Deleted Added
sdiff udiff text old ( 126259 ) new ( 126261 )
full compact
pf_osfp.c (126259) pf_osfp.c (126261)
1/* $FreeBSD: head/sys/contrib/pf/net/pf_osfp.c 126261 2004-02-26 02:34:12Z mlaier $ */
1/* $OpenBSD: pf_osfp.c,v 1.3 2003/08/27 18:23:36 frantzen Exp $ */
2
3/*
4 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 *
18 */
19
20#include <sys/param.h>
21#include <sys/socket.h>
22#ifdef _KERNEL
23# include <sys/systm.h>
24#endif /* _KERNEL */
25#include <sys/mbuf.h>
26
27#include <netinet/in.h>
28#include <netinet/in_systm.h>
29#include <netinet/ip.h>
30#include <netinet/tcp.h>
31
32#include <net/if.h>
33#include <net/pfvar.h>
34
35#ifdef INET6
36#include <netinet/ip6.h>
37#endif /* INET6 */
38
2/* $OpenBSD: pf_osfp.c,v 1.3 2003/08/27 18:23:36 frantzen Exp $ */
3
4/*
5 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 *
19 */
20
21#include <sys/param.h>
22#include <sys/socket.h>
23#ifdef _KERNEL
24# include <sys/systm.h>
25#endif /* _KERNEL */
26#include <sys/mbuf.h>
27
28#include <netinet/in.h>
29#include <netinet/in_systm.h>
30#include <netinet/ip.h>
31#include <netinet/tcp.h>
32
33#include <net/if.h>
34#include <net/pfvar.h>
35
36#ifdef INET6
37#include <netinet/ip6.h>
38#endif /* INET6 */
39
39
40#ifdef _KERNEL
41# define DPFPRINTF(format, x...) \
42 if (pf_status.debug >= PF_DEBUG_NOISY) \
43 printf(format , ##x)
40#ifdef _KERNEL
41# define DPFPRINTF(format, x...) \
42 if (pf_status.debug >= PF_DEBUG_NOISY) \
43 printf(format , ##x)
44#if defined(__FreeBSD__)
45typedef uma_zone_t pool_t;
46#else
44typedef struct pool pool_t;
47typedef struct pool pool_t;
48#endif
45
46#else
47/* Userland equivalents so we can lend code to tcpdump et al. */
48
49# include <arpa/inet.h>
50# include <errno.h>
51# include <stdio.h>
52# include <stdlib.h>
53# define pool_t int
54# define pool_get(pool, flags) malloc(*(pool))
55# define pool_put(pool, item) free(item)
56# define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size)
57
49
50#else
51/* Userland equivalents so we can lend code to tcpdump et al. */
52
53# include <arpa/inet.h>
54# include <errno.h>
55# include <stdio.h>
56# include <stdlib.h>
57# define pool_t int
58# define pool_get(pool, flags) malloc(*(pool))
59# define pool_put(pool, item) free(item)
60# define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size)
61
62# if defined(__FreeBSD__)
63# define NTOHS(x) (x) = ntohs((u_int16_t)(x))
64# endif
65
58# ifdef PFDEBUG
59# include <stdarg.h>
60# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
61# else
62# define DPFPRINTF(format, x...) ((void)0)
63# endif /* PFDEBUG */
64#endif /* _KERNEL */
65
66
67SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list;
68pool_t pf_osfp_entry_pl;
69pool_t pf_osfp_pl;
70
71struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *,
72 struct pf_os_fingerprint *, u_int8_t);
73struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *,
74 struct pf_os_fingerprint *);
75void pf_osfp_insert(struct pf_osfp_list *,
76 struct pf_os_fingerprint *);
77
78
79#ifdef _KERNEL
80/*
81 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only)
82 * Returns the list of possible OSes.
83 */
84struct pf_osfp_enlist *
85pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off,
86 const struct tcphdr *tcp)
87{
88 struct ip *ip;
89 char hdr[60];
90
91 /* XXX don't have a fingerprint database for IPv6 :-( */
92 if (pd->af != PF_INET || pd->proto != IPPROTO_TCP || (tcp->th_off << 2)
93 < sizeof(*tcp))
94 return (NULL);
95
96 ip = mtod(m, struct ip *);
97 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL, pd->af))
98 return (NULL);
99
100 return (pf_osfp_fingerprint_hdr(ip, (struct tcphdr *)hdr));
101}
102#endif /* _KERNEL */
103
104struct pf_osfp_enlist *
105pf_osfp_fingerprint_hdr(const struct ip *ip, const struct tcphdr *tcp)
106{
107 struct pf_os_fingerprint fp, *fpresult;
108 int cnt, optlen = 0;
66# ifdef PFDEBUG
67# include <stdarg.h>
68# define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
69# else
70# define DPFPRINTF(format, x...) ((void)0)
71# endif /* PFDEBUG */
72#endif /* _KERNEL */
73
74
75SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list;
76pool_t pf_osfp_entry_pl;
77pool_t pf_osfp_pl;
78
79struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *,
80 struct pf_os_fingerprint *, u_int8_t);
81struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *,
82 struct pf_os_fingerprint *);
83void pf_osfp_insert(struct pf_osfp_list *,
84 struct pf_os_fingerprint *);
85
86
87#ifdef _KERNEL
88/*
89 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only)
90 * Returns the list of possible OSes.
91 */
92struct pf_osfp_enlist *
93pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off,
94 const struct tcphdr *tcp)
95{
96 struct ip *ip;
97 char hdr[60];
98
99 /* XXX don't have a fingerprint database for IPv6 :-( */
100 if (pd->af != PF_INET || pd->proto != IPPROTO_TCP || (tcp->th_off << 2)
101 < sizeof(*tcp))
102 return (NULL);
103
104 ip = mtod(m, struct ip *);
105 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL, pd->af))
106 return (NULL);
107
108 return (pf_osfp_fingerprint_hdr(ip, (struct tcphdr *)hdr));
109}
110#endif /* _KERNEL */
111
112struct pf_osfp_enlist *
113pf_osfp_fingerprint_hdr(const struct ip *ip, const struct tcphdr *tcp)
114{
115 struct pf_os_fingerprint fp, *fpresult;
116 int cnt, optlen = 0;
109 u_int8_t *optp;
117 const u_int8_t *optp;
110
111 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN || (ip->ip_off &
112 htons(IP_OFFMASK)))
113 return (NULL);
114
115 memset(&fp, 0, sizeof(fp));
116
117 fp.fp_psize = ntohs(ip->ip_len);
118 fp.fp_ttl = ip->ip_ttl;
119 if (ip->ip_off & htons(IP_DF))
120 fp.fp_flags |= PF_OSFP_DF;
121 fp.fp_wsize = ntohs(tcp->th_win);
122
123
124 cnt = (tcp->th_off << 2) - sizeof(*tcp);
118
119 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN || (ip->ip_off &
120 htons(IP_OFFMASK)))
121 return (NULL);
122
123 memset(&fp, 0, sizeof(fp));
124
125 fp.fp_psize = ntohs(ip->ip_len);
126 fp.fp_ttl = ip->ip_ttl;
127 if (ip->ip_off & htons(IP_DF))
128 fp.fp_flags |= PF_OSFP_DF;
129 fp.fp_wsize = ntohs(tcp->th_win);
130
131
132 cnt = (tcp->th_off << 2) - sizeof(*tcp);
125 optp = (caddr_t)tcp + sizeof(*tcp);
133 optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
126 for (; cnt > 0; cnt -= optlen, optp += optlen) {
127 if (*optp == TCPOPT_EOL)
128 break;
129
130 fp.fp_optcnt++;
131 if (*optp == TCPOPT_NOP) {
132 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
133 PF_OSFP_TCPOPT_NOP;
134 optlen = 1;
135 } else {
136 if (cnt < 2)
137 return (NULL);
138 optlen = optp[1];
139 if (optlen > cnt || optlen < 2)
140 return (NULL);
141 switch (*optp) {
142 case TCPOPT_MAXSEG:
143 if (optlen >= TCPOLEN_MAXSEG)
144 memcpy(&fp.fp_mss, &optp[2],
145 sizeof(fp.fp_mss));
146 fp.fp_tcpopts = (fp.fp_tcpopts <<
147 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
148 NTOHS(fp.fp_mss);
149 break;
150 case TCPOPT_WINDOW:
151 if (optlen >= TCPOLEN_WINDOW)
152 memcpy(&fp.fp_wscale, &optp[2],
153 sizeof(fp.fp_wscale));
154 NTOHS(fp.fp_wscale);
155 fp.fp_tcpopts = (fp.fp_tcpopts <<
156 PF_OSFP_TCPOPT_BITS) |
157 PF_OSFP_TCPOPT_WSCALE;
158 break;
159 case TCPOPT_SACK_PERMITTED:
160 fp.fp_tcpopts = (fp.fp_tcpopts <<
161 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
162 break;
163 case TCPOPT_TIMESTAMP:
164 if (optlen >= TCPOLEN_TIMESTAMP) {
165 u_int32_t ts;
166 memcpy(&ts, &optp[2], sizeof(ts));
167 if (ts == 0)
168 fp.fp_flags |= PF_OSFP_TS0;
169
170 }
171 fp.fp_tcpopts = (fp.fp_tcpopts <<
172 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
173 break;
174 default:
175 return (NULL);
176 }
177 }
178 optlen = MAX(optlen, 1); /* paranoia */
179 }
180
181 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
182 "(TS=%s,M=%s%d,W=%s%d)\n",
183 inet_ntoa(ip->ip_src), ntohs(tcp->th_sport),
184 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
185 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
186 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "",
187 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
188 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
189 fp.fp_mss,
190 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
191 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
192 fp.fp_wscale);
193
194 if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp,
195 PF_OSFP_MAXTTL_OFFSET)))
196 return (&fpresult->fp_oses);
197 return (NULL);
198}
199
200/* Match a fingerprint ID against a list of OSes */
201int
202pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
203{
204 struct pf_osfp_entry *entry;
205 int os_class, os_version, os_subtype;
206 int en_class, en_version, en_subtype;
207
208 if (os == PF_OSFP_ANY)
209 return (1);
210 if (list == NULL) {
211 DPFPRINTF("osfp no match against %x\n", os);
212 return (os == PF_OSFP_UNKNOWN);
213 }
214 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
215 SLIST_FOREACH(entry, list, fp_entry) {
216 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype);
217 if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
218 (os_version == PF_OSFP_ANY || en_version == os_version) &&
219 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
220 DPFPRINTF("osfp matched %s %s %s %x==%x\n",
221 entry->fp_class_nm, entry->fp_version_nm,
222 entry->fp_subtype_nm, os, entry->fp_os);
223 return (1);
224 }
225 }
226 DPFPRINTF("fingerprint 0x%x didn't match\n", os);
227 return (0);
228}
229
230/* Initialize the OS fingerprint system */
134 for (; cnt > 0; cnt -= optlen, optp += optlen) {
135 if (*optp == TCPOPT_EOL)
136 break;
137
138 fp.fp_optcnt++;
139 if (*optp == TCPOPT_NOP) {
140 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
141 PF_OSFP_TCPOPT_NOP;
142 optlen = 1;
143 } else {
144 if (cnt < 2)
145 return (NULL);
146 optlen = optp[1];
147 if (optlen > cnt || optlen < 2)
148 return (NULL);
149 switch (*optp) {
150 case TCPOPT_MAXSEG:
151 if (optlen >= TCPOLEN_MAXSEG)
152 memcpy(&fp.fp_mss, &optp[2],
153 sizeof(fp.fp_mss));
154 fp.fp_tcpopts = (fp.fp_tcpopts <<
155 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
156 NTOHS(fp.fp_mss);
157 break;
158 case TCPOPT_WINDOW:
159 if (optlen >= TCPOLEN_WINDOW)
160 memcpy(&fp.fp_wscale, &optp[2],
161 sizeof(fp.fp_wscale));
162 NTOHS(fp.fp_wscale);
163 fp.fp_tcpopts = (fp.fp_tcpopts <<
164 PF_OSFP_TCPOPT_BITS) |
165 PF_OSFP_TCPOPT_WSCALE;
166 break;
167 case TCPOPT_SACK_PERMITTED:
168 fp.fp_tcpopts = (fp.fp_tcpopts <<
169 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
170 break;
171 case TCPOPT_TIMESTAMP:
172 if (optlen >= TCPOLEN_TIMESTAMP) {
173 u_int32_t ts;
174 memcpy(&ts, &optp[2], sizeof(ts));
175 if (ts == 0)
176 fp.fp_flags |= PF_OSFP_TS0;
177
178 }
179 fp.fp_tcpopts = (fp.fp_tcpopts <<
180 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
181 break;
182 default:
183 return (NULL);
184 }
185 }
186 optlen = MAX(optlen, 1); /* paranoia */
187 }
188
189 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
190 "(TS=%s,M=%s%d,W=%s%d)\n",
191 inet_ntoa(ip->ip_src), ntohs(tcp->th_sport),
192 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
193 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
194 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "",
195 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
196 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
197 fp.fp_mss,
198 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
199 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
200 fp.fp_wscale);
201
202 if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp,
203 PF_OSFP_MAXTTL_OFFSET)))
204 return (&fpresult->fp_oses);
205 return (NULL);
206}
207
208/* Match a fingerprint ID against a list of OSes */
209int
210pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
211{
212 struct pf_osfp_entry *entry;
213 int os_class, os_version, os_subtype;
214 int en_class, en_version, en_subtype;
215
216 if (os == PF_OSFP_ANY)
217 return (1);
218 if (list == NULL) {
219 DPFPRINTF("osfp no match against %x\n", os);
220 return (os == PF_OSFP_UNKNOWN);
221 }
222 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
223 SLIST_FOREACH(entry, list, fp_entry) {
224 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype);
225 if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
226 (os_version == PF_OSFP_ANY || en_version == os_version) &&
227 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
228 DPFPRINTF("osfp matched %s %s %s %x==%x\n",
229 entry->fp_class_nm, entry->fp_version_nm,
230 entry->fp_subtype_nm, os, entry->fp_os);
231 return (1);
232 }
233 }
234 DPFPRINTF("fingerprint 0x%x didn't match\n", os);
235 return (0);
236}
237
238/* Initialize the OS fingerprint system */
239#if defined(__FreeBSD__)
240int
241#else
231void
242void
243#endif
232pf_osfp_initialize(void)
233{
244pf_osfp_initialize(void)
245{
246#if defined(__FreeBSD__) && defined(_KERNEL)
247 int error = ENOMEM;
248
249 do {
250 pf_osfp_entry_pl = pf_osfp_pl = NULL;
251 UMA_CREATE(pf_osfp_entry_pl, struct pf_osfp_entry, "pfospfen");
252 UMA_CREATE(pf_osfp_pl, struct pf_os_fingerprint, "pfosfp");
253 error = 0;
254 } while(0);
255#else
234 pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry), 0, 0, 0,
235 "pfosfpen", NULL);
236 pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint), 0, 0, 0,
237 "pfosfp", NULL);
256 pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry), 0, 0, 0,
257 "pfosfpen", NULL);
258 pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint), 0, 0, 0,
259 "pfosfp", NULL);
260#endif
238 SLIST_INIT(&pf_osfp_list);
261 SLIST_INIT(&pf_osfp_list);
262#if defined(__FreeBSD__)
263#if defined(_KERNEL)
264 return (error);
265#else
266 return (0);
267#endif
268#endif
239}
240
269}
270
271#if defined(__FreeBSD__) && (_KERNEL)
272void
273pf_osfp_cleanup(void)
274{
275 UMA_DESTROY(pf_osfp_entry_pl);
276 UMA_DESTROY(pf_osfp_pl);
277}
278#endif
279
241/* Flush the fingerprint list */
242void
243pf_osfp_flush(void)
244{
245 struct pf_os_fingerprint *fp;
246 struct pf_osfp_entry *entry;
247
248 while ((fp = SLIST_FIRST(&pf_osfp_list))) {
249 SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next);
250 while ((entry = SLIST_FIRST(&fp->fp_oses))) {
251 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry);
252 pool_put(&pf_osfp_entry_pl, entry);
253 }
254 pool_put(&pf_osfp_pl, fp);
255 }
256}
257
258
259/* Add a fingerprint */
260int
261pf_osfp_add(struct pf_osfp_ioctl *fpioc)
262{
263 struct pf_os_fingerprint *fp, fpadd;
264 struct pf_osfp_entry *entry;
265
266 memset(&fpadd, 0, sizeof(fpadd));
267 fpadd.fp_tcpopts = fpioc->fp_tcpopts;
268 fpadd.fp_wsize = fpioc->fp_wsize;
269 fpadd.fp_psize = fpioc->fp_psize;
270 fpadd.fp_mss = fpioc->fp_mss;
271 fpadd.fp_flags = fpioc->fp_flags;
272 fpadd.fp_optcnt = fpioc->fp_optcnt;
273 fpadd.fp_wscale = fpioc->fp_wscale;
274 fpadd.fp_ttl = fpioc->fp_ttl;
275
276 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
277 "(TS=%s,M=%s%d,W=%s%d) %x\n",
278 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
279 fpioc->fp_os.fp_subtype_nm,
280 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
281 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
282 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
283 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
284 fpadd.fp_wsize,
285 fpadd.fp_ttl,
286 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
287 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
288 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
289 fpadd.fp_psize,
290 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
291 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "",
292 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
293 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
294 fpadd.fp_mss,
295 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
296 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
297 fpadd.fp_wscale,
298 fpioc->fp_os.fp_os);
299
300
301 if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) {
302 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
303 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
304 return (EEXIST);
305 }
306 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL)
307 return (ENOMEM);
308 } else {
309 if ((fp = pool_get(&pf_osfp_pl, PR_NOWAIT)) == NULL)
310 return (ENOMEM);
311 memset(fp, 0, sizeof(*fp));
312 fp->fp_tcpopts = fpioc->fp_tcpopts;
313 fp->fp_wsize = fpioc->fp_wsize;
314 fp->fp_psize = fpioc->fp_psize;
315 fp->fp_mss = fpioc->fp_mss;
316 fp->fp_flags = fpioc->fp_flags;
317 fp->fp_optcnt = fpioc->fp_optcnt;
318 fp->fp_wscale = fpioc->fp_wscale;
319 fp->fp_ttl = fpioc->fp_ttl;
320 SLIST_INIT(&fp->fp_oses);
321 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) {
322 pool_put(&pf_osfp_pl, fp);
323 return (ENOMEM);
324 }
325 pf_osfp_insert(&pf_osfp_list, fp);
326 }
327 memcpy(entry, &fpioc->fp_os, sizeof(*entry));
328
329 /* Make sure the strings are NUL terminated */
330 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
331 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
332 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';
333
334 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);
335
336#ifdef PFDEBUG
337 if ((fp = pf_osfp_validate()))
338 printf("Invalid fingerprint list\n");
339#endif /* PFDEBUG */
340 return (0);
341}
342
343
344/* Find a fingerprint in the list */
345struct pf_os_fingerprint *
346pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
347 u_int8_t ttldiff)
348{
349 struct pf_os_fingerprint *f;
350
351#define MATCH_INT(_MOD, _DC, _field) \
352 if ((f->fp_flags & _DC) == 0) { \
353 if ((f->fp_flags & _MOD) == 0) { \
354 if (f->_field != find->_field) \
355 continue; \
356 } else { \
357 if (f->_field == 0 || find->_field % f->_field) \
358 continue; \
359 } \
360 }
361
362 SLIST_FOREACH(f, list, fp_next) {
363 if (f->fp_tcpopts != find->fp_tcpopts ||
364 f->fp_optcnt != find->fp_optcnt ||
365 f->fp_ttl < find->fp_ttl ||
366 f->fp_ttl - find->fp_ttl > ttldiff ||
367 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
368 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
369 continue;
370
371 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
372 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
373 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
374 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
375 if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
376 if (find->fp_mss == 0)
377 continue;
378
379/* Some "smart" NAT devices and DSL routers will tweak the MSS size and
380 * will set it to whatever is suitable for the link type.
381 */
382#define SMART_MSS 1460
383 if ((find->fp_wsize % find->fp_mss ||
384 find->fp_wsize / find->fp_mss !=
385 f->fp_wsize) &&
386 (find->fp_wsize % SMART_MSS ||
387 find->fp_wsize / SMART_MSS !=
388 f->fp_wsize))
389 continue;
390 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
391 if (find->fp_mss == 0)
392 continue;
393
394#define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr))
395#define SMART_MTU (SMART_MSS + MTUOFF)
396 if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
397 find->fp_wsize / (find->fp_mss + MTUOFF) !=
398 f->fp_wsize) &&
399 (find->fp_wsize % SMART_MTU ||
400 find->fp_wsize / SMART_MTU !=
401 f->fp_wsize))
402 continue;
403 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
404 if (f->fp_wsize == 0 || find->fp_wsize %
405 f->fp_wsize)
406 continue;
407 } else {
408 if (f->fp_wsize != find->fp_wsize)
409 continue;
410 }
411 }
412 return (f);
413 }
414
415 return (NULL);
416}
417
418/* Find an exact fingerprint in the list */
419struct pf_os_fingerprint *
420pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
421{
422 struct pf_os_fingerprint *f;
423
424 SLIST_FOREACH(f, list, fp_next) {
425 if (f->fp_tcpopts == find->fp_tcpopts &&
426 f->fp_wsize == find->fp_wsize &&
427 f->fp_psize == find->fp_psize &&
428 f->fp_mss == find->fp_mss &&
429 f->fp_flags == find->fp_flags &&
430 f->fp_optcnt == find->fp_optcnt &&
431 f->fp_wscale == find->fp_wscale &&
432 f->fp_ttl == find->fp_ttl)
433 return (f);
434 }
435
436 return (NULL);
437}
438
439/* Insert a fingerprint into the list */
440void
441pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
442{
443 struct pf_os_fingerprint *f, *prev = NULL;
444
445 /* XXX need to go semi tree based. can key on tcp options */
446
447 SLIST_FOREACH(f, list, fp_next)
448 prev = f;
449 if (prev)
450 SLIST_INSERT_AFTER(prev, ins, fp_next);
451 else
452 SLIST_INSERT_HEAD(list, ins, fp_next);
453}
454
455/* Fill a fingerprint by its number (from an ioctl) */
456int
457pf_osfp_get(struct pf_osfp_ioctl *fpioc)
458{
459 struct pf_os_fingerprint *fp;
460 struct pf_osfp_entry *entry;
461 int num = fpioc->fp_getnum;
462 int i = 0;
463
464
465 memset(fpioc, 0, sizeof(*fpioc));
466 SLIST_FOREACH(fp, &pf_osfp_list, fp_next) {
467 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
468 if (i++ == num) {
469 fpioc->fp_mss = fp->fp_mss;
470 fpioc->fp_wsize = fp->fp_wsize;
471 fpioc->fp_flags = fp->fp_flags;
472 fpioc->fp_psize = fp->fp_psize;
473 fpioc->fp_ttl = fp->fp_ttl;
474 fpioc->fp_wscale = fp->fp_wscale;
475 fpioc->fp_getnum = num;
476 memcpy(&fpioc->fp_os, entry,
477 sizeof(fpioc->fp_os));
478 return (0);
479 }
480 }
481 }
482
483 return (EBUSY);
484}
485
486
487/* Validate that each signature is reachable */
488struct pf_os_fingerprint *
489pf_osfp_validate(void)
490{
491 struct pf_os_fingerprint *f, *f2, find;
492
493 SLIST_FOREACH(f, &pf_osfp_list, fp_next) {
494 memcpy(&find, f, sizeof(find));
495
496 /* We do a few MSS/th_win percolations to make things unique */
497 if (find.fp_mss == 0)
498 find.fp_mss = 128;
499 if (f->fp_flags & PF_OSFP_WSIZE_MSS)
500 find.fp_wsize *= find.fp_mss, 1;
501 else if (f->fp_flags & PF_OSFP_WSIZE_MTU)
502 find.fp_wsize *= (find.fp_mss + 40);
503 else if (f->fp_flags & PF_OSFP_WSIZE_MOD)
504 find.fp_wsize *= 2;
505 if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) {
506 if (f2)
507 printf("Found \"%s %s %s\" instead of "
508 "\"%s %s %s\"\n",
509 SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
510 SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
511 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm,
512 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
513 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
514 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
515 else
516 printf("Couldn't find \"%s %s %s\"\n",
517 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
518 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
519 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
520 return (f);
521 }
522 }
523 return (NULL);
524}
280/* Flush the fingerprint list */
281void
282pf_osfp_flush(void)
283{
284 struct pf_os_fingerprint *fp;
285 struct pf_osfp_entry *entry;
286
287 while ((fp = SLIST_FIRST(&pf_osfp_list))) {
288 SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next);
289 while ((entry = SLIST_FIRST(&fp->fp_oses))) {
290 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry);
291 pool_put(&pf_osfp_entry_pl, entry);
292 }
293 pool_put(&pf_osfp_pl, fp);
294 }
295}
296
297
298/* Add a fingerprint */
299int
300pf_osfp_add(struct pf_osfp_ioctl *fpioc)
301{
302 struct pf_os_fingerprint *fp, fpadd;
303 struct pf_osfp_entry *entry;
304
305 memset(&fpadd, 0, sizeof(fpadd));
306 fpadd.fp_tcpopts = fpioc->fp_tcpopts;
307 fpadd.fp_wsize = fpioc->fp_wsize;
308 fpadd.fp_psize = fpioc->fp_psize;
309 fpadd.fp_mss = fpioc->fp_mss;
310 fpadd.fp_flags = fpioc->fp_flags;
311 fpadd.fp_optcnt = fpioc->fp_optcnt;
312 fpadd.fp_wscale = fpioc->fp_wscale;
313 fpadd.fp_ttl = fpioc->fp_ttl;
314
315 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
316 "(TS=%s,M=%s%d,W=%s%d) %x\n",
317 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
318 fpioc->fp_os.fp_subtype_nm,
319 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
320 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
321 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
322 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
323 fpadd.fp_wsize,
324 fpadd.fp_ttl,
325 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
326 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
327 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
328 fpadd.fp_psize,
329 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
330 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "",
331 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
332 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
333 fpadd.fp_mss,
334 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
335 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
336 fpadd.fp_wscale,
337 fpioc->fp_os.fp_os);
338
339
340 if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) {
341 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
342 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
343 return (EEXIST);
344 }
345 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL)
346 return (ENOMEM);
347 } else {
348 if ((fp = pool_get(&pf_osfp_pl, PR_NOWAIT)) == NULL)
349 return (ENOMEM);
350 memset(fp, 0, sizeof(*fp));
351 fp->fp_tcpopts = fpioc->fp_tcpopts;
352 fp->fp_wsize = fpioc->fp_wsize;
353 fp->fp_psize = fpioc->fp_psize;
354 fp->fp_mss = fpioc->fp_mss;
355 fp->fp_flags = fpioc->fp_flags;
356 fp->fp_optcnt = fpioc->fp_optcnt;
357 fp->fp_wscale = fpioc->fp_wscale;
358 fp->fp_ttl = fpioc->fp_ttl;
359 SLIST_INIT(&fp->fp_oses);
360 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) {
361 pool_put(&pf_osfp_pl, fp);
362 return (ENOMEM);
363 }
364 pf_osfp_insert(&pf_osfp_list, fp);
365 }
366 memcpy(entry, &fpioc->fp_os, sizeof(*entry));
367
368 /* Make sure the strings are NUL terminated */
369 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
370 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
371 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';
372
373 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);
374
375#ifdef PFDEBUG
376 if ((fp = pf_osfp_validate()))
377 printf("Invalid fingerprint list\n");
378#endif /* PFDEBUG */
379 return (0);
380}
381
382
383/* Find a fingerprint in the list */
384struct pf_os_fingerprint *
385pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
386 u_int8_t ttldiff)
387{
388 struct pf_os_fingerprint *f;
389
390#define MATCH_INT(_MOD, _DC, _field) \
391 if ((f->fp_flags & _DC) == 0) { \
392 if ((f->fp_flags & _MOD) == 0) { \
393 if (f->_field != find->_field) \
394 continue; \
395 } else { \
396 if (f->_field == 0 || find->_field % f->_field) \
397 continue; \
398 } \
399 }
400
401 SLIST_FOREACH(f, list, fp_next) {
402 if (f->fp_tcpopts != find->fp_tcpopts ||
403 f->fp_optcnt != find->fp_optcnt ||
404 f->fp_ttl < find->fp_ttl ||
405 f->fp_ttl - find->fp_ttl > ttldiff ||
406 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
407 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
408 continue;
409
410 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
411 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
412 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
413 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
414 if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
415 if (find->fp_mss == 0)
416 continue;
417
418/* Some "smart" NAT devices and DSL routers will tweak the MSS size and
419 * will set it to whatever is suitable for the link type.
420 */
421#define SMART_MSS 1460
422 if ((find->fp_wsize % find->fp_mss ||
423 find->fp_wsize / find->fp_mss !=
424 f->fp_wsize) &&
425 (find->fp_wsize % SMART_MSS ||
426 find->fp_wsize / SMART_MSS !=
427 f->fp_wsize))
428 continue;
429 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
430 if (find->fp_mss == 0)
431 continue;
432
433#define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr))
434#define SMART_MTU (SMART_MSS + MTUOFF)
435 if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
436 find->fp_wsize / (find->fp_mss + MTUOFF) !=
437 f->fp_wsize) &&
438 (find->fp_wsize % SMART_MTU ||
439 find->fp_wsize / SMART_MTU !=
440 f->fp_wsize))
441 continue;
442 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
443 if (f->fp_wsize == 0 || find->fp_wsize %
444 f->fp_wsize)
445 continue;
446 } else {
447 if (f->fp_wsize != find->fp_wsize)
448 continue;
449 }
450 }
451 return (f);
452 }
453
454 return (NULL);
455}
456
457/* Find an exact fingerprint in the list */
458struct pf_os_fingerprint *
459pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
460{
461 struct pf_os_fingerprint *f;
462
463 SLIST_FOREACH(f, list, fp_next) {
464 if (f->fp_tcpopts == find->fp_tcpopts &&
465 f->fp_wsize == find->fp_wsize &&
466 f->fp_psize == find->fp_psize &&
467 f->fp_mss == find->fp_mss &&
468 f->fp_flags == find->fp_flags &&
469 f->fp_optcnt == find->fp_optcnt &&
470 f->fp_wscale == find->fp_wscale &&
471 f->fp_ttl == find->fp_ttl)
472 return (f);
473 }
474
475 return (NULL);
476}
477
478/* Insert a fingerprint into the list */
479void
480pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
481{
482 struct pf_os_fingerprint *f, *prev = NULL;
483
484 /* XXX need to go semi tree based. can key on tcp options */
485
486 SLIST_FOREACH(f, list, fp_next)
487 prev = f;
488 if (prev)
489 SLIST_INSERT_AFTER(prev, ins, fp_next);
490 else
491 SLIST_INSERT_HEAD(list, ins, fp_next);
492}
493
494/* Fill a fingerprint by its number (from an ioctl) */
495int
496pf_osfp_get(struct pf_osfp_ioctl *fpioc)
497{
498 struct pf_os_fingerprint *fp;
499 struct pf_osfp_entry *entry;
500 int num = fpioc->fp_getnum;
501 int i = 0;
502
503
504 memset(fpioc, 0, sizeof(*fpioc));
505 SLIST_FOREACH(fp, &pf_osfp_list, fp_next) {
506 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
507 if (i++ == num) {
508 fpioc->fp_mss = fp->fp_mss;
509 fpioc->fp_wsize = fp->fp_wsize;
510 fpioc->fp_flags = fp->fp_flags;
511 fpioc->fp_psize = fp->fp_psize;
512 fpioc->fp_ttl = fp->fp_ttl;
513 fpioc->fp_wscale = fp->fp_wscale;
514 fpioc->fp_getnum = num;
515 memcpy(&fpioc->fp_os, entry,
516 sizeof(fpioc->fp_os));
517 return (0);
518 }
519 }
520 }
521
522 return (EBUSY);
523}
524
525
526/* Validate that each signature is reachable */
527struct pf_os_fingerprint *
528pf_osfp_validate(void)
529{
530 struct pf_os_fingerprint *f, *f2, find;
531
532 SLIST_FOREACH(f, &pf_osfp_list, fp_next) {
533 memcpy(&find, f, sizeof(find));
534
535 /* We do a few MSS/th_win percolations to make things unique */
536 if (find.fp_mss == 0)
537 find.fp_mss = 128;
538 if (f->fp_flags & PF_OSFP_WSIZE_MSS)
539 find.fp_wsize *= find.fp_mss, 1;
540 else if (f->fp_flags & PF_OSFP_WSIZE_MTU)
541 find.fp_wsize *= (find.fp_mss + 40);
542 else if (f->fp_flags & PF_OSFP_WSIZE_MOD)
543 find.fp_wsize *= 2;
544 if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) {
545 if (f2)
546 printf("Found \"%s %s %s\" instead of "
547 "\"%s %s %s\"\n",
548 SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
549 SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
550 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm,
551 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
552 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
553 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
554 else
555 printf("Couldn't find \"%s %s %s\"\n",
556 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
557 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
558 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
559 return (f);
560 }
561 }
562 return (NULL);
563}