src - OpenBSD base system

diff options


context:
space:
mode:

author	Mike Frantzen <frantzen@cvs.openbsd.org>	2003-08-21 19:12:10 +0000
committer	Mike Frantzen <frantzen@cvs.openbsd.org>	2003-08-21 19:12:10 +0000
commit	b52022c22d0099a7ee4fac807fbc3cf0d1ed41dd (patch)
tree	ee69abaecaf37fc21178586105aec99dbe4500db /sbin
parent	ac8ea66182cc0e72f3c2b0178333b53707008bbc (diff)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.

Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable: . block proto tcp from any os SCO . block proto tcp from any os Windows to any port smtp . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Diffstat (limited to 'sbin')

-rw-r--r--

sbin/pfctl/Makefile

-rw-r--r--

sbin/pfctl/parse.y

119

-rw-r--r--

sbin/pfctl/pfctl.8

-rw-r--r--

sbin/pfctl/pfctl.c

-rw-r--r--

sbin/pfctl/pfctl_osfp.c

1093

-rw-r--r--

sbin/pfctl/pfctl_parser.c

-rw-r--r--

sbin/pfctl/pfctl_parser.h

7 files changed, 1259 insertions, 41 deletions

diff --git a/sbin/pfctl/Makefile b/sbin/pfctl/Makefile
index 073484f978a..cf9025963c6 100644
--- a/sbin/pfctl/Makefile
+++ b/sbin/pfctl/Makefile

@@ -1,7 +1,7 @@

-# $OpenBSD: Makefile,v 1.12 2003/01/09 17:33:19 henning Exp $

+# $OpenBSD: Makefile,v 1.13 2003/08/21 19:12:08 frantzen Exp $

PROG= pfctl

-SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c

+SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c pfctl_osfp.c

SRCS+= pfctl_radix.c pfctl_table.c pfctl_qstats.c

CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized

CFLAGS+= -Wstrict-prototypes

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 887ff9f8bbe..99c93752428 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y

@@ -1,4 +1,4 @@

-/* $OpenBSD: parse.y,v 1.408 2003/08/20 16:27:36 henning Exp $ */

+/* $OpenBSD: parse.y,v 1.409 2003/08/21 19:12:08 frantzen Exp $ */

@@ -231,9 +231,9 @@ void expand_label(char *, const char *, u_int8_t, struct node_host *,

struct node_port *, struct node_host *, struct node_port *,

u_int8_t);

void expand_rule(struct pf_rule *, struct node_if *, struct node_host *,

- struct node_proto *, struct node_host *, struct node_port *,

- struct node_host *, struct node_port *, struct node_uid *,

- struct node_gid *, struct node_icmp *);

+ struct node_proto *, struct node_os*, struct node_host *,

+ struct node_port *, struct node_host *, struct node_port *,

+ struct node_uid *, struct node_gid *, struct node_icmp *);

int expand_altq(struct pf_altq *, struct node_if *, struct node_queue *,

struct node_queue_bw bwspec, struct node_queue_opt *);

int expand_queue(struct pf_altq *, struct node_if *, struct node_queue *,

@@ -297,6 +297,7 @@ typedef struct {

struct node_proto *proto;

struct node_icmp *icmp;

struct node_host *host;

+ struct node_os *os;

struct node_port *port;

struct node_uid *uid;

struct node_gid *gid;

@@ -304,6 +305,7 @@ typedef struct {

struct peer peer;

struct {

struct peer src, dst;

+ struct node_os *src_os;

} fromto;

struct pf_poolhashkey *hashkey;

struct {

@@ -357,14 +359,14 @@ typedef struct {

-%token PASS BLOCK SCRUB RETURN IN OUT LOG LOGALL QUICK ON FROM TO FLAGS

+%token PASS BLOCK SCRUB RETURN IN OS OUT LOG LOGALL QUICK ON FROM TO FLAGS

%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE

%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF

%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL

%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE

%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR

%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID

-%token REQUIREORDER SYNPROXY

+%token REQUIREORDER SYNPROXY FINGERPRINTS

%token ANTISPOOF FOR

%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT

%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT

@@ -391,6 +393,7 @@ typedef struct {

%type <v.host> ipspec xhost host dynaddr host_list

%type <v.host> redir_host_list redirspec

%type <v.host> route_host route_host_list routespec

+%type <v.os> os xos os_list

%type <v.port> portspec port_list port_item

%type <v.uid> uids uid_list uid_item

%type <v.gid> gids gid_list gid_item

@@ -476,6 +479,16 @@ option : SET OPTIMIZATION STRING {

$3 == 1 ? "yes" : "no");

require_order = $3;

}

+ | SET FINGERPRINTS STRING {

+ if (pf->opts & PF_OPT_VERBOSE)

+ printf("fingerprints %s\n", $3);

+ if (check_rulestate(PFCTL_STATE_OPTION))

+ YYERROR;

+ if (pfctl_file_fingerprints(pf->dev, pf->opts, $3)) {

+ yyerror("error loading fingerprints %s", $3);

+ YYERROR;

+ }

;

string : string STRING {

@@ -508,7 +521,7 @@ anchorrule : ANCHOR string dir interface af proto fromto {

decide_address_family($7.src.host, &r.af);

decide_address_family($7.dst.host, &r.af);

- expand_rule(&r, $4, NULL, $6,

+ expand_rule(&r, $4, NULL, $6, $7.src_os,

$7.src.host, $7.src.port, $7.dst.host, $7.dst.port,

0, 0, 0);

}

@@ -525,7 +538,7 @@ anchorrule : ANCHOR string dir interface af proto fromto {

decide_address_family($6.src.host, &r.af);

decide_address_family($6.dst.host, &r.af);

- expand_rule(&r, $3, NULL, $5,

+ expand_rule(&r, $3, NULL, $5, $6.src_os,

$6.src.host, $6.src.port, $6.dst.host, $6.dst.port,

0, 0, 0);

}

@@ -563,7 +576,7 @@ anchorrule : ANCHOR string dir interface af proto fromto {

r.dst.port_op = $6.dst.port->op;

}

- expand_rule(&r, $3, NULL, $5,

+ expand_rule(&r, $3, NULL, $5, $6.src_os,

$6.src.host, $6.src.port, $6.dst.host, $6.dst.port,

0, 0, 0);

}

@@ -682,7 +695,7 @@ scrubrule : SCRUB dir logquick interface af proto fromto scrub_opts

if ($8.fragcache)

r.rule_flag |= $8.fragcache;

- expand_rule(&r, $4, NULL, $6,

+ expand_rule(&r, $4, NULL, $6, $7.src_os,

$7.src.host, $7.src.port, $7.dst.host, $7.dst.port,

NULL, NULL, NULL);

}

@@ -795,8 +808,8 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {

j->not = 1;

h = ifa_lookup(j->ifname, PFCTL_IFLOOKUP_NET);

- expand_rule(&r, j, NULL, NULL, h, NULL, NULL,

- NULL, NULL, NULL, NULL);

+ expand_rule(&r, j, NULL, NULL, NULL, h, NULL,

+ NULL, NULL, NULL, NULL, NULL);

if ((i->ifa_flags & IFF_LOOPBACK) == 0) {

bzero(&r, sizeof(r));

@@ -810,8 +823,9 @@ antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {

YYERROR;

h = ifa_lookup(i->ifname,

PFCTL_IFLOOKUP_HOST);

- expand_rule(&r, NULL, NULL, NULL, h,

- NULL, NULL, NULL, NULL, NULL, NULL);

+ expand_rule(&r, NULL, NULL, NULL, NULL,

+ h, NULL, NULL, NULL, NULL, NULL,

+ NULL);

}

free($5.label);

@@ -1353,15 +1367,29 @@ pfrule : action dir logquick interface route af proto fromto

if (rule_label(&r, $9.label))

YYERROR;

free($9.label);

- if ($9.flags.b1 || $9.flags.b2) {

+ if ($9.flags.b1 || $9.flags.b2 || $8.src_os) {

for (proto = $7; proto != NULL &&

proto->proto != IPPROTO_TCP;

proto = proto->next)

; /* nothing */

if (proto == NULL && $7 != NULL) {

- yyerror("flags only apply to tcp");

+ if ($9.flags.b1 || $9.flags.b2)

+ yyerror(

+ "flags only apply to tcp");

+ if ($8.src_os)

+ yyerror(

+ "OS fingerprinting only "

+ "apply to tcp");

YYERROR;

}

+#if 0

+ if (($9.flags.b1 & parse_flags("S")) == 0 &&

+ $8.src_os) {

+ yyerror("OS fingerprinting requires "

+ "the SYN TCP flag (flags S/SA)");

+ YYERROR;

+ }

+#endif

}

r.tos = $9.tos;

@@ -1452,7 +1480,7 @@ pfrule : action dir logquick interface route af proto fromto

free($9.queues.pqname);

}

- expand_rule(&r, $4, $5.host, $7,

+ expand_rule(&r, $4, $5.host, $7, $8.src_os,

$8.src.host, $8.src.port, $8.dst.host, $8.dst.port,

$9.uid, $9.gid, $9.icmpspec);

}

@@ -1716,10 +1744,34 @@ fromto : ALL {

$$.src.port = NULL;

$$.dst.host = NULL;

$$.dst.port = NULL;

+ $$.src_os = NULL;

}

- | from to {

+ | from os to {

$$.src = $1;

- $$.dst = $2;

+ $$.src_os = $2;

+ $$.dst = $3;

+ }

+ ;

+os : /* empty */ { $$ = NULL; }

+ | OS xos { $$ = $2; }

+ | OS '{' os_list '}' { $$ = $3; }

+ ;

+xos : STRING {

+ $$ = calloc(1, sizeof(struct node_os));

+ if ($$ == NULL)

+ err(1, "os: calloc");

+ $$->os = $1;

+ $$->tail = $$;

+ }

+ ;

+os_list : xos { $$ = $1; }

+ | os_list comma xos {

+ $1->tail->next = $3;

+ $1->tail = $3;

+ $$ = $1;

}

;

@@ -2690,8 +2742,8 @@ natrule : nataction interface af proto fromto tag redirpool pooltype

}

expand_rule(&r, $2, $7 == NULL ? NULL : $7->host, $4,

- $5.src.host, $5.src.port, $5.dst.host, $5.dst.port,

- 0, 0, 0);

+ $5.src_os, $5.src.host, $5.src.port, $5.dst.host,

+ $5.dst.port, 0, 0, 0);

free($7);

}

;

@@ -3654,10 +3706,10 @@ expand_queue(struct pf_altq *a, struct node_if *interfaces,

void

expand_rule(struct pf_rule *r,

struct node_if *interfaces, struct node_host *rpool_hosts,

- struct node_proto *protos, struct node_host *src_hosts,

- struct node_port *src_ports, struct node_host *dst_hosts,

- struct node_port *dst_ports, struct node_uid *uids,

- struct node_gid *gids, struct node_icmp *icmp_types)

+ struct node_proto *protos, struct node_os *src_oses,

+ struct node_host *src_hosts, struct node_port *src_ports,

+ struct node_host *dst_hosts, struct node_port *dst_ports,

+ struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types)

{

sa_family_t af = r->af;

int added = 0, error = 0;

@@ -3677,6 +3729,7 @@ expand_rule(struct pf_rule *r,

LOOP_THROUGH(struct node_icmp, icmp_type, icmp_types,

LOOP_THROUGH(struct node_host, src_host, src_hosts,

LOOP_THROUGH(struct node_port, src_port, src_ports,

+ LOOP_THROUGH(struct node_os, src_os, src_oses,

LOOP_THROUGH(struct node_host, dst_host, dst_hosts,

LOOP_THROUGH(struct node_port, dst_port, dst_ports,

LOOP_THROUGH(struct node_uid, uid, uids,

@@ -3749,6 +3802,17 @@ expand_rule(struct pf_rule *r,

error++;

}

+ if (src_os && src_os->os) {

+ r->os_fingerprint = pfctl_get_fingerprint(src_os->os);

+ if ((pf->opts & PF_OPT_VERBOSE2) &&

+ r->os_fingerprint == PF_OSFP_NOMATCH)

+ fprintf(stderr,

+ "warning: unknown '%s' OS fingerprint\n",

+ src_os->os);

+ } else {

+ r->os_fingerprint = PF_OSFP_ANY;

+ }

TAILQ_INIT(&r->rpool.list);

for (h = rpool_hosts; h != NULL; h = h->next) {

pa = calloc(1, sizeof(struct pf_pooladdr));

@@ -3773,12 +3837,13 @@ expand_rule(struct pf_rule *r,

added++;

}

- )))))))));

+ ))))))))));

FREE_LIST(struct node_if, interfaces);

FREE_LIST(struct node_proto, protos);

FREE_LIST(struct node_host, src_hosts);

FREE_LIST(struct node_port, src_ports);

+ FREE_LIST(struct node_os, src_oses);

FREE_LIST(struct node_host, dst_hosts);

FREE_LIST(struct node_port, dst_ports);

FREE_LIST(struct node_uid, uids);

@@ -3836,6 +3901,7 @@ lookup(char *s)

{ "dup-to", DUPTO},

{ "fastroute", FASTROUTE},

{ "file", FILENAME},

+ { "fingerprints", FINGERPRINTS},

{ "flags", FLAGS},

{ "for", FOR},

{ "fragment", FRAGMENT},

@@ -3866,6 +3932,7 @@ lookup(char *s)

{ "no-route", NOROUTE},

{ "on", ON},

{ "optimization", OPTIMIZATION},

+ { "os", OS},

{ "out", OUT},

{ "pass", PASS},

{ "port", PORT},

diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 396763b01ae..d03d45a20f2 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8

@@ -1,4 +1,4 @@

-.\" $OpenBSD: pfctl.8,v 1.97 2003/05/24 17:50:16 jmc Exp $

+.\" $OpenBSD: pfctl.8,v 1.98 2003/08/21 19:12:08 frantzen Exp $

.\"

@@ -160,6 +160,8 @@ Flush the state table (NAT and filter).

Flush the filter information (statistics that are not bound to rules).

.It Fl F Ar Tables

Flush the tables.

+.It Fl F Ar osfp

+Flush the passive operating system fingerprints.

.It Fl F Ar all

Flush all of the above.

.El

@@ -252,6 +254,13 @@ Show the current global timeouts.

Show the current pool memory hard limits.

.It Fl s Ar Tables

Show the list of tables.

+.It Fl s Ar osfp

+Show the list of operating system fingerprints.

+Can be used in combination with

+.Fl o Ar file

+to list the fingerprints in a

+.Xr pf.os 5

+file.

.It Fl s Ar all

Show all of the above.

.El

@@ -435,7 +444,7 @@ tables of the same name in sub-rulesets (anchors).

Produce more verbose output.

A second use of

.Fl v

-will produce even more verbose output.

+will produce even more verbose output including ruleset warnings.

See previous section for its effect on table commands.

.It Fl x Ar level

Set the debug

@@ -448,6 +457,8 @@ Don't generate debug messages.

Generate debug messages only for serious errors.

.It Fl x Ar misc

Generate debug messages for various errors.

+.It Fl x Ar loud

+Generate debug messages for common conditons.

.El

.It Fl z

Clear per-rule statistics.

@@ -460,6 +471,7 @@ Packet filter rules file.

.Sh SEE ALSO

.Xr pf 4 ,

.Xr pf.conf 5 ,

+.Xr pf.os 5

.Xr sysctl.conf 5 ,

.Xr ftp-proxy 8 ,

.Xr rc 8 ,

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 6bf234b9f64..a06d538d5a7 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfctl.c,v 1.185 2003/08/04 17:29:44 dhartmei Exp $ */

+/* $OpenBSD: pfctl.c,v 1.186 2003/08/21 19:12:08 frantzen Exp $ */

@@ -156,12 +156,12 @@ static const struct {

};

static const char *clearopt_list[] = {

- "nat", "queue", "rules", "state", "info", "Tables", "all", NULL

+ "nat", "queue", "rules", "state", "info", "Tables", "osfp", "all", NULL

};

static const char *showopt_list[] = {

"nat", "queue", "rules", "Anchors", "state", "info", "labels",

- "timeouts", "memory", "Tables", "all", NULL

+ "timeouts", "memory", "Tables", "osfp", "all", NULL

};

static const char *tblcmdopt_list[] = {

@@ -170,7 +170,7 @@ static const char *tblcmdopt_list[] = {

};

static const char *debugopt_list[] = {

- "none", "urgent", "misc", NULL

+ "none", "urgent", "misc", "loud", NULL

};

@@ -1197,6 +1197,9 @@ pfctl_debug(int dev, u_int32_t level, int opts)

case PF_DEBUG_MISC:

fprintf(stderr, "misc");

break;

+ case PF_DEBUG_NOISY:

+ fprintf(stderr, "loud");

+ break;

default:

fprintf(stderr, "<invalid>");

break;

@@ -1486,14 +1489,17 @@ main(int argc, char *argv[])

pfctl_show_anchors(dev, opts, anchorname);

break;

case 'r':

+ pfctl_load_fingerprints(dev, opts);

pfctl_show_rules(dev, opts, 0, anchorname,

rulesetname);

break;

case 'l':

+ pfctl_load_fingerprints(dev, opts);

pfctl_show_rules(dev, opts, 1, anchorname,

rulesetname);

break;

case 'n':

+ pfctl_load_fingerprints(dev, opts);

pfctl_show_nat(dev, opts, anchorname, rulesetname);

break;

case 'q':

@@ -1512,6 +1518,8 @@ main(int argc, char *argv[])

pfctl_show_limits(dev);

break;

case 'a':

+ pfctl_load_fingerprints(dev, opts);

pfctl_show_rules(dev, opts, 0, anchorname,

rulesetname);

pfctl_show_nat(dev, opts, anchorname, rulesetname);

@@ -1522,10 +1530,15 @@ main(int argc, char *argv[])

pfctl_show_timeouts(dev);

pfctl_show_limits(dev);

pfctl_show_tables(anchorname, rulesetname, opts);

+ pfctl_show_fingerprints(opts);

break;

case 'T':

pfctl_show_tables(anchorname, rulesetname, opts);

break;

+ case 'o':

+ pfctl_load_fingerprints(dev, opts);

+ pfctl_show_fingerprints(opts);

+ break;

}

@@ -1553,6 +1566,10 @@ main(int argc, char *argv[])

pfctl_clear_states(dev, opts);

pfctl_clear_stats(dev, opts);

pfctl_clear_tables(anchorname, rulesetname, opts);

+ pfctl_clear_fingerprints(dev, opts);

+ break;

+ case 'o':

+ pfctl_clear_fingerprints(dev, opts);

break;

case 'T':

pfctl_clear_tables(anchorname, rulesetname, opts);

@@ -1562,6 +1579,9 @@ main(int argc, char *argv[])

if (state_killers)

pfctl_kill_states(dev, opts);

+ if (rulesopt && pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))

+ error = 1;

if (tblcmdopt != NULL) {

error = pfctl_command_tables(argc, argv, tableopt,

tblcmdopt, rulesopt, anchorname, rulesetname, opts);

@@ -1587,6 +1607,9 @@ main(int argc, char *argv[])

case 'm':

pfctl_debug(dev, PF_DEBUG_MISC, opts);

break;

+ case 'l':

+ pfctl_debug(dev, PF_DEBUG_NOISY, opts);

+ break;

}

diff --git a/sbin/pfctl/pfctl_osfp.c b/sbin/pfctl/pfctl_osfp.c
new file mode 100644
index 00000000000..d8045239bd2
--- /dev/null
+++ b/sbin/pfctl/pfctl_osfp.c

@@ -0,0 +1,1093 @@

+/* $OpenBSD: pfctl_osfp.c,v 1.1 2003/08/21 19:12:08 frantzen Exp $ */

+/*

+ *

+ * Permission to use, copy, modify, and distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+ */

+#include <sys/types.h>

+#include <sys/ioctl.h>

+#include <sys/socket.h>

+#include <net/if.h>

+#include <net/pfvar.h>

+#include <ctype.h>

+#include <err.h>

+#include <errno.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include "pfctl_parser.h"

+#ifndef MIN

+# define MIN(a,b) (((a) < (b)) ? (a) : (b))

+#endif /* MIN */

+#ifndef MAX

+# define MAX(a,b) (((a) > (b)) ? (a) : (b))

+#endif /* MAX */

+#if 0

+# define DEBUG(fp, str, v...) \

+ fprintf(stderr, "%s:%s:%s " str "\n", (fp)->fp_os.fp_class_nm, \

+ (fp)->fp_os.fp_version_nm, (fp)->fp_os.fp_subtype_nm , ## v);

+#else

+# define DEBUG(fp, str, v...) ((void)0)

+#endif

+struct name_entry;

+LIST_HEAD(name_list, name_entry);

+struct name_entry {

+ LIST_ENTRY(name_entry) nm_entry;

+ int nm_num;

+ char nm_name[PF_OSFP_LEN];

+ struct name_list nm_sublist;

+ int nm_sublist_num;

+};

+struct name_list classes = LIST_HEAD_INITIALIZER(&classes);

+int class_count;

+int fingerprint_count;

+void add_fingerprint(int, int, struct pf_osfp_ioctl *);

+struct name_entry *fingerprint_name_entry(struct name_list *, char *);

+void pfctl_flush_my_fingerprints(struct name_list *);

+char *get_field(char **, size_t *, int *);

+int get_int(char **, size_t *, int *, int *, const char *,

+ int, int, const char *, int);

+int get_str(char **, size_t *, char **, const char *, int,

+ const char *, int);

+int get_tcpopts(const char *, int, const char *,

+ pf_tcpopts_t *, int *, int *, int *, int *, int *,

+ int *);

+void import_fingerprint(struct pf_osfp_ioctl *);

+const char *print_ioctl(struct pf_osfp_ioctl *);

+void print_name_list(int, struct name_list *, const char *);

+void sort_name_list(int, struct name_list *);

+struct name_entry *lookup_name_list(struct name_list *, const char *);

+/* Load fingerprints from a file */

+int

+pfctl_file_fingerprints(int dev, int opts, const char *fp_filename)

+ FILE *in;

+ char *line;

+ size_t len;

+ int i, lineno = 0;

+ int window, w_mod, ttl, df, psize, p_mod, mss, mss_mod, wscale,

+ wscale_mod, optcnt, ts0;

+ pf_tcpopts_t packed_tcpopts;

+ char *class, *version, *subtype, *desc, *tcpopts;

+ struct pf_osfp_ioctl fp;

+ pfctl_flush_my_fingerprints(&classes);

+ if ((in = fopen(fp_filename, "r")) == NULL) {

+ warn("fopen(%s)", fp_filename);

+ return (1);

+ }

+ class = version = subtype = desc = tcpopts = NULL;

+ if ((opts & PF_OPT_NOACTION) == 0)

+ pfctl_clear_fingerprints(dev, opts);

+ while ((line = fgetln(in, &len)) != NULL) {

+ lineno++;

+ if (class)

+ free(class);

+ if (version)

+ free(version);

+ if (subtype)

+ free(subtype);

+ if (desc)

+ free(desc);

+ if (tcpopts)

+ free(tcpopts);

+ class = version = subtype = desc = tcpopts = NULL;

+ memset(&fp, 0, sizeof(fp));

+ /* Chop off comment */

+ for (i = 0; i < len; i++)

+ if (line[i] == '#') {

+ len = i;

+ break;

+ }

+ /* Chop off whitespace */

+ while (len > 0 && isspace(line[len - 1]))

+ len--;

+ while (len > 0 && isspace(line[0])) {

+ len--;

+ line++;

+ }

+ if (len == 0)

+ continue;

+#define T_DC 0x01 /* Allow don't care */

+#define T_MSS 0x02 /* Allow MSS multiple */

+#define T_MTU 0x04 /* Allow MTU multiple */

+#define T_MOD 0x08 /* Allow modulus */

+#define GET_INT(v, mod, n, ty, mx) \

+ get_int(&line, &len, &v, mod, n, ty, mx, fp_filename, lineno)

+#define GET_STR(v, n, mn) \

+ get_str(&line, &len, &v, n, mn, fp_filename, lineno)

+ if (GET_INT(window, &w_mod, "window size", T_DC|T_MSS|T_MTU|

+ T_MOD, 0xffff) ||

+ GET_INT(ttl, NULL, "ttl", 0, 0xff) ||

+ GET_INT(df, NULL, "don't fragment frag", 0, 1) ||

+ GET_INT(psize, &p_mod, "overall packet size", T_MOD|T_DC,

+ 8192) ||

+ GET_STR(tcpopts, "TCP Options", 1) ||

+ GET_STR(class, "OS class", 1) ||

+ GET_STR(version, "OS version", 0) ||

+ GET_STR(subtype, "OS subtype", 0) ||

+ GET_STR(desc, "OS description", 2))

+ continue;

+ if (get_tcpopts(fp_filename, lineno, tcpopts, &packed_tcpopts,

+ &optcnt, &mss, &mss_mod, &wscale, &wscale_mod, &ts0))

+ continue;

+ if (len != 0) {

+ fprintf(stderr, "%s:%d excess field\n", fp_filename,

+ lineno);

+ continue;

+ }

+ fp.fp_ttl = ttl;

+ if (df)

+ fp.fp_flags |= PF_OSFP_DF;

+ switch (w_mod) {

+ case 0:

+ break;

+ case T_DC:

+ fp.fp_flags |= PF_OSFP_WSIZE_DC;

+ break;

+ case T_MSS:

+ fp.fp_flags |= PF_OSFP_WSIZE_MSS;

+ break;

+ case T_MTU:

+ fp.fp_flags |= PF_OSFP_WSIZE_MTU;

+ break;

+ case T_MOD:

+ fp.fp_flags |= PF_OSFP_WSIZE_MOD;

+ break;

+ }

+ fp.fp_wsize = window;

+ switch (p_mod) {

+ case T_DC:

+ fp.fp_flags |= PF_OSFP_PSIZE_DC;

+ break;

+ case T_MOD:

+ fp.fp_flags |= PF_OSFP_PSIZE_MOD;

+ }

+ fp.fp_psize = psize;

+ switch (wscale_mod) {

+ case T_DC:

+ fp.fp_flags |= PF_OSFP_WSCALE_DC;

+ break;

+ case T_MOD:

+ fp.fp_flags |= PF_OSFP_WSCALE_MOD;

+ }

+ fp.fp_wscale = wscale;

+ switch (mss_mod) {

+ case T_DC:

+ fp.fp_flags |= PF_OSFP_MSS_DC;

+ break;

+ case T_MOD:

+ fp.fp_flags |= PF_OSFP_MSS_MOD;

+ break;

+ }

+ fp.fp_mss = mss;

+ fp.fp_tcpopts = packed_tcpopts;

+ fp.fp_optcnt = optcnt;

+ if (ts0)

+ fp.fp_flags |= PF_OSFP_TS0;

+ if (class[0] == '@')

+ fp.fp_os.fp_enflags |= PF_OSFP_GENERIC;

+ if (class[0] == '*')

+ fp.fp_os.fp_enflags |= PF_OSFP_NODETAIL;

+ if (class[0] == '@' || class[0] == '*')

+ strlcpy(fp.fp_os.fp_class_nm, class + 1,

+ sizeof(fp.fp_os.fp_class_nm));

+ else

+ strlcpy(fp.fp_os.fp_class_nm, class,

+ sizeof(fp.fp_os.fp_class_nm));

+ strlcpy(fp.fp_os.fp_version_nm, version,

+ sizeof(fp.fp_os.fp_version_nm));

+ strlcpy(fp.fp_os.fp_subtype_nm, subtype,

+ sizeof(fp.fp_os.fp_subtype_nm));

+ add_fingerprint(dev, opts, &fp);

+ }

+ if (class)

+ free(class);

+ if (version)

+ free(version);

+ if (subtype)

+ free(subtype);

+ if (desc)

+ free(desc);

+ fclose(in);

+ if (opts & PF_OPT_VERBOSE2)

+ printf("Loaded %d passive OS fingerprints\n",

+ fingerprint_count);

+ return (0);

+/* flush the kernel's fingerprints */

+void

+pfctl_clear_fingerprints(int dev, int opts)

+ if (ioctl(dev, DIOCOSFPFLUSH))

+ err(1, "DIOCOSFPFLUSH");

+/* flush pfctl's view of the fingerprints */

+void

+pfctl_flush_my_fingerprints(struct name_list *list)

+ struct name_entry *nm;

+ while ((nm = LIST_FIRST(list)) != NULL) {

+ LIST_REMOVE(nm, nm_entry);

+ pfctl_flush_my_fingerprints(&nm->nm_sublist);

+ fingerprint_count--;

+ free(nm);

+ }

+ class_count = 0;

+/* Fetch the active fingerprints from the kernel */

+int

+pfctl_load_fingerprints(int dev, int opts)

+ struct pf_osfp_ioctl io;

+ int i;

+ pfctl_flush_my_fingerprints(&classes);

+ for (i = 0; i >= 0; i++) {

+ memset(&io, 0, sizeof(io));

+ io.fp_getnum = i;

+ if (ioctl(dev, DIOCOSFPGET, &io)) {

+ if (errno == EBUSY)

+ break;

+ warn("DIOCOSFPGET");

+ return (1);

+ }

+ import_fingerprint(&io);

+ }

+ return (0);

+/* List the fingerprints */

+void

+pfctl_show_fingerprints(int opts)

+ printf("Passive OS Fingerprints:\n");

+ printf("\tClass\tVersion\tSubtype(subversion)\n");

+ printf("\t-----\t-------\t-------------------\n");

+ sort_name_list(opts, &classes);

+ print_name_list(opts, &classes, "\t");

+/* Lookup a fingerprint */

+pf_osfp_t

+pfctl_get_fingerprint(const char *name)

+ struct name_entry *nm, *class_nm, *version_nm, *subtype_nm;

+ pf_osfp_t ret = PF_OSFP_NOMATCH;

+ int class, version, subtype;

+ int unp_class, unp_version, unp_subtype;

+ int wr_len, version_len, subtype_len;

+ char *ptr, *wr_name;

+ if (strcasecmp(name, "unknown") == 0)

+ return (PF_OSFP_UNKNOWN);

+ /* Try most likely no version and no subtype */

+ if ((nm = lookup_name_list(&classes, name))) {

+ class = nm->nm_num;

+ version = PF_OSFP_ANY;

+ subtype = PF_OSFP_ANY;

+ goto found;

+ } else {

+ /* Chop it up into class/version/subtype */

+ if ((wr_name = strdup(name)) == NULL)

+ err(1, "malloc");

+ if ((ptr = index(wr_name, ' ')) == NULL) {

+ free(wr_name);

+ return (PF_OSFP_NOMATCH);

+ }

+ *ptr++ = '\0';

+ /* The class is easy to find since it is delimited by a space */

+ if ((class_nm = lookup_name_list(&classes, wr_name)) == NULL) {

+ free(wr_name);

+ return (PF_OSFP_NOMATCH);

+ }

+ class = class_nm->nm_num;

+ /* Try no subtype */

+ if ((version_nm = lookup_name_list(&class_nm->nm_sublist, ptr)))

+ {

+ version = version_nm->nm_num;

+ subtype = PF_OSFP_ANY;

+ free(wr_name);

+ goto found;

+ }

+ /*

+ * There must be a version and a subtype.

+ * We'll do some fuzzy matching to pick up things like:

+ * Linux 2.2.14 (version=2.2 subtype=14)

+ * FreeBSD 4.0-STABLE (version=4.0 subtype=STABLE)

+ * Windows 2000 SP2 (versoin=2000 subtype=SP2)

+ */

+#define CONNECTOR(x) ((x) == '.' || (x) == ' ' || (x) == '\t' || (x) == '-')

+ wr_len = strlen(ptr);

+ LIST_FOREACH(version_nm, &class_nm->nm_sublist, nm_entry) {

+ version_len = strlen(version_nm->nm_name);

+ if (wr_len < version_len + 2 ||

+ !CONNECTOR(ptr[version_len]))

+ continue;

+ /* first part of the string must be version */

+ if (strncasecmp(ptr, version_nm->nm_name,

+ version_len))

+ continue;

+ LIST_FOREACH(subtype_nm, &version_nm->nm_sublist,

+ nm_entry) {

+ subtype_len = strlen(subtype_nm->nm_name);

+ if (wr_len != version_len + subtype_len + 1)

+ continue;

+ /* last part of the string must be subtype */

+ if (strcasecmp(&ptr[version_len+1],

+ subtype_nm->nm_name) != 0)

+ continue;

+ /* Found it!! */

+ version = version_nm->nm_num;

+ subtype = subtype_nm->nm_num;

+ free(wr_name);

+ goto found;

+ }

+ free(wr_name);

+ return (PF_OSFP_NOMATCH);

+ }

+found:

+ PF_OSFP_PACK(ret, class, version, subtype);

+ if (ret != PF_OSFP_NOMATCH) {

+ PF_OSFP_UNPACK(ret, unp_class, unp_version, unp_subtype);

+ if (class != unp_class) {

+ fprintf(stderr, "warning: fingerprint table overflowed "

+ "classes\n");

+ return (PF_OSFP_NOMATCH);

+ }

+ if (version != unp_version) {

+ fprintf(stderr, "warning: fingerprint table overflowed "

+ "versions\n");

+ return (PF_OSFP_NOMATCH);

+ }

+ if (subtype != unp_subtype) {

+ fprintf(stderr, "warning: fingerprint table overflowed "

+ "subtypes\n");

+ return (PF_OSFP_NOMATCH);

+ }

+ if (ret == PF_OSFP_ANY) {

+ /* should never happen */

+ fprintf(stderr, "warning: fingerprint packed to 'any'\n");

+ return (PF_OSFP_NOMATCH);

+ }

+ return (ret);

+/* Lookup a fingerprint name by ID */

+char *

+pfctl_lookup_fingerprint(pf_osfp_t fp, char *buf, size_t len)

+ int class, version, subtype;

+ struct name_list *list;

+ struct name_entry *nm;

+ char *class_name, *version_name, *subtype_name;

+ class_name = version_name = subtype_name = NULL;

+ if (fp == PF_OSFP_UNKNOWN) {

+ strlcpy(buf, "unknown", len);

+ return (buf);

+ }

+ if (fp == PF_OSFP_ANY) {

+ strlcpy(buf, "any", len);

+ return (buf);

+ }

+ PF_OSFP_UNPACK(fp, class, version, subtype);

+ if (class >= (1 << _FP_CLASS_BITS) ||

+ version >= (1 << _FP_VERSION_BITS) ||

+ subtype >= (1 << _FP_SUBTYPE_BITS)) {

+ warnx("PF_OSFP_UNPACK(0x%x) failed!!", fp);

+ strlcpy(buf, "nomatch", len);

+ return (buf);

+ }

+ LIST_FOREACH(nm, &classes, nm_entry) {

+ if (nm->nm_num == class) {

+ class_name = nm->nm_name;

+ if (version == PF_OSFP_ANY)

+ goto found;

+ list = &nm->nm_sublist;

+ LIST_FOREACH(nm, list, nm_entry) {

+ if (nm->nm_num == version) {

+ version_name = nm->nm_name;

+ if (subtype == PF_OSFP_ANY)

+ goto found;

+ list = &nm->nm_sublist;

+ LIST_FOREACH(nm, list, nm_entry) {

+ if (nm->nm_num == subtype) {

+ subtype_name =

+ nm->nm_name;

+ goto found;

+ }

+ } /* foreach subtype */

+ strlcpy(buf, "nomatch", len);

+ return (buf);

+ }

+ } /* foreach version */

+ strlcpy(buf, "nomatch", len);

+ return (buf);

+ }

+ } /* foreach class */

+ strlcpy(buf, "nomatch", len);

+ return (buf);

+found:

+ snprintf(buf, len, "%s", class_name);

+ if (version_name) {

+ strlcat(buf, " ", len);

+ strlcat(buf, version_name, len);

+ if (subtype_name) {

+ if (index(version_name, ' '))

+ strlcat(buf, " ", len);

+ else if (index(version_name, '.') &&

+ isdigit(*subtype_name))

+ strlcat(buf, ".", len);

+ else

+ strlcat(buf, " ", len);

+ strlcat(buf, subtype_name, len);

+ }

+ return (buf);

+/* lookup a name in a list */

+struct name_entry *

+lookup_name_list(struct name_list *list, const char *name)

+ struct name_entry *nm;

+ LIST_FOREACH(nm, list, nm_entry)

+ if (strcasecmp(name, nm->nm_name) == 0)

+ return (nm);

+ return (NULL);

+void

+add_fingerprint(int dev, int opts, struct pf_osfp_ioctl *fp)

+ struct pf_osfp_ioctl fptmp;

+ struct name_entry *nm_class, *nm_version, *nm_subtype;

+ int class, version, subtype;

+/* We expand #-# or #.#-#.# version/subtypes into multiple fingerprints */

+#define EXPAND(field) do { \

+ int _dot = -1, _start = -1, _end = -1, _i = 0; \

+ /* pick major version out of #.# */ \

+ if (isdigit(fp->field[_i]) && fp->field[_i+1] == '.') { \

+ _dot = fp->field[_i] - '0'; \

+ _i += 2; \

+ } \

+ if (isdigit(fp->field[_i])) \

+ _start = fp->field[_i++] - '0'; \

+ else \

+ break; \

+ if (isdigit(fp->field[_i])) \

+ _start = (_start * 10) + fp->field[_i++] - '0'; \

+ if (fp->field[_i++] != '-') \

+ break; \

+ if (isdigit(fp->field[_i]) && fp->field[_i+1] == '.' && \

+ fp->field[_i] - '0' == _dot) \

+ _i += 2; \

+ else if (_dot != -1) \

+ break; \

+ if (isdigit(fp->field[_i])) \

+ _end = fp->field[_i++] - '0'; \

+ else \

+ break; \

+ if (isdigit(fp->field[_i])) \

+ _end = (_end * 10) + fp->field[_i++] - '0'; \

+ if (isdigit(fp->field[_i])) \

+ _end = (_end * 10) + fp->field[_i++] - '0'; \

+ if (fp->field[_i] != '\0') \

+ break; \

+ memcpy(&fptmp, fp, sizeof(fptmp)); \

+ for (;_start <= _end; _start++) { \

+ memset(fptmp.field, 0, sizeof(fptmp.field)); \

+ fptmp.fp_os.fp_enflags |= PF_OSFP_EXPANDED; \

+ if (_dot == -1) \

+ snprintf(fptmp.field, sizeof(fptmp.field), \

+ "%d", _start); \

+ else \

+ snprintf(fptmp.field, sizeof(fptmp.field), \

+ "%d.%d", _dot, _start); \

+ add_fingerprint(dev, opts, &fptmp); \

+ } \

+} while(0)

+ /* We allow "#-#" as a version or subtype and we'll expand it */

+ EXPAND(fp_os.fp_version_nm);

+ EXPAND(fp_os.fp_subtype_nm);

+ if (strcasecmp(fp->fp_os.fp_class_nm, "nomatch") == 0)

+ errx(1, "fingerprint class \"nomatch\" is reserved");

+ version = PF_OSFP_ANY;

+ subtype = PF_OSFP_ANY;

+ nm_class = fingerprint_name_entry(&classes, fp->fp_os.fp_class_nm);

+ if (nm_class->nm_num == 0)

+ nm_class->nm_num = ++class_count;

+ class = nm_class->nm_num;

+ nm_version = fingerprint_name_entry(&nm_class->nm_sublist,

+ fp->fp_os.fp_version_nm);

+ if (nm_version) {

+ if (nm_version->nm_num == 0)

+ nm_version->nm_num = ++nm_class->nm_sublist_num;

+ version = nm_version->nm_num;

+ nm_subtype = fingerprint_name_entry(&nm_version->nm_sublist,

+ fp->fp_os.fp_subtype_nm);

+ if (nm_subtype) {

+ if (nm_subtype->nm_num == 0)

+ nm_subtype->nm_num =

+ ++nm_version->nm_sublist_num;

+ subtype = nm_subtype->nm_num;

+ }

+ DEBUG(fp, "\tsignature %d:%d:%d %s", class, version, subtype,

+ print_ioctl(fp));

+ PF_OSFP_PACK(fp->fp_os.fp_os, class, version, subtype);

+ fingerprint_count++;

+#ifdef FAKE_PF_KERNEL

+ /* Linked to the sys/net/pf_osfp.c. Call pf_osfp_add() */

+ if ((errno = pf_osfp_add(fp)))

+#else

+ if ((opts & PF_OPT_NOACTION) == 0 && ioctl(dev, DIOCOSFPADD, fp))

+#endif /* FAKE_PF_KERNEL */

+ {

+ if (errno == EEXIST) {

+ warn("Duplicate signature for %s %s %s",

+ fp->fp_os.fp_class_nm,

+ fp->fp_os.fp_version_nm,

+ fp->fp_os.fp_subtype_nm);

+ } else {

+ err(1, "DIOCOSFPADD");

+ }

+/* import a fingerprint from the kernel */

+void

+import_fingerprint(struct pf_osfp_ioctl *fp)

+ struct name_entry *nm_class, *nm_version, *nm_subtype;

+ int class, version, subtype;

+ PF_OSFP_UNPACK(fp->fp_os.fp_os, class, version, subtype);

+ nm_class = fingerprint_name_entry(&classes, fp->fp_os.fp_class_nm);

+ if (nm_class->nm_num == 0) {

+ nm_class->nm_num = class;

+ class_count = MAX(class_count, class);

+ }

+ nm_version = fingerprint_name_entry(&nm_class->nm_sublist,

+ fp->fp_os.fp_version_nm);

+ if (nm_version) {

+ if (nm_version->nm_num == 0) {

+ nm_version->nm_num = version;

+ nm_class->nm_sublist_num = MAX(nm_class->nm_sublist_num,

+ version);

+ }

+ nm_subtype = fingerprint_name_entry(&nm_version->nm_sublist,

+ fp->fp_os.fp_subtype_nm);

+ if (nm_subtype) {

+ if (nm_subtype->nm_num == 0) {

+ nm_subtype->nm_num = subtype;

+ nm_version->nm_sublist_num =

+ MAX(nm_version->nm_sublist_num, subtype);

+ }

+ fingerprint_count++;

+ DEBUG(fp, "import signature %d:%d:%d", class, version, subtype);

+/* Find an entry for a fingerprints class/version/subtype */

+struct name_entry *

+fingerprint_name_entry(struct name_list *list, char *name)

+ struct name_entry *nm_entry;

+ if (name == NULL || strlen(name) == 0)

+ return (NULL);

+ LIST_FOREACH(nm_entry, list, nm_entry) {

+ if (strcasecmp(nm_entry->nm_name, name) == 0) {

+ /* We'll move this to the front of the list later */

+ LIST_REMOVE(nm_entry, nm_entry);

+ break;

+ }

+ if (nm_entry == NULL) {

+ nm_entry = calloc(1, sizeof(*nm_entry));

+ if (nm_entry == NULL)

+ err(1, "calloc");

+ LIST_INIT(&nm_entry->nm_sublist);

+ strlcpy(nm_entry->nm_name, name,

+ sizeof(nm_entry->nm_name));

+ }

+ LIST_INSERT_HEAD(list, nm_entry, nm_entry);

+ return (nm_entry);

+void

+print_name_list(int opts, struct name_list *nml, const char *prefix)

+ char newprefix[32];

+ struct name_entry *nm;

+ LIST_FOREACH(nm, nml, nm_entry) {

+ snprintf(newprefix, sizeof(newprefix), "%s%s\t", prefix,

+ nm->nm_name);

+ printf("%s\n", newprefix);

+ print_name_list(opts, &nm->nm_sublist, newprefix);

+ }

+void

+sort_name_list(int opts, struct name_list *nml)

+ struct name_list new;

+ struct name_entry *nm, *nmsearch, *nmlast;

+ /* yes yes, it's a very slow sort. so sue me */

+ LIST_INIT(&new);

+ while ((nm = LIST_FIRST(nml)) != NULL) {

+ LIST_REMOVE(nm, nm_entry);

+ nmlast = NULL;

+ LIST_FOREACH(nmsearch, &new, nm_entry) {

+ if (strcasecmp(nmsearch->nm_name, nm->nm_name) > 0) {

+ LIST_INSERT_BEFORE(nmsearch, nm, nm_entry);

+ break;

+ }

+ nmlast = nmsearch;

+ }

+ if (nmsearch == NULL) {

+ if (nmlast)

+ LIST_INSERT_AFTER(nmlast, nm, nm_entry);

+ else

+ LIST_INSERT_HEAD(&new, nm, nm_entry);

+ }

+ sort_name_list(opts, &nm->nm_sublist);

+ }

+ nmlast = NULL;

+ while ((nm = LIST_FIRST(&new)) != NULL) {

+ LIST_REMOVE(nm, nm_entry);

+ if (nmlast == NULL)

+ LIST_INSERT_HEAD(nml, nm, nm_entry);

+ else

+ LIST_INSERT_AFTER(nmlast, nm, nm_entry);

+ nmlast = nm;

+ }

+ return;

+/* parse the next integer in a formatted config file line */

+int

+get_int(char **line, size_t *len, int *var, int *mod,

+ const char *name, int flags, int max, const char *filename, int lineno)

+ int fieldlen, i;

+ char *field;

+ long val = 0;

+ if (mod)

+ *mod = 0;

+ *var = 0;

+ field = get_field(line, len, &fieldlen);

+ if (field == NULL)

+ return (1);

+ if (fieldlen == 0) {

+ fprintf(stderr, "%s:%d empty %s\n", filename, lineno, name);

+ return (1);

+ }

+ i = 0;

+ if ((*field == '%' || *field == 'S' || *field == 'T' || *field == '*')

+ && fieldlen >= 1) {

+ switch (*field) {

+ case 'S':

+ if (mod && (flags & T_MSS))

+ *mod = T_MSS;

+ if (fieldlen == 1)

+ return (0);

+ break;

+ case 'T':

+ if (mod && (flags & T_MTU))

+ *mod = T_MTU;

+ if (fieldlen == 1)

+ return (0);

+ break;

+ case '*':

+ if (fieldlen != 1) {

+ fprintf(stderr, "%s:%d long '%c' %s\n",

+ filename, lineno, *field, name);

+ return (1);

+ }

+ if (mod && (flags & T_DC)) {

+ *mod = T_DC;

+ return (0);

+ }

+ case '%':

+ if (mod && (flags & T_MOD))

+ *mod = T_MOD;

+ if (fieldlen == 1) {

+ fprintf(stderr, "%s:%d modulus %s must have a "

+ "value\n", filename, lineno, name);

+ return (1);

+ }

+ break;

+ }

+ if (mod == NULL || *mod == 0) {

+ fprintf(stderr, "%s:%d does not allow %c' %s\n",

+ filename, lineno, *field, name);

+ return (1);

+ }

+ i++;

+ }

+ for (; i < fieldlen; i++) {

+ if (field[i] < '0' || field[i] > '9') {

+ fprintf(stderr, "%s:%d non-digit character in %s\n",

+ filename, lineno, name);

+ return (1);

+ }

+ val = val * 10 + field[i] - '0';

+ if (val < 0) {

+ fprintf(stderr, "%s:%d %s overflowed\n", filename,

+ lineno, name);

+ return (1);

+ }

+ if (val > max) {

+ fprintf(stderr, "%s:%d %s value %ld > %d\n", filename, lineno,

+ name, val, max);

+ return (1);

+ }

+ *var = (int)val;

+ return (0);

+/* parse the next string in a formatted config file line */

+int

+get_str(char **line, size_t *len, char **v, const char *name, int minlen,

+ const char *filename, int lineno)

+ int fieldlen;

+ char *ptr;

+ ptr = get_field(line, len, &fieldlen);

+ if (ptr == NULL)

+ return (1);

+ if (fieldlen < minlen) {

+ fprintf(stderr, "%s:%d too short %s\n", filename, lineno, name);

+ return (1);

+ }

+ if ((*v = malloc(fieldlen + 1)) == NULL) {

+ perror("malloc()");

+ return (1);

+ }

+ memcpy(*v, ptr, fieldlen);

+ (*v)[fieldlen] = '\0';

+ return (0);

+/* Parse out the TCP opts */

+int

+get_tcpopts(const char *filename, int lineno, const char *tcpopts,

+ pf_tcpopts_t *packed, int *optcnt, int *mss, int *mss_mod, int *wscale,

+ int *wscale_mod, int *ts0)

+ int i, opt;

+ *packed = 0;

+ *optcnt = 0;

+ *wscale = 0;

+ *wscale_mod = T_DC;

+ *mss = 0;

+ *mss_mod = T_DC;

+ *ts0 = 0;

+ if (strcmp(tcpopts, ".") == 0)

+ return(0);

+ for (i = 0; tcpopts[i] && *optcnt < PF_OSFP_MAX_OPTS;) {

+ switch ((opt = toupper(tcpopts[i++]))) {

+ case 'N': /* FALLTHROUGH */

+ case 'S':

+ *packed = (*packed << PF_OSFP_TCPOPT_BITS) |

+ (opt == 'N' ? PF_OSFP_TCPOPT_NOP :

+ PF_OSFP_TCPOPT_SACK);

+ break;

+ case 'W': /* FALLTHROUGH */

+ case 'M': {

+ int *this_mod, *this;

+ if (opt == 'W') {

+ this = wscale;

+ this_mod = wscale_mod;

+ } else {

+ this = mss;

+ this_mod = mss_mod;

+ }

+ *this = 0;

+ *this_mod = 0;

+ *packed = (*packed << PF_OSFP_TCPOPT_BITS) |

+ (opt == 'W' ? PF_OSFP_TCPOPT_WSCALE :

+ PF_OSFP_TCPOPT_MSS);

+ if (tcpopts[i] == '*' && (tcpopts[i + 1] == '\0' ||

+ tcpopts[i + 1] == ',')) {

+ *this_mod = T_DC;

+ i++;

+ break;

+ }

+ if (tcpopts[i] == '%') {

+ *this_mod = T_MOD;

+ i++;

+ } else

+ do {

+ if (!isdigit(tcpopts[i])) {

+ fprintf(stderr, "%s:%d unknown "

+ "character '%c' in %c TCP opt\n",

+ filename, lineno, tcpopts[i], opt);

+ return (1);

+ }

+ *this = (*this * 10) + tcpopts[i++] - '0';

+ } while(tcpopts[i] != ',' && tcpopts[i] != '\0');

+ break;

+ }

+ case 'T':

+ if (tcpopts[i] == '0') {

+ *ts0 = 1;

+ i++;

+ }

+ *packed = (*packed << PF_OSFP_TCPOPT_BITS) |

+ PF_OSFP_TCPOPT_TS;

+ break;

+ }

+ (*optcnt) ++;

+ if (tcpopts[i] == '\0')

+ break;

+ if (tcpopts[i] != ',') {

+ fprintf(stderr, "%s:%d unknown option to %c TCP opt\n",

+ filename, lineno, opt);

+ return (1);

+ }

+ i++;

+ }

+ return (0);

+/* rip the next field ouf of a formatted config file line */

+char *

+get_field(char **line, size_t *len, int *fieldlen)

+ char *ret, *ptr = *line;

+ size_t plen = *len;

+ while (plen && isspace(*ptr)) {

+ plen--;

+ ptr++;

+ }

+ ret = ptr;

+ *fieldlen = 0;

+ for (; plen > 0 && *ptr != ':'; plen--, ptr++)

+ (*fieldlen)++;

+ if (plen) {

+ *line = ptr + 1;

+ *len = plen - 1;

+ } else {

+ *len = 0;

+ }

+ while (*fieldlen && isspace(ret[*fieldlen - 1]))

+ (*fieldlen)--;

+ return (ret);

+const char *

+print_ioctl(struct pf_osfp_ioctl *fp)

+ static char buf[1024];

+ char tmp[32];

+ int i, opt;

+ *buf = '\0';

+ if (fp->fp_flags & PF_OSFP_WSIZE_DC)

+ strlcat(buf, "*", sizeof(buf));

+ else if (fp->fp_flags & PF_OSFP_WSIZE_MSS)

+ strlcat(buf, "S", sizeof(buf));

+ else if (fp->fp_flags & PF_OSFP_WSIZE_MTU)

+ strlcat(buf, "T", sizeof(buf));

+ else {

+ if (fp->fp_flags & PF_OSFP_WSIZE_MOD)

+ strlcat(buf, "%", sizeof(buf));

+ snprintf(tmp, sizeof(tmp), "%d", fp->fp_wsize);

+ strlcat(buf, tmp, sizeof(buf));

+ }

+ strlcat(buf, ":", sizeof(buf));

+ snprintf(tmp, sizeof(tmp), "%d", fp->fp_ttl);

+ strlcat(buf, tmp, sizeof(buf));

+ strlcat(buf, ":", sizeof(buf));

+ if (fp->fp_flags & PF_OSFP_DF)

+ strlcat(buf, "1", sizeof(buf));

+ else

+ strlcat(buf, "0", sizeof(buf));

+ strlcat(buf, ":", sizeof(buf));

+ if (fp->fp_flags & PF_OSFP_PSIZE_DC)

+ strlcat(buf, "*", sizeof(buf));

+ else {

+ if (fp->fp_flags & PF_OSFP_PSIZE_MOD)

+ strlcat(buf, "%", sizeof(buf));

+ snprintf(tmp, sizeof(tmp), "%d", fp->fp_psize);

+ strlcat(buf, tmp, sizeof(buf));

+ }

+ strlcat(buf, ":", sizeof(buf));

+ if (fp->fp_optcnt == 0)

+ strlcat(buf, ".", sizeof(buf));

+ for (i = fp->fp_optcnt - 1; i >= 0; i--) {

+ opt = fp->fp_tcpopts >> (i * PF_OSFP_TCPOPT_BITS);

+ opt &= (1 << PF_OSFP_TCPOPT_BITS) - 1;

+ switch (opt) {

+ case PF_OSFP_TCPOPT_NOP:

+ strlcat(buf, "N", sizeof(buf));

+ break;

+ case PF_OSFP_TCPOPT_SACK:

+ strlcat(buf, "S", sizeof(buf));

+ break;

+ case PF_OSFP_TCPOPT_TS:

+ strlcat(buf, "T", sizeof(buf));

+ if (fp->fp_flags & PF_OSFP_TS0)

+ strlcat(buf, "0", sizeof(buf));

+ break;

+ case PF_OSFP_TCPOPT_MSS:

+ strlcat(buf, "M", sizeof(buf));

+ if (fp->fp_flags & PF_OSFP_MSS_DC)

+ strlcat(buf, "*", sizeof(buf));

+ else {

+ if (fp->fp_flags & PF_OSFP_MSS_MOD)

+ strlcat(buf, "%", sizeof(buf));

+ snprintf(tmp, sizeof(tmp), "%d", fp->fp_mss);

+ strlcat(buf, tmp, sizeof(buf));

+ }

+ break;

+ case PF_OSFP_TCPOPT_WSCALE:

+ strlcat(buf, "W", sizeof(buf));

+ if (fp->fp_flags & PF_OSFP_WSCALE_DC)

+ strlcat(buf, "*", sizeof(buf));

+ else {

+ if (fp->fp_flags & PF_OSFP_WSCALE_MOD)

+ strlcat(buf, "%", sizeof(buf));

+ snprintf(tmp, sizeof(tmp), "%d", fp->fp_wscale);

+ strlcat(buf, tmp, sizeof(buf));

+ }

+ break;

+ }

+ if (i != 0)

+ strlcat(buf, ",", sizeof(buf));

+ }

+ strlcat(buf, ":", sizeof(buf));

+ strlcat(buf, fp->fp_os.fp_class_nm, sizeof(buf));

+ strlcat(buf, ":", sizeof(buf));

+ strlcat(buf, fp->fp_os.fp_version_nm, sizeof(buf));

+ strlcat(buf, ":", sizeof(buf));

+ strlcat(buf, fp->fp_os.fp_subtype_nm, sizeof(buf));

+ strlcat(buf, ":", sizeof(buf));

+ snprintf(tmp, sizeof(tmp), "TcpOpts %d 0x%llx", fp->fp_optcnt,

+ (long long int)fp->fp_tcpopts);

+ strlcat(buf, tmp, sizeof(buf));

+ return (buf);

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index c51923dd531..2c7c91a6511 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfctl_parser.c,v 1.172 2003/07/29 19:47:22 cedric Exp $ */

+/* $OpenBSD: pfctl_parser.c,v 1.173 2003/08/21 19:12:08 frantzen Exp $ */

@@ -58,8 +58,8 @@ void print_op (u_int8_t, const char *, const char *);

void print_port (u_int8_t, u_int16_t, u_int16_t, const char *);

void print_ugid (u_int8_t, unsigned, unsigned, const char *, unsigned);

void print_flags (u_int8_t);

-void print_fromto(struct pf_rule_addr *, struct pf_rule_addr *,

- u_int8_t, u_int8_t, int);

+void print_fromto(struct pf_rule_addr *, pf_osfp_t,

+ struct pf_rule_addr *, u_int8_t, u_int8_t, int);

struct node_host *host_if(const char *, int);

struct node_host *host_v4(const char *, int);

@@ -349,9 +349,10 @@ print_flags(u_int8_t f)

}

void

-print_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,

+print_fromto(struct pf_rule_addr *src, pf_osfp_t osfp, struct pf_rule_addr *dst,

sa_family_t af, u_int8_t proto, int verbose)

{

+ char buf[PF_OSFP_LEN*3];

if (src->addr.type == PF_ADDR_ADDRMASK &&

dst->addr.type == PF_ADDR_ADDRMASK &&

PF_AZERO(&src->addr.v.a.addr, AF_INET6) &&

@@ -359,7 +360,8 @@ print_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,

PF_AZERO(&dst->addr.v.a.addr, AF_INET6) &&

PF_AZERO(&dst->addr.v.a.mask, AF_INET6) &&

!src->not && !dst->not &&

- !src->port_op && !dst->port_op)

+ !src->port_op && !dst->port_op &&

+ osfp == PF_OSFP_ANY)

printf(" all");

else {

printf(" from ");

@@ -370,6 +372,9 @@ print_fromto(struct pf_rule_addr *src, struct pf_rule_addr *dst,

print_port(src->port_op, src->port[0],

src->port[1],

proto == IPPROTO_TCP ? "tcp" : "udp");

+ if (osfp != PF_OSFP_ANY)

+ printf(" os \"%s\"", pfctl_lookup_fingerprint(osfp, buf,

+ sizeof(buf)));

printf(" to ");

if (dst->not)

@@ -651,7 +656,8 @@ print_rule(struct pf_rule *r, int verbose)

else

printf(" proto %u", r->proto);

}

- print_fromto(&r->src, &r->dst, r->af, r->proto, verbose);

+ print_fromto(&r->src, r->os_fingerprint, &r->dst, r->af, r->proto,

+ verbose);

if (r->uid.op)

print_ugid(r->uid.op, r->uid.uid[0], r->uid.uid[1], "user",

UID_MAX);

diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index b8331a5b725..88047e59732 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: pfctl_parser.h,v 1.66 2003/07/31 22:25:54 cedric Exp $ */

+/* $OpenBSD: pfctl_parser.h,v 1.67 2003/08/21 19:12:09 frantzen Exp $ */

@@ -33,6 +33,8 @@

#ifndef _PFCTL_PARSER_H_

#define _PFCTL_PARSER_H_

+#define PF_OSFP_FILE "/etc/pf.os"

#define PF_OPT_DISABLE 0x0001

#define PF_OPT_ENABLE 0x0002

#define PF_OPT_VERBOSE 0x0004

@@ -97,6 +99,13 @@ struct node_host {

struct node_host *tail;

};

+struct node_os {

+ char *os;

+ pf_osfp_t fingerprint;

+ struct node_os *next;

+ struct node_os *tail;

+};

struct node_queue_bw {

u_int32_t bw_absolute;

u_int16_t bw_percent;

@@ -168,6 +177,14 @@ void print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,

int pfctl_define_table(char *, int, int, const char *, const char *,

struct pfr_buffer *, u_int32_t);

+void pfctl_clear_fingerprints(int, int);

+int pfctl_file_fingerprints(int, int, const char *);

+pf_osfp_t pfctl_get_fingerprint(const char *);

+int pfctl_load_fingerprints(int, int);

+char *pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);

+void pfctl_show_fingerprints(int);

struct icmptypeent {

const char *name;

u_int8_t type;