| author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-05-02 11:41:50 +0000 |
|---|---|---|
| committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-05-02 11:41:50 +0000 |
| commit | 7aee23a10c59bb8b0a3f41e8b38fa2d7072ae8fa (patch) | |
| tree | d8bfb80066f431c42ee8176bf4ad5775005b7cbb | |
| parent | d006a4cbd4e9a251a94eec493f1618a9e452992a (diff) | |
| parent | 545f15ae81ab124ab97b965c15f2873e0228fcb3 (diff) | |
| download | illumos-joyent-7aee23a10c59bb8b0a3f41e8b38fa2d7072ae8fa.tar.gz | |
[illumos-gate merge]
commit 545f15ae81ab124ab97b965c15f2873e0228fcb3
6883 SMF nis/client ipfilter support needs improvement
commit 2bd8b3545dceb97f56401b7ad2a327e08d520574
6881 SMF ipfilter tries to unload module in zones
6882 SMF ipfilter lacks a property for a IPv6 custom policy file
6884 SMF ipfilter tuple_get_port needs to remove backslashes
commit d14b1d19b404dcc4795d8a76751a186717a0ddaa
6934 add kstat to track anon memory reservation failure (ENOMEM)
commit c22cda1b41022b307ea9fda8c9dc19e6329a109a
6847 syscall header declaration incorrect
Conflicts:
usr/src/uts/common/vm/vm_anon.c
usr/src/uts/common/sys/zone.h
usr/src/uts/common/os/zone.c
| -rw-r--r-- | usr/src/cmd/ipf/svc/ipfilter | 2 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/svc/ipfilter.xml | 5 | ||||
| -rw-r--r-- | usr/src/cmd/svc/shell/ipf_include.sh | 20 | ||||
| -rw-r--r-- | usr/src/cmd/ypcmd/yp.sh | 58 | ||||
| -rw-r--r-- | usr/src/lib/libc/sparc/sys/syscall.s | 4 |
5 files changed, 68 insertions, 21 deletions
diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter
index 2e6f2189f6..48e3e2e915 100644
--- a/usr/src/cmd/ipf/svc/ipfilter
+++ b/usr/src/cmd/ipf/svc/ipfilter
@@ -214,7 +214,7 @@ case "$1" in
 fi
 ipf -D
- [ -n "$ipfid" ] && modunload -i $ipfid
+ [ "$zone" = "global" -a -n "$ipfid" ] && modunload -i $ipfid
 ;;
 pause)
diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml
index e4a70405c1..5f088f5344 100644
--- a/usr/src/cmd/ipf/svc/ipfilter.xml
+++ b/usr/src/cmd/ipf/svc/ipfilter.xml
@@ -106,7 +106,10 @@
 <propval name='policy' type='astring' value='none' />
 <propval name='block_policy' type='astring' value='none' />
- <propval name='custom_policy_file' type='astring' value='' />
+ <propval name='custom_policy_file' type='astring'
+ value='/etc/ipf/ipf.conf' />
+ <propval name='custom_policy_file_6' type='astring'
+ value='/etc/ipf/ipf6.conf' />
 <propval name='apply_to' type='astring' value='' />
 <propval name='apply_to_6' type='astring' value='' />
 <propval name='exceptions' type='astring' value='' />
diff --git a/usr/src/cmd/svc/shell/ipf_include.sh b/usr/src/cmd/svc/shell/ipf_include.sh
index bb41e2ac49..5082f2a9e0 100644
--- a/usr/src/cmd/svc/shell/ipf_include.sh
+++ b/usr/src/cmd/svc/shell/ipf_include.sh
@@ -458,7 +458,7 @@ append_new_nat_rules()
 #
 tuple_get_port()
 {
- port_str=`echo "$1" | sed -e 's/ //g; s/.*://' 2>/dev/null`
+ port_str=`echo "$1" | sed -e 's/ //g; s/\\\//g; s/.*://' 2>/dev/null`
 [ -z "$port_str" ] && return 1
 echo $port_str | grep "-" >/dev/null
@@ -546,6 +546,22 @@ custom_set_symlink()
 }
 #
+# Make IP6FILCONF, /var/tmp/ipf/ipf6.conf, a symlink to the input file argument.
+#
+custom_set_symlink_6()
+{
+ #
+ # Nothing to do if the input file doesn't exist.
+ #
+ [ ! -f "$1" ] && return 0
+ check_ipf_dir || return 1
+ rm $IP6FILCONF >/dev/null 2>&1
+ ln -s $1 $IP6FILCONF >/dev/null 2>&1
+}
+
+#
 # New file replaces original file if they have different content
 #
 replace_file()
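Review bot: The new `s/\\\//g` expression in tuple_get_port only does what the bug title asks because it sits inside backticks, where the shell reduces `\\\/` to `\\/` before sed sees it, so sed strips literal backslashes; the same text under `$(...)` would reach sed unchanged and match a backslash-slash pair instead. That dependency is invisible to the next person who modernises the command substitution, so the line deserves a comment, e.g. `# inside backticks "\\\/" reaches sed as "\\/": strip literal backslashes`. tuple_get_port's body continues past the end of the hunk.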
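Review bot: In custom_set_symlink_6, `[ ! -f "$1" ] && return 0` succeeds before the `rm`, so when the configured IPv6 policy file is missing a `/var/tmp/ipf/ipf6.conf` link left by an earlier configuration is kept and whatever it points to presumably keeps being loaded; if the intent is "no file, no custom IPv6 rules", move `rm $IP6FILCONF >/dev/null 2>&1` ahead of the existence check, or return 1 so the caller can report it rather than silently succeed. `ln -s $1 $IP6FILCONF` should quote `"$1"` so a path with whitespace is not split, and since `ln`'s output is discarded its failure only surfaces through the function's exit status, which the caller in create_global_rules does not check. check_ipf_dir is outside this hunk; as the link is created by root under the sticky, world-writable /var/tmp, that is the place that ought to confirm /var/tmp/ipf is a root-owned directory and not itself a symlink.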
@@ -883,7 +899,7 @@ create_global_rules()
 file6=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_6_PROP`
 [ -n "$file" ] && custom_set_symlink $file
- [ -n "$file6" ] && custom_set_symlink $file6
+ [ -n "$file6" ] && custom_set_symlink_6 $file6
 return 0
 fi
diff --git a/usr/src/cmd/ypcmd/yp.sh b/usr/src/cmd/ypcmd/yp.sh
index 277d970465..773f74810e 100644
--- a/usr/src/cmd/ypcmd/yp.sh
+++ b/usr/src/cmd/ypcmd/yp.sh
@@ -36,6 +36,12 @@ create_client_ipf_rules()
 file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
 iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
 domain=`domainname`
+ block_policy=$GLOBAL_BLOCK_POLICY
+
+ if [ "$block_policy" = "return" ]; then
+ block_policy_tcp="return-rst"
+ block_policy_udp="return-icmp-as-dest"
+ fi
 if [ -z "$domain" ]; then
 return 0
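Review bot: `block_policy_tcp` and `block_policy_udp` are assigned only inside the `return` branch, so for any other block policy the `block $block_policy_tcp in log ...` rules emitted later pick up whatever the method script's environment already holds for those names; initialising both to the empty string before the `if` (`block_policy_tcp=` and `block_policy_udp=`) makes the plain drop rule the deliberate default rather than an accident of scope. `$GLOBAL_BLOCK_POLICY` is presumably provided by the sourced ipf_include.sh; it is not set anywhere visible here. create_client_ipf_rules begins before and continues after this hunk.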
@@ -60,31 +66,43 @@ create_client_ipf_rules()
 #
 # Get corresponding IPv4/IPv6 addresses
 #
- servers=`getent ipnodes $ypsvr | awk '/^:/{ print $1 }'`
- servers_6=`getent ipnodes $ypsvr | awk '/:/{ print $1 }'`
+ servers=`getent ipnodes $ypsvr | \
+ /usr/xpg4/bin/awk '$1 ~ !/:/{ print $1 }'`
+ servers_6=`getent ipnodes $ypsvr | \
+ /usr/xpg4/bin/awk '$1 ~ /:/{ print $1 }'`
 if [ -n "$servers" ]; then
 server_addrs="$server_addrs $servers"
 fi
 if [ -n "$servers_6" ]; then
- server_addrs_6="$server_addrs_6 $servers"
+ server_addrs_6="$server_addrs_6 $servers_6"
 fi
 done
- if [ -n "$server_addrs" ]; then
- for s in $server_addrs; do
- if [ -n "$tports" ]; then
- for tport in $tports; do
+ if [ -n "$tports" -o -n "$tports_6" ]; then
+ for tport in $tports $tports_6; do
+ echo "block $block_policy_tcp in log" \
+ "proto tcp from any to any" \
+ "port = $tport" >>$file
+ if [ -n "$server_addrs" ]; then
+ for s in $server_addrs; do
 echo "pass in log quick" \
 "proto tcp from $s" \
 "to any port = $tport" \
 >>$file
 done
 fi
+ done
+ fi
- if [ -n "$uports" ]; then
- for uport in $uports; do
+ if [ -n "$uports" -o -n "$uports_6" ]; then
+ for uport in $uports $uports_6; do
+ echo "block $block_policy_udp in log" \
+ "proto udp from any to any" \
+ "port = $uport" >>$file
+ if [ -n "$server_addrs" ]; then
+ for s in $server_addrs; do
 echo "pass in log quick" \
 "proto udp from $s" \
 "to any port = $uport" \
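Review bot: The new IPv4 selector `$1 ~ !/:/` does not mean "first field has no colon": in POSIX awk `!/:/` is evaluated first as `!($0 ~ /:/)`, giving 0 or 1, and that number is then used as a dynamic regex, so the test becomes `$1 ~ /1/` on colon-free lines and `$1 ~ /0/` on IPv6 lines. Against the getent ipnodes output this code reads, that silently drops IPv4 servers whose address contains no `1` and, worse, admits IPv6 addresses into `$servers`, which then appear as `pass in log quick proto tcp from <v6addr>` rules in the IPv4 file `$file`. The intended test is the negated match operator, `/usr/xpg4/bin/awk '$1 !~ /:/{ print $1 }'`. The `$servers` → `$servers_6` fix further down is correct; create_client_ipf_rules starts before and ends after this hunk.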
@@ -94,19 +112,29 @@ create_client_ipf_rules()
 done
 fi
- if [ -n "$server_addrs_6" ]; then
- for s in $server_addrs_6; do
- if [ -n "$tports_6" ]; then
- for tport in $tports_6; do
+ if [ -n "$tports_6" ]; then
+ for tport in $tports_6; do
+ echo "block $block_policy_tcp in log" \
+ "proto tcp from any to any" \
+ "port = $tport" >>$file6
+ if [ -n "$server_addrs_6" ]; then
+ for s in $server_addrs_6; do
 echo "pass in log quick" \
 "proto tcp from $s" \
 "to any port = $tport" \
 >>$file6
 done
 fi
+ done
+ fi
- if [ -n "$uports_6" ]; then
- for uport in $uports_6; do
+ if [ -n "$uports_6" ]; then
+ for uport in $uports_6; do
+ echo "block $block_policy_udp in log" \
+ "proto udp from any to any" \
+ "port = $uport" >>$file6
+ if [ -n "$server_addrs_6" ]; then
+ for s in $server_addrs_6; do
 echo "pass in log quick" \
 "proto udp from $s" \
 "to any port = $uport" \
diff --git a/usr/src/lib/libc/sparc/sys/syscall.s b/usr/src/lib/libc/sparc/sys/syscall.s
index 70f3618642..41af4eb8d9 100644
--- a/usr/src/lib/libc/sparc/sys/syscall.s
+++ b/usr/src/lib/libc/sparc/sys/syscall.s
@@ -28,8 +28,8 @@
 /* All Rights Reserved */
 /*
- * C library -- int syscall(int sysnum, ...);
- * C library -- int __systemcall(sysret_t *, int sysnum, ...);
+ * C library -- long syscall(int sysnum, ...);
+ * C library -- long __systemcall(sysret_t *, int sysnum, ...);
 *
 * Interpret a given system call
 * |
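Review bot: This IPv6 block is a line-for-line copy of the IPv4 block in the previous hunk with `6` appended to the variable names, leaving four near-identical loops (tcp/udp × v4/v6); the `$servers`/`$servers_6` slip that this same commit has to fix shows how easily such copies drift apart. A small helper taking the rule file, protocol, block policy, port list and server list would reduce each case to one call, e.g. `emit_port_rules $file6 tcp "$block_policy_tcp" "$tports_6" "$server_addrs_6"`, and the `[ -n ... ]` guards around the loops can go, since `for x in $empty` already iterates zero times. create_client_ipf_rules begins before and ends after this hunk, and the body shown here stops mid-statement.

```shell
#
# Append rules for one protocol to one rule file: a block rule per port,
# followed by a quick pass rule per trusted server for that port.
#	$1 rule file  $2 proto  $3 block policy  $4 ports  $5 servers
#
emit_port_rules()
{
	for p in $4; do
		echo "block $3 in log proto $2 from any to any port = $p" >>$1
		for s in $5; do
			echo "pass in log quick proto $2 from $s" \
			    "to any port = $p" >>$1
		done
	done
}
```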
