Diffstat (limited to 'usr/src/man'):

    usr/src/man/man1m/ipf.1m      |  45
    usr/src/man/man1m/ipfs.1m     |  49
    usr/src/man/man1m/ipfstat.1m  |  35
    usr/src/man/man1m/ipmon.1m    |  38
    usr/src/man/man1m/ipnat.1m    |  37
    usr/src/man/man1m/ippool.1m   |  56
    usr/src/man/man5/ipfilter.5   | 103

    7 files changed, 284 insertions, 79 deletions
diff --git a/usr/src/man/man1m/ipf.1m b/usr/src/man/man1m/ipf.1m index 69cdacf689..57a3f4bb9a 100644 --- a/usr/src/man/man1m/ipf.1m +++ b/usr/src/man/man1m/ipf.1m @@ -2,19 +2,19 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved. -.TH IPF 1M "Feb 25, 2009" +.\" Portions Copyright (c) 2014, Joyent, Inc. All Rights Reserved. +.TH IPF 1M "Oct 7, 2014" .SH NAME ipf \- alter packet filtering lists for IP packet input and output .SH SYNOPSIS .LP .nf -\fBipf\fR [\fB-6AdDEInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch] +\fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch] [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR - [\fB-f\fR \fIfilename\fR...] + [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR] .fi .SH DESCRIPTION -.sp .LP The \fBipf\fR utility is part of a suite of commands associated with the Solaris IP Filter feature. See \fBipfilter\fR(5). @@ -34,7 +34,6 @@ matching the order in which they appear when given to \fBipf\fR. \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files require \fBipf\fR to be run as root for all operations. .SS "Enabling Solaris IP Filter Feature" -.sp .LP Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. Use the following procedure to @@ -159,7 +158,6 @@ If you reboot your system, the IPfilter configuration is automatically activated. .RE .SH OPTIONS -.sp .LP The following options are supported: .sp 
@@ -257,6 +255,17 @@ packet filter rule lists. .sp .ne 2 .na +\fB\fB-G\fR\fR +.ad +.sp .6 +.RS 4n +Make changes to the Global Zone-controlled ipfilter for the zone given as an +argument. See the \fBZONES\fR section for more information. +.RE + +.sp +.ne 2 +.na \fB\fB-I\fR\fR .ad .sp .6 @@ -459,8 +468,25 @@ Zero global statistics held in the kernel for filtering only. This does not affect fragment or state statistics. .RE +.SH ZONES +.LP +Each non-global zone has two ipfilter instances: the in-zone ipfilter, which +can be controlled from both the zone itself and the global zone, and the +Global Zone-controlled (GZ-controlled) instance, which can only be controlled +from the Global Zone. The non-global zone is not able to observe or control +the GZ-controlled ipfilter. + +ipf optionally takes a zone name as an argument, which will change the +ipfilter settings for that zone, rather than the current one. The zonename +option is only available in the Global Zone. Using it in any other zone will +return an error. If the \fB-G\fR option is specified with this argument, the +Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified, +the in-zone ipfilter is operated on. Note that ipf differs from the other +ipfilter tools in how the zone name is specified. It takes the zone name as the +last argument, while all of the other tools take the zone name as an argument +to the \fB-G\fR and \fB-z\fR options. + .SH FILES -.sp .ne 2 .na \fB\fB/dev/ipauth\fR\fR @@ -499,7 +525,6 @@ Contains numerous IP Filter examples. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp 
@@ -515,16 +540,14 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M), \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat.conf\fR(4), -\fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5) +\fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR .sp .LP \fI\fR .SH DIAGNOSTICS -.sp .LP Needs to be run as root for the packet filtering lists to actually be affected inside the kernel. diff --git a/usr/src/man/man1m/ipfs.1m b/usr/src/man/man1m/ipfs.1m index ea2f16c065..38a7f50c7b 100644 --- a/usr/src/man/man1m/ipfs.1m +++ b/usr/src/man/man1m/ipfs.1m 
@@ -2,47 +2,47 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2008, Sun Microsystems Inc. All Rights Reserved. -.TH IPFS 1M "Apr 3, 2008" +.\" Portions Copyright (c) 2013, Joyent, Inc. All Rights Reserved. +.TH IPFS 1M "Oct 30, 2013" .SH NAME ipfs \- saves and restores information for NAT and state tables .SH SYNOPSIS .LP .nf -\fBipfs\fR [\fB-nv\fR] \fB-l\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nv\fR] \fB-l\fR .fi .LP .nf -\fBipfs\fR [\fB-nv\fR] \fB-u\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nv\fR] \fB-u\fR .fi .LP .nf -\fBipfs\fR [\fB-nv\fR] [\fB-d\fR \fIdirname\fR] \fB-R\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nv\fR] [\fB-d\fR \fIdirname\fR] \fB-R\fR .fi .LP .nf -\fBipfs\fR [\fB-nv\fR] [\fB-d\fR \fIdirname\fR] \fB-W\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nv\fR] [\fB-d\fR \fIdirname\fR] \fB-W\fR .fi .LP .nf -\fBipfs\fR [\fB-nNSv\fR] [\fB-f\fR \fIfilename\fR] \fB-r\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nNSv\fR] [\fB-f\fR \fIfilename\fR] \fB-r\fR .fi .LP .nf -\fBipfs\fR [\fB-nNSv\fR] [\fB-f\fR \fIfilename\fR] \fB-w\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nNSv\fR] [\fB-f\fR \fIfilename\fR] \fB-w\fR .fi .LP .nf -\fBipfs\fR [\fB-nNSv\fR] \fB-f\fR \fIfilename\fR \fB-i\fR \fI<if1>\fR,\fI<if2>\fR +\fBipfs\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-nNSv\fR] \fB-f\fR \fIfilename\fR \fB-i\fR \fI<if1>\fR,\fI<if2>\fR .fi .SH DESCRIPTION -.sp .LP The \fBipfs\fR utility enables the saving of state information across reboots. Specifically, the utility allows state information created for NAT entries and 
@@ -50,7 +50,6 @@ rules using "keep state" to be locked (modification prevented) and then saved to disk. Then, after a reboot, that information is restored. The result of this state-saving is that connections are not interrupted. .SH OPTIONS -.sp .LP The following options are supported: .sp @@ -164,6 +163,30 @@ can be changed with the \fB-d\fR option. The state tables are locked at the beginning of this operation and unlocked once complete. .RE +.sp +.ne 2 +.na +\fB\fB-z\fR \fIzonename\fR\fR +.ad +.RS 6n +Operate on the in-zone state information for the specified zone. If neither +this option nor \fB-G\fR is specified, the current zone is used. This command +is only available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) for +more information. +.RE + +.sp +.ne 2 +.na +\fB\fB-G\fR \fIzonename\fR\fR +.ad +.RS 6n +Operate on the global zone controlled state information for the specified +zone. If neither this option nor \fB-z\fR is specified, the current zone is +used. This command is only available in the Global Zone. See \fBZONES\fR in +\fBipf\fR(1m) for more information. +.RE + .SH FILES .RS +4 .TP @@ -196,7 +219,6 @@ beginning of this operation and unlocked once complete. \fB/dev/ipnat\fR .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -212,11 +234,10 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP -\fBipf\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBattributes\fR(5) +\fBipf\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBattributes\fR(5), +\fBzones(5)\fR .SH DIAGNOSTICS -.sp .LP Arguably, the \fB-W\fR and \fB-R\fR operations should set the locking and, rather than undo it, restore it to what it was previously. diff --git a/usr/src/man/man1m/ipfstat.1m b/usr/src/man/man1m/ipfstat.1m index 212de841a9..ba47f78725 100644 --- a/usr/src/man/man1m/ipfstat.1m +++ b/usr/src/man/man1m/ipfstat.1m 
@@ -2,7 +2,8 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2008, Sun Microsystems Inc. All Rights Reserved. -.TH IPFSTAT 1M "Apr 3, 2008" +.\" Portions Copyright (c) 2013, Joyent, Inc. All Rights Reserved. +.TH IPFSTAT 1M "Oct 30, 2013" .SH NAME ipfstat \- reports on packet filter statistics and filter list .SH SYNOPSIS @@ -14,11 +15,10 @@ ipfstat \- reports on packet filter statistics and filter list .LP .nf \fBipfstat\fR [\fB-C\fR] [\fB-D\fR \fIaddrport\fR] [\fB-P\fR \fIprotocol\fR] [\fB-S\fR \fIaddrport\fR] - [\fB-T\fR \fIrefreshtime\fR] + [\fB-T\fR \fIrefreshtime\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] .fi .SH DESCRIPTION -.sp .LP The \fBipfstat\fR command is part of a suite of commands associated with the Solaris IP Filter feature. See \fBipfilter\fR(5). @@ -132,7 +132,6 @@ Only the first \fIX\fR-5 entries that match the sort and filter criteria are displayed (where \fIX\fR is the number of rows on the display). There is no way to see additional entries. .SH OPTIONS -.sp .LP The following options are supported: .sp 
@@ -351,6 +350,30 @@ shows the process table. States can be sorted in a number of different ways. Turn verbose mode on. Displays additional debugging information. .RE +.sp +.ne 2 +.na +\fB\fB-z\fR \fIzonename\fR\fR +.ad +.RS 18n +Report the in-zone statistics for the specified zone. If neither this option +nor \fB-G\fR is specified, the current zone is used. This command is only +available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) for more +information. +.RE + +.sp +.ne 2 +.na +\fB\fB-G\fR \fIzonename\fR\fR +.ad +.RS 18n +Report the global zone controlled statistics for the specified zone. If +neither this option nor \fB-z\fR is specified, the current zone is used. This +command is only available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) +for more information. +.RE + .SH FILES .RS +4 .TP @@ -377,7 +400,6 @@ Turn verbose mode on. Displays additional debugging information. \fB/dev/ipstate\fR .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -393,10 +415,9 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBkstat\fR(1M), \fBkstat\fR(3KSTAT), \fBattributes\fR(5), -\fBipfilter\fR(5) +\fBipfilter\fR(5), \fBzones(5)\fR .sp .LP \fI\fR diff --git a/usr/src/man/man1m/ipmon.1m b/usr/src/man/man1m/ipmon.1m index 2094979915..8873fe41c1 100644 --- a/usr/src/man/man1m/ipmon.1m +++ b/usr/src/man/man1m/ipmon.1m 
@@ -2,18 +2,18 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2008, Sun Microsystems Inc. All Rights Reserved. -.TH IPMON 1M "Apr 3, 2008" +.\" Portions Copyright (c) 2013, Joyent, Inc. All Rights Reserved. +.TH IPMON 1M "Oct 30, 2013" .SH NAME ipmon \- monitors /dev/ipl for logged packets .SH SYNOPSIS .LP .nf \fBipmon\fR [\fB-abDFhnpstvxX\fR] [\fB-N\fR \fIdevice\fR] [ [o] [NSI]] [\fB-O\fR [NSI]] - [\fB-P\fR \fIpidfile\fR] [\fB-S\fR \fIdevice\fR] [\fB-f\fR \fIdevice\fR] [\fIfilename\fR] + [\fB-P\fR \fIpidfile\fR] [\fB-S\fR \fIdevice\fR] [\fB-f\fR \fIdevice\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fIfilename\fR] .fi .SH DESCRIPTION -.sp .LP The \fBipmon\fR command is part of a suite of commands associated with the Solaris IP Filter feature. See \fBipfilter\fR(5). @@ -102,7 +102,6 @@ always being \fBicmp\fR, the next being the ICMP message and submessage type, separated by a slash. For example, \fBicmp 3/3\fR for a port unreachable message. .SH OPTIONS -.sp .LP The following options are supported: .sp 
@@ -343,6 +342,32 @@ Show the packet data in hex. Show the log header record data in hex. .RE +.sp +.ne 2 +.na +\fB\fB-z\fR \fIzonename\fR\fR +.ad +.sp .6 +.RS 4n +Monitor packets the specified zone's in-zone filter. If neither this option +nor \fB-G\fR is specified, the current zone is used. This command is only +available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) for more +information. +.RE + +.sp +.ne 2 +.na +\fB\fB-G\fR \fIzonename\fR\fR +.ad +.sp .6 +.RS 4n +Monitor packets for the specified zone's global zone controlled filter. If +neither this option nor \fB-z\fR is specified, the current zone is used. This +command is only available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) +for more information. +.RE + .SH FILES .RS +4 .TP @@ -363,7 +388,6 @@ Show the log header record data in hex. \fB/dev/ipstate\fR .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -379,15 +403,13 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBipfstat\fR(1M), \fBipnat\fR(1M), \fBattributes\fR(5), -\fBipfilter\fR(5) +\fBipfilter\fR(5), \fBzones(5)\fR .sp .LP \fI\fR .SH DIAGNOSTICS -.sp .LP \fBipmon\fR expects data that it reads to be consistent with how it should be saved and aborts if it fails an assertion which detects an anomaly in the diff --git a/usr/src/man/man1m/ipnat.1m b/usr/src/man/man1m/ipnat.1m index 6e36a50e26..e800988bb3 100644 --- a/usr/src/man/man1m/ipnat.1m +++ b/usr/src/man/man1m/ipnat.1m 
@@ -2,17 +2,17 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2008, Sun Microsystems Inc. All Rights Reserved. -.TH IPNAT 1M "Apr 3, 2008" +.\" Portions Copyright (c) 2013, Joyent, Inc. All Rights Reserved. +.TH IPNAT 1M "Oct 30, 2013" .SH NAME ipnat \- user interface to the NAT subsystem .SH SYNOPSIS .LP .nf -\fBipnat\fR [\fB-CdFhlnRrsv\fR] \fB-f\fR \fIfilename\fR +\fBipnat\fR [\fB-CdFhlnRrsv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] \fB-f\fR \fIfilename\fR .fi .SH DESCRIPTION -.sp .LP The \fBipnat\fR utility opens a specified file (treating \fB-\fR as stdin) and parses it for a set of rules that are to be added or removed from the IP NAT. @@ -32,7 +32,6 @@ require \fBipnat\fR to be run as root for all operations. permissions of \fB/dev/ipnat\fR require \fBipnat\fR to be run as root for all operations. .SH OPTIONS -.sp .LP The following options are supported: .sp @@ -140,10 +139,33 @@ Turn verbose mode on. Displays information relating to rule processing and active rules/table entries. .RE -.SH FILES .sp .ne 2 .na +\fB\fB-z\fR \fIzonename\fR\fR +.ad +.RS 15n +Operate on the in-zone IP NAT for the specified zone. If neither this option +nor \fB-G\fR is specified, the current zone is used. This command is only +available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) for more +information. +.RE + +.sp +.ne 2 +.na +\fB\fB-G\fR \fIzonename\fR\fR +.ad +.RS 15n +Operate on the global zone controlled IP NAT for the specified zone. If +neither this option nor \fB-z\fR is specified, the current zone is used. This +command is only available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) +for more information. +.RE + +.SH FILES +.ne 2 +.na \fB\fB/dev/ipnat\fR\fR .ad .sp .6 
@@ -182,7 +204,6 @@ Contains numerous IP Filter examples. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -198,6 +219,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP -\fBipf\fR(1M), \fBipfstat\fR(1M), \fBipnat\fR(4), \fBattributes\fR(5) +\fBipf\fR(1M), \fBipfstat\fR(1M), \fBipnat\fR(4), \fBattributes\fR(5), +\fBzones(5)\fR diff --git a/usr/src/man/man1m/ippool.1m b/usr/src/man/man1m/ippool.1m index 38e7cc19e6..b32e8355a6 100644 --- a/usr/src/man/man1m/ippool.1m +++ b/usr/src/man/man1m/ippool.1m 
@@ -2,60 +2,60 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2008, Sun Microsystems Inc. All Rights Reserved. -.TH IPPOOL 1M "Apr 3, 2008" +.\" Portions Copyright (c) 2012, Joyent, Inc. All Rights Reserved. +.TH IPPOOL 1M "Nov 26, 2012" .SH NAME ippool \- user interface to the IP Filter pools .SH SYNOPSIS .LP .nf -\fBippool\fR \fB-a\fR [\fB-dnv\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] \fB-i\fR \fIipaddr\fR +\fBippool\fR \fB-a\fR [\fB-dnv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] \fB-i\fR \fIipaddr\fR [/\fInetmask\fR] .fi .LP .nf -\fBippool\fR \fB-A\fR [\fB-dnv\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] [\fB-S\fR \fIseed\fR] +\fBippool\fR \fB-A\fR [\fB-dnv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] [\fB-S\fR \fIseed\fR] [\fB-t\fR \fItype\fR] .fi .LP .nf -\fBippool\fR \fB-f\fR \fIfile\fR [\fB-dnuv\fR] +\fBippool\fR \fB-f\fR \fIfile\fR [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-dnuv\fR] .fi .LP .nf -\fBippool\fR \fB-F\fR [\fB-dv\fR] [\fB-o\fR \fIrole\fR] [\fB-t\fR \fItype\fR] +\fBippool\fR \fB-F\fR [\fB-dv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-o\fR \fIrole\fR] [\fB-t\fR \fItype\fR] .fi .LP .nf -\fBippool\fR \fB-h\fR [\fB-dv\fR] [\fB-m\fR \fIpoolname\fR] [\fB-t\fR \fItype\fR] +\fBippool\fR \fB-h\fR [\fB-dv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-m\fR \fIpoolname\fR] [\fB-t\fR \fItype\fR] .fi .LP .nf -\fBippool\fR \fB-l\fR [\fB-dv\fR] [\fB-m\fR \fIpoolname\fR] [\fB-t\fR \fItype\fR] +\fBippool\fR \fB-l\fR [\fB-dv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-m\fR \fIpoolname\fR] [\fB-t\fR \fItype\fR] .fi .LP .nf -\fBippool\fR \fB-r\fR [\fB-dnv\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR 
\fIrole\fR] \fB-i\fR \fIipaddr\fR +\fBippool\fR \fB-r\fR [\fB-dnv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] \fB-i\fR \fIipaddr\fR [/\fInetmask\fR] .fi .LP .nf -\fBippool\fR \fB-R\fR [\fB-dnv\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] [\fB-t\fR \fItype\fR] +\fBippool\fR \fB-R\fR [\fB-dnv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-m\fR \fIpoolname\fR] [\fB-o\fR \fIrole\fR] [\fB-t\fR \fItype\fR] .fi .LP .nf -\fBippool\fR \fB-s\fR [\fB-dtv\fR] [\fB-M\fR \fIcore\fR] [\fB-N\fR \fInamelist\fR] +\fBippool\fR \fB-s\fR [\fB-dtv\fR] [\fB-G\fR | \fB-z\fR \fIzonename\fR] [\fB-M\fR \fIcore\fR] [\fB-N\fR \fInamelist\fR] .fi .SH DESCRIPTION -.sp .LP The \fBippool\fR utility is used to manage information stored in the IP pools subsystem of IP Filter software. Configuration file information can be parsed @@ -76,11 +76,9 @@ and the instance-specific options. \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files require \fBippool\fR to be run as root for all operations. .SH OPTIONS -.sp .LP \fBippool\fR supports the option categories described below. .SS "Global Options" -.sp .LP The following global options are supported: .sp 
@@ -111,8 +109,31 @@ would alter the currently running kernel. Turn verbose mode on. .RE -.SS "Instance-Specific Options" .sp +.ne 2 +.na +\fB\fB-z\fR \fIzonename\fR\fR +.ad +.RS 6n +Manage the specified zone's in-zone IP pools. If neither this option nor +\fB-G\fR is specified, the current zone is used. This command is only +available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) for more +information. +.RE + +.sp +.ne 2 +.na +\fB\fB-G\fR \fIzonename\fR\fR +.ad +.RS 6n +Manage the specified zone's global zone controlled IP pools. If neither this +option nor \fB-z\fR is specified, the current zone is used. This command is +only available in the Global Zone. See \fBZONES\fR in \fBipf\fR(1m) for more +information. +.RE + +.SS "Instance-Specific Options" .LP The following instance-specific options are supported: .sp @@ -198,7 +219,6 @@ Display IP pool statistical information. .RE .SS "Other Options" -.sp .LP The following, additional options are supported: .sp @@ -282,7 +302,6 @@ kernel, unload it. .RE .SH FILES -.sp .ne 2 .na \fB\fB/dev/ippool\fR\fR @@ -310,7 +329,6 @@ Location of \fBippool\fR startup configuration file. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -326,6 +344,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP -\fBipf\fR(1M), \fBipfstat\fR(1M), \fBippool\fR(4), \fBattributes\fR(5) +\fBipf\fR(1M), \fBipfstat\fR(1M), \fBippool\fR(4), \fBattributes\fR(5), +\fBzones(5)\fR diff --git a/usr/src/man/man5/ipfilter.5 b/usr/src/man/man5/ipfilter.5 index dc9f213a4c..9b995d3c3b 100644 --- a/usr/src/man/man5/ipfilter.5 +++ b/usr/src/man/man5/ipfilter.5 
@@ -2,11 +2,11 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved. -.TH IPFILTER 5 "May 20, 2009" +.\" Portions Copyright (c) 2014, Joyent, Inc. All Rights Reserved. +.TH IPFILTER 5 "Oct 7, 2014" .SH NAME ipfilter \- IP packet filtering software .SH DESCRIPTION -.sp .LP IP Filter is software that provides packet filtering capabilities on a Solaris system. On a properly setup system, it can be used to build a firewall. @@ -16,7 +16,6 @@ Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. See \fBipf\fR(1M) for a procedure to enable and activate the IP Filter feature. .SH HOST-BASED FIREWALL -.sp .LP To simplify IP Filter configuration management, a firewall framework is created to allow users to configure IP Filter by expressing firewall policy at system @@ -34,14 +33,13 @@ Users can still specify their own ipf rule file if they choose not to take advantage of the framework. See \fBipf\fR(1M) and \fBipf\fR(4). .RE .SS "Model" -.sp .LP This section describes the host-based firewall framework. See svc.ipfd(1M) for details on how to configure firewall policies. .sp .LP -A three-layer approach with different precedence levels helps the user achieve -the desired behaviors. +In a given zone, a three-layer approach with different precedence levels helps +the user achieve the desired behaviors. .sp .ne 2 .na @@ -127,7 +125,6 @@ Deny all incoming traffic but allow from specified source(s). .RE .SS "Layers in Detail" -.sp .LP The first system-wide layer, Global Default, defines a firewall policy that applies to \fBany\fR incoming traffic, for example, allowing or blocking all 
@@ -157,7 +154,6 @@ overrides policies in the other layers, specifically overriding the needs of network services. The example is when it is desirable to block known malicious source(s) regardless of services' policies. .SS "User Interaction" -.sp .LP This framework leverages IP Filter functionality and is active only when \fBsvc:/network/ipfilter\fR is enabled and inactive when \fBnetwork/ipfilter\fR 
@@ -207,10 +203,95 @@ network service .el o changes to system-wide or per-service firewall policy results in an update to the system's firewall rules -.RE -.SH ATTRIBUTES + +.SS "In-Zone and Global Zone Controlled firewalls" +.LP +Each non-global zone in the system can potentially have two firewalls +configured: the in-zone firewall and the Global Zone controlled (GZ-controlled) +firewall. The in-zone firewall can be controlled and observed inside the zone +using the framework detailed above, or from the Global Zone. The GZ-controlled +firewall can only be controlled and observed from the Global Zone. The +GZ-controlled firewall is always "outermost" with respect to the zone. +.sp +.LP +For inbound traffic (from an external source to the zone), the traffic flow looks +like the following diagram. Traffic blocked by the GZ-controlled firewall will +not be processed by the in-zone firewall. +.sp +.in +2 +.nf + External Source + | + | +GZ-controlled Firewall + | + | + In-Zone Firewall + | + | + Zone +.fi +.in -2 +.sp +.LP +For outbound traffic (from the zone to an external destination), the traffic +flow looks like the following diagram. Traffic blocked by the in-zone firewall +will not be processed by the GZ-controlled firewall. +.sp +.in +2 +.nf + Zone + | + | + In-Zone Firewall + | + | +GZ-controlled Firewall + | + | + External Destination +.fi +.in -2 +.sp +.LP +Either of the in-Zone or GZ-controlled firewalls can be enabled, or both at the +same time. +.sp +.LP +The Global Zone does not have a GZ-controlled firewall, only an +in-zone firewall. For inbound traffic (from an external source to the global +zone), the traffic flow therefore looks like the following diagram. +.sp +.in +2 +.nf + External Source + | + | + In-Zone Firewall + | + | + Zone +.fi +.in -2 .sp .LP +For outbound traffic (from the global zone to an external destination), the +traffic flow looks like the following diagram. 
+.sp +.in +2 +.nf + Zone + | + | + In-Zone Firewall + | + | + External Destination +.fi +.in -2 + +.SH ATTRIBUTES +.LP See \fBattributes\fR(5) for a description of the following attributes: .sp @@ -225,7 +306,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBsvcs\fR(1), \fBipf\fR(1M), \fBipnat\fR(1M), \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4), \fBattributes\fR(5), @@ -234,7 +314,6 @@ Interface Stability Committed .LP \fISystem Administration Guide: IP Services\fR .SH NOTES -.sp .LP The \fBipfilter\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: |
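Review bot: the new `-G` entry in ipf.1m (hunk `@@ -257,6 +255,17`) should state what happens when `-G` is given without a trailing zonename, because ipf's `-G` takes no argument here while the global zone has no GZ-controlled instance of its own. "Make changes to the Global Zone-controlled ipfilter for the zone given as an argument" leaves a bare `ipf -G -Fa` undefined; say whether it is rejected or falls back to the in-zone instance, since in the second case an operator who forgets the zone name flushes the wrong rule set.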
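Review bot: the ZONES section in ipf.1m (hunk `@@ -459,8 +468,25`) documents the inconsistency in where the zone name goes but does not justify it; either accept `-G zonename`/`-z zonename` in ipf like the other tools, or at least make the SYNOPSIS show how the trailing `[zonename]` pairs with `-G`, because a command that silently targets the in-zone instead of the GZ-controlled instance is exactly the mistake this section warns about. Two smaller points in the same hunk: the paragraphs are separated by empty `+` lines rather than the `.sp`/`.LP` used everywhere else in the page, and "Using it in any other zone will return an error" would read better as "is rejected with an error".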
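Review bot: in the ipf.1m SEE ALSO hunk (`@@ -515,16 +540,14`) the new reference is written `\fBzones(5)\fR`, which puts the section number inside the bold span; every other entry on that line uses `\fBname\fR(section)`, so this should be `\fBzones\fR(5)`. The same form is repeated in the SEE ALSO hunks of ipfs.1m, ipfstat.1m, ipmon.1m, ipnat.1m and ippool.1m.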
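Review bot: the ipfs.1m SYNOPSIS hunk (`@@ -2,47 +2,47`) writes the new options as `[\fB-G\fR | \fB-z\fR \fIzonename\fR]`, which reads as "`-G` with no argument, or `-z zonename`", but the OPTIONS text in the same file documents `-G zonename`. Use `[\fB-G\fR \fIzonename\fR | \fB-z\fR \fIzonename\fR]` (or `[\fB-G\fR | \fB-z\fR] \fIzonename\fR`). The identical form is used in the ipfstat.1m, ipmon.1m, ipnat.1m and ippool.1m synopsis hunks and should be fixed there as well.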
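Review bot: the `-z` and `-G` entries in the ipfs.1m OPTIONS hunk (`@@ -164,6 +163,30`) each say "This command is only available in the Global Zone", but it is the option that is restricted, not the command (ipfs itself still runs inside a non-global zone on that zone's own tables); say "This option is only available in the Global Zone". The text also never says what happens when both `-z` and `-G` are supplied, although the SYNOPSIS presents them as mutually exclusive; add one sentence stating they are mutually exclusive and that giving both is an error. Finally, the cross-reference is written `\fBipf\fR(1m)` while the rest of these pages use the `(1M)` section name. All three points recur verbatim in the ipfstat.1m, ipmon.1m, ipnat.1m and ippool.1m option hunks.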
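Review bot: in the ipfstat.1m SYNOPSIS hunk (`@@ -14,11 +15,10`) only the form that starts with `\fBipfstat\fR [\fB-C\fR] [\fB-D\fR \fIaddrport\fR] ...` gains `[-G | -z zonename]`. That hunk opens with `.LP .nf`, so at least one earlier synopsis form exists above it and is left unchanged, yet the new OPTIONS entries are written as if `-z`/`-G` apply to every invocation. Either add the options to the other form(s) or state in the option text that they are only accepted together with `-C`/`-D`/`-P`/`-S`/`-T`.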
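Review bot: typo in the ipmon.1m OPTIONS hunk (`@@ -343,6 +342,32`): the `-z` entry reads "Monitor packets the specified zone's in-zone filter" and is missing "for"; the `-G` entry immediately below has the intended wording ("Monitor packets for the specified zone's global zone controlled filter").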
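Review bot: the ippool.1m header hunk (`@@ -2,60 +2,60`) sets `.TH IPPOOL 1M "Nov 26, 2012"` and a 2012 copyright line, while the sibling pages touched by the same change carry Oct 30, 2013 (ipfs, ipfstat, ipmon, ipnat) and Oct 7, 2014 (ipf, ipfilter). Harmless, but the dates should reflect when the page was last revised for this change rather than three different years.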
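Review bot: the new "In-Zone and Global Zone Controlled firewalls" subsection in ipfilter.5 (hunk `@@ -207,10 +203,95`) should state the enforcement property directly rather than leave it to the two diagrams: a packet is delivered only if both firewalls pass it, so nothing configured in the in-zone firewall can admit traffic that the GZ-controlled firewall blocks, and a non-global zone cannot observe or change the GZ-controlled rules. That is the guarantee an operator relies on when using the GZ-controlled firewall to confine a zone whose root user is not trusted, and the text currently only implies it ("Traffic blocked by the GZ-controlled firewall will not be processed by the in-zone firewall"). Two style points in the same hunk: the `-.RE` that closed the preceding `.RS +4` list is deleted and not replaced, which only renders correctly because `.SS` resets the indent, so keep the `.RE` before the new `.SS`; and "Either of the in-Zone or GZ-controlled firewalls" should use the lower-case "in-zone" used everywhere else in the subsection.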