[2/2,nft] doc: osf: add ttl option to man page

Message ID 20180929101518.843-2-ffmancera@riseup.net
State Changes Requested
Delegated to: Pablo Neira
Series
  • [1/2,nft,v2] src: osf: add ttl option support

Commit Message

Fernando Fernandez Mancera Sept. 29, 2018, 10:15 a.m.
---
 doc/primary-expression.txt | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

Comments

Fernando Fernandez Mancera Sept. 30, 2018, 9:05 a.m. | #1
Sorry, I have forgotten to add "Signed-off-by: Fernando Fernandez 
Mancera <ffmancera@riseup.net>". Thanks.

On 9/29/18 12:15 PM, Fernando Fernandez Mancera wrote:
> ---
>   doc/primary-expression.txt | 20 ++++++++++++++++----
>   1 file changed, 16 insertions(+), 4 deletions(-)
> 
> diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
> index 0fda76d..92dd89a 100644
> --- a/doc/primary-expression.txt
> +++ b/doc/primary-expression.txt
> @@ -187,18 +187,30 @@ and others) from packets with the SYN bit set.
>   [options="header"]
>   |==================
>   |Name |Description| Type
> +|ttl|
> +Do TTL checks on the packet to determine the operating system.|
> +string
>   |name|
> -Name of the OS signature to match. All signatures can be found at pf.os file.|
> -Use "unknown" for OS signatures that the expression could not detect.
> +Name of the OS signature to match. All signatures can be found at pf.os file.
> +Use "unknown" for OS signatures that the expression could not detect.|
> +string
>   |==================
>   
> +.Available ttl values
> +---------------------
> +If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison. This generally works for LANs.
> +
> +* ttl-global: Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable addresses.
> +* ttl-nocheck: Do not compare the TTL at all.
> +---------------------
> +
>   .Using osf expression
>   ---------------------
> -# Accept packets that match the "Linux" OS signature.
> +# Accept packets that match the "Linux" OS genre signature without comparing TTL.
>   table inet x {
>       chain y {
>   	type filter hook input priority 0; policy accept;
> -        osf "Linux"
> +        osf ttl-nocheck name "Linux"
>       }
>   }
>   -----------------------
>

Patch

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 0fda76d..92dd89a 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -187,18 +187,30 @@  and others) from packets with the SYN bit set.
 [options="header"]
 |==================
 |Name |Description| Type
+|ttl|
+Do TTL checks on the packet to determine the operating system.|
+string
 |name|
-Name of the OS signature to match. All signatures can be found at pf.os file.|
-Use "unknown" for OS signatures that the expression could not detect.
+Name of the OS signature to match. All signatures can be found at pf.os file.
+Use "unknown" for OS signatures that the expression could not detect.|
+string
 |==================
 
+.Available ttl values
+---------------------
+If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison. This generally works for LANs.
+
+* ttl-global: Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable addresses.
+* ttl-nocheck: Do not compare the TTL at all.
+---------------------
+
 .Using osf expression
 ---------------------
-# Accept packets that match the "Linux" OS signature.
+# Accept packets that match the "Linux" OS genre signature without comparing TTL.
 table inet x {
     chain y {
 	type filter hook input priority 0; policy accept;
-        osf "Linux"
+        osf ttl-nocheck name "Linux"
     }
 }
 -----------------------
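Review bot: the sentence that introduces the default behaviour in the new `.Available ttl values` block, "If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison.", is hard to parse; suggest "If no ttl option is given, the IP header's TTL must match the fingerprint's TTL exactly." In the same block the `ttl-global` bullet says "less than the fingerprint one" without stating whether a TTL equal to the fingerprint's also matches, so readers cannot tell which way the comparison goes; spell it out. In the table, the `ttl` row lists its type as `string`, yet the example uses the bare keyword `ttl-nocheck` while `name` takes the quoted `"Linux"`; consider documenting the accepted keywords (`ttl-global`, `ttl-nocheck`) as the type, or marking the row as a keyword rather than a string. Finally, the example replaces `osf "Linux"` with `osf ttl-nocheck name "Linux"`; if the `name` keyword is now required even when no ttl option is given, keep a second example showing that plain form, because the old `osf "Linux"` line was the only one covering the default case.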