diff options
| author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2011-07-24 12:13:11 +0000 |
|---|---|---|
| committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2011-07-24 12:13:11 +0000 |
| commit | bfccd3907c3785d14b0c9ad61d44b66d5ba90902 (patch) | |
| tree | 33b4d43508b90b0dfdf99a30b0bcea272b6eb082 /sys | |
| parent | f521ab373c697516923d51b78cc3c2f47efc1505 (diff) | |
OS fingerprinting can only be done on rules that explicitly specify TCP
now, put it in the IPPROTO_TCP case of the pf_test_rule() inner loop.
ok henning sthen
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/net/pf.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index e1d10b999d8..8af51bcacd3 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.767 2011/07/23 21:17:47 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.768 2011/07/24 12:13:10 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2868,6 +2868,10 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, case IPPROTO_TCP: PF_TEST_ATTRIB(((r->flagset & th->th_flags) != r->flags), TAILQ_NEXT(r, entries)); + PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY && + !pf_osfp_match(pf_osfp_fingerprint(pd, m, off, th), + r->os_fingerprint)), + TAILQ_NEXT(r, entries)); /* FALLTHROUGH */ case IPPROTO_UDP: @@ -2913,11 +2917,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT && pd->virtual_proto != PF_VPROTO_FRAGMENT), TAILQ_NEXT(r, entries)); - PF_TEST_ATTRIB((r->os_fingerprint != PF_OSFP_ANY && - (pd->virtual_proto != IPPROTO_TCP || !pf_osfp_match( - pf_osfp_fingerprint(pd, m, off, th), - r->os_fingerprint))), - TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB((r->tos && !(r->tos == pd->tos)), TAILQ_NEXT(r, entries)); PF_TEST_ATTRIB((r->prob && |