diff options
author | Evgeniy Polyakov <zbr@ioremap.net> | 2009-06-08 11:01:51 -0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-06-08 11:01:51 -0400 |
commit | 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 (patch) | |
tree | 6fe29550776dc668b73b81bb2407064049ccd0ef /include | |
parent | f87fb666bb00a7afcbd7992d236e42ac544996f9 (diff) |
netfilter: passive OS fingerprint xtables match
Passive OS fingerprinting netfilter module allows to passively detect
remote OS and perform various netfilter actions based on that knowledge.
This module compares some data (WS, MSS, options and it's order, ttl, df
and others) from packets with SYN bit set with dynamically loaded OS
fingerprints.
Fingerprint matching rules can be downloaded from OpenBSD source tree
or found in archive and loaded via netfilter netlink subsystem into
the kernel via special util found in archive.
Archive contains library file (also attached), which was shipped
with iptables extensions some time ago (at least when ipt_osf existed
in patch-o-matic).
Following changes were made in this release:
* added NLM_F_CREATE/NLM_F_EXCL checks
* dropped _rcu list traversing helpers in the protected add/remove calls
* dropped unneded structures, debug prints, obscure comment and check
Fingerprints can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
or can be found in archive
Example usage:
-d switch removes fingerprints
Please consider for inclusion.
Thank you.
Passive OS fingerprint homepage (archives, examples):
http://www.ioremap.net/projects/osf
Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/Kbuild | 1 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 3 | ||||
-rw-r--r-- | include/linux/netfilter/xt_osf.h | 133 |
3 files changed, 136 insertions, 1 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index af9d2fb97212..2aea50399c0b 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild | |||
@@ -33,6 +33,7 @@ header-y += xt_limit.h | |||
33 | header-y += xt_mac.h | 33 | header-y += xt_mac.h |
34 | header-y += xt_mark.h | 34 | header-y += xt_mark.h |
35 | header-y += xt_multiport.h | 35 | header-y += xt_multiport.h |
36 | header-y += xt_osf.h | ||
36 | header-y += xt_owner.h | 37 | header-y += xt_owner.h |
37 | header-y += xt_pkttype.h | 38 | header-y += xt_pkttype.h |
38 | header-y += xt_quota.h | 39 | header-y += xt_quota.h |
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 2214e5161461..bff4d5741d98 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h | |||
@@ -46,7 +46,8 @@ struct nfgenmsg { | |||
46 | #define NFNL_SUBSYS_CTNETLINK_EXP 2 | 46 | #define NFNL_SUBSYS_CTNETLINK_EXP 2 |
47 | #define NFNL_SUBSYS_QUEUE 3 | 47 | #define NFNL_SUBSYS_QUEUE 3 |
48 | #define NFNL_SUBSYS_ULOG 4 | 48 | #define NFNL_SUBSYS_ULOG 4 |
49 | #define NFNL_SUBSYS_COUNT 5 | 49 | #define NFNL_SUBSYS_OSF 5 |
50 | #define NFNL_SUBSYS_COUNT 6 | ||
50 | 51 | ||
51 | #ifdef __KERNEL__ | 52 | #ifdef __KERNEL__ |
52 | 53 | ||
diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h new file mode 100644 index 000000000000..fd2272e0959a --- /dev/null +++ b/include/linux/netfilter/xt_osf.h | |||
@@ -0,0 +1,133 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru> | ||
3 | * | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License as published by | ||
7 | * the Free Software Foundation; either version 2 of the License, or | ||
8 | * (at your option) any later version. | ||
9 | * | ||
10 | * This program is distributed in the hope that it will be useful, | ||
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
13 | * GNU General Public License for more details. | ||
14 | * | ||
15 | * You should have received a copy of the GNU General Public License | ||
16 | * along with this program; if not, write to the Free Software | ||
17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | ||
18 | */ | ||
19 | |||
20 | #ifndef _XT_OSF_H | ||
21 | #define _XT_OSF_H | ||
22 | |||
23 | #define MAXGENRELEN 32 | ||
24 | |||
25 | #define XT_OSF_GENRE (1<<0) | ||
26 | #define XT_OSF_TTL (1<<1) | ||
27 | #define XT_OSF_LOG (1<<2) | ||
28 | #define XT_OSF_INVERT (1<<3) | ||
29 | |||
30 | #define XT_OSF_LOGLEVEL_ALL 0 /* log all matched fingerprints */ | ||
31 | #define XT_OSF_LOGLEVEL_FIRST 1 /* log only the first matced fingerprint */ | ||
32 | #define XT_OSF_LOGLEVEL_ALL_KNOWN 2 /* do not log unknown packets */ | ||
33 | |||
34 | #define XT_OSF_TTL_TRUE 0 /* True ip and fingerprint TTL comparison */ | ||
35 | #define XT_OSF_TTL_LESS 1 /* Check if ip TTL is less than fingerprint one */ | ||
36 | #define XT_OSF_TTL_NOCHECK 2 /* Do not compare ip and fingerprint TTL at all */ | ||
37 | |||
38 | struct xt_osf_info { | ||
39 | char genre[MAXGENRELEN]; | ||
40 | __u32 len; | ||
41 | __u32 flags; | ||
42 | __u32 loglevel; | ||
43 | __u32 ttl; | ||
44 | }; | ||
45 | |||
46 | /* | ||
47 | * Wildcard MSS (kind of). | ||
48 | * It is used to implement a state machine for the different wildcard values | ||
49 | * of the MSS and window sizes. | ||
50 | */ | ||
51 | struct xt_osf_wc { | ||
52 | __u32 wc; | ||
53 | __u32 val; | ||
54 | }; | ||
55 | |||
56 | /* | ||
57 | * This struct represents IANA options | ||
58 | * http://www.iana.org/assignments/tcp-parameters | ||
59 | */ | ||
60 | struct xt_osf_opt { | ||
61 | __u16 kind, length; | ||
62 | struct xt_osf_wc wc; | ||
63 | }; | ||
64 | |||
65 | struct xt_osf_user_finger { | ||
66 | struct xt_osf_wc wss; | ||
67 | |||
68 | __u8 ttl, df; | ||
69 | __u16 ss, mss; | ||
70 | __u16 opt_num; | ||
71 | |||
72 | char genre[MAXGENRELEN]; | ||
73 | char version[MAXGENRELEN]; | ||
74 | char subtype[MAXGENRELEN]; | ||
75 | |||
76 | /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */ | ||
77 | struct xt_osf_opt opt[MAX_IPOPTLEN]; | ||
78 | }; | ||
79 | |||
80 | struct xt_osf_nlmsg { | ||
81 | struct xt_osf_user_finger f; | ||
82 | struct iphdr ip; | ||
83 | struct tcphdr tcp; | ||
84 | }; | ||
85 | |||
86 | /* Defines for IANA option kinds */ | ||
87 | |||
88 | enum iana_options { | ||
89 | OSFOPT_EOL = 0, /* End of options */ | ||
90 | OSFOPT_NOP, /* NOP */ | ||
91 | OSFOPT_MSS, /* Maximum segment size */ | ||
92 | OSFOPT_WSO, /* Window scale option */ | ||
93 | OSFOPT_SACKP, /* SACK permitted */ | ||
94 | OSFOPT_SACK, /* SACK */ | ||
95 | OSFOPT_ECHO, | ||
96 | OSFOPT_ECHOREPLY, | ||
97 | OSFOPT_TS, /* Timestamp option */ | ||
98 | OSFOPT_POCP, /* Partial Order Connection Permitted */ | ||
99 | OSFOPT_POSP, /* Partial Order Service Profile */ | ||
100 | |||
101 | /* Others are not used in the current OSF */ | ||
102 | OSFOPT_EMPTY = 255, | ||
103 | }; | ||
104 | |||
105 | /* | ||
106 | * Initial window size option state machine: multiple of mss, mtu or | ||
107 | * plain numeric value. Can also be made as plain numeric value which | ||
108 | * is not a multiple of specified value. | ||
109 | */ | ||
110 | enum xt_osf_window_size_options { | ||
111 | OSF_WSS_PLAIN = 0, | ||
112 | OSF_WSS_MSS, | ||
113 | OSF_WSS_MTU, | ||
114 | OSF_WSS_MODULO, | ||
115 | OSF_WSS_MAX, | ||
116 | }; | ||
117 | |||
118 | /* | ||
119 | * Add/remove fingerprint from the kernel. | ||
120 | */ | ||
121 | enum xt_osf_msg_types { | ||
122 | OSF_MSG_ADD, | ||
123 | OSF_MSG_REMOVE, | ||
124 | OSF_MSG_MAX, | ||
125 | }; | ||
126 | |||
127 | enum xt_osf_attr_type { | ||
128 | OSF_ATTR_UNSPEC, | ||
129 | OSF_ATTR_FINGER, | ||
130 | OSF_ATTR_MAX, | ||
131 | }; | ||
132 | |||
133 | #endif /* _XT_OSF_H */ | ||