From fdda1fad8853b92bac726cbe162b58a5b73c8b4d Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera
Date: Wed, 27 Mar 2019 11:37:56 +0100
Subject: osf: add version fingerprint support
Add support for version fingerprint in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" osf ttl skip version "Linux:4.20" } }
Signed-off-by: Fernando Fernandez Mancera
Signed-off-by: Pablo Neira Ayuso
---
 include/expression.h | 1 +
 include/linux/netfilter/nf_tables.h | 6 ++++++
 include/osf.h | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/expression.h b/include/expression.h
index 6d72f64c..6416ac09 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -350,6 +350,7 @@ struct expr {
 struct {
 /* EXPR_OSF */
 uint8_t ttl;
+ uint32_t flags;
 } osf;
 };
 };
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 37036be0..09a7b9ed 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -944,15 +944,21 @@ enum nft_socket_keys {
 *
 * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
 * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
+ * @NFTA_OSF_FLAGS: flags (NLA_U32)
 */
 enum nft_osf_attributes {
 NFTA_OSF_UNSPEC,
 NFTA_OSF_DREG,
 NFTA_OSF_TTL,
+ NFTA_OSF_FLAGS,
 __NFTA_OSF_MAX
 };
 #define NFT_OSF_MAX (__NFTA_OSF_MAX - 1)
+enum nft_osf_flags {
+ NFT_OSF_F_VERSION = 1 << 0, /* check fingerprint version */
+};
+
 /**
 * enum nft_ct_keys - nf_tables ct expression keys
 *
diff --git a/include/osf.h b/include/osf.h
index 23ea34d3..8f6f5840 100644
--- a/include/osf.h
+++ b/include/osf.h
@@ -1,7 +1,8 @@
 #ifndef NFTABLES_OSF_H
 #define NFTABLES_OSF_H
-struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl);
+struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl,
+ const uint32_t flags);
 extern int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del);
-- cgit v1.2.3
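Review bot: The new `flags` parameter of `osf_expr_alloc()` is undocumented, so nothing in this header says which bits a caller may pass; the same applies to the `uint32_t flags` member added to the `osf` struct in include/expression.h. Judging from the nf_tables.h hunk, the intended values are those of `enum nft_osf_flags` (currently only `NFT_OSF_F_VERSION`), so a comment such as `/* flags: bitmask of NFT_OSF_F_* */` above the prototype and beside the member would make the contract explicit. The value presumably ends up in the `NFTA_OSF_FLAGS` netlink attribute, so it is worth confirming in the callers and the parser (not visible here, the page is limited to include/) that only defined bits are set before the expression is sent to the kernel. The `const` qualifiers on the by-value `ttl` and `flags` parameters have no effect in a declaration and could be dropped.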