The idea of passive OS fingerprint matching has existed for quite a long time,
but it was created as an extension for OpenBSD pf only some weeks ago.
The original idea was spotted on an OpenBSD mailing list (thanks
grange@open...) and then adopted for Linux netfilter in the form of this code.

The original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.

This module compares some data (WS, MSS, options and their order, TTL,
DF and others) from the first SYN packet (actually from packets with the SYN
bit set) with dynamically loaded OS fingerprints.


OSF also has:
  --log 1/0
	If present, OSF will log determined genres even if they don't match
	the desired one.
	0 - log all determined entries,
	1 - only the first one.
	
	Example:
	#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
	NOTE: -p tcp is obviously required as it is a TCP match.

	In syslog you will find something like this:
	ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
	ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80

  --smart
	If present, OSF will use some smartness to determine the remote OS.
	OSF will use the initial TTL only if the source of the connection is in our local network.
  
  --netlink
	If present, OSF will also log all events through netlink NETLINK_NFLOG group 1.

Fingerprints can be loaded and read through the /proc/sys/net/ipv4/osf file.
One can flush all fingerprints with the following command:
echo -en FLUSH > /proc/sys/net/ipv4/osf

Only one fingerprint per open/write/close.

Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
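
Added example, not part of the ipt_osf code: Python that parses the "Unknown" syslog line shown above and decodes its hex TCP options into the letter tokens used in pf.os (M = MSS, N = NOP, W = window scale, S = SACK permitted, T = timestamp), which helps when writing a fingerprint for a host that did not match. The field order window:ttl:df:size:options is an assumption taken from the pf.os layout, and the names parse_unknown and decode_options are hypothetical.

```python
import re

# Constructed sample: the "Unknown" line from the syslog example above.
SAMPLE = ("ipt_osf: Unknown: 16384:106:1:48:020405B401010402 "
          "44.33.22.11:1239 -> 11.22.33.44:80")

# Assumed field order (from the pf.os layout): window:ttl:df:size:options
LINE_RE = re.compile(r"ipt_osf: Unknown: (\d+):(\d+):(\d+):(\d+):([0-9A-Fa-f]*) "
                     r"(\S+):(\d+) -> (\S+):(\d+)")

def decode_options(raw):
    """Walk the TCP option bytes and return pf.os-style tokens."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            out.append("N")
            i += 1
            continue
        # Every other option is kind, length, value; reject bad lengths.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2 and length == 4:      # maximum segment size
            out.append("M%d" % int.from_bytes(value, "big"))
        elif kind == 3 and length == 3:    # window scale
            out.append("W%d" % value[0])
        elif kind == 4 and length == 2:    # SACK permitted
            out.append("S")
        elif kind == 8 and length == 10:   # timestamp
            out.append("T")
        else:
            out.append("?%d" % kind)       # not decoded here
        i += length
    return out

def parse_unknown(line):
    """Return the fields of an 'Unknown' log line, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    window, ttl, df, size = (int(x) for x in m.group(1, 2, 3, 4))
    opts = decode_options(bytes.fromhex(m.group(5)))
    return {"window": window, "ttl": ttl, "df": df, "size": size,
            "src": m.group(6), "dst": m.group(8), "options": opts,
            "signature": "%d:%d:%d:%d:%s" % (window, ttl, df, size, ",".join(opts))}
```

The TTL in the result is the value seen on the wire, so it has to be mapped to the sender's initial TTL before the signature can be used as a fingerprint entry.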
