Re: osfp pfctl and states

2013-09-12 Thread sven falempin
On Thu, Sep 12, 2013 at 2:50 AM, Henning Brauer
wrote:

> * sven falempin  [2013-09-11 22:30]:
> > At this point <> is available.
> > Let's assume pf_state got a "struct pf_osfp_enlist l_osfp".
> > To get back the info from userland, doing
> >
> > Would a diff like this hurt?
>
> everything that grows the state hurts (last but not least, it hurts
> performance), so it has to be truly worth it.
> I don't see that in this case.
>
>
What about a separate system, then?
Like logging the fp and the source IP from pf_osfp_fingerprint_hdr?

Or does someone have something else in mind to reach the goal?


Re: osfp pfctl and states

2013-09-11 Thread Henning Brauer
* sven falempin  [2013-09-11 22:30]:
> At this point <> is available.
> Let's assume pf_state got a "struct pf_osfp_enlist l_osfp".
> To get back the info from userland, doing
>
> Would a diff like this hurt?

everything that grows the state hurts (last but not least, it hurts
performance), so it has to be truly worth it.
I don't see that in this case.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: osfp pfctl and states

2013-09-11 Thread sven falempin
If I want this on FreeBSD I am alone, but here...

So this code checks the fingerprint, and does not bother to save it, because
it is never used, and that's good :-)

I read the code a bit:

pf.c: around line 3232
  - - - - - -
	case IPPROTO_TCP:
		PF_TEST_ATTRIB(((r->flagset & th->th_flags) !=
		    r->flags),
		    TAILQ_NEXT(r, entries));
		PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&
		    !pf_osfp_match(pf_osfp_fingerprint(pd),
		    r->os_fingerprint)),
		    TAILQ_NEXT(r, entries));
  - - - - - -


1/
At this point <> is available.
Let's assume pf_state got a "struct pf_osfp_enlist l_osfp".
To get back the info from userland, doing

		    TAILQ_NEXT(r, entries));
		// pf_osfp_fingerprint returns the list of matching OSes for the fingerprint.
		// AFAIK this list is saved during initialization, so we save the pointer.
		struct pf_osfp_enlist *_l_osfp = pf_osfp_fingerprint(pd);
		(*sm)->l_osfp = _l_osfp;
		PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&
		    !pf_osfp_match(_l_osfp,
		    r->os_fingerprint)),


Would a diff like this hurt?
Nevertheless:


2/ A few problems remain:
a/ copying this to the pfsync struct,
b/ the ioctl won't be able to send the data, or must copy the whole list (the next
point solves this),
c/ the data I want is more the one <>
in pf_osfp_fingerprint_hdr, around line 112:
	struct pf_os_fingerprint fp;

To get this back I should pass sm as an argument to pf_osfp_fingerprint and
pf_osfp_fingerprint_hdr, and do
	sm->fp = fp;
inside.

Would a diff like this hurt?

Digression:
I found the osfp code a bit strange, as the fp is not obtained through a function
and then passed to the matcher.
pf_osfp_fingerprint_hdr calculates the value and looks for the entry,
then passes the list of <> OSes; a function that computes the fp would
get something like this:
	fp = pf_osfp_get_fingerprint(pd);
	if (fp) {
		struct pf_osfp_enlist *oses = pf_osfp_get_oses(fp); // inside pf_osfp_match
		pf_osfp_match(oses, r->os_fingerprint);
	}


Btw, the goal is to know how many different fingerprints come from one
source without doing log or traffic analysis.




On Fri, Sep 6, 2013 at 5:27 AM, Henning Brauer wrote:

> * sven falempin  [2013-09-05 18:14]:
> > Reading the pfctl manual and net/pfvar.h I didn't find the osfp information
> > inside a states entry.
> > So I assume it is not possible to recover the fingerprint of a state
> through
> > the ioctl.
>
> otoh this is the case.
>
> > - creatorId is something I should look into.
>
> no, creatorID is for pfsync setups to know which node created the
> state.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
>
>


-- 
-
() ascii ribbon campaign - against html e-mail
/\
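An added example from the editor, not code from pf and not from any poster in this thread: a simplified C model of the mechanism the message above walks through. A SYN is reduced to the attributes pf.os(5) keys on (window, TTL, DF, packet size, option layout), matched against signature lines written in pf.os syntax, and, for the stated goal, the distinct fingerprint keys seen per source address are tallied. Everything in it is an assumption for illustration: `struct syn_info` stands in for `struct pf_pdesc`, the signature lines and SYNs are constructed rather than copied from pf.os or captured traffic, the function names are the example's own, and only a subset of the pf.os grammar is handled (window `*`, `N`, `%N`, `SN` as a multiple of MSS, `TN` as a multiple of MTU; exact or `*` TTL/DF/size; option tokens with `M*`/`W*` wildcards; no TTL rounding). It is not a substitute for pf_osfp_fingerprint_hdr.

```c
/* Added example, not pf code: simplified pf.os-style matching plus a
 * per-source count of distinct fingerprint keys (the thread's goal). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct syn_info {                   /* constructed view of one SYN, not struct pf_pdesc */
    const char *src;                /* source address, as text */
    unsigned wsize, ttl, df, psize; /* TCP window, IP TTL, DF bit, IP packet length */
    unsigned mss;                   /* MSS option value, 0 if absent */
    const char *opts;               /* option layout in pf.os syntax, e.g. "M1460,N,W0,N,N,T" */
};
struct sig { char f[9][48]; };      /* the nine colon-separated pf.os fields */

/* Split "window:TTL:DF:size:options:class:version:subtype:details"; 0 if malformed. */
static int parse_sig(const char *line, struct sig *s)
{
    for (int n = 0;;) {
        size_t len = strcspn(line, ":");
        if (n == 9 || len >= sizeof s->f[0]) return 0;
        memcpy(s->f[n], line, len);
        s->f[n++][len] = '\0';
        if (line[len] == '\0') return n == 9;
        line += len + 1;
    }
}

/* Window patterns: "*", exact, "%N" modulus, "SN" N*MSS, "TN" N*(MSS+40). */
static int match_wsize(const char *pat, const struct syn_info *p)
{
    unsigned n = (unsigned)strtoul(pat + 1, NULL, 10);
    switch (pat[0]) {
    case '*': return 1;
    case '%': return n != 0 && p->wsize % n == 0;
    case 'S': return p->mss != 0 && p->wsize == n * p->mss;
    case 'T': return p->mss != 0 && p->wsize == n * (p->mss + 40);
    default:  return p->wsize == (unsigned)strtoul(pat, NULL, 10);
    }
}
static int match_num(const char *pat, unsigned v) { return !strcmp(pat, "*") || v == strtoul(pat, NULL, 10); }

/* Walk both comma lists in lock step; "M*" and "W*" accept any value. */
static int match_opts(const char *pat, const char *opts)
{
    while (*pat && *opts) {
        size_t lp = strcspn(pat, ","), lo = strcspn(opts, ",");
        int wild = lp == 2 && pat[1] == '*' && (pat[0] == 'M' || pat[0] == 'W');
        if (pat[0] != opts[0] || (!wild && (lp != lo || memcmp(pat, opts, lp) != 0)))
            return 0;
        pat += lp + (pat[lp] == ',');
        opts += lo + (opts[lo] == ',');
    }
    return *pat == '\0' && *opts == '\0';
}

/* Index of the first matching signature, or -1 (pf itself yields a list). */
static int classify(const struct sig *sigs, int nsigs, const struct syn_info *p)
{
    for (int i = 0; i < nsigs; i++)
        if (match_wsize(sigs[i].f[0], p) && match_num(sigs[i].f[1], p->ttl) &&
            match_num(sigs[i].f[2], p->df) && match_num(sigs[i].f[3], p->psize) &&
            match_opts(sigs[i].f[4], p->opts))
            return i;
    return -1;
}

/* Distinct raw fingerprint keys seen from one source; unmatched SYNs count too. */
static int distinct_fps(const struct syn_info *s, int ns, const char *src)
{
    char keys[16][96], k[96];
    int n = 0, i, j;
    for (i = 0; i < ns; i++) {
        if (strcmp(s[i].src, src) != 0) continue;
        snprintf(k, sizeof k, "%u:%u:%u:%u:%s", s[i].wsize, s[i].ttl, s[i].df, s[i].psize, s[i].opts);
        for (j = 0; j < n; j++) if (strcmp(keys[j], k) == 0) break;
        if (j == n && n < 16) snprintf(keys[n++], sizeof keys[0], "%s", k);
    }
    return n;
}

/* Constructed pf.os-style lines and SYNs (illustrative, not copied from pf.os). */
static const char *SIG_LINES[3] = {
    "65535:64:1:64:M*,N,W0,N,N,T:OpenBSD:example::constructed entry",
    "S4:64:1:60:M*,S,T,N,W*:Linux:example::constructed entry",
    "65535:128:1:48:M*,N,N,S:Windows:example::constructed entry" };
static const struct syn_info SYNS[5] = {   /* three distinct from .10, two identical from .20 */
    { "192.0.2.10", 65535, 64, 1, 64, 1460, "M1460,N,W0,N,N,T" },
    { "192.0.2.10", 5840, 64, 1, 60, 1460, "M1460,S,T,N,W7" },
    { "192.0.2.20", 65535, 128, 1, 48, 1460, "M1460,N,N,S" },
    { "192.0.2.20", 65535, 128, 1, 48, 1460, "M1460,N,N,S" },
    { "192.0.2.10", 8192, 255, 0, 44, 0, "." } };
static struct sig SIGS[3];

static int classify_syn(int i)   /* signature index for constructed SYN i, -2 on a malformed line */
{
    for (int s = 0; s < 3; s++)
        if (!parse_sig(SIG_LINES[s], &SIGS[s])) return -2;
    return classify(SIGS, 3, &SYNS[i]);
}
static int distinct_for(const char *src) { return distinct_fps(SYNS, 5, src); }
```

Called from a main of your own, classify_syn(1) returns 1 (the constructed Linux-style line, because 5840 is four times the 1460 MSS) and classify_syn(4) returns -1, yet distinct_for("192.0.2.10") returns 3: the unmatched SYN still contributes a distinct key. That is the difference the poster draws between the OS list pf_osfp_fingerprint returns and the raw struct pf_os_fingerprint computed in pf_osfp_fingerprint_hdr, which is the value a per-source count needs.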


Re: osfp pfctl and states

2013-09-06 Thread Henning Brauer
* sven falempin  [2013-09-05 18:14]:
> Reading the pfctl manual and net/pfvar.h I didn't find the osfp information
> inside a states entry.
> So I assume it is not possible to recover the fingerprint of a state through
> the ioctl.

otoh this is the case.

> - creatorId is something I should look into.

no, creatorID is for pfsync setups to know which node created the
state. 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



osfp pfctl and states

2013-09-05 Thread sven falempin
OpenBSDs,

Reading the pfctl manual and net/pfvar.h I didn't find the osfp information
inside a states entry.
So I assume it is not possible to recover the fingerprint of a state through
the ioctl.
Unless
- I didn't read enough (help is welcome)
- creatorId is something I should look into.

Or I have to patch: I want to have the SYN fingerprint saved into states, if
possible.

Maybe there's another way ?

Best regards.

-- 
-
() ascii ribbon campaign - against html e-mail
/\