1 /*-
2 * SPDX-License-Identifier: ISC
3 *
4 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 *
18 * $OpenBSD: pf_osfp.c,v 1.14 2008/06/12 18:17:01 henning Exp $
19 */
20
21 #include <sys/cdefs.h>
22 #include "opt_inet6.h"
23
24 #include <sys/param.h>
25 #include <sys/kernel.h>
26 #include <sys/lock.h>
27 #include <sys/mbuf.h>
28 #include <sys/socket.h>
29
30 #include <netinet/in.h>
31 #include <netinet/ip.h>
32 #include <netinet/tcp.h>
33
34 #include <net/if.h>
35 #include <net/vnet.h>
36 #include <net/pfvar.h>
37
38 #ifdef INET6
39 #include <netinet/ip6.h>
40 #endif
41
42 static MALLOC_DEFINE(M_PFOSFP, "pf_osfp", "pf(4) operating system fingerprints");
43
44 SLIST_HEAD(pf_osfp_list, pf_os_fingerprint);
45 VNET_DEFINE_STATIC(struct pf_osfp_list, pf_osfp_list) =
46 SLIST_HEAD_INITIALIZER();
47 #define V_pf_osfp_list VNET(pf_osfp_list)
48
49 static struct pf_osfp_enlist *pf_osfp_fingerprint_hdr(const struct ip *,
50 const struct ip6_hdr *,
51 const struct tcphdr *);
52 static struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *,
53 struct pf_os_fingerprint *, u_int8_t);
54 static struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *,
55 struct pf_os_fingerprint *);
56 static void pf_osfp_insert(struct pf_osfp_list *,
57 struct pf_os_fingerprint *);
58 #ifdef PFDEBUG
59 static struct pf_os_fingerprint *pf_osfp_validate(void);
60 #endif
61
62 /*
63 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only)
64 * Returns the list of possible OSes.
65 */
66 struct pf_osfp_enlist *
pf_osfp_fingerprint(struct pf_pdesc * pd,const struct tcphdr * tcp)67 pf_osfp_fingerprint(struct pf_pdesc *pd, const struct tcphdr *tcp)
68 {
69 struct ip *ip = NULL;
70 struct ip6_hdr *ip6 = NULL;
71 char hdr[60];
72
73 if (pd->proto != IPPROTO_TCP || (tcp->th_off << 2) < sizeof(*tcp))
74 return (NULL);
75
76 switch (pd->af) {
77 case AF_INET:
78 ip = mtod(pd->m, struct ip *);
79 ip6 = (struct ip6_hdr *)NULL;
80 break;
81 case AF_INET6:
82 ip6 = mtod(pd->m, struct ip6_hdr *);
83 break;
84 }
85 if (!pf_pull_hdr(pd->m, pd->off, hdr, tcp->th_off << 2, NULL, NULL,
86 pd->af)) return (NULL);
87
88 return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr));
89 }
90
91 static struct pf_osfp_enlist *
pf_osfp_fingerprint_hdr(const struct ip * ip,const struct ip6_hdr * ip6,const struct tcphdr * tcp)92 pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcp)
93 {
94 struct pf_os_fingerprint fp, *fpresult;
95 int cnt, optlen = 0;
96 const u_int8_t *optp;
97 #ifdef INET6
98 char srcname[INET6_ADDRSTRLEN];
99 #else
100 char srcname[INET_ADDRSTRLEN];
101 #endif
102
103 if ((tcp_get_flags(tcp) & (TH_SYN|TH_ACK)) != TH_SYN)
104 return (NULL);
105 if (ip) {
106 if ((ip->ip_off & htons(IP_OFFMASK)) != 0)
107 return (NULL);
108 }
109
110 memset(&fp, 0, sizeof(fp));
111
112 if (ip) {
113 fp.fp_psize = ntohs(ip->ip_len);
114 fp.fp_ttl = ip->ip_ttl;
115 if (ip->ip_off & htons(IP_DF))
116 fp.fp_flags |= PF_OSFP_DF;
117 inet_ntoa_r(ip->ip_src, srcname);
118 }
119 #ifdef INET6
120 else if (ip6) {
121 /* jumbo payload? */
122 fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
123 fp.fp_ttl = ip6->ip6_hlim;
124 fp.fp_flags |= PF_OSFP_DF;
125 fp.fp_flags |= PF_OSFP_INET6;
126 ip6_sprintf(srcname, (const struct in6_addr *)&ip6->ip6_src);
127 }
128 #endif
129 else
130 return (NULL);
131 fp.fp_wsize = ntohs(tcp->th_win);
132
133 cnt = (tcp->th_off << 2) - sizeof(*tcp);
134 optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
135 for (; cnt > 0; cnt -= optlen, optp += optlen) {
136 if (*optp == TCPOPT_EOL)
137 break;
138
139 fp.fp_optcnt++;
140 if (*optp == TCPOPT_NOP) {
141 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
142 PF_OSFP_TCPOPT_NOP;
143 optlen = 1;
144 } else {
145 if (cnt < 2)
146 return (NULL);
147 optlen = optp[1];
148 if (optlen > cnt || optlen < 2)
149 return (NULL);
150 switch (*optp) {
151 case TCPOPT_MAXSEG:
152 if (optlen >= TCPOLEN_MAXSEG)
153 memcpy(&fp.fp_mss, &optp[2],
154 sizeof(fp.fp_mss));
155 fp.fp_tcpopts = (fp.fp_tcpopts <<
156 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
157 fp.fp_mss = ntohs(fp.fp_mss);
158 break;
159 case TCPOPT_WINDOW:
160 if (optlen >= TCPOLEN_WINDOW)
161 memcpy(&fp.fp_wscale, &optp[2],
162 sizeof(fp.fp_wscale));
163 fp.fp_wscale = ntohs(fp.fp_wscale);
164 fp.fp_tcpopts = (fp.fp_tcpopts <<
165 PF_OSFP_TCPOPT_BITS) |
166 PF_OSFP_TCPOPT_WSCALE;
167 break;
168 case TCPOPT_SACK_PERMITTED:
169 fp.fp_tcpopts = (fp.fp_tcpopts <<
170 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
171 break;
172 case TCPOPT_TIMESTAMP:
173 if (optlen >= TCPOLEN_TIMESTAMP) {
174 u_int32_t ts;
175 memcpy(&ts, &optp[2], sizeof(ts));
176 if (ts == 0)
177 fp.fp_flags |= PF_OSFP_TS0;
178 }
179 fp.fp_tcpopts = (fp.fp_tcpopts <<
180 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
181 break;
182 default:
183 return (NULL);
184 }
185 }
186 optlen = MAX(optlen, 1); /* paranoia */
187 }
188
189 DPFPRINTF(PF_DEBUG_NOISY, "fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
190 "(TS=%s,M=%s%d,W=%s%d)",
191 srcname, ntohs(tcp->th_sport),
192 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
193 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
194 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "",
195 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
196 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
197 fp.fp_mss,
198 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
199 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
200 fp.fp_wscale);
201
202 if ((fpresult = pf_osfp_find(&V_pf_osfp_list, &fp,
203 PF_OSFP_MAXTTL_OFFSET)))
204 return (&fpresult->fp_oses);
205 return (NULL);
206 }
207
208 /* Match a fingerprint ID against a list of OSes */
209 int
pf_osfp_match(struct pf_osfp_enlist * list,pf_osfp_t os)210 pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
211 {
212 struct pf_osfp_entry *entry;
213 int os_class, os_version, os_subtype;
214 int en_class, en_version, en_subtype;
215
216 if (os == PF_OSFP_ANY)
217 return (1);
218 if (list == NULL) {
219 DPFPRINTF(PF_DEBUG_NOISY, "osfp no match against %x", os);
220 return (os == PF_OSFP_UNKNOWN);
221 }
222 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
223 SLIST_FOREACH(entry, list, fp_entry) {
224 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype);
225 if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
226 (os_version == PF_OSFP_ANY || en_version == os_version) &&
227 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
228 DPFPRINTF(PF_DEBUG_NOISY, "osfp matched %s %s %s %x==%x",
229 entry->fp_class_nm, entry->fp_version_nm,
230 entry->fp_subtype_nm, os, entry->fp_os);
231 return (1);
232 }
233 }
234 DPFPRINTF(PF_DEBUG_NOISY, "fingerprint 0x%x didn't match", os);
235 return (0);
236 }
237
238 /* Flush the fingerprint list */
239 void
pf_osfp_flush(void)240 pf_osfp_flush(void)
241 {
242 struct pf_os_fingerprint *fp;
243 struct pf_osfp_entry *entry;
244
245 while ((fp = SLIST_FIRST(&V_pf_osfp_list))) {
246 SLIST_REMOVE_HEAD(&V_pf_osfp_list, fp_next);
247 while ((entry = SLIST_FIRST(&fp->fp_oses))) {
248 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry);
249 free(entry, M_PFOSFP);
250 }
251 free(fp, M_PFOSFP);
252 }
253 }
254
255 /* Add a fingerprint */
256 int
pf_osfp_add(struct pf_osfp_ioctl * fpioc)257 pf_osfp_add(struct pf_osfp_ioctl *fpioc)
258 {
259 struct pf_os_fingerprint *fp, fpadd;
260 struct pf_osfp_entry *entry;
261
262 PF_RULES_WASSERT();
263
264 memset(&fpadd, 0, sizeof(fpadd));
265 fpadd.fp_tcpopts = fpioc->fp_tcpopts;
266 fpadd.fp_wsize = fpioc->fp_wsize;
267 fpadd.fp_psize = fpioc->fp_psize;
268 fpadd.fp_mss = fpioc->fp_mss;
269 fpadd.fp_flags = fpioc->fp_flags;
270 fpadd.fp_optcnt = fpioc->fp_optcnt;
271 fpadd.fp_wscale = fpioc->fp_wscale;
272 fpadd.fp_ttl = fpioc->fp_ttl;
273
274 #if 0 /* XXX RYAN wants to fix logging */
275 DPFPRINTF(PF_DEBUG_NOISY, "adding osfp %s %s %s ="
276 " %s%d:%d:%d:%s%d:0x%llx %d (TS=%s,M=%s%d,W=%s%d) %x",
277 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
278 fpioc->fp_os.fp_subtype_nm,
279 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
280 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
281 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
282 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
283 fpadd.fp_wsize,
284 fpadd.fp_ttl,
285 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
286 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
287 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
288 fpadd.fp_psize,
289 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
290 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "",
291 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
292 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
293 fpadd.fp_mss,
294 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
295 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
296 fpadd.fp_wscale,
297 fpioc->fp_os.fp_os);
298 #endif
299
300 if ((fp = pf_osfp_find_exact(&V_pf_osfp_list, &fpadd))) {
301 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
302 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
303 return (EEXIST);
304 }
305 if ((entry = malloc(sizeof(*entry), M_PFOSFP, M_NOWAIT))
306 == NULL)
307 return (ENOMEM);
308 } else {
309 if ((fp = malloc(sizeof(*fp), M_PFOSFP, M_ZERO | M_NOWAIT))
310 == NULL)
311 return (ENOMEM);
312 fp->fp_tcpopts = fpioc->fp_tcpopts;
313 fp->fp_wsize = fpioc->fp_wsize;
314 fp->fp_psize = fpioc->fp_psize;
315 fp->fp_mss = fpioc->fp_mss;
316 fp->fp_flags = fpioc->fp_flags;
317 fp->fp_optcnt = fpioc->fp_optcnt;
318 fp->fp_wscale = fpioc->fp_wscale;
319 fp->fp_ttl = fpioc->fp_ttl;
320 SLIST_INIT(&fp->fp_oses);
321 if ((entry = malloc(sizeof(*entry), M_PFOSFP, M_NOWAIT))
322 == NULL) {
323 free(fp, M_PFOSFP);
324 return (ENOMEM);
325 }
326 pf_osfp_insert(&V_pf_osfp_list, fp);
327 }
328 memcpy(entry, &fpioc->fp_os, sizeof(*entry));
329
330 /* Make sure the strings are NUL terminated */
331 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
332 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
333 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';
334
335 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);
336
337 #ifdef PFDEBUG
338 if ((fp = pf_osfp_validate()))
339 printf("Invalid fingerprint list\n");
340 #endif /* PFDEBUG */
341 return (0);
342 }
343
344 /* Find a fingerprint in the list */
345 static struct pf_os_fingerprint *
pf_osfp_find(struct pf_osfp_list * list,struct pf_os_fingerprint * find,u_int8_t ttldiff)346 pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
347 u_int8_t ttldiff)
348 {
349 struct pf_os_fingerprint *f;
350
351 #define MATCH_INT(_MOD, _DC, _field) \
352 if ((f->fp_flags & _DC) == 0) { \
353 if ((f->fp_flags & _MOD) == 0) { \
354 if (f->_field != find->_field) \
355 continue; \
356 } else { \
357 if (f->_field == 0 || find->_field % f->_field) \
358 continue; \
359 } \
360 }
361
362 SLIST_FOREACH(f, list, fp_next) {
363 if (f->fp_tcpopts != find->fp_tcpopts ||
364 f->fp_optcnt != find->fp_optcnt ||
365 f->fp_ttl < find->fp_ttl ||
366 f->fp_ttl - find->fp_ttl > ttldiff ||
367 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
368 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
369 continue;
370
371 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
372 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
373 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
374 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
375 if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
376 if (find->fp_mss == 0)
377 continue;
378
379 /*
380 * Some "smart" NAT devices and DSL routers will tweak the MSS size and
381 * will set it to whatever is suitable for the link type.
382 */
383 #define SMART_MSS 1460
384 if ((find->fp_wsize % find->fp_mss ||
385 find->fp_wsize / find->fp_mss !=
386 f->fp_wsize) &&
387 (find->fp_wsize % SMART_MSS ||
388 find->fp_wsize / SMART_MSS !=
389 f->fp_wsize))
390 continue;
391 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
392 if (find->fp_mss == 0)
393 continue;
394
395 #define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr))
396 #define SMART_MTU (SMART_MSS + MTUOFF)
397 if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
398 find->fp_wsize / (find->fp_mss + MTUOFF) !=
399 f->fp_wsize) &&
400 (find->fp_wsize % SMART_MTU ||
401 find->fp_wsize / SMART_MTU !=
402 f->fp_wsize))
403 continue;
404 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
405 if (f->fp_wsize == 0 || find->fp_wsize %
406 f->fp_wsize)
407 continue;
408 } else {
409 if (f->fp_wsize != find->fp_wsize)
410 continue;
411 }
412 }
413 return (f);
414 }
415
416 return (NULL);
417 }
418
419 /* Find an exact fingerprint in the list */
420 static struct pf_os_fingerprint *
pf_osfp_find_exact(struct pf_osfp_list * list,struct pf_os_fingerprint * find)421 pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
422 {
423 struct pf_os_fingerprint *f;
424
425 SLIST_FOREACH(f, list, fp_next) {
426 if (f->fp_tcpopts == find->fp_tcpopts &&
427 f->fp_wsize == find->fp_wsize &&
428 f->fp_psize == find->fp_psize &&
429 f->fp_mss == find->fp_mss &&
430 f->fp_flags == find->fp_flags &&
431 f->fp_optcnt == find->fp_optcnt &&
432 f->fp_wscale == find->fp_wscale &&
433 f->fp_ttl == find->fp_ttl)
434 return (f);
435 }
436
437 return (NULL);
438 }
439
440 /* Insert a fingerprint into the list */
441 static void
pf_osfp_insert(struct pf_osfp_list * list,struct pf_os_fingerprint * ins)442 pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
443 {
444 struct pf_os_fingerprint *f, *prev = NULL;
445
446 /* XXX need to go semi tree based. can key on tcp options */
447
448 SLIST_FOREACH(f, list, fp_next)
449 prev = f;
450 if (prev)
451 SLIST_INSERT_AFTER(prev, ins, fp_next);
452 else
453 SLIST_INSERT_HEAD(list, ins, fp_next);
454 }
455
456 /* Fill a fingerprint by its number (from an ioctl) */
457 int
pf_osfp_get(struct pf_osfp_ioctl * fpioc)458 pf_osfp_get(struct pf_osfp_ioctl *fpioc)
459 {
460 struct pf_os_fingerprint *fp;
461 struct pf_osfp_entry *entry;
462 int num = fpioc->fp_getnum;
463 int i = 0;
464
465 memset(fpioc, 0, sizeof(*fpioc));
466 SLIST_FOREACH(fp, &V_pf_osfp_list, fp_next) {
467 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
468 if (i++ == num) {
469 fpioc->fp_mss = fp->fp_mss;
470 fpioc->fp_wsize = fp->fp_wsize;
471 fpioc->fp_flags = fp->fp_flags;
472 fpioc->fp_psize = fp->fp_psize;
473 fpioc->fp_ttl = fp->fp_ttl;
474 fpioc->fp_wscale = fp->fp_wscale;
475 fpioc->fp_getnum = num;
476 memcpy(&fpioc->fp_os, entry,
477 sizeof(fpioc->fp_os));
478 return (0);
479 }
480 }
481 }
482
483 return (EBUSY);
484 }
485
486 #ifdef PFDEBUG
487 /* Validate that each signature is reachable */
488 static struct pf_os_fingerprint *
pf_osfp_validate(void)489 pf_osfp_validate(void)
490 {
491 struct pf_os_fingerprint *f, *f2, find;
492
493 SLIST_FOREACH(f, &V_pf_osfp_list, fp_next) {
494 memcpy(&find, f, sizeof(find));
495
496 /* We do a few MSS/th_win percolations to make things unique */
497 if (find.fp_mss == 0)
498 find.fp_mss = 128;
499 if (f->fp_flags & PF_OSFP_WSIZE_MSS)
500 find.fp_wsize *= find.fp_mss;
501 else if (f->fp_flags & PF_OSFP_WSIZE_MTU)
502 find.fp_wsize *= (find.fp_mss + 40);
503 else if (f->fp_flags & PF_OSFP_WSIZE_MOD)
504 find.fp_wsize *= 2;
505 if (f != (f2 = pf_osfp_find(&V_pf_osfp_list, &find, 0))) {
506 if (f2)
507 printf("Found \"%s %s %s\" instead of "
508 "\"%s %s %s\"\n",
509 SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
510 SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
511 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm,
512 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
513 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
514 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
515 else
516 printf("Couldn't find \"%s %s %s\"\n",
517 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
518 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
519 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
520 return (f);
521 }
522 }
523 return (NULL);
524 }
525 #endif /* PFDEBUG */
526