authorEvgeniy Polyakov <zbr@ioremap.net>2009-06-08 11:01:51 -0400
committerPatrick McHardy <kaber@trash.net>2009-06-08 11:01:51 -0400
commit11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (patch)
tree6fe29550776dc668b73b81bb2407064049ccd0ef /include
parentf87fb666bb00a7afcbd7992d236e42ac544996f9 (diff)
netfilter: passive OS fingerprint xtables match
Passive OS fingerprinting netfilter module allows passive detection of the remote OS and performs various netfilter actions based on that knowledge. This module compares some data (WS, MSS, options and their order, ttl, df and others) from packets with SYN bit set with dynamically loaded OS fingerprints. Fingerprint matching rules can be downloaded from OpenBSD source tree or found in archive and loaded via netfilter netlink subsystem into the kernel via special util found in archive. Archive contains library file (also attached), which was shipped with iptables extensions some time ago (at least when ipt_osf existed in patch-o-matic). Following changes were made in this release: * added NLM_F_CREATE/NLM_F_EXCL checks * dropped _rcu list traversing helpers in the protected add/remove calls * dropped unneeded structures, debug prints, obscure comment and check Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os or can be found in archive Example usage: -d switch removes fingerprints Please consider for inclusion. Thank you. Passive OS fingerprint homepage (archives, examples): http://www.ioremap.net/projects/osf Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/Kbuild1
-rw-r--r--include/linux/netfilter/nfnetlink.h3
-rw-r--r--include/linux/netfilter/xt_osf.h133
3 files changed, 136 insertions, 1 deletions
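--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -33,6 +33,7 @@ header-y += xt_limit.h
 header-y += xt_mac.h
 header-y += xt_mark.h
 header-y += xt_multiport.h
+header-y += xt_osf.h
 header-y += xt_owner.h
 header-y += xt_pkttype.h
 header-y += xt_quota.h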
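--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -46,7 +46,8 @@ struct nfgenmsg {
 #define NFNL_SUBSYS_CTNETLINK_EXP 2
 #define NFNL_SUBSYS_QUEUE 3
 #define NFNL_SUBSYS_ULOG 4
-#define NFNL_SUBSYS_COUNT 5
+#define NFNL_SUBSYS_OSF 5
+#define NFNL_SUBSYS_COUNT 6
 
 #ifdef __KERNEL__
 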
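--- /dev/null
+++ b/include/linux/netfilter/xt_osf.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#define MAXGENRELEN 32
+
+#define XT_OSF_GENRE (1<<0)
+#define XT_OSF_TTL (1<<1)
+#define XT_OSF_LOG (1<<2)
+#define XT_OSF_INVERT (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+ char genre[MAXGENRELEN];
+ __u32 len;
+ __u32 flags;
+ __u32 loglevel;
+ __u32 ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+ __u32 wc;
+ __u32 val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+ __u16 kind, length;
+ struct xt_osf_wc wc;
+};
+
+struct xt_osf_user_finger {
+ struct xt_osf_wc wss;
+
+ __u8 ttl, df;
+ __u16 ss, mss;
+ __u16 opt_num;
+
+ char genre[MAXGENRELEN];
+ char version[MAXGENRELEN];
+ char subtype[MAXGENRELEN];
+
+ /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+ struct xt_osf_opt opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+ struct xt_osf_user_finger f;
+ struct iphdr ip;
+ struct tcphdr tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+ OSFOPT_EOL = 0, /* End of options */
+ OSFOPT_NOP, /* NOP */
+ OSFOPT_MSS, /* Maximum segment size */
+ OSFOPT_WSO, /* Window scale option */
+ OSFOPT_SACKP, /* SACK permitted */
+ OSFOPT_SACK, /* SACK */
+ OSFOPT_ECHO,
+ OSFOPT_ECHOREPLY,
+ OSFOPT_TS, /* Timestamp option */
+ OSFOPT_POCP, /* Partial Order Connection Permitted */
+ OSFOPT_POSP, /* Partial Order Service Profile */
+
+ /* Others are not used in the current OSF */
+ OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+ OSF_WSS_PLAIN = 0,
+ OSF_WSS_MSS,
+ OSF_WSS_MTU,
+ OSF_WSS_MODULO,
+ OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+ OSF_MSG_ADD,
+ OSF_MSG_REMOVE,
+ OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+ OSF_ATTR_UNSPEC,
+ OSF_ATTR_FINGER,
+ OSF_ATTR_MAX,
+};
+
+#endif /* _XT_OSF_H */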
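Review bot: The new header is exported to userspace (this commit adds it to Kbuild's header-y list) yet includes nothing, although it uses `__u8`/`__u16`/`__u32`, `MAX_IPOPTLEN`, `struct iphdr` and `struct tcphdr`; adding `#include <linux/types.h>`, `#include <linux/ip.h>` and `#include <linux/tcp.h>` after the include guard would make it self-contained for both kernel and userspace consumers. The three `char ...[MAXGENRELEN]` fields and `opt_num` in `struct xt_osf_user_finger` arrive from userspace inside the OSF_ATTR_FINGER netlink attribute and are therefore untrusted, so the struct should state the receiver's obligations, e.g. `/* genre/version/subtype need not be NUL-terminated; opt_num must be checked against MAX_IPOPTLEN before opt[] is walked */`; whether the kernel-side parser (outside this diff, which is limited to include/) already enforces this cannot be seen here. Likewise `struct xt_osf_info` is the iptables match data, and a one-line comment that `flags`, `loglevel` and `ttl` are validated in checkentry against XT_OSF_* would document the trust boundary. The comment on XT_OSF_LOGLEVEL_FIRST has a typo: `#define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matched fingerprint */`.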