1 /* $OpenBSD: pf_osfp.c,v 1.12 2006/12/13 18:14:10 itojun Exp $ */
4 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include <sys/cdefs.h>
22 __FBSDID("$FreeBSD$");
25 #include <sys/param.h>
26 #include <sys/socket.h>
28 # include <sys/systm.h>
32 #include <netinet/in.h>
33 #include <netinet/in_systm.h>
34 #include <netinet/ip.h>
35 #include <netinet/tcp.h>
38 #include <net/pfvar.h>
40 #include <netinet/ip6.h>
42 #include <netinet6/in6_var.h>
46 # define DPFPRINTF(format, x...) \
47 if (pf_status.debug >= PF_DEBUG_NOISY) \
50 typedef uma_zone_t pool_t;
52 typedef struct pool pool_t;
56 /* Userland equivalents so we can lend code to tcpdump et al. */
58 # include <arpa/inet.h>
65 # define pool_get(pool, flags) malloc(*(pool))
66 # define pool_put(pool, item) free(item)
67 # define pool_init(pool, size, a, ao, f, m, p) (*(pool)) = (size)
70 # define NTOHS(x) (x) = ntohs((u_int16_t)(x))
74 # include <sys/stdarg.h>
75 # define DPFPRINTF(format, x...) fprintf(stderr, format , ##x)
77 # define DPFPRINTF(format, x...) ((void)0)
82 SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list;
83 pool_t pf_osfp_entry_pl;
86 struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *,
87 struct pf_os_fingerprint *, u_int8_t);
88 struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *,
89 struct pf_os_fingerprint *);
90 void pf_osfp_insert(struct pf_osfp_list *,
91 struct pf_os_fingerprint *);
96 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only)
97 * Returns the list of possible OSes.
99 struct pf_osfp_enlist *
100 pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off,
101 const struct tcphdr *tcp)
107 if ((pd->af != PF_INET && pd->af != PF_INET6) ||
108 pd->proto != IPPROTO_TCP || (tcp->th_off << 2) < sizeof(*tcp))
111 if (pd->af == PF_INET) {
112 ip = mtod(m, struct ip *);
113 ip6 = (struct ip6_hdr *)NULL;
115 ip = (struct ip *)NULL;
116 ip6 = mtod(m, struct ip6_hdr *);
118 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL,
119 pd->af)) return (NULL);
121 return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr));
125 struct pf_osfp_enlist *
126 pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcp)
128 struct pf_os_fingerprint fp, *fpresult;
130 const u_int8_t *optp;
134 char srcname[NI_MAXHOST];
137 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN)
140 if ((ip->ip_off & htons(IP_OFFMASK)) != 0)
144 memset(&fp, 0, sizeof(fp));
148 struct sockaddr_in sin;
151 fp.fp_psize = ntohs(ip->ip_len);
152 fp.fp_ttl = ip->ip_ttl;
153 if (ip->ip_off & htons(IP_DF))
154 fp.fp_flags |= PF_OSFP_DF;
156 strlcpy(srcname, inet_ntoa(ip->ip_src), sizeof(srcname));
158 memset(&sin, 0, sizeof(sin));
159 sin.sin_family = AF_INET;
160 sin.sin_len = sizeof(struct sockaddr_in);
161 sin.sin_addr = ip->ip_src;
162 (void)getnameinfo((struct sockaddr *)&sin,
163 sizeof(struct sockaddr_in), srcname, sizeof(srcname),
164 NULL, 0, NI_NUMERICHOST);
170 struct sockaddr_in6 sin6;
174 fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
175 fp.fp_ttl = ip6->ip6_hlim;
176 fp.fp_flags |= PF_OSFP_DF;
177 fp.fp_flags |= PF_OSFP_INET6;
179 strlcpy(srcname, ip6_sprintf((struct in6_addr *)&ip6->ip6_src),
182 memset(&sin6, 0, sizeof(sin6));
183 sin6.sin6_family = AF_INET6;
184 sin6.sin6_len = sizeof(struct sockaddr_in6);
185 sin6.sin6_addr = ip6->ip6_src;
186 (void)getnameinfo((struct sockaddr *)&sin6,
187 sizeof(struct sockaddr_in6), srcname, sizeof(srcname),
188 NULL, 0, NI_NUMERICHOST);
194 fp.fp_wsize = ntohs(tcp->th_win);
197 cnt = (tcp->th_off << 2) - sizeof(*tcp);
198 optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
199 for (; cnt > 0; cnt -= optlen, optp += optlen) {
200 if (*optp == TCPOPT_EOL)
204 if (*optp == TCPOPT_NOP) {
205 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
212 if (optlen > cnt || optlen < 2)
216 if (optlen >= TCPOLEN_MAXSEG)
217 memcpy(&fp.fp_mss, &optp[2],
219 fp.fp_tcpopts = (fp.fp_tcpopts <<
220 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
224 if (optlen >= TCPOLEN_WINDOW)
225 memcpy(&fp.fp_wscale, &optp[2],
226 sizeof(fp.fp_wscale));
228 fp.fp_tcpopts = (fp.fp_tcpopts <<
229 PF_OSFP_TCPOPT_BITS) |
230 PF_OSFP_TCPOPT_WSCALE;
232 case TCPOPT_SACK_PERMITTED:
233 fp.fp_tcpopts = (fp.fp_tcpopts <<
234 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
236 case TCPOPT_TIMESTAMP:
237 if (optlen >= TCPOLEN_TIMESTAMP) {
239 memcpy(&ts, &optp[2], sizeof(ts));
241 fp.fp_flags |= PF_OSFP_TS0;
244 fp.fp_tcpopts = (fp.fp_tcpopts <<
245 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
251 optlen = MAX(optlen, 1); /* paranoia */
254 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
255 "(TS=%s,M=%s%d,W=%s%d)\n",
256 srcname, ntohs(tcp->th_sport),
257 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
258 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
259 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "",
260 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
261 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
263 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
264 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
267 if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp,
268 PF_OSFP_MAXTTL_OFFSET)))
269 return (&fpresult->fp_oses);
273 /* Match a fingerprint ID against a list of OSes */
275 pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
277 struct pf_osfp_entry *entry;
278 int os_class, os_version, os_subtype;
279 int en_class, en_version, en_subtype;
281 if (os == PF_OSFP_ANY)
284 DPFPRINTF("osfp no match against %x\n", os);
285 return (os == PF_OSFP_UNKNOWN);
287 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
288 SLIST_FOREACH(entry, list, fp_entry) {
289 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype);
290 if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
291 (os_version == PF_OSFP_ANY || en_version == os_version) &&
292 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
293 DPFPRINTF("osfp matched %s %s %s %x==%x\n",
294 entry->fp_class_nm, entry->fp_version_nm,
295 entry->fp_subtype_nm, os, entry->fp_os);
299 DPFPRINTF("fingerprint 0x%x didn't match\n", os);
303 /* Initialize the OS fingerprint system */
309 pf_osfp_initialize(void)
311 #if defined(__FreeBSD__) && defined(_KERNEL)
315 pf_osfp_entry_pl = pf_osfp_pl = NULL;
316 UMA_CREATE(pf_osfp_entry_pl, struct pf_osfp_entry, "pfospfen");
317 UMA_CREATE(pf_osfp_pl, struct pf_os_fingerprint, "pfosfp");
321 pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry), 0, 0, 0,
322 "pfosfpen", &pool_allocator_nointr);
323 pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint), 0, 0, 0,
324 "pfosfp", &pool_allocator_nointr);
326 SLIST_INIT(&pf_osfp_list);
336 #if defined(__FreeBSD__) && (_KERNEL)
338 pf_osfp_cleanup(void)
340 UMA_DESTROY(pf_osfp_entry_pl);
341 UMA_DESTROY(pf_osfp_pl);
345 /* Flush the fingerprint list */
349 struct pf_os_fingerprint *fp;
350 struct pf_osfp_entry *entry;
352 while ((fp = SLIST_FIRST(&pf_osfp_list))) {
353 SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next);
354 while ((entry = SLIST_FIRST(&fp->fp_oses))) {
355 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry);
356 pool_put(&pf_osfp_entry_pl, entry);
358 pool_put(&pf_osfp_pl, fp);
363 /* Add a fingerprint */
365 pf_osfp_add(struct pf_osfp_ioctl *fpioc)
367 struct pf_os_fingerprint *fp, fpadd;
368 struct pf_osfp_entry *entry;
370 memset(&fpadd, 0, sizeof(fpadd));
371 fpadd.fp_tcpopts = fpioc->fp_tcpopts;
372 fpadd.fp_wsize = fpioc->fp_wsize;
373 fpadd.fp_psize = fpioc->fp_psize;
374 fpadd.fp_mss = fpioc->fp_mss;
375 fpadd.fp_flags = fpioc->fp_flags;
376 fpadd.fp_optcnt = fpioc->fp_optcnt;
377 fpadd.fp_wscale = fpioc->fp_wscale;
378 fpadd.fp_ttl = fpioc->fp_ttl;
380 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
381 "(TS=%s,M=%s%d,W=%s%d) %x\n",
382 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
383 fpioc->fp_os.fp_subtype_nm,
384 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
385 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
386 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
387 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
390 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
391 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
392 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
394 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
395 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "",
396 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
397 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
399 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
400 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
405 if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) {
406 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
407 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
410 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL)
413 if ((fp = pool_get(&pf_osfp_pl, PR_NOWAIT)) == NULL)
415 memset(fp, 0, sizeof(*fp));
416 fp->fp_tcpopts = fpioc->fp_tcpopts;
417 fp->fp_wsize = fpioc->fp_wsize;
418 fp->fp_psize = fpioc->fp_psize;
419 fp->fp_mss = fpioc->fp_mss;
420 fp->fp_flags = fpioc->fp_flags;
421 fp->fp_optcnt = fpioc->fp_optcnt;
422 fp->fp_wscale = fpioc->fp_wscale;
423 fp->fp_ttl = fpioc->fp_ttl;
424 SLIST_INIT(&fp->fp_oses);
425 if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) {
426 pool_put(&pf_osfp_pl, fp);
429 pf_osfp_insert(&pf_osfp_list, fp);
431 memcpy(entry, &fpioc->fp_os, sizeof(*entry));
433 /* Make sure the strings are NUL terminated */
434 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
435 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
436 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';
438 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);
441 if ((fp = pf_osfp_validate()))
442 printf("Invalid fingerprint list\n");
448 /* Find a fingerprint in the list */
449 struct pf_os_fingerprint *
450 pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
453 struct pf_os_fingerprint *f;
455 #define MATCH_INT(_MOD, _DC, _field) \
456 if ((f->fp_flags & _DC) == 0) { \
457 if ((f->fp_flags & _MOD) == 0) { \
458 if (f->_field != find->_field) \
461 if (f->_field == 0 || find->_field % f->_field) \
466 SLIST_FOREACH(f, list, fp_next) {
467 if (f->fp_tcpopts != find->fp_tcpopts ||
468 f->fp_optcnt != find->fp_optcnt ||
469 f->fp_ttl < find->fp_ttl ||
470 f->fp_ttl - find->fp_ttl > ttldiff ||
471 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
472 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
475 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
476 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
477 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
478 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
479 if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
480 if (find->fp_mss == 0)
483 /* Some "smart" NAT devices and DSL routers will tweak the MSS size and
484 * will set it to whatever is suitable for the link type.
486 #define SMART_MSS 1460
487 if ((find->fp_wsize % find->fp_mss ||
488 find->fp_wsize / find->fp_mss !=
490 (find->fp_wsize % SMART_MSS ||
491 find->fp_wsize / SMART_MSS !=
494 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
495 if (find->fp_mss == 0)
498 #define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr))
499 #define SMART_MTU (SMART_MSS + MTUOFF)
500 if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
501 find->fp_wsize / (find->fp_mss + MTUOFF) !=
503 (find->fp_wsize % SMART_MTU ||
504 find->fp_wsize / SMART_MTU !=
507 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
508 if (f->fp_wsize == 0 || find->fp_wsize %
512 if (f->fp_wsize != find->fp_wsize)
522 /* Find an exact fingerprint in the list */
523 struct pf_os_fingerprint *
524 pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
526 struct pf_os_fingerprint *f;
528 SLIST_FOREACH(f, list, fp_next) {
529 if (f->fp_tcpopts == find->fp_tcpopts &&
530 f->fp_wsize == find->fp_wsize &&
531 f->fp_psize == find->fp_psize &&
532 f->fp_mss == find->fp_mss &&
533 f->fp_flags == find->fp_flags &&
534 f->fp_optcnt == find->fp_optcnt &&
535 f->fp_wscale == find->fp_wscale &&
536 f->fp_ttl == find->fp_ttl)
543 /* Insert a fingerprint into the list */
545 pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
547 struct pf_os_fingerprint *f, *prev = NULL;
549 /* XXX need to go semi tree based. can key on tcp options */
551 SLIST_FOREACH(f, list, fp_next)
554 SLIST_INSERT_AFTER(prev, ins, fp_next);
556 SLIST_INSERT_HEAD(list, ins, fp_next);
559 /* Fill a fingerprint by its number (from an ioctl) */
561 pf_osfp_get(struct pf_osfp_ioctl *fpioc)
563 struct pf_os_fingerprint *fp;
564 struct pf_osfp_entry *entry;
565 int num = fpioc->fp_getnum;
569 memset(fpioc, 0, sizeof(*fpioc));
570 SLIST_FOREACH(fp, &pf_osfp_list, fp_next) {
571 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
573 fpioc->fp_mss = fp->fp_mss;
574 fpioc->fp_wsize = fp->fp_wsize;
575 fpioc->fp_flags = fp->fp_flags;
576 fpioc->fp_psize = fp->fp_psize;
577 fpioc->fp_ttl = fp->fp_ttl;
578 fpioc->fp_wscale = fp->fp_wscale;
579 fpioc->fp_getnum = num;
580 memcpy(&fpioc->fp_os, entry,
581 sizeof(fpioc->fp_os));
591 /* Validate that each signature is reachable */
592 struct pf_os_fingerprint *
593 pf_osfp_validate(void)
595 struct pf_os_fingerprint *f, *f2, find;
597 SLIST_FOREACH(f, &pf_osfp_list, fp_next) {
598 memcpy(&find, f, sizeof(find));
600 /* We do a few MSS/th_win percolations to make things unique */
601 if (find.fp_mss == 0)
603 if (f->fp_flags & PF_OSFP_WSIZE_MSS)
604 find.fp_wsize *= find.fp_mss, 1;
605 else if (f->fp_flags & PF_OSFP_WSIZE_MTU)
606 find.fp_wsize *= (find.fp_mss + 40);
607 else if (f->fp_flags & PF_OSFP_WSIZE_MOD)
609 if (f != (f2 = pf_osfp_find(&pf_osfp_list, &find, 0))) {
611 printf("Found \"%s %s %s\" instead of "
613 SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
614 SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
615 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm,
616 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
617 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
618 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
620 printf("Couldn't find \"%s %s %s\"\n",
621 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
622 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
623 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
projects / FreeBSD / releng / 8.1.git / blob