From patchwork Tue Mar 10 16:01:51 2009
X-Patchwork-Submitter: Evgeniy Polyakov
X-Patchwork-Id: 24259
X-Patchwork-Delegate: davem@davemloft.net
Date: Tue, 10 Mar 2009 19:01:51 +0300
From: Evgeniy Polyakov
To: Patrick McHardy
Cc: netdev@vger.kernel.org, David Miller, "Paul E. McKenney", Netfilter Development Mailinglist, Jan Engelhardt
Subject: Re: Passive OS fingerprint xtables match.
Message-ID: <20090310160151.GA13742@ioremap.net>
References: <20090310151357.GA10658@ioremap.net>
In-Reply-To: <20090310151357.GA10658@ioremap.net>
X-Mailing-List: netdev@vger.kernel.org

On Tue, Mar 10, 2009 at 06:13:57PM +0300, Evgeniy Polyakov (zbr@ioremap.net) wrote:
> The passive OS fingerprinting netfilter module allows passively detecting the
> remote OS and performing various netfilter actions based on that knowledge.
> This module compares some data (WS, MSS, options and their order, TTL, DF
> and others) from packets with the SYN bit set with dynamically loaded OS
> fingerprints.
>
> Fingerprint matching rules can be downloaded from the OpenBSD source tree
> and loaded into the kernel via the netlink connector by a special util found
> in the archive. It will also listen for events about matching packets.
>
> The archive also contains a library file (also attached), which was shipped
> with iptables extensions some time ago (at least when ipt_osf existed
> in patch-o-matic).
>
> This release implements suggestions found during the code review, like
> coding style, structure split and tighter packing, bool and %pi4
> usage and similar changes.

This is not the latest version; it misses the following fix from the parallel tree.

Fixed TCP header copy to userspace when the given option is enabled.

diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 3114bbd..e619f09 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -83,7 +83,7 @@ static void ipt_osf_send_connector(struct ipt_osf_user_finger *f, struct ipt_osf_message *msg = &per_cpu(ipt_osf_mbuf, smp_processor_id()); struct ipt_osf_nlmsg *data = &msg->nlmsg; struct iphdr *iph = ip_hdr(skb); - struct tcphdr *tcph = tcp_hdr(skb); + struct tcphdr *tcp; memcpy(&msg->cmsg.id, &cn_osf_id, sizeof(struct cn_msg)); msg->cmsg.seq = osf_seq++; @@ -92,7 +92,9 @@ static void ipt_osf_send_connector(struct ipt_osf_user_finger *f, memcpy(&data->f, f, sizeof(struct ipt_osf_user_finger)); memcpy(&data->ip, iph, sizeof(struct iphdr)); - memcpy(&data->tcp, tcph, sizeof(struct tcphdr)); + tcp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(struct tcphdr), &data->tcp); + if (tcp) + memcpy(&data->tcp, tcp, sizeof(struct tcphdr)); cn_netlink_send(&msg->cmsg, CN_IDX_OSF, GFP_ATOMIC); }
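Review bot: in the first hunk (@@ -83,7) the new declaration `struct tcphdr *tcp;` drops the `h` suffix that the neighbouring `struct iphdr *iph = ip_hdr(skb);` keeps, so the function now names its two headers `iph` and `tcp`; keeping `tcph` would stay consistent with the existing variable, and doing the `skb_header_pointer()` assignment right here next to `iph` would also remove the window in which `tcp` is declared but uninitialized. The reason for replacing `tcp_hdr(skb)` is not stated anywhere in the patch: `tcp_hdr()` only dereferences skb->transport_header and assumes the TCP header sits in the linear area, which a netfilter match cannot take for granted for every skb it sees; a one-line comment above the declaration saying so would spare the next reader the same archaeology.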
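Review bot: in the second hunk (@@ -92,7) the NULL case is only half handled: when `skb_header_pointer()` returns NULL because the TCP header is not fully present in the skb, `data->tcp` is skipped but `cn_netlink_send(&msg->cmsg, CN_IDX_OSF, GFP_ATOMIC)` still runs, so userspace receives a fingerprint message whose TCP header is whatever the previous message on this CPU left behind in the per-cpu `ipt_osf_mbuf` buffer, with nothing marking it as stale. Either return before the send on failure, or at least `memset(&data->tcp, 0, sizeof(data->tcp))` so the consumer can tell. Separately, when `skb_header_pointer()` has to copy (non-linear skb) it copies into `&data->tcp` and returns that same pointer, so the following `memcpy(&data->tcp, tcp, sizeof(struct tcphdr))` copies the buffer onto itself; overlapping `memcpy` is formally undefined even for src == dst. Replacing both lines with `if (skb_copy_bits(skb, ip_hdrlen(skb), &data->tcp, sizeof(struct tcphdr)) < 0)` and bailing out does the copy unconditionally and leaves one return value to check, which removes both issues at once.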
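The quoted description above lists the SYN fields the module compares (WS, MSS, option order, TTL, DF), and the patch itself is about not touching the TCP header before checking that it is really there. The following is an added example, not code from the xt_osf patch or from the kernel: a userspace extractor for exactly those fields, written with the length checks a match has to perform before reading the TCP header and its options. The single-letter option codes (M, N, W, S, T, E) follow the p0f convention and are an assumption of this example; the packet bytes at the bottom are constructed, not captured.

```c
/* Added example (not part of the xt_osf patch or the kernel): extract the
 * SYN fields a passive OS fingerprinter compares, with bounds checks on
 * every read. Option letters follow p0f (assumption): M=MSS N=NOP W=WS
 * S=SACKOK T=TS E=EOL ?=other. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct syn_fp {
    uint8_t  ttl;
    int      df;        /* IP "don't fragment" bit */
    uint16_t window;    /* TCP window size */
    uint16_t mss;       /* 0 if the MSS option is absent */
    int      wscale;    /* -1 if the window-scale option is absent */
    char     opts[64];  /* option order, e.g. "M,S,T,N,W" */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static void add_opt(struct syn_fp *fp, size_t *n, char c)
{
    if (*n + 3 > sizeof fp->opts)           /* room for ',' c '\0' */
        return;
    if (*n)
        fp->opts[(*n)++] = ',';
    fp->opts[(*n)++] = c;
    fp->opts[*n] = '\0';
}

/* Returns 0 and fills *fp for a well-formed IPv4 TCP SYN, -1 otherwise. */
int syn_fingerprint(const uint8_t *pkt, size_t len, struct syn_fp *fp)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = be16(pkt + 2);
    if (ihl < 20 || pkt[9] != 6 || tot > len || tot < ihl + 20)
        return -1;                          /* IP header and total length sanity */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot)
        return -1;                          /* TCP header (with options) must fit */
    if ((tcp[13] & 0x12) != 0x02)
        return -1;                          /* SYN set, ACK clear */

    memset(fp, 0, sizeof *fp);
    fp->ttl = pkt[8];
    fp->df = (pkt[6] & 0x40) != 0;
    fp->window = be16(tcp + 14);
    fp->wscale = -1;

    size_t n = 0;
    const uint8_t *o = tcp + 20, *end = tcp + doff;
    while (o < end) {
        uint8_t kind = o[0];
        if (kind == 0) { add_opt(fp, &n, 'E'); break; }
        if (kind == 1) { add_opt(fp, &n, 'N'); o++; continue; }
        if (end - o < 2)
            return -1;                      /* kind byte without a length byte */
        size_t olen = o[1];
        if (olen < 2 || olen > (size_t)(end - o))
            return -1;                      /* option would run past the header */
        switch (kind) {
        case 2: if (olen != 4) return -1; fp->mss = be16(o + 2); add_opt(fp, &n, 'M'); break;
        case 3: if (olen != 3) return -1; fp->wscale = o[2];     add_opt(fp, &n, 'W'); break;
        case 4: add_opt(fp, &n, 'S'); break;
        case 8: add_opt(fp, &n, 'T'); break;
        default: add_opt(fp, &n, '?'); break;
        }
        o += olen;
    }
    return 0;
}

/* Constructed sample (not captured): IPv4 with DF and TTL 64, TCP SYN with
 * window 65535 and options MSS 1460, SACKOK, TS, NOP, WS 7 in that order. */
const uint8_t sample_syn[60] = {
    0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x30, 0x39, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0xa0, 0x02, 0xff, 0xff, 0, 0, 0, 0,
    0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0, 0, 0, 1, 0, 0, 0, 0,
    0x01, 0x03, 0x03, 0x07,
};

/* Parses sample_syn; returns the fingerprint or NULL on failure. */
const struct syn_fp *sample_fingerprint(void)
{
    static struct syn_fp fp;
    return syn_fingerprint(sample_syn, sizeof sample_syn, &fp) == 0 ? &fp : NULL;
}

/* Same bytes with the buffer cut inside the options: must be rejected, not read. */
int truncated_sample_rejected(void)
{
    struct syn_fp fp;
    return syn_fingerprint(sample_syn, 50, &fp) == -1;
}

int main(void)
{
    const struct syn_fp *fp = sample_fingerprint();
    if (!fp)
        return 1;
    printf("ttl=%u df=%d win=%u mss=%u wscale=%d opts=%s truncated_rejected=%d\n",
           fp->ttl, fp->df, fp->window, fp->mss, fp->wscale, fp->opts,
           truncated_sample_rejected());
    return 0;
}
```

The two length checks before the option loop (`tot > len` and `ihl + doff > tot`) are the userspace counterpart of what `skb_header_pointer()` does in the patch: the claimed header length is validated against the bytes actually present before anything is read, and a short packet yields an error rather than a fingerprint built from whatever follows the buffer.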