct nf_osf_wcwss; >+ >+ __u8ttl, df; >+ __u16 ss, mss; >+ __u16 opt_num; >+ >+ chargenre[MAXGENRELEN]; >+ charversion[MAXGENRELEN]; >+ charsubtype[MAXGENRELEN]; >+ >+ /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */ >+ struct nf_osf_opt opt[MAX_IPOPTLEN]; >+}; >+ >+struct nf_osf_nlmsg { >+ struct nf_osf_user_finger f; >+ struct iphdrip; >+ struct tcphdr tcp; >+}; >+ >+/* Defines for IANA option kinds */ >+enum iana_options { >+ OSFOPT_EOL = 0, /* End of options */ >+ OSFOPT_NOP, /* NOP */ >+ OSFOPT_MSS, /* Maximum segment size */ >+ OSFOPT_WSO, /* Window scale option */ >+ OSFOPT_SACKP, /* SACK permitted */ >+ OSFOPT_SACK,/* SACK */ >+ OSFOPT_ECHO, >+ OSFOPT_ECHOREPLY, >+ OSFOPT_TS, /* Timestamp option */ >+ OSFOPT_POCP,/* Partial Order Connection Permitted */ >+ OSFOPT_POSP,/* Partial Order Service Profile */ >+ >+ /* Others are not used in the current OSF */ >+ OSFOPT_EMPTY = 255, >+}; >+ >+/* >+ * Initial window size option state machine: multiple of mss, mtu or >+ * plain numeric value. Can also be made as plain numeric value which >+ * is not a multiple of specified value. >+ */ >+enum nf_osf_window_size_options { >+ OSF_WSS_PLAIN = 0, >+ OSF_WSS_MSS, >+ OSF_WSS_MTU, >+ OSF_WSS_MODULO, >+ OSF_WSS_MAX, >+}; >+ >+enum nf_osf_attr_type { >+ OSF_ATTR_UNSPEC, >+ OSF_ATTR_FINGER, >+ OSF_ATTR_MAX, >+}; >+ >+/* >+ * Add/remove fingerprint from the kernel. >+ */ >+enum nf_osf_msg_types { >+ OSF_MSG_ADD, >+ OSF_MSG_REMOVE, >+ OSF_MSG_MAX, >+}; >+ >+#endif /* _NF_OSF_H */ >diff --git a/include/nfnl_osf.h b/include/nfnl_osf.h >new file mode 100644 >index 000..d9287e9 >--- /dev/null >+++ b/include/nfnl_osf.h >@@ -0,0 +1,6 @@ >+#ifndef _NFNL_OSF_H >+#define _NFNL_OSF_H >+ >+int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del); >+ >+#endif/* _NFNL_OSF_H */ >diff --git a/include/osf.h b/include/osf.h >index