
Commit bfb15f2a authored by Fernando Fernandez Mancera's avatar Fernando Fernandez Mancera Committed by Pablo Neira Ayuso

netfilter: extract Passive OS fingerprint infrastructure from xt_osf



Add nf_osf_ttl() and nf_osf_match() into nf_osf.c to prepare for
nf_tables support.

Signed-off-by: default avatarFernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 3f9c56a5
+27 −0
#include <uapi/linux/netfilter/nf_osf.h>

/* Initial window size option state machine: multiple of mss, mtu or
 * plain numeric value. Can also be made as plain numeric value which
 * is not a multiple of specified value.
 */
enum nf_osf_window_size_options {
	OSF_WSS_PLAIN   = 0,
	OSF_WSS_MSS,
	OSF_WSS_MTU,
	OSF_WSS_MODULO,
	OSF_WSS_MAX,
};

enum osf_fmatch_states {
	/* Packet does not match the fingerprint */
	FMATCH_WRONG = 0,
	/* Packet matches the fingerprint */
	FMATCH_OK,
	/* Options do not match the fingerprint, but header does */
	FMATCH_OPT_WRONG,
};

bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
		  int hooknum, struct net_device *in, struct net_device *out,
		  const struct nf_osf_info *info, struct net *net,
		  const struct list_head *nf_osf_fingers);
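Review bot: The new kernel-side header has no include guard — the 27 added lines run from `#include <uapi/linux/netfilter/nf_osf.h>` straight into the two enum definitions, so a translation unit that pulls this header in twice (directly and through another header) gets a redefinition error on `enum nf_osf_window_size_options` and `enum osf_fmatch_states`. The uapi header already takes `_NF_OSF_H`, so the guard here needs a distinct name, e.g. `#ifndef _NF_OSF_KERNEL_H` / `#define _NF_OSF_KERNEL_H` around the file with the matching `#endif` at the end (constructed name; use the tree's convention). The `nf_osf_match()` prototype is also undocumented although it becomes shared infrastructure: a kernel-doc block stating what the bool return means next to `FMATCH_OPT_WRONG`, and that the caller presumably holds the RCU read side while `nf_osf_fingers` is walked (the `rcu_head` in `struct nf_osf_finger` hints at that, but it is not shown here), would help the nf_tables user this commit prepares for. Minor style: `u_int8_t family` mixes with the `__u8`/`__u32` used in the rest of the series; `u8` would match kernel style.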
+90 −0
#ifndef _NF_OSF_H
#define _NF_OSF_H

#define MAXGENRELEN	32

#define NF_OSF_GENRE	(1 << 0)
#define NF_OSF_TTL	(1 << 1)
#define NF_OSF_LOG	(1 << 2)
#define NF_OSF_INVERT	(1 << 3)

#define NF_OSF_LOGLEVEL_ALL		0	/* log all matched fingerprints */
#define NF_OSF_LOGLEVEL_FIRST		1	/* log only the first matced fingerprint */
#define NF_OSF_LOGLEVEL_ALL_KNOWN	2	/* do not log unknown packets */

#define NF_OSF_TTL_TRUE			0	/* True ip and fingerprint TTL comparison */

/* Do not compare ip and fingerprint TTL at all */
#define NF_OSF_TTL_NOCHECK		2

/* Wildcard MSS (kind of).
 * It is used to implement a state machine for the different wildcard values
 * of the MSS and window sizes.
 */
struct nf_osf_wc {
	__u32	wc;
	__u32	val;
};

/* This struct represents IANA options
 * http://www.iana.org/assignments/tcp-parameters
 */
struct nf_osf_opt {
	__u16			kind, length;
	struct nf_osf_wc	wc;
};

struct nf_osf_info {
	char	genre[MAXGENRELEN];
	__u32	len;
	__u32	flags;
	__u32	loglevel;
	__u32	ttl;
};

struct nf_osf_user_finger {
	struct nf_osf_wc	wss;

	__u8	ttl, df;
	__u16	ss, mss;
	__u16	opt_num;

	char	genre[MAXGENRELEN];
	char	version[MAXGENRELEN];
	char	subtype[MAXGENRELEN];

	/* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
	struct nf_osf_opt	opt[MAX_IPOPTLEN];
};

struct nf_osf_finger {
	struct rcu_head			rcu_head;
	struct list_head		finger_entry;
	struct nf_osf_user_finger	finger;
};

struct nf_osf_nlmsg {
	struct nf_osf_user_finger	f;
	struct iphdr			ip;
	struct tcphdr			tcp;
};

/* Defines for IANA option kinds */
enum iana_options {
	OSFOPT_EOL = 0,		/* End of options */
	OSFOPT_NOP,		/* NOP */
	OSFOPT_MSS,		/* Maximum segment size */
	OSFOPT_WSO,		/* Window scale option */
	OSFOPT_SACKP,		/* SACK permitted */
	OSFOPT_SACK,		/* SACK */
	OSFOPT_ECHO,
	OSFOPT_ECHOREPLY,
	OSFOPT_TS,		/* Timestamp option */
	OSFOPT_POCP,		/* Partial Order Connection Permitted */
	OSFOPT_POSP,		/* Partial Order Service Profile */

	/* Others are not used in the current OSF */
	OSFOPT_EMPTY = 255,
};

#endif /* _NF_OSF_H */
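Review bot: `struct nf_osf_finger` embeds `struct rcu_head` and `struct list_head`, which are kernel-internal types, in what looks like the uapi header (the `__u32`/`__u16` members and the `<uapi/linux/netfilter/nf_osf.h>` include in the other new file suggest that), so a user program including this header cannot resolve them. Moving that struct next to the enums in the kernel-side header, or at least fencing it with `#ifdef __KERNEL__`, keeps the exported surface self-contained. Separately, the TTL modes jump from `NF_OSF_TTL_TRUE 0` to `NF_OSF_TTL_NOCHECK 2` with no value 1, while `XT_OSF_TTL_LESS 1` stays a literal in xt_osf.h, so the shared matcher has no `NF_OSF_*` name for that mode; adding `#define NF_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */` here and aliasing it in xt_osf.h closes the gap. The comment on `NF_OSF_LOGLEVEL_FIRST` carries over the typo `matced` → `matched`.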
+17 −89
@@ -23,101 +23,29 @@
#include <linux/types.h>
#include <linux/types.h>
#include <linux/ip.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/tcp.h>
#include <linux/netfilter/nf_osf.h>


#define MAXGENRELEN		32
#define XT_OSF_GENRE		NF_OSF_GENRE
#define XT_OSF_INVERT		NF_OSF_INVERT


#define XT_OSF_GENRE		(1<<0)
#define XT_OSF_TTL		NF_OSF_TTL
#define	XT_OSF_TTL		(1<<1)
#define XT_OSF_LOG		NF_OSF_LOG
#define XT_OSF_LOG		(1<<2)
#define XT_OSF_INVERT		(1<<3)


#define XT_OSF_LOGLEVEL_ALL	0	/* log all matched fingerprints */
#define XT_OSF_LOGLEVEL_ALL		NF_OSF_LOGLEVEL_ALL
#define XT_OSF_LOGLEVEL_FIRST	1	/* log only the first matced fingerprint */
#define XT_OSF_LOGLEVEL_FIRST		NF_OSF_LOGLEVEL_FIRST
#define XT_OSF_LOGLEVEL_ALL_KNOWN	2 /* do not log unknown packets */
#define XT_OSF_LOGLEVEL_ALL_KNOWN	NF_OSF_LOGLEVEL_ALL_KNOWN


#define XT_OSF_TTL_TRUE		0	/* True ip and fingerprint TTL comparison */
#define XT_OSF_TTL_TRUE		NF_OSF_TTL_TRUE
#define XT_OSF_TTL_LESS		1	/* Check if ip TTL is less than fingerprint one */
#define XT_OSF_TTL_NOCHECK	NF_OSF_TTL_NOCHECK
#define XT_OSF_TTL_NOCHECK	2	/* Do not compare ip and fingerprint TTL at all */

struct xt_osf_info {
	char			genre[MAXGENRELEN];
	__u32			len;
	__u32			flags;
	__u32			loglevel;
	__u32			ttl;
};

/*
 * Wildcard MSS (kind of).
 * It is used to implement a state machine for the different wildcard values
 * of the MSS and window sizes.
 */
struct xt_osf_wc {
	__u32			wc;
	__u32			val;
};

/*
 * This struct represents IANA options
 * http://www.iana.org/assignments/tcp-parameters
 */
struct xt_osf_opt {
	__u16			kind, length;
	struct xt_osf_wc	wc;
};

struct xt_osf_user_finger {
	struct xt_osf_wc	wss;

	__u8			ttl, df;
	__u16			ss, mss;
	__u16			opt_num;


	char			genre[MAXGENRELEN];
#define XT_OSF_TTL_LESS	1	/* Check if ip TTL is less than fingerprint one */
	char			version[MAXGENRELEN];
	char			subtype[MAXGENRELEN];

	/* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
	struct xt_osf_opt	opt[MAX_IPOPTLEN];
};

struct xt_osf_nlmsg {
	struct xt_osf_user_finger	f;
	struct iphdr		ip;
	struct tcphdr		tcp;
};

/* Defines for IANA option kinds */

enum iana_options {
	OSFOPT_EOL = 0,		/* End of options */
	OSFOPT_NOP, 		/* NOP */
	OSFOPT_MSS, 		/* Maximum segment size */
	OSFOPT_WSO, 		/* Window scale option */
	OSFOPT_SACKP,		/* SACK permitted */
	OSFOPT_SACK,		/* SACK */
	OSFOPT_ECHO,
	OSFOPT_ECHOREPLY,
	OSFOPT_TS,		/* Timestamp option */
	OSFOPT_POCP,		/* Partial Order Connection Permitted */
	OSFOPT_POSP,		/* Partial Order Service Profile */

	/* Others are not used in the current OSF */
	OSFOPT_EMPTY = 255,
};


/*
#define xt_osf_wc		nf_osf_wc
 * Initial window size option state machine: multiple of mss, mtu or
#define xt_osf_opt		nf_osf_opt
 * plain numeric value. Can also be made as plain numeric value which
#define xt_osf_info		nf_osf_info
 * is not a multiple of specified value.
#define xt_osf_user_finger	nf_osf_user_finger
 */
#define xt_osf_finger		nf_osf_finger
enum xt_osf_window_size_options {
#define xt_osf_nlmsg		nf_osf_nlmsg
	OSF_WSS_PLAIN	= 0,
	OSF_WSS_MSS,
	OSF_WSS_MTU,
	OSF_WSS_MODULO,
	OSF_WSS_MAX,
};


/*
/*
 * Add/remove fingerprint from the kernel.
 * Add/remove fingerprint from the kernel.
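Review bot: The `#define xt_osf_wc nf_osf_wc` … `#define xt_osf_nlmsg nf_osf_nlmsg` compatibility macros rename struct tags through the preprocessor, so in any user program that includes this uapi header every other identifier spelled e.g. `xt_osf_info` or `xt_osf_finger` (a local variable, a function name) is silently rewritten as well. A struct tag cannot be aliased with a typedef, so the macro route may be a deliberate tradeoff; if so, a one-line comment above the block such as `/* compat: the structs now live in nf_osf.h; old tag names kept for existing userspace */` would record it. `XT_OSF_TTL_LESS` is the one mode left as a literal `1` while its neighbours become `NF_OSF_*` aliases, which reads as a leftover rather than a choice. The hunk header announces 101 old / 29 new lines and the rendered section stops mid-comment at `Add/remove fingerprint from the kernel`, so the tail of this hunk is not visible here.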
+4 −0
@@ -444,6 +444,9 @@ config NETFILTER_SYNPROXY


endif # NF_CONNTRACK
endif # NF_CONNTRACK


config NF_OSF
	tristate 'Passive OS fingerprint infrastructure'

config NF_TABLES
config NF_TABLES
	select NETFILTER_NETLINK
	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	tristate "Netfilter nf_tables support"
@@ -1358,6 +1361,7 @@ config NETFILTER_XT_MATCH_NFACCT
config NETFILTER_XT_MATCH_OSF
config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	select NF_OSF
	help
	help
	  This option selects the Passive OS Fingerprinting match module
	  This option selects the Passive OS Fingerprinting match module
	  that allows to passively match the remote operating system by
	  that allows to passively match the remote operating system by
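Review bot: The new `config NF_OSF` entry has only a `tristate` line and no `help` text, unlike the `NETFILTER_XT_MATCH_OSF` entry in the second hunk, so the configurator shows nothing for it and checkpatch is likely to flag the help-less symbol. A short block such as `help` / `  Shared infrastructure for passive OS fingerprinting, used by the xt_osf match and by the upcoming nf_tables support.` would do. Whether NF_OSF should also carry a `depends on` mirroring the netlink dependency of the match that selects it cannot be judged from this hunk.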
+1 −0
@@ -101,6 +101,7 @@ obj-$(CONFIG_NFT_HASH) += nft_hash.o
obj-$(CONFIG_NFT_FIB)		+= nft_fib.o
obj-$(CONFIG_NFT_FIB)		+= nft_fib.o
obj-$(CONFIG_NFT_FIB_INET)	+= nft_fib_inet.o
obj-$(CONFIG_NFT_FIB_INET)	+= nft_fib_inet.o
obj-$(CONFIG_NFT_FIB_NETDEV)	+= nft_fib_netdev.o
obj-$(CONFIG_NFT_FIB_NETDEV)	+= nft_fib_netdev.o
obj-$(CONFIG_NF_OSF)		+= nf_osf.o


# nf_tables netdev
# nf_tables netdev
obj-$(CONFIG_NFT_DUP_NETDEV)	+= nft_dup_netdev.o
obj-$(CONFIG_NFT_DUP_NETDEV)	+= nft_dup_netdev.o