| 1/* $FreeBSD: head/sys/contrib/pf/net/pf_osfp.c 126261 2004-02-26 02:34:12Z mlaier $ */
|
1/* $OpenBSD: pf_osfp.c,v 1.3 2003/08/27 18:23:36 frantzen Exp $ */ 2 3/* 4 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 * 18 */ 19 20#include <sys/param.h> 21#include <sys/socket.h> 22#ifdef _KERNEL 23# include <sys/systm.h> 24#endif /* _KERNEL */ 25#include <sys/mbuf.h> 26 27#include <netinet/in.h> 28#include <netinet/in_systm.h> 29#include <netinet/ip.h> 30#include <netinet/tcp.h> 31 32#include <net/if.h> 33#include <net/pfvar.h> 34 35#ifdef INET6 36#include <netinet/ip6.h> 37#endif /* INET6 */ 38
| 2/* $OpenBSD: pf_osfp.c,v 1.3 2003/08/27 18:23:36 frantzen Exp $ */ 3 4/* 5 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 * 19 */ 20 21#include <sys/param.h> 22#include <sys/socket.h> 23#ifdef _KERNEL 24# include <sys/systm.h> 25#endif /* _KERNEL */ 26#include <sys/mbuf.h> 27 28#include <netinet/in.h> 29#include <netinet/in_systm.h> 30#include <netinet/ip.h> 31#include <netinet/tcp.h> 32 33#include <net/if.h> 34#include <net/pfvar.h> 35 36#ifdef INET6 37#include <netinet/ip6.h> 38#endif /* INET6 */ 39
|
39
| |
40#ifdef _KERNEL 41# define DPFPRINTF(format, x...) \ 42 if (pf_status.debug >= PF_DEBUG_NOISY) \ 43 printf(format , ##x)
| 40#ifdef _KERNEL 41# define DPFPRINTF(format, x...) \ 42 if (pf_status.debug >= PF_DEBUG_NOISY) \ 43 printf(format , ##x)
|
| 44#if defined(__FreeBSD__) 45typedef uma_zone_t pool_t; 46#else
|
44typedef struct pool pool_t;
| 47typedef struct pool pool_t;
|
| 48#endif
|
45 46#else 47/* Userland equivalents so we can lend code to tcpdump et al. */ 48 49# include <arpa/inet.h> 50# include <errno.h> 51# include <stdio.h> 52# include <stdlib.h> 53# define pool_t int 54# define pool_get(pool, flags) malloc(*(pool)) 55# define pool_put(pool, item) free(item) 56# define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size) 57
| 49 50#else 51/* Userland equivalents so we can lend code to tcpdump et al. */ 52 53# include <arpa/inet.h> 54# include <errno.h> 55# include <stdio.h> 56# include <stdlib.h> 57# define pool_t int 58# define pool_get(pool, flags) malloc(*(pool)) 59# define pool_put(pool, item) free(item) 60# define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size) 61
|
| 62# if defined(__FreeBSD__) 63# define NTOHS(x) (x) = ntohs((u_int16_t)(x)) 64# endif 65
|
58# ifdef PFDEBUG 59# include <stdarg.h> 60# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) 61# else 62# define DPFPRINTF(format, x...) ((void)0) 63# endif /* PFDEBUG */ 64#endif /* _KERNEL */ 65 66 67SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list; 68pool_t pf_osfp_entry_pl; 69pool_t pf_osfp_pl; 70 71struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *, 72 struct pf_os_fingerprint *, u_int8_t); 73struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *, 74 struct pf_os_fingerprint *); 75void pf_osfp_insert(struct pf_osfp_list *, 76 struct pf_os_fingerprint *); 77 78 79#ifdef _KERNEL 80/* 81 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only) 82 * Returns the list of possible OSes. 83 */ 84struct pf_osfp_enlist * 85pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off, 86 const struct tcphdr *tcp) 87{ 88 struct ip *ip; 89 char hdr[60]; 90 91 /* XXX don't have a fingerprint database for IPv6 :-( */ 92 if (pd->af != PF_INET || pd->proto != IPPROTO_TCP || (tcp->th_off << 2) 93 < sizeof(*tcp)) 94 return (NULL); 95 96 ip = mtod(m, struct ip *); 97 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL, pd->af)) 98 return (NULL); 99 100 return (pf_osfp_fingerprint_hdr(ip, (struct tcphdr *)hdr)); 101} 102#endif /* _KERNEL */ 103 104struct pf_osfp_enlist * 105pf_osfp_fingerprint_hdr(const struct ip *ip, const struct tcphdr *tcp) 106{ 107 struct pf_os_fingerprint fp, *fpresult; 108 int cnt, optlen = 0;
| 66# ifdef PFDEBUG 67# include <stdarg.h> 68# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x) 69# else 70# define DPFPRINTF(format, x...) ((void)0) 71# endif /* PFDEBUG */ 72#endif /* _KERNEL */ 73 74 75SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list; 76pool_t pf_osfp_entry_pl; 77pool_t pf_osfp_pl; 78 79struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *, 80 struct pf_os_fingerprint *, u_int8_t); 81struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *, 82 struct pf_os_fingerprint *); 83void pf_osfp_insert(struct pf_osfp_list *, 84 struct pf_os_fingerprint *); 85 86 87#ifdef _KERNEL 88/* 89 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only) 90 * Returns the list of possible OSes. 91 */ 92struct pf_osfp_enlist * 93pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off, 94 const struct tcphdr *tcp) 95{ 96 struct ip *ip; 97 char hdr[60]; 98 99 /* XXX don't have a fingerprint database for IPv6 :-( */ 100 if (pd->af != PF_INET || pd->proto != IPPROTO_TCP || (tcp->th_off << 2) 101 < sizeof(*tcp)) 102 return (NULL); 103 104 ip = mtod(m, struct ip *); 105 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL, pd->af)) 106 return (NULL); 107 108 return (pf_osfp_fingerprint_hdr(ip, (struct tcphdr *)hdr)); 109} 110#endif /* _KERNEL */ 111 112struct pf_osfp_enlist * 113pf_osfp_fingerprint_hdr(const struct ip *ip, const struct tcphdr *tcp) 114{ 115 struct pf_os_fingerprint fp, *fpresult; 116 int cnt, optlen = 0;
|
109 u_int8_t *optp;
| 117 const u_int8_t *optp;
|
110 111 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN || (ip->ip_off & 112 htons(IP_OFFMASK))) 113 return (NULL); 114 115 memset(&fp, 0, sizeof(fp)); 116 117 fp.fp_psize = ntohs(ip->ip_len); 118 fp.fp_ttl = ip->ip_ttl; 119 if (ip->ip_off & htons(IP_DF)) 120 fp.fp_flags |= PF_OSFP_DF; 121 fp.fp_wsize = ntohs(tcp->th_win); 122 123 124 cnt = (tcp->th_off << 2) - sizeof(*tcp);
| 118 119 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN || (ip->ip_off & 120 htons(IP_OFFMASK))) 121 return (NULL); 122 123 memset(&fp, 0, sizeof(fp)); 124 125 fp.fp_psize = ntohs(ip->ip_len); 126 fp.fp_ttl = ip->ip_ttl; 127 if (ip->ip_off & htons(IP_DF)) 128 fp.fp_flags |= PF_OSFP_DF; 129 fp.fp_wsize = ntohs(tcp->th_win); 130 131 132 cnt = (tcp->th_off << 2) - sizeof(*tcp);
|
125 optp = (caddr_t)tcp + sizeof(*tcp);
| 133 optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
|
126 for (; cnt > 0; cnt -= optlen, optp += optlen) { 127 if (*optp == TCPOPT_EOL) 128 break; 129 130 fp.fp_optcnt++; 131 if (*optp == TCPOPT_NOP) { 132 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) | 133 PF_OSFP_TCPOPT_NOP; 134 optlen = 1; 135 } else { 136 if (cnt < 2) 137 return (NULL); 138 optlen = optp[1]; 139 if (optlen > cnt || optlen < 2) 140 return (NULL); 141 switch (*optp) { 142 case TCPOPT_MAXSEG: 143 if (optlen >= TCPOLEN_MAXSEG) 144 memcpy(&fp.fp_mss, &optp[2], 145 sizeof(fp.fp_mss)); 146 fp.fp_tcpopts = (fp.fp_tcpopts << 147 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS; 148 NTOHS(fp.fp_mss); 149 break; 150 case TCPOPT_WINDOW: 151 if (optlen >= TCPOLEN_WINDOW) 152 memcpy(&fp.fp_wscale, &optp[2], 153 sizeof(fp.fp_wscale)); 154 NTOHS(fp.fp_wscale); 155 fp.fp_tcpopts = (fp.fp_tcpopts << 156 PF_OSFP_TCPOPT_BITS) | 157 PF_OSFP_TCPOPT_WSCALE; 158 break; 159 case TCPOPT_SACK_PERMITTED: 160 fp.fp_tcpopts = (fp.fp_tcpopts << 161 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK; 162 break; 163 case TCPOPT_TIMESTAMP: 164 if (optlen >= TCPOLEN_TIMESTAMP) { 165 u_int32_t ts; 166 memcpy(&ts, &optp[2], sizeof(ts)); 167 if (ts == 0) 168 fp.fp_flags |= PF_OSFP_TS0; 169 170 } 171 fp.fp_tcpopts = (fp.fp_tcpopts << 172 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS; 173 break; 174 default: 175 return (NULL); 176 } 177 } 178 optlen = MAX(optlen, 1); /* paranoia */ 179 } 180 181 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) " 182 "(TS=%s,M=%s%d,W=%s%d)\n", 183 inet_ntoa(ip->ip_src), ntohs(tcp->th_sport), 184 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0, 185 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt, 186 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "", 187 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" : 188 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "", 189 fp.fp_mss, 190 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" : 191 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", 192 fp.fp_wscale); 193 194 if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp, 195 PF_OSFP_MAXTTL_OFFSET))) 196 return (&fpresult->fp_oses); 197 return (NULL); 198} 199 200/* Match a fingerprint ID against a list of OSes */ 201int 202pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os) 203{ 204 struct pf_osfp_entry *entry; 205 int os_class, os_version, os_subtype; 206 int en_class, en_version, en_subtype; 207 208 if (os == PF_OSFP_ANY) 209 return (1); 210 if (list == NULL) { 211 DPFPRINTF("osfp no match against %x\n", os); 212 return (os == PF_OSFP_UNKNOWN); 213 } 214 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype); 215 SLIST_FOREACH(entry, list, fp_entry) { 216 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype); 217 if ((os_class == PF_OSFP_ANY || en_class == os_class) && 218 (os_version == PF_OSFP_ANY || en_version == os_version) && 219 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) { 220 DPFPRINTF("osfp matched %s %s %s %x==%x\n", 221 entry->fp_class_nm, entry->fp_version_nm, 222 entry->fp_subtype_nm, os, entry->fp_os); 223 return (1); 224 } 225 } 226 DPFPRINTF("fingerprint 0x%x didn't match\n", os); 227 return (0); 228} 229 230/* Initialize the OS fingerprint system */
| 134 for (; cnt > 0; cnt -= optlen, optp += optlen) { 135 if (*optp == TCPOPT_EOL) 136 break; 137 138 fp.fp_optcnt++; 139 if (*optp == TCPOPT_NOP) { 140 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) | 141 PF_OSFP_TCPOPT_NOP; 142 optlen = 1; 143 } else { 144 if (cnt < 2) 145 return (NULL); 146 optlen = optp[1]; 147 if (optlen > cnt || optlen < 2) 148 return (NULL); 149 switch (*optp) { 150 case TCPOPT_MAXSEG: 151 if (optlen >= TCPOLEN_MAXSEG) 152 memcpy(&fp.fp_mss, &optp[2], 153 sizeof(fp.fp_mss)); 154 fp.fp_tcpopts = (fp.fp_tcpopts << 155 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS; 156 NTOHS(fp.fp_mss); 157 break; 158 case TCPOPT_WINDOW: 159 if (optlen >= TCPOLEN_WINDOW) 160 memcpy(&fp.fp_wscale, &optp[2], 161 sizeof(fp.fp_wscale)); 162 NTOHS(fp.fp_wscale); 163 fp.fp_tcpopts = (fp.fp_tcpopts << 164 PF_OSFP_TCPOPT_BITS) | 165 PF_OSFP_TCPOPT_WSCALE; 166 break; 167 case TCPOPT_SACK_PERMITTED: 168 fp.fp_tcpopts = (fp.fp_tcpopts << 169 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK; 170 break; 171 case TCPOPT_TIMESTAMP: 172 if (optlen >= TCPOLEN_TIMESTAMP) { 173 u_int32_t ts; 174 memcpy(&ts, &optp[2], sizeof(ts)); 175 if (ts == 0) 176 fp.fp_flags |= PF_OSFP_TS0; 177 178 } 179 fp.fp_tcpopts = (fp.fp_tcpopts << 180 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS; 181 break; 182 default: 183 return (NULL); 184 } 185 } 186 optlen = MAX(optlen, 1); /* paranoia */ 187 } 188 189 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) " 190 "(TS=%s,M=%s%d,W=%s%d)\n", 191 inet_ntoa(ip->ip_src), ntohs(tcp->th_sport), 192 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0, 193 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt, 194 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "", 195 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" : 196 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "", 197 fp.fp_mss, 198 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" : 199 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", 200 fp.fp_wscale); 201 202 if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp, 203 PF_OSFP_MAXTTL_OFFSET))) 204 return (&fpresult->fp_oses); 205 return (NULL); 206} 207 208/* Match a fingerprint ID against a list of OSes */ 209int 210pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os) 211{ 212 struct pf_osfp_entry *entry; 213 int os_class, os_version, os_subtype; 214 int en_class, en_version, en_subtype; 215 216 if (os == PF_OSFP_ANY) 217 return (1); 218 if (list == NULL) { 219 DPFPRINTF("osfp no match against %x\n", os); 220 return (os == PF_OSFP_UNKNOWN); 221 } 222 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype); 223 SLIST_FOREACH(entry, list, fp_entry) { 224 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype); 225 if ((os_class == PF_OSFP_ANY || en_class == os_class) && 226 (os_version == PF_OSFP_ANY || en_version == os_version) && 227 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) { 228 DPFPRINTF("osfp matched %s %s %s %x==%x\n", 229 entry->fp_class_nm, entry->fp_version_nm, 230 entry->fp_subtype_nm, os, entry->fp_os); 231 return (1); 232 } 233 } 234 DPFPRINTF("fingerprint 0x%x didn't match\n", os); 235 return (0); 236} 237 238/* Initialize the OS fingerprint system */
|
| 239#if defined(__FreeBSD__) 240int 241#else
|
231void
| 242void
|
| 243#endif
|
232pf_osfp_initialize(void) 233{
| 244pf_osfp_initialize(void) 245{
|
| 246#if defined(__FreeBSD__) && defined(_KERNEL) 247 int error = ENOMEM; 248 249 do { 250 pf_osfp_entry_pl = pf_osfp_pl = NULL; 251 UMA_CREATE(pf_osfp_entry_pl, struct pf_osfp_entry, "pfospfen"); 252 UMA_CREATE(pf_osfp_pl, struct pf_os_fingerprint, "pfosfp"); 253 error = 0; 254 } while(0); 255#else
|
234 pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry), 0, 0, 0, 235 "pfosfpen", NULL); 236 pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint), 0, 0, 0, 237 "pfosfp", NULL);
| 256 pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry), 0, 0, 0, 257 "pfosfpen", NULL); 258 pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint), 0, 0, 0, 259 "pfosfp", NULL);
|
| 260#endif
|
238 SLIST_INIT(&pf_osfp_list);
| 261 SLIST_INIT(&pf_osfp_list);
|
| 262#if defined(__FreeBSD__) 263#if defined(_KERNEL) 264 return (error); 265#else 266 return (0); 267#endif 268#endif
|
239} 240
| 269} 270
|
| 271#if defined(__FreeBSD__) && (_KERNEL) 272void 273pf_osfp_cleanup(void) 274{ 275 UMA_DESTROY(pf_osfp_entry_pl); 276 UMA_DESTROY(pf_osfp_pl); 277} 278#endif 279
|
241/* Flush the fingerprint list */ 242void 243pf_osfp_flush(void) 244{ 245 struct pf_os_fingerprint *fp; 246 struct pf_osfp_entry *entry; 247 248 while ((fp = SLIST_FIRST(&pf_osfp_list))) { 249 SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next); 250 while ((entry = SLIST_FIRST(&fp->fp_oses))) { 251 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry); 252 pool_put(&pf_osfp_entry_pl, entry); 253 } 254 pool_put(&pf_osfp_pl, fp); 255 } 256} 257 258 259/* Add a fingerprint */ 260int 261pf_osfp_add(struct pf_osfp_ioctl *fpioc) 262{ 263 struct pf_os_fingerprint *fp, fpadd; 264 struct pf_osfp_entry *entry; 265 266 memset(&fpadd, 0, sizeof(fpadd)); 267 fpadd.fp_tcpopts = fpioc->fp_tcpopts; 268 fpadd.fp_wsize = fpioc->fp_wsize; 269 fpadd.fp_psize = fpioc->fp_psize; 270 fpadd.fp_mss = fpioc->fp_mss; 271 fpadd.fp_flags = fpioc->fp_flags; 272 fpadd.fp_optcnt = fpioc->fp_optcnt; 273 fpadd.fp_wscale = fpioc->fp_wscale; 274 fpadd.fp_ttl = fpioc->fp_ttl; 275 276 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d " 277 "(TS=%s,M=%s%d,W=%s%d) %x\n", 278 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm, 279 fpioc->fp_os.fp_subtype_nm, 280 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" : 281 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" : 282 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" : 283 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "", 284 fpadd.fp_wsize, 285 fpadd.fp_ttl, 286 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0, 287 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" : 288 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "", 289 fpadd.fp_psize, 290 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt, 291 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "", 292 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" : 293 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "", 294 fpadd.fp_mss, 295 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" : 296 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", 297 fpadd.fp_wscale, 298 fpioc->fp_os.fp_os); 299 300 301 if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) { 302 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { 303 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os)) 304 return (EEXIST); 305 } 306 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) 307 return (ENOMEM); 308 } else { 309 if ((fp = pool_get(&pf_osfp_pl, PR_NOWAIT)) == NULL) 310 return (ENOMEM); 311 memset(fp, 0, sizeof(*fp)); 312 fp->fp_tcpopts = fpioc->fp_tcpopts; 313 fp->fp_wsize = fpioc->fp_wsize; 314 fp->fp_psize = fpioc->fp_psize; 315 fp->fp_mss = fpioc->fp_mss; 316 fp->fp_flags = fpioc->fp_flags; 317 fp->fp_optcnt = fpioc->fp_optcnt; 318 fp->fp_wscale = fpioc->fp_wscale; 319 fp->fp_ttl = fpioc->fp_ttl; 320 SLIST_INIT(&fp->fp_oses); 321 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) { 322 pool_put(&pf_osfp_pl, fp); 323 return (ENOMEM); 324 } 325 pf_osfp_insert(&pf_osfp_list, fp); 326 } 327 memcpy(entry, &fpioc->fp_os, sizeof(*entry)); 328 329 /* Make sure the strings are NUL terminated */ 330 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0'; 331 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0'; 332 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0'; 333 334 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry); 335 336#ifdef PFDEBUG 337 if ((fp = pf_osfp_validate())) 338 printf("Invalid fingerprint list\n"); 339#endif /* PFDEBUG */ 340 return (0); 341} 342 343 344/* Find a fingerprint in the list */ 345struct pf_os_fingerprint * 346pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find, 347 u_int8_t ttldiff) 348{ 349 struct pf_os_fingerprint *f; 350 351#define MATCH_INT(_MOD, _DC, _field) \ 352 if ((f->fp_flags & _DC) == 0) { \ 353 if ((f->fp_flags & _MOD) == 0) { \ 354 if (f->_field != find->_field) \ 355 continue; \ 356 } else { \ 357 if (f->_field == 0 || find->_field % f->_field) \ 358 continue; \ 359 } \ 360 } 361 362 SLIST_FOREACH(f, list, fp_next) { 363 if (f->fp_tcpopts != find->fp_tcpopts || 364 f->fp_optcnt != find->fp_optcnt || 365 f->fp_ttl < find->fp_ttl || 366 f->fp_ttl - find->fp_ttl > ttldiff || 367 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) != 368 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0))) 369 continue; 370 371 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize) 372 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss) 373 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale) 374 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) { 375 if (f->fp_flags & PF_OSFP_WSIZE_MSS) { 376 if (find->fp_mss == 0) 377 continue; 378 379/* Some "smart" NAT devices and DSL routers will tweak the MSS size and 380 * will set it to whatever is suitable for the link type. 381 */ 382#define SMART_MSS 1460 383 if ((find->fp_wsize % find->fp_mss || 384 find->fp_wsize / find->fp_mss != 385 f->fp_wsize) && 386 (find->fp_wsize % SMART_MSS || 387 find->fp_wsize / SMART_MSS != 388 f->fp_wsize)) 389 continue; 390 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) { 391 if (find->fp_mss == 0) 392 continue; 393 394#define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr)) 395#define SMART_MTU (SMART_MSS + MTUOFF) 396 if ((find->fp_wsize % (find->fp_mss + MTUOFF) || 397 find->fp_wsize / (find->fp_mss + MTUOFF) != 398 f->fp_wsize) && 399 (find->fp_wsize % SMART_MTU || 400 find->fp_wsize / SMART_MTU != 401 f->fp_wsize)) 402 continue; 403 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) { 404 if (f->fp_wsize == 0 || find->fp_wsize % 405 f->fp_wsize) 406 continue; 407 } else { 408 if (f->fp_wsize != find->fp_wsize) 409 continue; 410 } 411 } 412 return (f); 413 } 414 415 return (NULL); 416} 417 418/* Find an exact fingerprint in the list */ 419struct pf_os_fingerprint * 420pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find) 421{ 422 struct pf_os_fingerprint *f; 423 424 SLIST_FOREACH(f, list, fp_next) { 425 if (f->fp_tcpopts == find->fp_tcpopts && 426 f->fp_wsize == find->fp_wsize && 427 f->fp_psize == find->fp_psize && 428 f->fp_mss == find->fp_mss && 429 f->fp_flags == find->fp_flags && 430 f->fp_optcnt == find->fp_optcnt && 431 f->fp_wscale == find->fp_wscale && 432 f->fp_ttl == find->fp_ttl) 433 return (f); 434 } 435 436 return (NULL); 437} 438 439/* Insert a fingerprint into the list */ 440void 441pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins) 442{ 443 struct pf_os_fingerprint *f, *prev = NULL; 444 445 /* XXX need to go semi tree based. can key on tcp options */ 446 447 SLIST_FOREACH(f, list, fp_next) 448 prev = f; 449 if (prev) 450 SLIST_INSERT_AFTER(prev, ins, fp_next); 451 else 452 SLIST_INSERT_HEAD(list, ins, fp_next); 453} 454 455/* Fill a fingerprint by its number (from an ioctl) */ 456int 457pf_osfp_get(struct pf_osfp_ioctl *fpioc) 458{ 459 struct pf_os_fingerprint *fp; 460 struct pf_osfp_entry *entry; 461 int num = fpioc->fp_getnum; 462 int i = 0; 463 464 465 memset(fpioc, 0, sizeof(*fpioc)); 466 SLIST_FOREACH(fp, &pf_osfp_list, fp_next) { 467 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { 468 if (i++ == num) { 469 fpioc->fp_mss = fp->fp_mss; 470 fpioc->fp_wsize = fp->fp_wsize; 471 fpioc->fp_flags = fp->fp_flags; 472 fpioc->fp_psize = fp->fp_psize; 473 fpioc->fp_ttl = fp->fp_ttl; 474 fpioc->fp_wscale = fp->fp_wscale; 475 fpioc->fp_getnum = num; 476 memcpy(&fpioc->fp_os, entry, 477 sizeof(fpioc->fp_os)); 478 return (0); 479 } 480 } 481 } 482 483 return (EBUSY); 484} 485 486 487/* Validate that each signature is reachable */ 488struct pf_os_fingerprint * 489pf_osfp_validate(void) 490{ 491 struct pf_os_fingerprint *f, *f2, find; 492 493 SLIST_FOREACH(f, &pf_osfp_list, fp_next) { 494 memcpy(&find, f, sizeof(find)); 495 496 /* We do a few MSS/th_win percolations to make things unique */ 497 if (find.fp_mss == 0) 498 find.fp_mss = 128; 499 if (f->fp_flags & PF_OSFP_WSIZE_MSS) 500 find.fp_wsize *= find.fp_mss, 1; 501 else if (f->fp_flags & PF_OSFP_WSIZE_MTU) 502 find.fp_wsize *= (find.fp_mss + 40); 503 else if (f->fp_flags & PF_OSFP_WSIZE_MOD) 504 find.fp_wsize *= 2; 505 if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) { 506 if (f2) 507 printf("Found \"%s %s %s\" instead of " 508 "\"%s %s %s\"\n", 509 SLIST_FIRST(&f2->fp_oses)->fp_class_nm, 510 SLIST_FIRST(&f2->fp_oses)->fp_version_nm, 511 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm, 512 SLIST_FIRST(&f->fp_oses)->fp_class_nm, 513 SLIST_FIRST(&f->fp_oses)->fp_version_nm, 514 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); 515 else 516 printf("Couldn't find \"%s %s %s\"\n", 517 SLIST_FIRST(&f->fp_oses)->fp_class_nm, 518 SLIST_FIRST(&f->fp_oses)->fp_version_nm, 519 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); 520 return (f); 521 } 522 } 523 return (NULL); 524}
| 280/* Flush the fingerprint list */ 281void 282pf_osfp_flush(void) 283{ 284 struct pf_os_fingerprint *fp; 285 struct pf_osfp_entry *entry; 286 287 while ((fp = SLIST_FIRST(&pf_osfp_list))) { 288 SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next); 289 while ((entry = SLIST_FIRST(&fp->fp_oses))) { 290 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry); 291 pool_put(&pf_osfp_entry_pl, entry); 292 } 293 pool_put(&pf_osfp_pl, fp); 294 } 295} 296 297 298/* Add a fingerprint */ 299int 300pf_osfp_add(struct pf_osfp_ioctl *fpioc) 301{ 302 struct pf_os_fingerprint *fp, fpadd; 303 struct pf_osfp_entry *entry; 304 305 memset(&fpadd, 0, sizeof(fpadd)); 306 fpadd.fp_tcpopts = fpioc->fp_tcpopts; 307 fpadd.fp_wsize = fpioc->fp_wsize; 308 fpadd.fp_psize = fpioc->fp_psize; 309 fpadd.fp_mss = fpioc->fp_mss; 310 fpadd.fp_flags = fpioc->fp_flags; 311 fpadd.fp_optcnt = fpioc->fp_optcnt; 312 fpadd.fp_wscale = fpioc->fp_wscale; 313 fpadd.fp_ttl = fpioc->fp_ttl; 314 315 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d " 316 "(TS=%s,M=%s%d,W=%s%d) %x\n", 317 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm, 318 fpioc->fp_os.fp_subtype_nm, 319 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" : 320 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" : 321 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" : 322 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "", 323 fpadd.fp_wsize, 324 fpadd.fp_ttl, 325 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0, 326 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" : 327 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "", 328 fpadd.fp_psize, 329 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt, 330 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "", 331 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" : 332 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "", 333 fpadd.fp_mss, 334 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" : 335 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "", 336 fpadd.fp_wscale, 337 fpioc->fp_os.fp_os); 338 339 340 if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) { 341 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { 342 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os)) 343 return (EEXIST); 344 } 345 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) 346 return (ENOMEM); 347 } else { 348 if ((fp = pool_get(&pf_osfp_pl, PR_NOWAIT)) == NULL) 349 return (ENOMEM); 350 memset(fp, 0, sizeof(*fp)); 351 fp->fp_tcpopts = fpioc->fp_tcpopts; 352 fp->fp_wsize = fpioc->fp_wsize; 353 fp->fp_psize = fpioc->fp_psize; 354 fp->fp_mss = fpioc->fp_mss; 355 fp->fp_flags = fpioc->fp_flags; 356 fp->fp_optcnt = fpioc->fp_optcnt; 357 fp->fp_wscale = fpioc->fp_wscale; 358 fp->fp_ttl = fpioc->fp_ttl; 359 SLIST_INIT(&fp->fp_oses); 360 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) { 361 pool_put(&pf_osfp_pl, fp); 362 return (ENOMEM); 363 } 364 pf_osfp_insert(&pf_osfp_list, fp); 365 } 366 memcpy(entry, &fpioc->fp_os, sizeof(*entry)); 367 368 /* Make sure the strings are NUL terminated */ 369 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0'; 370 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0'; 371 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0'; 372 373 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry); 374 375#ifdef PFDEBUG 376 if ((fp = pf_osfp_validate())) 377 printf("Invalid fingerprint list\n"); 378#endif /* PFDEBUG */ 379 return (0); 380} 381 382 383/* Find a fingerprint in the list */ 384struct pf_os_fingerprint * 385pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find, 386 u_int8_t ttldiff) 387{ 388 struct pf_os_fingerprint *f; 389 390#define MATCH_INT(_MOD, _DC, _field) \ 391 if ((f->fp_flags & _DC) == 0) { \ 392 if ((f->fp_flags & _MOD) == 0) { \ 393 if (f->_field != find->_field) \ 394 continue; \ 395 } else { \ 396 if (f->_field == 0 || find->_field % f->_field) \ 397 continue; \ 398 } \ 399 } 400 401 SLIST_FOREACH(f, list, fp_next) { 402 if (f->fp_tcpopts != find->fp_tcpopts || 403 f->fp_optcnt != find->fp_optcnt || 404 f->fp_ttl < find->fp_ttl || 405 f->fp_ttl - find->fp_ttl > ttldiff || 406 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) != 407 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0))) 408 continue; 409 410 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize) 411 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss) 412 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale) 413 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) { 414 if (f->fp_flags & PF_OSFP_WSIZE_MSS) { 415 if (find->fp_mss == 0) 416 continue; 417 418/* Some "smart" NAT devices and DSL routers will tweak the MSS size and 419 * will set it to whatever is suitable for the link type. 420 */ 421#define SMART_MSS 1460 422 if ((find->fp_wsize % find->fp_mss || 423 find->fp_wsize / find->fp_mss != 424 f->fp_wsize) && 425 (find->fp_wsize % SMART_MSS || 426 find->fp_wsize / SMART_MSS != 427 f->fp_wsize)) 428 continue; 429 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) { 430 if (find->fp_mss == 0) 431 continue; 432 433#define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr)) 434#define SMART_MTU (SMART_MSS + MTUOFF) 435 if ((find->fp_wsize % (find->fp_mss + MTUOFF) || 436 find->fp_wsize / (find->fp_mss + MTUOFF) != 437 f->fp_wsize) && 438 (find->fp_wsize % SMART_MTU || 439 find->fp_wsize / SMART_MTU != 440 f->fp_wsize)) 441 continue; 442 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) { 443 if (f->fp_wsize == 0 || find->fp_wsize % 444 f->fp_wsize) 445 continue; 446 } else { 447 if (f->fp_wsize != find->fp_wsize) 448 continue; 449 } 450 } 451 return (f); 452 } 453 454 return (NULL); 455} 456 457/* Find an exact fingerprint in the list */ 458struct pf_os_fingerprint * 459pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find) 460{ 461 struct pf_os_fingerprint *f; 462 463 SLIST_FOREACH(f, list, fp_next) { 464 if (f->fp_tcpopts == find->fp_tcpopts && 465 f->fp_wsize == find->fp_wsize && 466 f->fp_psize == find->fp_psize && 467 f->fp_mss == find->fp_mss && 468 f->fp_flags == find->fp_flags && 469 f->fp_optcnt == find->fp_optcnt && 470 f->fp_wscale == find->fp_wscale && 471 f->fp_ttl == find->fp_ttl) 472 return (f); 473 } 474 475 return (NULL); 476} 477 478/* Insert a fingerprint into the list */ 479void 480pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins) 481{ 482 struct pf_os_fingerprint *f, *prev = NULL; 483 484 /* XXX need to go semi tree based. can key on tcp options */ 485 486 SLIST_FOREACH(f, list, fp_next) 487 prev = f; 488 if (prev) 489 SLIST_INSERT_AFTER(prev, ins, fp_next); 490 else 491 SLIST_INSERT_HEAD(list, ins, fp_next); 492} 493 494/* Fill a fingerprint by its number (from an ioctl) */ 495int 496pf_osfp_get(struct pf_osfp_ioctl *fpioc) 497{ 498 struct pf_os_fingerprint *fp; 499 struct pf_osfp_entry *entry; 500 int num = fpioc->fp_getnum; 501 int i = 0; 502 503 504 memset(fpioc, 0, sizeof(*fpioc)); 505 SLIST_FOREACH(fp, &pf_osfp_list, fp_next) { 506 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) { 507 if (i++ == num) { 508 fpioc->fp_mss = fp->fp_mss; 509 fpioc->fp_wsize = fp->fp_wsize; 510 fpioc->fp_flags = fp->fp_flags; 511 fpioc->fp_psize = fp->fp_psize; 512 fpioc->fp_ttl = fp->fp_ttl; 513 fpioc->fp_wscale = fp->fp_wscale; 514 fpioc->fp_getnum = num; 515 memcpy(&fpioc->fp_os, entry, 516 sizeof(fpioc->fp_os)); 517 return (0); 518 } 519 } 520 } 521 522 return (EBUSY); 523} 524 525 526/* Validate that each signature is reachable */ 527struct pf_os_fingerprint * 528pf_osfp_validate(void) 529{ 530 struct pf_os_fingerprint *f, *f2, find; 531 532 SLIST_FOREACH(f, &pf_osfp_list, fp_next) { 533 memcpy(&find, f, sizeof(find)); 534 535 /* We do a few MSS/th_win percolations to make things unique */ 536 if (find.fp_mss == 0) 537 find.fp_mss = 128; 538 if (f->fp_flags & PF_OSFP_WSIZE_MSS) 539 find.fp_wsize *= find.fp_mss, 1; 540 else if (f->fp_flags & PF_OSFP_WSIZE_MTU) 541 find.fp_wsize *= (find.fp_mss + 40); 542 else if (f->fp_flags & PF_OSFP_WSIZE_MOD) 543 find.fp_wsize *= 2; 544 if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) { 545 if (f2) 546 printf("Found \"%s %s %s\" instead of " 547 "\"%s %s %s\"\n", 548 SLIST_FIRST(&f2->fp_oses)->fp_class_nm, 549 SLIST_FIRST(&f2->fp_oses)->fp_version_nm, 550 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm, 551 SLIST_FIRST(&f->fp_oses)->fp_class_nm, 552 SLIST_FIRST(&f->fp_oses)->fp_version_nm, 553 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); 554 else 555 printf("Couldn't find \"%s %s %s\"\n", 556 SLIST_FIRST(&f->fp_oses)->fp_class_nm, 557 SLIST_FIRST(&f->fp_oses)->fp_version_nm, 558 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm); 559 return (f); 560 } 561 } 562 return (NULL); 563}
|