Fernando Fernandez Mancera <ffmanc...@riseup.net> wrote:
> Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start
> the nftables OSF implementation.

> diff --git a/include/uapi/linux/netfilter/nf_osf.h 
> b/include/uapi/linux/netfilter/nf_osf.h
> new file mode 100644
> index 000000000000..76016b0066f5
> --- /dev/null
> +++ b/include/uapi/linux/netfilter/nf_osf.h
> +bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
> +            int hooknum, struct net_device *in, struct net_device *out,
> +            const struct xt_osf_info *info, struct net *net);
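
Review bot: the nf_osf_match() prototype takes `const struct sk_buff *`, `struct net_device *` and `struct net *`, kernel-only types that userspace cannot use, so declaring it under include/uapi/ exports something with no userspace meaning. It also takes `const struct xt_osf_info *info`, which ties the shared helper to the xtables match's own argument struct. If nf_osf.c is meant to serve more than xt_osf, move the declaration to a kernel-internal header and consider a backend-neutral parameter type.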

No need to expose this in UAPI header, this would be an in-kernel
helper function.

> diff --git a/include/uapi/linux/netfilter/xt_osf.h 
> b/include/uapi/linux/netfilter/xt_osf.h
> index dad197e2ab99..262ad1607bcf 100644
> --- a/include/uapi/linux/netfilter/xt_osf.h
> +++ b/include/uapi/linux/netfilter/xt_osf.h
> @@ -24,100 +24,10 @@
>  #include <linux/ip.h>
>  #include <linux/tcp.h>
>  
> -#define MAXGENRELEN          32
> -
>  #define XT_OSF_GENRE         (1<<0)
> -#define      XT_OSF_TTL              (1<<1)
> -#define XT_OSF_LOG           (1<<2)
>  #define XT_OSF_INVERT                (1<<3)
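
Review bot: the hunk header (`-24,100 +24,10`) shows roughly 90 lines leaving a uapi header, and the visible removals include `MAXGENRELEN`, `XT_OSF_TTL` and `XT_OSF_LOG`, so any userspace source that includes xt_osf.h and uses those names stops compiling. If the definitions have to live in the new nf_osf.h, have xt_osf.h include it or keep the old names defined here, so that what this header exposes does not change.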

This removes userspace-exposed values from the header so
this breaks uapi.

Just leave this file alone.

> +config NFT_OSF
> +    tristate '"osf" Passive OS fingerprint match'
> +     depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
> +     help
> +       This option selects the Passive OS Fingerprinting match module
> +       that allows to passively match the remote operating system by
> +       analyzing incoming TCP SYN packets.
> +
> +       Rules and loading software can be downloaded from
> +       http://www.ioremap.net/projects/osf
> +
> +       To compile it as a module, choose M here.  If unsure, say N.
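
Review bot: the `depends on` line names only NETFILTER_ADVANCED and NETFILTER_NETLINK, so nothing in this entry ties a symbol called NFT_OSF to nf_tables, and both the prompt and the help text describe the "match module" rather than nftables support. Name the symbol and prompt after what the option actually builds. In the help text, "allows to passively match" should read "allows passively matching".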

This says NFT_OSF, yet it controls nf_osf.c which looks like the
backend.

So this should be "config NF_OSF" and have no help text, then make
XT_OSF "select" the NF_OSF knob.
