diff options
| author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-08-21 19:12:10 +0000 |
|---|---|---|
| committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-08-21 19:12:10 +0000 |
| commit | b52022c22d0099a7ee4fac807fbc3cf0d1ed41dd (patch) | |
| tree | ee69abaecaf37fc21178586105aec99dbe4500db /sys/net/pf_norm.c | |
| parent | ac8ea66182cc0e72f3c2b0178333b53707008bbc (diff) | |
Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
Diffstat (limited to 'sys/net/pf_norm.c')
| -rw-r--r-- | sys/net/pf_norm.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index cc49e4ed1b3..4ef322954ac 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.71 2003/08/14 19:00:12 jason Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.72 2003/08/21 19:12:08 frantzen Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -1211,6 +1211,10 @@ pf_normalize_tcp(int dir, struct ifnet *ifp, struct mbuf *m, int ipoff, else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], th->th_dport)) r = r->skip[PF_SKIP_DST_PORT].ptr; + else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( + pf_osfp_fingerprint(pd, m, off, th), + r->os_fingerprint)) + r = TAILQ_NEXT(r, entries); else { rm = r; break; |