| author | Truong Nguyen <Truong.Q.Nguyen@Sun.COM> | 2009-02-14 00:35:26 -0800 |
|---|---|---|
| committer | Truong Nguyen <Truong.Q.Nguyen@Sun.COM> | 2009-02-14 00:35:26 -0800 |
| commit | eb1a34638eba7c5add1421327f3eb225a8ea7518 (patch) | |
| tree | 8248473bb88d0ad643e80e3c976123d722e5f944 /usr/src/cmd/fs.d/nfs/svc | |
| parent | f5c9e9f9ca94d949afcf832822366734d6daf6ea (diff) | |
| download | illumos-joyent-eb1a34638eba7c5add1421327f3eb225a8ea7518.tar.gz | |
6761070 PSARC 2008/580 Solaris host-based firewall
6236609 svc.startd resets auxiliary state on svcadm mark maintenance
6762307 SMF - expressing a service's maintenance state by request of another service
Diffstat (limited to 'usr/src/cmd/fs.d/nfs/svc')
| -rw-r--r-- | usr/src/cmd/fs.d/nfs/svc/cbd.xml | 16 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/nfs/svc/nfs-server | 156 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml | 11 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/nfs/svc/rquota.xml | 17 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/nfs/svc/server.xml | 42 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/nfs/svc/status.xml | 16 |
6 files changed, 220 insertions, 38 deletions
diff --git a/usr/src/cmd/fs.d/nfs/svc/cbd.xml b/usr/src/cmd/fs.d/nfs/svc/cbd.xml index 2e2ddbc95d..fed8bd027d 100644 --- a/usr/src/cmd/fs.d/nfs/svc/cbd.xml +++ b/usr/src/cmd/fs.d/nfs/svc/cbd.xml @@ -1,15 +1,14 @@ <?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- - Copyright 2005 Sun Microsystems, Inc. All rights reserved. + Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. CDDL HEADER START The contents of this file are subject to the terms of the - Common Development and Distribution License, Version 1.0 only - (the "License"). You may not use this file except in compliance - with the License. + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. @@ -24,8 +23,6 @@ CDDL HEADER END - ident "%Z%%M% %I% %E% SMI" - NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different @@ -87,6 +84,13 @@ exec=':kill' timeout_seconds='60' /> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='isrpc' type='boolean' value='true' /> + <propval name='name' type='astring' value='1073741824' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + <property_group name='application' type='framework'> <stability value='Evolving' /> <propval name='auto_enable' type='boolean' value='true' /> diff --git a/usr/src/cmd/fs.d/nfs/svc/nfs-server b/usr/src/cmd/fs.d/nfs/svc/nfs-server index 5aca9ecc66..35f78b4fa1 100644 --- a/usr/src/cmd/fs.d/nfs/svc/nfs-server +++ b/usr/src/cmd/fs.d/nfs/svc/nfs-server 
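Review bot: The `name` propval in cbd.xml's new `firewall_context` group is the bare number `1073741824`, while the sibling manifests in this commit (nlockmgr.xml, status.xml, server.xml) use service names, and nothing in the manifest explains the difference; the `ipfilter` method passes this value straight to `$SERVINFO -R -p -t -s $iana_name`, so the rule generation silently depends on servinfo resolving a numeric RPC program number. The value looks like the NFSv4 callback program number (0x40000000), presumably chosen because the callback service has no rpc-database name — confirm. A comment beside the propval, `<!-- RPC program number (0x40000000) of the NFSv4 callback service -->`, would stop a later maintainer from "correcting" it to a name that servinfo cannot resolve, which would leave cbd with no rules at all.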
@@ -20,16 +20,47 @@ # CDDL HEADER END # # -# Copyright 2008 Sun Microsystems, Inc. All rights reserved. +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # -#pragma ident "%Z%%M% %I% %E% SMI" # Start/stop processes required for server NFS . /lib/svc/share/smf_include.sh +. /lib/svc/share/ipf_include.sh zone=`smf_zonename` +# +# Handling a corner case here. If we were in offline state due to an +# unsatisfied dependency, the ipf_method process wouldn't have generated +# the ipfilter configuration. When we transition to online because the +# dependency is satisfied, the start method will have to generate the +# ipfilter configuration. To avoid all possible deadlock scenarios, +# we restart ipfilter which will regenerate the ipfilter configuration +# for the entire system. +# +# The ipf_method process signals that it didn't generate ipf rules by +# removing the service's ipf file. Thus we only restart network/ipfilter +# when the file is missing. +# +configure_ipfilter() +{ + ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX` + [ -f "$ipfile" ] && return 0 + + # + # Nothing to do if: + # - ipfilter isn't online + # - global policy is 'custom' + # - service's policy is 'use_global' + # + service_check_state $IPF_FMRI $SMF_ONLINE || return 0 + [ "`get_global_def_policy`" = "custom" ] && return 0 + [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0 + + svcadm restart $IPF_FMRI +} + case "$1" in 'start') # The NFS server is not supported in a local zone @@ -81,6 +112,8 @@ case "$1" in sleep 5 & exit $SMF_EXIT_ERR_FATAL fi + + configure_ipfilter else /usr/sbin/svcadm disable -t svc:/network/nfs/server echo "No NFS filesystems are shared" 
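Review bot: `configure_ipfilter` ends with `svcadm restart $IPF_FMRI` and returns without waiting, so if that restart is asynchronous (as svcadm restarts normally are) the remainder of the start method — which continues outside this hunk — brings nfsd online while network/ipfilter may still be reloading and this service's rule file may not yet exist, leaving a window in which the NFS ports are covered only by whatever rule set ipfilter holds at that moment. The block comment explains why a whole-system restart is used but not that the method does not wait for it; a line such as `# NOTE: restart is not synchronous; this service's rules may be installed after nfsd is already listening` would make the trade-off visible to whoever next tunes the firewall dependencies. The three early returns (`service_check_state`, `get_global_def_policy`, `get_policy`) appear to rely on helpers from the newly sourced `ipf_include.sh`; if any of them can fail for reasons other than "policy says skip" (for example svcprop unavailable), the function still returns 0 and the ipfilter restart is skipped silently, so a short comment on that failure mode, or an `echo` to the SMF log before each `return 0`, would aid later diagnosis.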
@@ -125,6 +158,125 @@ case "$1" in [ $? -ne 0 ] && exit 1 ;; +'ipfilter') + # + # NFS related services are RPC. nfs/server has nfsd which has + # well-defined port number but mountd is an RPC daemon. + # + # Essentially, we generate rules for the following "services" + # - nfs/server which has nfsd and mountd + # - nfs/rquota + # + # The following services are enabled for both nfs client and + # server so we'll treat them as client services and simply + # allow incoming traffic. + # - nfs/status + # - nfs/nlockmgr + # - nfs/cbd + # + NFS_FMRI="svc:/network/nfs/server:default" + RQUOTA_FMRI="svc:/network/nfs/rquota:default" + FMRI=$2 + + file=`fmri_to_file $FMRI $IPF_SUFFIX` + echo "# $FMRI" >$file + policy=`get_policy $NFS_FMRI` + ip="any" + + # + # nfs/server configuration is processed in the start method. + # + if [ "$FMRI" = "$NFS_FMRI" ]; then + service_check_state $FMRI $SMF_ONLINE + if [ $? -ne 0 ]; then + rm $file + exit $SMF_EXIT_OK + fi + + nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null` + tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null` + if [ -n "$tport" ]; then + generate_rules $FMRI $policy "tcp" $ip $tport $file + fi + + uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null` + if [ -n "$uport" ]; then + generate_rules $FMRI $policy "udp" $ip $uport $file + fi + + tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null` + if [ -n "$tports" ]; then + for tport in $tports; do + generate_rules $FMRI $policy "tcp" $ip \ + $tport $file + done + fi + + uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null` + if [ -n "$uports" ]; then + for uport in $uports; do + generate_rules $FMRI $policy "udp" $ip \ + $uport $file + done + fi + + elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then + iana_name=`svcprop -p inetd/name $FMRI` + + tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` + if [ -n "$tports" ]; then + for tport in $tports; do + generate_rules $NFS_FMRI $policy "tcp" \ + $ip $tport $file + done + fi + + uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + if [ 
-n "$uports" ]; then + for uport in $uports; do + generate_rules $NFS_FMRI $policy "udp" \ + $ip $uport $file + done + fi + else + # + # Handle the client services here + # + restarter=`svcprop -p general/restarter $FMRI 2>/dev/null` + if [ "$restarter" = "$INETDFMRI" ]; then + iana_name=`svcprop -p inetd/name $FMRI` + isrpc=`svcprop -p inetd/isrpc $FMRI` + else + iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` + isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI` + fi + + if [ "$isrpc" = "true" ]; then + tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` + uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + else + tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null` + uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null` + fi + + if [ -n "$tports" ]; then + for tport in $tports; do + echo "pass in log quick proto tcp from any" \ + "to any port = ${tport} flags S " \ + "keep state" >>${file} + done + fi + + if [ -n "$uports" ]; then + for uport in $uports; do + echo "pass in log quick proto udp from any" \ + "to any port = ${uport}" >>${file} + done + fi + fi + + ;; + *) echo "Usage: $0 { start | stop | refresh }" exit 1 diff --git a/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml b/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml index 42ec7152a2..3f7309f31a 100644 --- a/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml +++ b/usr/src/cmd/fs.d/nfs/svc/nlockmgr.xml @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- - Copyright 2006 Sun Microsystems, Inc. All rights reserved. + Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. CDDL HEADER START @@ -23,8 +23,6 @@ CDDL HEADER END - ident "%Z%%M% %I% %E% SMI" - NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
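Review bot: The client-service branch at the end of the new `'ipfilter')` arm writes `pass in log quick proto tcp from any ...` and the matching udp rules directly, bypassing `generate_rules` and the `policy` fetched at the top of the arm, so whenever nfs/status, nfs/nlockmgr or nfs/cbd is online their RPC ports are opened to every source irrespective of the global or per-service firewall policy — and those three manifests in this commit carry only a `firewall_context` group, no `firewall_config`, so an administrator has no knob to narrow it. The header comment calls them client services but does not say policy is deliberately ignored; stating it, e.g. `# Client services: rules below are unconditional 'pass' — firewall policy is not consulted for these ports`, turns the exposure into a documented decision rather than something that reads as an oversight. `FMRI=$2` is used unchecked, so with no second argument `fmri_to_file` receives an empty FMRI and `echo "# $FMRI" >$file` writes to whatever path that yields; a guard like `[ -z "$2" ] && exit $SMF_EXIT_ERR_CONFIG` before the `file=` line is cheap. The `*)` usage text still lists only `start | stop | refresh`, so it no longer matches the accepted arguments; if `ipfilter` is meant to stay an internal entry point, a one-line comment saying so avoids the mismatch looking like an omission. The enclosing `case "$1" in` starts outside this hunk.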
@@ -86,6 +84,13 @@ exec=':kill' timeout_seconds='60' /> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='isrpc' type='boolean' value='true' /> + <propval name='name' type='astring' value='nlockmgr' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + <property_group name='application' type='framework'> <stability value='Evolving' /> <propval name='auto_enable' type='boolean' value='true' /> diff --git a/usr/src/cmd/fs.d/nfs/svc/rquota.xml b/usr/src/cmd/fs.d/nfs/svc/rquota.xml index 74ae40b6c9..08fad0b16f 100644 --- a/usr/src/cmd/fs.d/nfs/svc/rquota.xml +++ b/usr/src/cmd/fs.d/nfs/svc/rquota.xml @@ -2,15 +2,14 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- - Copyright 2005 Sun Microsystems, Inc. All rights reserved. + Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. CDDL HEADER START The contents of this file are subject to the terms of the - Common Development and Distribution License, Version 1.0 only - (the "License"). You may not use this file except in compliance - with the License. + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. @@ -25,8 +24,6 @@ CDDL HEADER END - ident "%Z%%M% %I% %E% SMI" - NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
@@ -93,6 +90,14 @@ <propval name='wait' type='boolean' value='true' /> </property_group> + <property_group name='firewall_config' type='com.sun,fw_configuration'> + <propval name='policy' type='astring' value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='value_authorization' type='astring' + value='solaris.smf.value.firewall.config' /> + </property_group> + <stability value='Stable' /> <template> diff --git a/usr/src/cmd/fs.d/nfs/svc/server.xml b/usr/src/cmd/fs.d/nfs/svc/server.xml index e1621ff08a..e709cc8b36 100644 --- a/usr/src/cmd/fs.d/nfs/svc/server.xml +++ b/usr/src/cmd/fs.d/nfs/svc/server.xml 
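Review bot: The `firewall_config` group added to rquota.xml appears not to be consulted by the code that generates rquota's rules: in the nfs-server `ipfilter` method above, the rquota branch runs `policy=`get_policy $NFS_FMRI`` and `generate_rules $NFS_FMRI $policy ...`, i.e. under nfs/server's policy, not rquota's own. If `get_policy` reads this group for the FMRI it is given — which is presumably the point of having one per service — then editing `policy`, `apply_to` or `exceptions` here changes nothing that reaches ipfilter, which is an easy way for an administrator to believe a restriction is in force when it is not. Either the method should pass `$FMRI` for the rquota branch, or this group should carry a comment such as `<!-- rquota rules are generated under nfs/server's firewall_config policy; settings here are not consulted -->` so the effective control surface is clear.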
@@ -4,28 +4,26 @@ CDDL HEADER START - The contents of this file are subject to the terms of the - Common Development and Distribution License (the "License"). - You may not use this file except in compliance with the License. + The contents of this file are subject to the terms of the + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. - You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - or http://www.opensolaris.org/os/licensing. - See the License for the specific language governing permissions - and limitations under the License. + You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + or http://www.opensolaris.org/os/licensing. + See the License for the specific language governing permissions + and limitations under the License. - When distributing Covered Code, include this CDDL HEADER in each - file and include the License file at usr/src/OPENSOLARIS.LICENSE. - If applicable, add the following below this CDDL HEADER, with the - fields enclosed by brackets "[]" replaced with your own identifying - information: Portions Copyright [yyyy] [name of copyright owner] + When distributing Covered Code, include this CDDL HEADER in each + file and include the License file at usr/src/OPENSOLARIS.LICENSE. + If applicable, add the following below this CDDL HEADER, with the + fields enclosed by brackets "[]" replaced with your own identifying + information: Portions Copyright [yyyy] [name of copyright owner] CDDL HEADER END - Copyright 2006 Sun Microsystems, Inc. All rights reserved. + Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. - ident "%Z%%M% %I% %E% SMI" - NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
@@ -144,6 +142,20 @@ <propval name='auto_enable' type='boolean' value='true' /> </property_group> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='name' type='astring' value='nfsd' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + + <property_group name='firewall_config' type='com.sun,fw_configuration'> + <propval name='policy' type='astring' value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='value_authorization' type='astring' + value='solaris.smf.value.firewall.config' /> + </property_group> + <stability value='Stable' /> <template> diff --git a/usr/src/cmd/fs.d/nfs/svc/status.xml b/usr/src/cmd/fs.d/nfs/svc/status.xml index 043aab0485..8412fd8bac 100644 --- a/usr/src/cmd/fs.d/nfs/svc/status.xml +++ b/usr/src/cmd/fs.d/nfs/svc/status.xml @@ -1,15 +1,14 @@ <?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- - Copyright 2005 Sun Microsystems, Inc. All rights reserved. + Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. CDDL HEADER START The contents of this file are subject to the terms of the - Common Development and Distribution License, Version 1.0 only - (the "License"). You may not use this file except in compliance - with the License. + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. @@ -24,8 +23,6 @@ CDDL HEADER END - ident "%Z%%M% %I% %E% SMI" - NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
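Review bot: The `firewall_config` group added to server.xml governs more than the `nfsd` named in the accompanying `firewall_context`: the `ipfilter` method in nfs-server generates the mountd rules (`$SERVINFO -R -p -t -s "mountd"`) and the rquota rules under this service's policy (`generate_rules $NFS_FMRI $policy ...`), so an administrator adjusting `policy`, `apply_to` or `exceptions` here is also changing the exposure of mountd's dynamically assigned RPC ports and of rquota. Nothing in the manifest says so, and the `name` value of `nfsd` invites the reading that only port 2049 is affected. A comment on the group, e.g. `<!-- policy also applies to the mountd and rquota rules generated by /lib/svc/method/nfs-server ipfilter -->`, would make the scope of this control explicit.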
@@ -80,6 +77,13 @@ exec=':kill' timeout_seconds='60' /> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='isrpc' type='boolean' value='true' /> + <propval name='name' type='astring' value='status' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + <property_group name='application' type='framework'> <stability value='Evolving' /> <propval name='auto_enable' type='boolean' value='true' /> |
