1588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy/*
2588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * Copyright (c) 2003+ Evgeniy Polyakov <zbr@ioremap.net>
3588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy *
4588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy *
5588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * This program is free software; you can redistribute it and/or modify
6588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * it under the terms of the GNU General Public License as published by
7588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * the Free Software Foundation; either version 2 of the License, or
8588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * (at your option) any later version.
9588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy *
10588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * This program is distributed in the hope that it will be useful,
11588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * but WITHOUT ANY WARRANTY; without even the implied warranty of
12588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * GNU General Public License for more details.
14588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy *
15588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * You should have received a copy of the GNU General Public License
16588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * along with this program; if not, write to the Free Software
17588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy */
19588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
20588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy/*
21588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy * xtables interface for OS fingerprint matching module.
22588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy */
23588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy#include <stdio.h>
24588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy#include <string.h>
25588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy#include <xtables.h>
26588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy#include <netinet/ip.h>
27588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy#include <netinet/tcp.h>
28588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy#include <linux/netfilter/xt_osf.h>
29588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
3094cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardtenum {
3194cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	O_GENRE = 0,
3294cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	O_TTL,
3394cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	O_LOGLEVEL,
3494cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt};
3594cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt
36588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardystatic void osf_help(void)
37588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy{
38588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	printf("OS fingerprint match options:\n"
3923e718b525f96b95510f50d20161c2bd92824ff1Jan Engelhardt		"[!] --genre string     Match a OS genre by passive fingerprinting.\n"
4023e718b525f96b95510f50d20161c2bd92824ff1Jan Engelhardt		"--ttl level            Use some TTL check extensions to determine OS:\n"
41588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"       0                       true ip and fingerprint TTL comparison. Works for LAN.\n"
42588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"       1                       check if ip TTL is less than fingerprint one. Works for global addresses.\n"
43588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"       2                       do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n"
44588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"--log level            Log determined genres into dmesg even if they do not match desired one:\n"
45588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"       0                       log all matched or unknown signatures.\n"
46588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"       1                       log only first one.\n"
47588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		"       2                       log all known matched signatures.\n"
48588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy		);
49588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy}
50588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
5194cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt#define s struct xt_osf_info
5294cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardtstatic const struct xt_option_entry osf_opts[] = {
5394cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	{.name = "genre", .id = O_GENRE, .type = XTTYPE_STRING,
5494cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	 .flags = XTOPT_MAND | XTOPT_INVERT | XTOPT_PUT,
5594cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	 XTOPT_POINTER(s, genre)},
5694cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	{.name = "ttl", .id = O_TTL, .type = XTTYPE_UINT32,
5794cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	 .flags = XTOPT_PUT, XTOPT_POINTER(s, ttl), .min = 0, .max = 2},
5894cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	{.name = "log", .id = O_LOGLEVEL, .type = XTTYPE_UINT32,
5994cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	 .flags = XTOPT_PUT, XTOPT_POINTER(s, loglevel), .min = 0, .max = 2},
6094cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	XTOPT_TABLEEND,
61588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy};
6294cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt#undef s
63588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
6494cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardtstatic void osf_parse(struct xt_option_call *cb)
65588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy{
6694cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	struct xt_osf_info *info = cb->data;
67588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
6894cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	xtables_option_parse(cb);
6994cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	switch (cb->entry->id) {
7094cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt		case O_GENRE:
7194cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt			if (cb->invert)
72588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy				info->flags |= XT_OSF_INVERT;
7394cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt			info->len = strlen(info->genre);
74588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy			break;
7594cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt		case O_TTL:
76588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy			info->flags |= XT_OSF_TTL;
77588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy			break;
7894cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt		case O_LOGLEVEL:
79588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy			info->flags |= XT_OSF_LOG;
80588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy			break;
81588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	}
82588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy}
83588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
84588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardystatic void osf_print(const void *ip, const struct xt_entry_match *match, int numeric)
85588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy{
86588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	const struct xt_osf_info *info = (const struct xt_osf_info*) match->data;
87588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
8873866357e4a7a0fdc1b293bf8863fee2bd56da9eJan Engelhardt	printf(" OS fingerprint match %s%s", (info->flags & XT_OSF_INVERT) ? "! " : "", info->genre);
89588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy}
90588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
91588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardystatic void osf_save(const void *ip, const struct xt_entry_match *match)
92588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy{
93588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	const struct xt_osf_info *info = (const struct xt_osf_info*) match->data;
94588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
955c522b4523f2edb8e581131ba4cb414a5ee7ece4Pablo Neira Ayuso	if (info->flags & XT_OSF_INVERT)
965c522b4523f2edb8e581131ba4cb414a5ee7ece4Pablo Neira Ayuso		printf(" !");
975c522b4523f2edb8e581131ba4cb414a5ee7ece4Pablo Neira Ayuso
985c522b4523f2edb8e581131ba4cb414a5ee7ece4Pablo Neira Ayuso	printf(" --genre %s", info->genre);
9971e2bf5cf25a821d62f7d75eb8efa4c61a214c6bPablo Neira Ayuso	if (info->flags & XT_OSF_TTL)
10071e2bf5cf25a821d62f7d75eb8efa4c61a214c6bPablo Neira Ayuso		printf(" --ttl %u", info->ttl);
10171e2bf5cf25a821d62f7d75eb8efa4c61a214c6bPablo Neira Ayuso	if (info->flags & XT_OSF_LOG)
10271e2bf5cf25a821d62f7d75eb8efa4c61a214c6bPablo Neira Ayuso		printf(" --log %u", info->loglevel);
103588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy}
104588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
105588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardystatic struct xtables_match osf_match = {
106588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.name		= "osf",
107588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.version	= XTABLES_VERSION,
108588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.size		= XT_ALIGN(sizeof(struct xt_osf_info)),
109588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.userspacesize	= XT_ALIGN(sizeof(struct xt_osf_info)),
110588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.help		= osf_help,
11194cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	.x6_parse	= osf_parse,
112588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.print		= osf_print,
113588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	.save		= osf_save,
11494cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	.x6_options	= osf_opts,
11594cd683a969e024ec870df258fafd790b8a1abf1Jan Engelhardt	.family		= NFPROTO_IPV4,
116588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy};
117588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy
118588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardyvoid _init(void)
119588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy{
120588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy	xtables_register_match(&osf_match);
121588b615bc78ddef3752f356d1e243129c4dbba96Patrick McHardy}
122