doc: osf: add ttl option to man page

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 0fda76dda11b048f3cf4ec6d14b8f26a1d137a9c..761f50bc13923aff99ac691a50c5f59366e9f975 100644 (file)
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -187,18 +187,30 @@ and others) from packets with the SYN bit set.
 [options="header"]
 |==================
 |Name |Description| Type
+|ttl|
+Do TTL checks on the packet to determine the operating system.|
+string
 |name|
-Name of the OS signature to match. All signatures can be found at pf.os file.|
-Use "unknown" for OS signatures that the expression could not detect.
+Name of the OS signature to match. All signatures can be found at pf.os file.
+Use "unknown" for OS signatures that the expression could not detect.|
+string
 |==================
 
+.Available ttl values
+---------------------
+If no TTL attribute is passed, make a true IP header and fingerprint TTL true comparison. This generally works for LANs.
+
+* loose: Check if the IP header's TTL is less than the fingerprint one. Works for globally-routable addresses.
+* skip: Do not compare the TTL at all.
+---------------------
+
 .Using osf expression
 ---------------------
-# Accept packets that match the "Linux" OS signature.
+# Accept packets that match the "Linux" OS genre signature without comparing TTL.
 table inet x {
     chain y {
        type filter hook input priority 0; policy accept;
-        osf "Linux"
+        osf ttl skip name "Linux"
     }
 }
 -----------------------