author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2018-10-22 22:46:19 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-23 17:51:32 +0200 |
commit | b83dd8ff56ff9f3170ebec52aeebb7a3a62c9dc7 (patch) | |
tree | e3ce2936ab38eaaae89b4a22f6d8d55ff298ed15 /doc | |
parent | 03eafe098d5eead786cbbe6f79348f05819cd99e (diff) |
doc: osf: add ttl option to man page
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/primary-expression.txt | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 0fda76dd..761f50bc 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -187,18 +187,30 @@ and others) from packets with the SYN bit set. [options="header"] |================== |Name |Description| Type +|ttl| +Do TTL checks on the packet to determine the operating system.| +string |name| -Name of the OS signature to match. All signatures can be found at pf.os file.| -Use "unknown" for OS signatures that the expression could not detect. +Name of the OS signature to match. All signatures can be found at pf.os file. +Use "unknown" for OS signatures that the expression could not detect.| +string |================== +.Available ttl values +--------------------- +If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison. This generally works for LANs. + +* loose: Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable addresses. +* skip: Do not compare the TTL at all. +--------------------- + .Using osf expression --------------------- -# Accept packets that match the "Linux" OS signature. +# Accept packets that match the "Linux" OS genre signature without comparing TTL. table inet x { chain y { type filter hook input priority 0; policy accept; - osf "Linux" + osf ttl skip name "Linux" } } ----------------------- |
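Review bot: In the added ".Available ttl values" block, the explanatory sentence and the two bullets ("* loose: ..." and "* skip: ...") sit between `---------------------` listing delimiters, so they will render as literal text rather than as a paragraph and a list; drop the delimiters there and keep them only for the nft example. In the same block, "make a true IP header and fingerprint TTL true comparison" is hard to parse; if the intent is that, with no ttl option given, the packet's TTL is compared directly with the fingerprint's TTL, say it in those words. The new ttl table row gives the type as string without naming the accepted values, so mention loose and skip in the description or point to the block below. The example comment now says "OS genre signature" while the name row still says "OS signature"; use one term in both places.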