If I want this on FreeBSD I am alone, but here...
So this code checks the fingerprint and does not bother to save it, because
it is never used, and that's good :-)
I read the code a bit:
pf.c: around line 3232
- - - - - -
case IPPROTO_TCP:
        PF_TEST_ATTRIB(((r->flagset & th->th_flags) !=
            r->flags),
                TAILQ_NEXT(r, entries));
        PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&
            !pf_osfp_match(pf_osfp_fingerprint(pd),
            r->os_fingerprint)),
                TAILQ_NEXT(r, entries));
- - - - - -
1/
At this point <<struct pf_state **sm>> is available.
Let's assume pf_state got a "struct pf_osfp_enlist l_osfp".
To get the info back from userland, doing:
                TAILQ_NEXT(r, entries));
        // pf_osfp_fingerprint returns the list of matching OSes for the fingerprint
        // afaik this list is saved during initialization, so we save the pointer.
        struct pf_osfp_enlist *_l_osfp = pf_osfp_fingerprint(pd);
        (*sm)->l_osfp = _l_osfp;
        PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY &&
            !pf_osfp_match(_l_osfp,
            r->os_fingerprint)),
<http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_osfp.c#rev1.25>
Would a diff like this hurt?
Nevertheless:
2/ A few problems remain:
a/ copying this to the pfsync_struct,
b/ ioctl won't be able to send the data, or must copy the whole list (next
point solves this)
c/ the data I want is more the one <<hidden>>
in pf_osfp_fingerprint_hdr around line 112
struct pf_os_fingerprint fp;
To get this back I should pass sm as an argument to pf_osfp_fingerprint and
pf_osfp_fingerprint_hdr
and do
sm->fp = fp;
inside.
Would a diff like this hurt?
Digression:
I found the osfp code a bit strange, as the fp is not obtained through a
function and then passed to the matcher.
pf_osfp_fingerprint_hdr calculates the value and looks for the entry,
then passes the list of <<compatible>> OSes; a function that computes the fp,
to get something like this:
fp = pf_osfp_get_fingerprint(pd);
if (fp) {
        struct pf_osfp_enlist *oses = pf_osfp_get_oses(fp); // inside pf_osfp_match
        pf_osfp_match(oses, r->os_fingerprint);
}
<http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_osfp.c#rev1.25>
Btw, the goal is to know how many different fingerprints come from one
source without doing logging or traffic analysis.
On Fri, Sep 6, 2013 at 5:27 AM, Henning Brauer <[email protected]> wrote:
> * sven falempin <[email protected]> [2013-09-05 18:14]:
> > Reading the pfctl manual and net/pfvar.h I didn't find the osfp information
> > inside a state entry.
> > So I assume it is not possible to recover the fingerprint of a state
> > through the ioctl.
>
> otoh this is the case.
>
> > - creatorId is something I should look into.
>
> no, creatorID is for pfsync setups to know which node created the
> state.
>
> --
> Henning Brauer, [email protected], [email protected]
> BS Web Services GmbH, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
> Managed
> Henning Brauer Consulting, http://henningbrauer.com/
>
>
--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\