pf_osfp.c revision 1.1.1.3
      1 /*	$NetBSD: pf_osfp.c,v 1.1.1.3 2009/12/01 07:03:14 martti Exp $	*/
      2 /*	$OpenBSD: pf_osfp.c,v 1.12 2006/12/13 18:14:10 itojun Exp $ */
      3 
      4 /*
      5  * Copyright (c) 2003 Mike Frantzen <frantzen (at) w4g.org>
      6  *
      7  * Permission to use, copy, modify, and distribute this software for any
      8  * purpose with or without fee is hereby granted, provided that the above
      9  * copyright notice and this permission notice appear in all copies.
     10  *
     11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
     12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     18  *
     19  */
     20 
     21 #include <sys/param.h>
     22 #include <sys/socket.h>
     23 #ifdef _KERNEL
     24 # include <sys/systm.h>
     25 #endif /* _KERNEL */
     26 #include <sys/mbuf.h>
     27 
     28 #include <netinet/in.h>
     29 #include <netinet/in_systm.h>
     30 #include <netinet/ip.h>
     31 #include <netinet/tcp.h>
     32 
     33 #include <net/if.h>
     34 #include <net/pfvar.h>
     35 
     36 #include <netinet/ip6.h>
     37 #ifdef _KERNEL
     38 #include <netinet6/in6_var.h>
     39 #endif
     40 
     41 
#ifdef _KERNEL
/*
 * Kernel debug print: only emits when pf's debug level is at least
 * PF_DEBUG_NOISY.
 * NOTE(review): the expansion is a bare `if` statement, not wrapped in
 * do { } while (0).  Using it as the body of an if/else would bind a
 * following `else` to the macro's own `if`; keep every use a standalone
 * statement, as the uses visible in this file are.
 */
# define DPFPRINTF(format, x...)		\
	if (pf_status.debug >= PF_DEBUG_NOISY)	\
		printf(format , ##x)
typedef struct pool pool_t;

#else
/* Userland equivalents so we can lend code to tcpdump et al. */

# include <arpa/inet.h>
# include <errno.h>
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <netdb.h>
/*
 * Userland stand-ins for the kernel pool allocator: a "pool" is just an int
 * holding the object size.  pool_init() stores the size and ignores its other
 * arguments, pool_get() mallocs that many bytes (the flags are ignored and the
 * result may be NULL), pool_put() frees the item.
 */
# define pool_t			int
# define pool_get(pool, flags)	malloc(*(pool))
# define pool_put(pool, item)	free(item)
# define pool_init(pool, size, a, ao, f, m, p)	(*(pool)) = (size)

/* Userland debug print: goes to stderr with PFDEBUG, otherwise compiles away. */
# ifdef PFDEBUG
#  include <sys/stdarg.h>
#  define DPFPRINTF(format, x...)	fprintf(stderr, format , ##x)
# else
#  define DPFPRINTF(format, x...)	((void)0)
# endif /* PFDEBUG */
#endif /* _KERNEL */
     69 
     70 
/* Global singly-linked list of known fingerprints (struct pf_os_fingerprint). */
SLIST_HEAD(pf_osfp_list, pf_os_fingerprint) pf_osfp_list;
/*
 * Allocation pools, sized in pf_osfp_initialize(): one for the per-OS entries
 * hanging off a fingerprint, one for the fingerprints themselves.
 */
pool_t pf_osfp_entry_pl;
pool_t pf_osfp_pl;

/* Forward declarations for the list helpers defined later in this file. */
struct pf_os_fingerprint	*pf_osfp_find(struct pf_osfp_list *,
				    struct pf_os_fingerprint *, u_int8_t);
struct pf_os_fingerprint	*pf_osfp_find_exact(struct pf_osfp_list *,
				    struct pf_os_fingerprint *);
void				 pf_osfp_insert(struct pf_osfp_list *,
				    struct pf_os_fingerprint *);
     81 
     82 
     83 #ifdef _KERNEL
/*
 * Kernel entry point for passive OS fingerprinting of a TCP packet held in
 * an mbuf.
 *
 * Rejects anything that is not TCP over PF_INET or PF_INET6, and any TCP
 * header whose data offset is shorter than struct tcphdr.  The full TCP
 * header (th_off << 2 bytes, options included) is then copied out of the
 * mbuf with pf_pull_hdr() into a local buffer and handed, together with the
 * IP or IPv6 header at the front of the mbuf, to pf_osfp_fingerprint_hdr().
 *
 * Returns the list of possible OSes, or NULL when the packet is rejected,
 * the header cannot be pulled, or nothing matches.
 */
struct pf_osfp_enlist *
pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off,
    const struct tcphdr *tcp)
{
	struct ip *ip = NULL;
	struct ip6_hdr *ip6 = NULL;
	/*
	 * 60 bytes is the largest possible TCP header: the data-offset field
	 * is 4 bits wide, so th_off << 2 cannot exceed 60 and the copy below
	 * stays inside this buffer.
	 * NOTE(review): the buffer is a plain char array that is later viewed
	 * as a struct tcphdr; confirm alignment is acceptable on
	 * strict-alignment platforms.
	 */
	char hdr[60];

	if (pd->af != PF_INET && pd->af != PF_INET6)
		return (NULL);
	if (pd->proto != IPPROTO_TCP)
		return (NULL);
	/* A data offset below the fixed header size is malformed. */
	if ((tcp->th_off << 2) < sizeof(*tcp))
		return (NULL);

	/* Exactly one of ip / ip6 is non-NULL, selected by address family. */
	if (pd->af == PF_INET)
		ip = mtod(m, struct ip *);
	else
		ip6 = mtod(m, struct ip6_hdr *);

	if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL, pd->af))
		return (NULL);

	return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr));
}
    112 #endif /* _KERNEL */
    113 
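/*
 * Build a passive fingerprint from an IP or IPv6 header plus a TCP header and
 * look it up in the global fingerprint list.
 *
 * Exactly one of ip / ip6 is expected to be non-NULL.  Only initial SYNs
 * (SYN set, ACK clear) are fingerprinted, and IPv4 packets with a non-zero
 * fragment offset are rejected.
 *
 * Caller contract: tcp must point at a buffer that really holds
 * th_off << 2 bytes, because the option walk below reads up to that length.
 * pf_osfp_fingerprint() guarantees this by pulling the full header first;
 * other callers (the userland build) must do the same with possibly
 * truncated captures.
 *
 * Returns the OS list of the first matching fingerprint, or NULL when the
 * packet is not eligible, an option is malformed or unknown, or nothing
 * matches.  The returned pointer refers to storage owned by the global list
 * (it is released by pf_osfp_flush()).
 */
struct pf_osfp_enlist *
pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcp)
{
	struct pf_os_fingerprint fp, *fpresult;
	int cnt, optlen = 0;
	const u_int8_t *optp;
#ifdef _KERNEL
	char srcname[128];
#else
	char srcname[NI_MAXHOST];
#endif

	if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN)
		return (NULL);
	if (ip) {
		if ((ip->ip_off & htons(IP_OFFMASK)) != 0)
			return (NULL);
	}

	memset(&fp, 0, sizeof(fp));
	/*
	 * The userland path ignores getnameinfo()'s return value; start with
	 * an empty string so the debug print below never reads an
	 * uninitialised buffer if that call fails.
	 */
	srcname[0] = '\0';

	if (ip) {
#ifndef _KERNEL
		struct sockaddr_in sin;
#endif

		fp.fp_psize = ntohs(ip->ip_len);
		fp.fp_ttl = ip->ip_ttl;
		if (ip->ip_off & htons(IP_DF))
			fp.fp_flags |= PF_OSFP_DF;
#ifdef _KERNEL
		strlcpy(srcname, inet_ntoa(ip->ip_src), sizeof(srcname));
#else
		memset(&sin, 0, sizeof(sin));
		sin.sin_family = AF_INET;
		sin.sin_len = sizeof(struct sockaddr_in);
		sin.sin_addr = ip->ip_src;
		(void)getnameinfo((struct sockaddr *)&sin,
		    sizeof(struct sockaddr_in), srcname, sizeof(srcname),
		    NULL, 0, NI_NUMERICHOST);
#endif
	}
#ifdef INET6
	else if (ip6) {
#ifndef _KERNEL
		struct sockaddr_in6 sin6;
#endif

		/* jumbo payload? */
		fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
		fp.fp_ttl = ip6->ip6_hlim;
		/* IPv6 is always treated as "don't fragment". */
		fp.fp_flags |= PF_OSFP_DF;
		fp.fp_flags |= PF_OSFP_INET6;
#ifdef _KERNEL
		strlcpy(srcname, ip6_sprintf((struct in6_addr *)&ip6->ip6_src),
		    sizeof(srcname));
#else
		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_family = AF_INET6;
		sin6.sin6_len = sizeof(struct sockaddr_in6);
		sin6.sin6_addr = ip6->ip6_src;
		(void)getnameinfo((struct sockaddr *)&sin6,
		    sizeof(struct sockaddr_in6), srcname, sizeof(srcname),
		    NULL, 0, NI_NUMERICHOST);
#endif
	}
#endif
	else
		return (NULL);
	fp.fp_wsize = ntohs(tcp->th_win);


	/*
	 * Walk the TCP options.  cnt is the number of option bytes left.
	 * If th_off were below the fixed header size the unsigned difference
	 * would wrap; converted to int it is expected to come out negative,
	 * which skips the loop.  pf_osfp_fingerprint() rejects such headers
	 * before calling here.
	 */
	cnt = (tcp->th_off << 2) - sizeof(*tcp);
	optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
	for (; cnt > 0; cnt -= optlen, optp += optlen) {
		if (*optp == TCPOPT_EOL)
			break;

		fp.fp_optcnt++;
		if (*optp == TCPOPT_NOP) {
			fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
			    PF_OSFP_TCPOPT_NOP;
			optlen = 1;
		} else {
			/* Need a length byte, and it must fit what is left. */
			if (cnt < 2)
				return (NULL);
			optlen = optp[1];
			if (optlen > cnt || optlen < 2)
				return (NULL);
			switch (*optp) {
			case TCPOPT_MAXSEG:
				if (optlen >= TCPOLEN_MAXSEG)
					memcpy(&fp.fp_mss, &optp[2],
					    sizeof(fp.fp_mss));
				fp.fp_tcpopts = (fp.fp_tcpopts <<
				    PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
				NTOHS(fp.fp_mss);
				break;
			case TCPOPT_WINDOW:
				if (optlen >= TCPOLEN_WINDOW)
					memcpy(&fp.fp_wscale, &optp[2],
					    sizeof(fp.fp_wscale));
				/*
				 * NOTE(review): NTOHS() is applied here as it
				 * is for fp_mss, but only sizeof(fp.fp_wscale)
				 * bytes were copied.  If fp_wscale is a
				 * one-byte field (declared outside this file;
				 * confirm), a 16-bit swap would not preserve
				 * its value on little-endian hosts.
				 */
				NTOHS(fp.fp_wscale);
				fp.fp_tcpopts = (fp.fp_tcpopts <<
				    PF_OSFP_TCPOPT_BITS) |
				    PF_OSFP_TCPOPT_WSCALE;
				break;
			case TCPOPT_SACK_PERMITTED:
				fp.fp_tcpopts = (fp.fp_tcpopts <<
				    PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
				break;
			case TCPOPT_TIMESTAMP:
				if (optlen >= TCPOLEN_TIMESTAMP) {
					u_int32_t ts;
					/* Only "timestamp is zero" is kept. */
					memcpy(&ts, &optp[2], sizeof(ts));
					if (ts == 0)
						fp.fp_flags |= PF_OSFP_TS0;

				}
				fp.fp_tcpopts = (fp.fp_tcpopts <<
				    PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
				break;
			default:
				/* Unknown option: refuse to fingerprint. */
				return (NULL);
			}
		}
		optlen = MAX(optlen, 1);	/* paranoia */
	}

	DPFPRINTF("fingerprinted %s:%d  %d:%d:%d:%d:%llx (%d) "
	    "(TS=%s,M=%s%d,W=%s%d)\n",
	    srcname, ntohs(tcp->th_sport),
	    fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
	    fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
	    (fp.fp_flags & PF_OSFP_TS0) ? "0" : "",
	    (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
	    (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
	    fp.fp_mss,
	    (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
	    (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
	    fp.fp_wscale);

	if ((fpresult = pf_osfp_find(&pf_osfp_list, &fp,
	    PF_OSFP_MAXTTL_OFFSET)))
		return (&fpresult->fp_oses);
	return (NULL);
}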
    261 
/*
 * Decide whether the packed OS identifier `os` is satisfied by `list`.
 *
 * PF_OSFP_ANY always matches.  With no list (nothing was fingerprinted) the
 * only identifier that matches is PF_OSFP_UNKNOWN.  Otherwise `os` is
 * unpacked into class / version / subtype and compared against every entry;
 * a component equal to PF_OSFP_ANY in `os` acts as a wildcard.
 *
 * Returns 1 on a match, 0 otherwise.
 */
int
pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
{
	struct pf_osfp_entry *cand;
	int want_class, want_version, want_subtype;
	int have_class, have_version, have_subtype;

	if (os == PF_OSFP_ANY)
		return (1);

	if (list == NULL) {
		DPFPRINTF("osfp no match against %x\n", os);
		return (os == PF_OSFP_UNKNOWN);
	}

	PF_OSFP_UNPACK(os, want_class, want_version, want_subtype);

	SLIST_FOREACH(cand, list, fp_entry) {
		PF_OSFP_UNPACK(cand->fp_os, have_class, have_version,
		    have_subtype);

		/* Each component must be a wildcard or equal the entry's. */
		if (want_class != PF_OSFP_ANY && have_class != want_class)
			continue;
		if (want_version != PF_OSFP_ANY &&
		    have_version != want_version)
			continue;
		if (want_subtype != PF_OSFP_ANY &&
		    have_subtype != want_subtype)
			continue;

		DPFPRINTF("osfp matched %s %s %s  %x==%x\n",
		    cand->fp_class_nm, cand->fp_version_nm,
		    cand->fp_subtype_nm, os, cand->fp_os);
		return (1);
	}

	DPFPRINTF("fingerprint 0x%x didn't match\n", os);
	return (0);
}
    291 
/*
 * Set up the OS fingerprint subsystem: size the two allocation pools (one
 * per OS entry, one per fingerprint) and start with an empty global list.
 * In the userland build pool_init() only records the object size; its
 * remaining arguments are dropped by the macro.
 */
void
pf_osfp_initialize(void)
{
	/* Pool for the per-OS entries attached to each fingerprint. */
	pool_init(&pf_osfp_entry_pl, sizeof(struct pf_osfp_entry),
	    0, 0, 0, "pfosfpen", &pool_allocator_nointr);

	/* Pool for the fingerprints themselves. */
	pool_init(&pf_osfp_pl, sizeof(struct pf_os_fingerprint),
	    0, 0, 0, "pfosfp", &pool_allocator_nointr);

	SLIST_INIT(&pf_osfp_list);
}
    302 
/*
 * Empty the global fingerprint list, returning every OS entry and every
 * fingerprint to its pool.  Any pointer previously obtained from the list
 * (for example a result of pf_osfp_fingerprint_hdr()) refers to released
 * storage afterwards.
 */
void
pf_osfp_flush(void)
{
	struct pf_os_fingerprint *sig;
	struct pf_osfp_entry *os;

	for (;;) {
		sig = SLIST_FIRST(&pf_osfp_list);
		if (sig == NULL)
			break;

		/* Unlink the fingerprint first, then drain its OS entries. */
		SLIST_REMOVE_HEAD(&pf_osfp_list, fp_next);
		for (;;) {
			os = SLIST_FIRST(&sig->fp_oses);
			if (os == NULL)
				break;
			SLIST_REMOVE_HEAD(&sig->fp_oses, fp_entry);
			pool_put(&pf_osfp_entry_pl, os);
		}

		pool_put(&pf_osfp_pl, sig);
	}
}
    319 
    320 
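/*
 * Add a fingerprint described by an ioctl request.
 *
 * If a fingerprint with exactly the same match fields already exists, the
 * OS entry is attached to it (EEXIST if that entry is already present);
 * otherwise a new fingerprint is allocated and appended to the global list.
 *
 * The request is caller-supplied data: its name strings are not assumed to
 * be NUL terminated.  They are forcibly terminated in the stored copy, and
 * the debug print bounds its reads to the size of each name array.
 *
 * Returns 0 on success, EEXIST for a duplicate entry, ENOMEM when a pool
 * allocation fails.
 */
int
pf_osfp_add(struct pf_osfp_ioctl *fpioc)
{
	struct pf_os_fingerprint *fp, fpadd;
	struct pf_osfp_entry *entry;

	/* Template holding only the match fields, zero everywhere else. */
	memset(&fpadd, 0, sizeof(fpadd));
	fpadd.fp_tcpopts = fpioc->fp_tcpopts;
	fpadd.fp_wsize = fpioc->fp_wsize;
	fpadd.fp_psize = fpioc->fp_psize;
	fpadd.fp_mss = fpioc->fp_mss;
	fpadd.fp_flags = fpioc->fp_flags;
	fpadd.fp_optcnt = fpioc->fp_optcnt;
	fpadd.fp_wscale = fpioc->fp_wscale;
	fpadd.fp_ttl = fpioc->fp_ttl;

	/*
	 * The names in fpioc have not been NUL terminated yet (that happens
	 * on the stored copy further down), so print them with an explicit
	 * precision instead of a bare %s that could run past the arrays.
	 */
	DPFPRINTF("adding osfp %.*s %.*s %.*s = %s%d:%d:%d:%s%d:0x%llx %d "
	    "(TS=%s,M=%s%d,W=%s%d) %x\n",
	    (int)sizeof(fpioc->fp_os.fp_class_nm),
	    fpioc->fp_os.fp_class_nm,
	    (int)sizeof(fpioc->fp_os.fp_version_nm),
	    fpioc->fp_os.fp_version_nm,
	    (int)sizeof(fpioc->fp_os.fp_subtype_nm),
	    fpioc->fp_os.fp_subtype_nm,
	    (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
	    (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
	    (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
	    (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
	    fpadd.fp_wsize,
	    fpadd.fp_ttl,
	    (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
	    (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
	    (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
	    fpadd.fp_psize,
	    (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
	    (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "",
	    (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
	    (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
	    fpadd.fp_mss,
	    (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
	    (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
	    fpadd.fp_wscale,
	    fpioc->fp_os.fp_os);


	if ((fp = pf_osfp_find_exact(&pf_osfp_list, &fpadd))) {
		/* Same signature already known: refuse duplicate OS entries. */
		SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
			if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
				return (EEXIST);
		}
		if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL)
			return (ENOMEM);
	} else {
		if ((fp = pool_get(&pf_osfp_pl, PR_NOWAIT)) == NULL)
			return (ENOMEM);
		/*
		 * Start from the zeroed template so the stored fingerprint
		 * and the one used for the lookup cannot drift apart.
		 */
		memcpy(fp, &fpadd, sizeof(*fp));
		SLIST_INIT(&fp->fp_oses);
		if ((entry = pool_get(&pf_osfp_entry_pl, PR_NOWAIT)) == NULL) {
			/* Do not leak the fingerprint we just allocated. */
			pool_put(&pf_osfp_pl, fp);
			return (ENOMEM);
		}
		pf_osfp_insert(&pf_osfp_list, fp);
	}
	/*
	 * Copies the whole caller-supplied entry, list linkage included; the
	 * linkage is overwritten by SLIST_INSERT_HEAD() below.
	 */
	memcpy(entry, &fpioc->fp_os, sizeof(*entry));

	/* Make sure the strings are NUL terminated */
	entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
	entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
	entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';

	SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);

#ifdef PFDEBUG
	if ((fp = pf_osfp_validate()))
		printf("Invalid fingerprint list\n");
#endif /* PFDEBUG */
	return (0);
}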
    404 
    405 
/*
 * Find the first fingerprint in `list` that matches the observed values in
 * `find`.
 *
 * A candidate must have the same option layout (fp_tcpopts, fp_optcnt) and
 * the same DF / TS0 flag bits, and its TTL must be at least the observed TTL
 * and at most `ttldiff` above it.  Packet size, MSS and window scale are then
 * compared according to the candidate's flags (see MATCH_INT), and the window
 * size according to its WSIZE_* flags.
 *
 * The walk stops at the first match, so list order decides between
 * overlapping signatures.  Returns the matching fingerprint or NULL.
 *
 * The helper macros defined in the body (MATCH_INT, SMART_MSS, MTUOFF,
 * SMART_MTU) are not #undef'd here, so they remain defined for the rest of
 * the file.
 */
struct pf_os_fingerprint *
pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
    u_int8_t ttldiff)
{
	struct pf_os_fingerprint *f;

/*
 * Compare one integer field of candidate `f` with the observed value.
 * With the _DC ("don't care") flag set the field is skipped.  With the _MOD
 * flag set the observed value must be a multiple of the stored one (a stored
 * zero never matches, which also avoids dividing by zero).  Otherwise the
 * values must be equal.  On mismatch the enclosing loop moves on via
 * `continue`, so this macro is only usable inside that loop.
 */
#define MATCH_INT(_MOD, _DC, _field)					\
	if ((f->fp_flags & _DC) == 0) {					\
		if ((f->fp_flags & _MOD) == 0) {			\
			if (f->_field != find->_field)			\
				continue;				\
		} else {						\
			if (f->_field == 0 || find->_field % f->_field)	\
				continue;				\
		}							\
	}

	SLIST_FOREACH(f, list, fp_next) {
		/* Cheap exact checks first, including the TTL window. */
		if (f->fp_tcpopts != find->fp_tcpopts ||
		    f->fp_optcnt != find->fp_optcnt ||
		    f->fp_ttl < find->fp_ttl ||
		    f->fp_ttl - find->fp_ttl > ttldiff ||
		    (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
		    (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
			continue;

		MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
		MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
		MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
		if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
			if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
				/*
				 * Window is stored as a multiple of the MSS.
				 * An observed MSS of zero cannot match and
				 * would otherwise be used as a divisor.
				 */
				if (find->fp_mss == 0)
					continue;

/* Some "smart" NAT devices and DSL routers will tweak the MSS size and
 * will set it to whatever is suitable for the link type.
 */
#define SMART_MSS	1460
				/*
				 * Accept if window / MSS equals the stored
				 * multiple exactly, using either the observed
				 * MSS or the SMART_MSS fallback.
				 */
				if ((find->fp_wsize % find->fp_mss ||
				    find->fp_wsize / find->fp_mss !=
				    f->fp_wsize) &&
				    (find->fp_wsize % SMART_MSS ||
				    find->fp_wsize / SMART_MSS !=
				    f->fp_wsize))
					continue;
			} else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
				/* Same idea, with the window a multiple of the MTU. */
				if (find->fp_mss == 0)
					continue;

#define MTUOFF	(sizeof(struct ip) + sizeof(struct tcphdr))
#define SMART_MTU	(SMART_MSS + MTUOFF)
				if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
				    find->fp_wsize / (find->fp_mss + MTUOFF) !=
				    f->fp_wsize) &&
				    (find->fp_wsize % SMART_MTU ||
				    find->fp_wsize / SMART_MTU !=
				    f->fp_wsize))
					continue;
			} else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
				/* Observed window must be a multiple of the stored one. */
				if (f->fp_wsize == 0 || find->fp_wsize %
				    f->fp_wsize)
					continue;
			} else {
				/* No modifier: the window must match exactly. */
				if (f->fp_wsize != find->fp_wsize)
					continue;
			}
		}
		return (f);
	}

	return (NULL);
}
    479 
/*
 * Look for a fingerprint whose eight match fields (options, window, packet
 * size, MSS, flags, option count, window scale, TTL) are all identical to
 * those of `find`.  No wildcard or modulus handling is applied here.
 * Returns the first such fingerprint or NULL.
 */
struct pf_os_fingerprint *
pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
{
	struct pf_os_fingerprint *cur;

	SLIST_FOREACH(cur, list, fp_next) {
		/* Skip the candidate as soon as any field differs. */
		if (cur->fp_tcpopts != find->fp_tcpopts ||
		    cur->fp_wsize != find->fp_wsize ||
		    cur->fp_psize != find->fp_psize ||
		    cur->fp_mss != find->fp_mss ||
		    cur->fp_flags != find->fp_flags ||
		    cur->fp_optcnt != find->fp_optcnt ||
		    cur->fp_wscale != find->fp_wscale ||
		    cur->fp_ttl != find->fp_ttl)
			continue;

		return (cur);
	}

	return (NULL);
}
    500 
/*
 * Append `ins` to the end of `list`.  The list is singly linked, so the tail
 * is found by walking it; an empty list gets `ins` as its head.
 */
void
pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
{
	struct pf_os_fingerprint *tail;

	/* XXX need to go semi tree based.  can key on tcp options */

	tail = SLIST_FIRST(list);
	if (tail == NULL) {
		SLIST_INSERT_HEAD(list, ins, fp_next);
		return;
	}

	while (SLIST_NEXT(tail, fp_next) != NULL)
		tail = SLIST_NEXT(tail, fp_next);
	SLIST_INSERT_AFTER(tail, ins, fp_next);
}
    516 
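/*
 * Fill `fpioc` with the fingerprint/OS pair whose running index equals
 * fpioc->fp_getnum (from an ioctl).
 *
 * The index counts OS entries across all fingerprints in list order.  The
 * request structure is zeroed before being filled, so nothing the caller put
 * in it is echoed back apart from the index.
 *
 * Returns 0 when the index exists, EBUSY when it is past the end of the list
 * (a negative index never matches and also yields EBUSY).
 */
int
pf_osfp_get(struct pf_osfp_ioctl *fpioc)
{
	struct pf_os_fingerprint *fp;
	struct pf_osfp_entry *entry;
	int num = fpioc->fp_getnum;
	int i = 0;


	memset(fpioc, 0, sizeof(*fpioc));
	SLIST_FOREACH(fp, &pf_osfp_list, fp_next) {
		SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
			if (i++ == num) {
				/*
				 * NOTE(review): fp_tcpopts and fp_optcnt are
				 * not copied back and so read as zero after
				 * the memset above; confirm callers do not
				 * rely on them.
				 */
				fpioc->fp_mss = fp->fp_mss;
				fpioc->fp_wsize = fp->fp_wsize;
				fpioc->fp_flags = fp->fp_flags;
				fpioc->fp_psize = fp->fp_psize;
				fpioc->fp_ttl = fp->fp_ttl;
				fpioc->fp_wscale = fp->fp_wscale;
				fpioc->fp_getnum = num;
				memcpy(&fpioc->fp_os, entry,
				    sizeof(fpioc->fp_os));
				/*
				 * The copy above includes the entry's list
				 * linkage, which is an internal pointer into
				 * the fingerprint list.  Clear it so the
				 * address is not handed back to the caller.
				 */
				memset(&fpioc->fp_os.fp_entry, 0,
				    sizeof(fpioc->fp_os.fp_entry));
				return (0);
			}
		}
	}

	return (EBUSY);
}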
    547 
    548 
/*
 * Check that every signature in the global list can be reached through
 * pf_osfp_find(), i.e. that no earlier signature shadows it.
 *
 * For each signature a probe is built from a copy of it, with the MSS and
 * window adjusted so that the signature's own WSIZE_* rule is satisfied, and
 * looked up with a TTL tolerance of zero.  Returns the first signature whose
 * probe resolves to a different signature (or to none), after printing a
 * diagnostic; returns NULL when every signature is reachable.
 *
 * The diagnostics dereference the first OS entry of each signature, so every
 * listed signature is expected to carry at least one entry (pf_osfp_add()
 * always inserts one).
 */
struct pf_os_fingerprint *
pf_osfp_validate(void)
{
	struct pf_os_fingerprint *sig, *hit, probe;
	struct pf_osfp_entry *want, *got;

	SLIST_FOREACH(sig, &pf_osfp_list, fp_next) {
		memcpy(&probe, sig, sizeof(probe));

		/* We do a few MSS/th_win percolations to make things unique */
		if (probe.fp_mss == 0)
			probe.fp_mss = 128;
		if (sig->fp_flags & PF_OSFP_WSIZE_MSS) {
			probe.fp_wsize *= probe.fp_mss;
		} else if (sig->fp_flags & PF_OSFP_WSIZE_MTU) {
			probe.fp_wsize *= (probe.fp_mss + 40);
		} else if (sig->fp_flags & PF_OSFP_WSIZE_MOD) {
			probe.fp_wsize *= 2;
		}

		hit = pf_osfp_find(&pf_osfp_list, &probe, 0);
		if (hit == sig)
			continue;

		if (hit != NULL) {
			got = SLIST_FIRST(&hit->fp_oses);
			want = SLIST_FIRST(&sig->fp_oses);
			printf("Found \"%s %s %s\" instead of "
			    "\"%s %s %s\"\n",
			    got->fp_class_nm, got->fp_version_nm,
			    got->fp_subtype_nm,
			    want->fp_class_nm, want->fp_version_nm,
			    want->fp_subtype_nm);
		} else {
			want = SLIST_FIRST(&sig->fp_oses);
			printf("Couldn't find \"%s %s %s\"\n",
			    want->fp_class_nm, want->fp_version_nm,
			    want->fp_subtype_nm);
		}
		return (sig);
	}
	return (NULL);
}
    587