| author | Rob Gulewich <robert.gulewich@joyent.com> | 2014-09-19 11:47:32 -0700 |
|---|---|---|
| committer | Robert Mustacchi <rm@joyent.com> | 2014-12-10 18:00:29 -0800 |
| commit | 94bdecd9e84ae1042607002db3e64a6849da5874 (patch) | |
| tree | a1bcf0ec4c727c916fcdd6b8ef779ee8063a7bfa /usr/src/cmd/ipf | |
| parent | 0b9f216886fedfeee1db590ff8db3baf72dc9118 (diff) | |
| download | illumos-joyent-94bdecd9e84ae1042607002db3e64a6849da5874.tar.gz | |
5198 Want alternate global zone rule set for each ipf netstack
5197 Global zone should be able to manage NGZ ipf state
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Darren Reed <darrenr@fastmail.net>
Approved by: Richard Lowe <richlowe@richlowe.net>
Diffstat (limited to 'usr/src/cmd/ipf')
| -rw-r--r-- | usr/src/cmd/ipf/lib/common/load_hash.c | 9 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/lib/common/load_hashnode.c | 9 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/lib/common/load_pool.c | 9 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/lib/common/load_poolnode.c | 7 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/Makefile.tools | 16 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipf.c | 43 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipfs.c | 36 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipfstat.c | 38 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipfzone.c | 161 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipfzone.h | 17 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipmon.c | 37 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ipnat.c | 19 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/tools/ippool.c | 92 |
13 files changed, 442 insertions, 51 deletions
diff --git a/usr/src/cmd/ipf/lib/common/load_hash.c b/usr/src/cmd/ipf/lib/common/load_hash.c index e43ddf54a3..ef65c26b75 100644 --- a/usr/src/cmd/ipf/lib/common/load_hash.c +++ b/usr/src/cmd/ipf/lib/common/load_hash.c @@ -7,15 +7,16 @@ * * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" +#include "ipfzone.h" static int hashfd = -1; @@ -35,6 +36,10 @@ ioctlfunc_t iocfunc; hashfd = open(IPLOOKUP_NAME, O_RDWR); if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; + if (setzone(hashfd) != 0) { + close(hashfd); + return -1; + } for (n = 0, a = list; a != NULL; a = a->ipe_next) n++; diff --git a/usr/src/cmd/ipf/lib/common/load_hashnode.c b/usr/src/cmd/ipf/lib/common/load_hashnode.c index 8cf1bb2c67..d408d511c2 100644 --- a/usr/src/cmd/ipf/lib/common/load_hashnode.c +++ b/usr/src/cmd/ipf/lib/common/load_hashnode.c @@ -7,15 +7,16 @@ * * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" +#include "ipfzone.h" static int hashfd = -1; @@ -34,6 +35,10 @@ ioctlfunc_t iocfunc; hashfd = open(IPLOOKUP_NAME, O_RDWR); if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; + if (setzone(hashfd) != 0) { + close(hashfd); + return -1; + } op.iplo_type = IPLT_HASH; op.iplo_unit = unit; diff --git a/usr/src/cmd/ipf/lib/common/load_pool.c b/usr/src/cmd/ipf/lib/common/load_pool.c index b8146c060c..ba246bb449 100644 --- a/usr/src/cmd/ipf/lib/common/load_pool.c +++ b/usr/src/cmd/ipf/lib/common/load_pool.c 
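Review bot: The added `setzone(hashfd)` call in load_hash.c is reached with `hashfd == -1` whenever OPT_DONOTHING is set, because the check just above it only returns on a failed open when that flag is clear; once a zone has been selected, the ioctl inside setzone() then fails on the invalid descriptor and a dry run returns -1. The error path also closes the file-scope `hashfd` without resetting it, so a later call may treat a closed (and possibly reused) descriptor number as still open; the guard around open() is outside the hunk, so confirm. Suggest `if (hashfd != -1 && setzone(hashfd) != 0) { close(hashfd); hashfd = -1; return -1; }`. The same pattern is added in load_hashnode.c (`hashfd`) and in load_pool.c and load_poolnode.c (`poolfd`).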
@@ -7,15 +7,16 @@ * * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" +#include "ipfzone.h" static int poolfd = -1; @@ -32,6 +33,10 @@ ioctlfunc_t iocfunc; poolfd = open(IPLOOKUP_NAME, O_RDWR); if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; + if (setzone(poolfd) != 0) { + close(poolfd); + return -1; + } op.iplo_unit = plp->ipo_unit; op.iplo_type = IPLT_POOL; diff --git a/usr/src/cmd/ipf/lib/common/load_poolnode.c b/usr/src/cmd/ipf/lib/common/load_poolnode.c index e992a80281..4203f0faa5 100644 --- a/usr/src/cmd/ipf/lib/common/load_poolnode.c +++ b/usr/src/cmd/ipf/lib/common/load_poolnode.c @@ -4,6 +4,8 @@ * See the IPFILTER.LICENCE file for details on licencing. * * $Id: load_poolnode.c,v 1.3.2.1 2004/03/06 14:33:29 darrenr Exp $ + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #include <fcntl.h> @@ -11,6 +13,7 @@ #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" +#include "ipfzone.h" static int poolfd = -1; @@ -29,6 +32,10 @@ ioctlfunc_t iocfunc; poolfd = open(IPLOOKUP_NAME, O_RDWR); if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; + if (setzone(poolfd) != 0) { + close(poolfd); + return -1; + } op.iplo_unit = role; op.iplo_type = IPLT_POOL; diff --git a/usr/src/cmd/ipf/tools/Makefile.tools b/usr/src/cmd/ipf/tools/Makefile.tools index 5d8bee1d04..7c1e151762 100644 --- a/usr/src/cmd/ipf/tools/Makefile.tools +++ b/usr/src/cmd/ipf/tools/Makefile.tools 
@@ -24,17 +24,19 @@ # # Copyright 2013 Nexenta Systems, Inc. All rights reserved. # +# Copyright (c) 2012, Joyent Inc. All rights reserved. +# PROG= ipf ipfs ipmon ipnat ippool ipfstat IPFPROG= ipftest -IPF_OBJS= ipf.o ipfcomp.o ipf_y.o ipf_l.o -IPFS_OBJS= ipfs.o -IPFSTAT_OBJS= ipfstat.o -IPMON_OBJS= ipmon.o ipmon_y.o ipmon_l.o -IPNAT_OBJS= ipnat.o ipnat_y.o ipnat_l.o -IPPOOL_OBJS= ippool.o ippool_y.o ippool_l.o -IPFTEST_OBJS= ipftest.o \ +IPF_OBJS= ipf.o ipfcomp.o ipfzone.o ipf_y.o ipf_l.o +IPFS_OBJS= ipfs.o ipfzone.o +IPFSTAT_OBJS= ipfstat.o ipfzone.o +IPMON_OBJS= ipmon.o ipfzone.o ipmon_y.o ipmon_l.o +IPNAT_OBJS= ipnat.o ipfzone.o ipnat_y.o ipnat_l.o +IPPOOL_OBJS= ippool.o ipfzone.o ippool_y.o ippool_l.o +IPFTEST_OBJS= ipftest.o ipfzone.o \ ip_fil.o ip_state.o ip_compat.o \ ip_frag.o ip_nat.o ip_nat6.o fil.o \ ip_htable.o ip_lookup.o \ diff --git a/usr/src/cmd/ipf/tools/ipf.c b/usr/src/cmd/ipf/tools/ipf.c index e81389b342..7a664c80e6 100644 --- a/usr/src/cmd/ipf/tools/ipf.c +++ b/usr/src/cmd/ipf/tools/ipf.c @@ -5,6 +5,8 @@ * * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifdef __FreeBSD__ @@ -20,6 +22,7 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "netinet/ipl.h" +#include "ipfzone.h" #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; @@ -62,9 +65,9 @@ static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl, static void usage() { - fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n", + fprintf(stderr, "usage: ipf [-6AdDEGInoPrRsvVyzZ] %s %s %s", "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]", - "[-f filename] [-T <tuneopts>]"); + "[-f filename] [-T <tuneopts>] [zonename]\n"); exit(1); } 
@@ -74,11 +77,21 @@ int argc; char *argv[]; { int c; + const char *optstr = "6Ac:dDEf:F:GIl:noPrRsT:vVyzZ"; if (argc < 2) usage(); - while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) { + /* + * We need to set the zone name before calling the functions + * in the switch statement below. Note that ipf.c differs from the other + * tools in the ipfilter suite: the zone name is specified as the + * last argument, while the other tools use the -z option. ipf + * already has a -z option, so the last argument is used instead. + */ + getzonearg(argc, argv, optstr); + + while ((c = getopt(argc, argv, optstr)) != -1) { switch (c) { case '?' : @@ -111,6 +124,9 @@ char *argv[]; case 'F' : flushfilter(optarg); break; + case 'G' : + /* Already handled by getzonearg() above */ + break; case 'I' : opts ^= OPT_INACTIVE; break; @@ -187,6 +203,12 @@ int check; if ((fd = open(ipfdev, O_RDWR)) == -1) if ((fd = open(ipfdev, O_RDONLY)) == -1) perror("open device"); + + if (setzone(fd) != 0) { + close(fd); + return -2; + } + return fd; } @@ -307,6 +329,11 @@ char *opt; if (opts & OPT_VERBOSE) printf("set state log flag\n"); xfd = open(IPSTATE_NAME, O_RDWR); + if (xfd >= 0 && setzone(xfd) != 0) { + close(xfd); + xfd = -1; + } + if (xfd >= 0) { logopt = 0; if (ioctl(xfd, SIOCGETLG, &logopt)) @@ -324,6 +351,11 @@ char *opt; if (opts & OPT_VERBOSE) printf("set nat log flag\n"); xfd = open(IPNAT_NAME, O_RDWR); + if (xfd >= 0 && setzone(xfd) != 0) { + close(xfd); + xfd = -1; + } + if (xfd >= 0) { logopt = 0; if (ioctl(xfd, SIOCGETLG, &logopt)) @@ -516,6 +548,11 @@ static int showversion() return 1; } + if (setzone(vfd) != 0) { + close(vfd); + return 1; + } + if (ioctl(vfd, SIOCGETFS, &ipfo)) { perror("ioctl(SIOCGETFS)"); close(vfd); diff --git a/usr/src/cmd/ipf/tools/ipfs.c b/usr/src/cmd/ipf/tools/ipfs.c index da8387324a..e84168e25d 100644 --- a/usr/src/cmd/ipf/tools/ipfs.c +++ b/usr/src/cmd/ipf/tools/ipfs.c 
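Review bot: `-G` with no trailing zonename is accepted without complaint after the `getzonearg(argc, argv, optstr)` call added in main(): per ipfzone.c in this same commit, getzonearg() only sets the gz flag for 'G' and records a name only when a non-option argument remains, and setzone() returns 0 when no name was recorded. The command would then appear to act on the invoking zone's own netstack rather than a GZ-controlled one, which is easy to miss when loading or flushing rules. Consider failing fast, for example having getzonearg() print `-G requires a zonename` and exit when the flag was seen but `optind == argc`. main() starts and ends outside this hunk.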
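Review bot: In the opendevice hunk (`@@ -187,6 +203,12 @@`), `setzone(fd)` is called even when both open() attempts just failed, so with a zone selected the user gets a second, misleading "Error setting zone" message, `close(-1)` is called, and the return value for an open failure changes from -1 to -2. `fd` is not declared in the hunk and looks file-scope; if so, closing it without resetting it leaves a stale descriptor number for later callers, and any ioctl issued on it could land on whatever file reuses that number. Suggest `if (fd != -1 && setzone(fd) != 0) { close(fd); fd = -1; return -2; }`. ipfs.c's opendevice hunk makes the same call after a failed open, although it does reset `fd`. The function starts outside the hunk.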
@@ -5,6 +5,8 @@ * * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifdef __FreeBSD__ @@ -44,6 +46,7 @@ #include <resolv.h> #include "ipf.h" #include "netinet/ipl.h" +#include "ipfzone.h" #if !defined(lint) static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp"; @@ -86,14 +89,17 @@ char *progname; void usage() { - fprintf(stderr, "usage: %s [-nv] -l\n", progname); - fprintf(stderr, "usage: %s [-nv] -u\n", progname); - fprintf(stderr, "usage: %s [-nv] [-d <dir>] -R\n", progname); - fprintf(stderr, "usage: %s [-nv] [-d <dir>] -W\n", progname); - fprintf(stderr, "usage: %s [-nv] [-N|-S] [-f <file>] -r\n", progname); - fprintf(stderr, "usage: %s [-nv] [-N|-S] [-f <file>] -w\n", progname); - fprintf(stderr, "usage: %s [-nv] [-N|-S] -f <file> -i <if1>,<if2>\n", - progname); + const char *zoneopt = "[-G|-z zonename] "; + fprintf(stderr, "usage: %s %s[-nv] -l\n", progname, zoneopt); + fprintf(stderr, "usage: %s %s[-nv] -u\n", progname, zoneopt); + fprintf(stderr, "usage: %s %s[-nv] [-d <dir>] -R\n", progname, zoneopt); + fprintf(stderr, "usage: %s %s[-nv] [-d <dir>] -W\n", progname, zoneopt); + fprintf(stderr, "usage: %s %s[-nv] [-N|-S] [-f <file>] -r\n", progname, + zoneopt); + fprintf(stderr, "usage: %s %s[-nv] [-N|-S] [-f <file>] -w\n", progname, + zoneopt); + fprintf(stderr, "usage: %s %s[-nv] [-N|-S] -f <file> -i <if1>,<if2>\n", + progname, zoneopt); exit(1); } @@ -218,7 +224,7 @@ char *argv[]; char *dirname = NULL, *filename = NULL, *ifs = NULL; progname = argv[0]; - while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1) + while ((c = getopt(argc, argv, "d:f:G:lNnSRruvWwz:")) != -1) switch (c) { case 'd' : @@ -233,6 +239,9 @@ char *argv[]; else usage(); break; + case 'G' : + setzonename_global(optarg); + break; case 'i' : ifs = optarg; set = 1; 
@@ -287,6 +296,9 @@ char *argv[]; rw = 3; set = 1; break; + case 'z' : + setzonename(optarg); + break; case '?' : default : usage(); @@ -355,6 +367,12 @@ char *ipfdev; if ((fd = open(ipfdev, O_RDWR)) == -1) if ((fd = open(ipfdev, O_RDONLY)) == -1) perror("open device"); + + if (setzone(fd) != 0) { + close(fd); + fd = -1; + } + return fd; } diff --git a/usr/src/cmd/ipf/tools/ipfstat.c b/usr/src/cmd/ipf/tools/ipfstat.c index 27b018e273..fd39556465 100644 --- a/usr/src/cmd/ipf/tools/ipfstat.c +++ b/usr/src/cmd/ipf/tools/ipfstat.c @@ -5,6 +5,8 @@ * * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifdef __FreeBSD__ @@ -71,6 +73,7 @@ #if defined(__NetBSD__) || (__OpenBSD__) # include <paths.h> #endif +#include "ipfzone.h" #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; @@ -177,6 +180,7 @@ char *name; #else fprintf(stderr, " %s -t [-C] ", name); #endif + fprintf(stderr, "[-G|-z zonename] "); fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n"); exit(1); } @@ -207,9 +211,9 @@ char *argv[]; u_32_t frf; #ifdef USE_INET6 - options = "6aACdfghIilnostvD:M:N:P:RS:T:"; + options = "6aACdfgG:hIilnostvD:M:N:P:RS:T:z:"; #else - options = "aACdfghIilnostvD:M:N:P:RS:T:"; + options = "aACdfgG:hIilnostvD:M:N:P:RS:T:z:"; #endif saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */ @@ -223,13 +227,16 @@ char *argv[]; opterr = 0; /* - * Parse these two arguments now lest there be any buffer overflows + * Parse these four arguments now lest there be any buffer overflows * in the parsing of the rest. */ myoptind = optind; while ((c = getopt(argc, argv, options)) != -1) { switch (c) { + case 'G' : + setzonename_global(optarg); + break; case 'M' : memf = optarg; live_kernel = 0; 
@@ -238,6 +245,9 @@ char *argv[]; kern = optarg; live_kernel = 0; break; + case 'z' : + setzonename(optarg); + break; } } optind = myoptind; @@ -247,11 +257,22 @@ char *argv[]; perror("open(IPSTATE_NAME)"); exit(-1); } + + if (setzone(state_fd) != 0) { + close(state_fd); + exit(-1); + } + if ((ipf_fd = open(device, O_RDONLY)) == -1) { fprintf(stderr, "open(%s)", device); perror(""); exit(-1); } + + if (setzone(ipf_fd) != 0) { + close(ipf_fd); + exit(-1); + } } if (kern != NULL || memf != NULL) { @@ -298,6 +319,9 @@ char *argv[]; case 'g' : opts |= OPT_GROUPS; break; + case 'G' : + /* Already handled by getzoneopt() above */ + break; case 'h' : opts |= OPT_HITS; break; @@ -360,6 +384,9 @@ char *argv[]; opts |= OPT_VERBOSE; opts |= OPT_UNDEF; break; + case 'z' : + /* Already handled by getzoneopt() above */ + break; default : usage(argv[0]); break; @@ -482,6 +509,11 @@ u_32_t *frfp; exit(-1); } + if (setzone(ipf_fd) != 0) { + close(ipf_fd); + exit(-1); + } + bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; ipfo.ipfo_size = sizeof(fr_authstat_t); diff --git a/usr/src/cmd/ipf/tools/ipfzone.c b/usr/src/cmd/ipf/tools/ipfzone.c new file mode 100644 index 0000000000..d4e1bb8427 --- /dev/null +++ b/usr/src/cmd/ipf/tools/ipfzone.c 
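Review bot: The comments added on the `case 'G'` and `case 'z'` arms of the second option loop in ipfstat.c say `Already handled by getzoneopt() above`, but the earlier pass in this file calls `setzonename_global(optarg)` and `setzonename(optarg)` directly from its own switch, and no getzoneopt() call appears in the ipfstat.c hunks. Suggest `/* Already handled by the first getopt() pass above */` on both arms so a reader does not go looking for a call that is not there. The enclosing function starts and ends outside these hunks.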
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 2014 Joyent, Inc. All rights reserved.
+ * Use is subject to license terms.
+ *
+ * See the IPFILTER.LICENCE file for details on licensing.
+ */
+
+
+#include <errno.h>
+#include <net/if.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <zone.h>
+
+#include "netinet/ip_fil.h"
+#include "ipfzone.h"
+
+static ipfzoneobj_t ipzo;
+static boolean_t do_setzone = 0;
+static int num_setzones = 0;
+
+extern int errno;
+extern int opterr;
+extern int optind;
+extern char *optarg;
+
+/*
+ * Get the zonename if it's the last argument and set the zonename
+ * in ipfzo to it. This is used by ipf(1m) only - all of the other tools
+ * specify the zone with the -z option, and therefore use getzoneopt() below.
+ */
+void
+getzonearg(int argc, char *argv[], const char *optstr)
+{
+ int c;
+
+ /*
+ * Don't warn about unknown options - let subsequent calls to
+ * getopt() handle this.
+ */
+ opterr = 0;
+
+ /*
+ * getopt is also used here to set optind so that we can
+ * determine if the last argument belongs to a flag or is
+ * actually a zonename.
+ */
+ while ((c = getopt(argc, argv, optstr)) != -1) {
+ if (c == 'G')
+ ipzo.ipfz_gz = 1;
+ }
+
+ if (optind < argc)
+ setzonename(argv[optind]);
+
+ /*
+ * Reset optind and opterr so the next getopt call will go through all
+ * of argv again and warn about unknown options.
+ */
+ optind = 1;
+ opterr = 1;
+}
+
+/*
+ * Get a -z option from argv and set the zonename in ipfzo accordingly
+ */
+void
+getzoneopt(int argc, char *argv[], const char *optstr)
+{
+ int c;
+
+ /*
+ * Don't warn about unknown options - let subsequent calls to
+ * getopt() handle this.
+ */
+ opterr = 0;
+
+ while ((c = getopt(argc, argv, optstr)) != -1) {
+ if (c == 'G')
+ setzonename_global(optarg);
+
+ if (c == 'z')
+ setzonename(optarg);
+ }
+
+ /*
+ * Reset optind and opterr so the next getopt call will go through all
+ * of argv again and warn about unknown options.
+ */
+ optind = 1;
+ opterr = 1;
+}
+
+/*
+ * Set the zonename in ipfzo to the given string: this is the zone all further
+ * ioctls will act on.
+ */
+void
+setzonename(const char *zonename)
+{
+ memcpy(ipzo.ipfz_zonename, zonename, sizeof (ipzo.ipfz_zonename));
+ do_setzone = B_TRUE;
+ num_setzones++;
+}
+
+/*
+ * Set the zonename in ipfo, and the gz flag. This indicates that we want all
+ * further ioctls to act on the GZ-controlled stack for that zone.
+ */
+void
+setzonename_global(const char *zonename)
+{
+ setzonename(zonename);
+ ipzo.ipfz_gz = 1;
+}
+
+/*
+ * Set the zone that all further ioctls will operate on. See the "GZ-controlled
+ * and per-zone stacks" note at the top of ip_fil_solaris.c for further
+ * explanation.
+ */
+int
+setzone(int fd)
+{
+ if (!do_setzone)
+ return (0);
+
+ if (num_setzones > 1) {
+ (void) fprintf(stderr,
+ "Only one of -G and -z may be set\n");
+ return (-1);
+ }
+
+ if (ipzo.ipfz_gz == 1 &&
+ getzoneidbyname(ipzo.ipfz_zonename) == GLOBAL_ZONEID) {
+ (void) fprintf(stderr,
+ "-G cannot be used with the global zone\n");
+ return (-1);
+ }
+
+ if (ioctl(fd, SIOCIPFZONESET, &ipzo) == -1) {
+ switch (errno) {
+ case ENODEV:
+ (void) fprintf(stderr,
+ "Could not find running zone: %s\n",
+ ipzo.ipfz_zonename);
+ break;
+ case EACCES:
+ (void) fprintf(stderr,
+ "Permission denied setting zone: %s\n",
+ ipzo.ipfz_zonename);
+ break;
+ default:
+ perror("Error setting zone");
+ }
+ return (-1);
+ }
+
+ return (0);
+}
diff --git a/usr/src/cmd/ipf/tools/ipfzone.h b/usr/src/cmd/ipf/tools/ipfzone.h
new file mode 100644
index 0000000000..ca6f42ec6a
--- /dev/null
+++ b/usr/src/cmd/ipf/tools/ipfzone.h
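Review bot: In setzonename() in ipfzone.c, `memcpy(ipzo.ipfz_zonename, zonename, sizeof (ipzo.ipfz_zonename))` always copies the full field size from a string that comes from argv, so a shorter name is read past its terminator, and a name at least as long as the field is stored without a NUL. The unterminated field would then be passed to getzoneidbyname(), the SIOCIPFZONESET ioctl and the `%s` error messages. A bounded string copy avoids both, e.g. `if (strlcpy(ipzo.ipfz_zonename, zonename, sizeof (ipzo.ipfz_zonename)) >= sizeof (ipzo.ipfz_zonename))` followed by an error message and exit(1). Over-long names should be rejected rather than truncated, since a truncated name could match a different zone. The field's declared size is not visible on this page, so confirm it against the ipfzoneobj_t definition.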
@@ -0,0 +1,17 @@ +/* + * Copyright (c) 2013 Joyent, Inc. All rights reserved. + * Use is subject to license terms. + * + * See the IPFILTER.LICENCE file for details on licensing. + */ + +#ifndef __IPFZONE_H__ +#define __IPFZONE_H__ + +void getzonearg(int, char *[], const char *); +void getzoneopt(int, char *[], const char *); +int setzone(int); +void setzonename(const char *); +void setzonename_global(const char *); + +#endif /* __IPFZONE_H__ */ diff --git a/usr/src/cmd/ipf/tools/ipmon.c b/usr/src/cmd/ipf/tools/ipmon.c index d4a351b015..a91e23237a 100644 --- a/usr/src/cmd/ipf/tools/ipmon.c +++ b/usr/src/cmd/ipf/tools/ipmon.c @@ -5,6 +5,8 @@ * * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ @@ -78,6 +80,7 @@ #include "netinet/ip_state.h" #include "netinet/ip_proxy.h" #include "ipmon.h" +#include "ipfzone.h" #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; @@ -1340,10 +1343,10 @@ printipflog: static void usage(prog) char *prog; { - fprintf(stderr, "%s: [-abDFhnpstvxX] %s %s %s %s %s %s\n", - prog, "[-N device]", "[ [-o [NSI]] [-O [NSI]]", - "[-P pidfile]", "[-S device]", "[-f device]", - "filename"); + fprintf(stderr, "%s: [-abDFhnpstvxX] %s %s %s %s %s %s %s\n", + prog, "[-G|-z zonename]", "[-N device]", + "[ [-o [NSI]] [-O [NSI]]", "[-P pidfile]", "[-S device]", + "[-f device]", "filename"); exit(1); } @@ -1380,6 +1383,11 @@ FILE *log; exit(1); } + if (setzone(fd) != 0) { + close(fd); + exit(1); + } + if (ioctl(fd, SIOCIPFFB, &flushed) == 0) { printf("%d bytes flushed from log buffer\n", flushed); @@ -1444,6 +1452,7 @@ char *argv[]; char buf[DEFAULT_IPFLOGSIZE], *iplfile[3], *s; extern int optind; extern char *optarg; + const char *optstr = "?abB:C:Df:G:FhnN:o:O:pP:sS:tvxXz:"; fd[0] = fd[1] = fd[2] = -1; fdt[0] = fdt[1] = fdt[2] = -1; 
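Review bot: The include guard in the new ipfzone.h, `__IPFZONE_H__`, uses an identifier with a double underscore, which C reserves for the implementation; `#ifndef _IPFZONE_H` or `IPFZONE_H` would be safer. The prototypes also carry no parameter names and no comment on the return contract, although every caller in this commit depends on setzone() returning 0 on success and non-zero on failure. Suggest `int setzone(int fd);` with a one-line comment stating that contract and that the descriptor must already be open.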
@@ -1451,7 +1460,13 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?abB:C:Df:FhnN:o:O:pP:sS:tvxX")) != -1) + /* + * We need to set the zone name before calling openlog in + * the switch statement below + */ + getzoneopt(argc, argv, optstr); + + while ((c = getopt(argc, argv, optstr)) != -1) switch (c) { case 'a' : @@ -1483,6 +1498,9 @@ char *argv[]; flushlogs(iplfile[1], log); flushlogs(iplfile[2], log); break; + case 'G' : + /* Already handled by getzoneopt() above */ + break; case 'n' : opts |= OPT_RESOLVE; break; @@ -1535,6 +1553,9 @@ char *argv[]; case 'X' : opts |= OPT_HEXHDR; break; + case 'z' : + /* Already handled by getzoneopt() above */ + break; default : case 'h' : case '?' : @@ -1571,6 +1592,12 @@ char *argv[]; exit(1); /* NOTREACHED */ } + + if (setzone(fd[i]) != 0) { + close(fd[i]); + exit(1); + } + if (!(regular[i] = !S_ISCHR(sb.st_mode))) devices++; } diff --git a/usr/src/cmd/ipf/tools/ipnat.c b/usr/src/cmd/ipf/tools/ipnat.c index 4a9a37a4a9..3a2610a235 100644 --- a/usr/src/cmd/ipf/tools/ipnat.c +++ b/usr/src/cmd/ipf/tools/ipnat.c @@ -7,6 +7,8 @@ * * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #include <stdio.h> @@ -55,6 +57,7 @@ #include "ipf.h" #include "netinet/ipl.h" #include "kmem.h" +#include "ipfzone.h" #ifdef __hpux # define nlist nlist64 @@ -95,7 +98,8 @@ int opts; void usage(name) char *name; { - fprintf(stderr, "Usage: %s [-CdFhlnrRsv] [-f filename]\n", name); + fprintf(stderr, "Usage: %s [-CdFhlnrRsv] [-f filename]", name); + fprintf(stderr, " [-G|-z zonename]\n"); exit(1); } @@ -117,7 +121,7 @@ char *argv[]; kernel = NULL; mode = O_RDWR; - while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsv")) != -1) + while ((c = getopt(argc, argv, "CdFf:G:hlM:N:nrRsvz:")) != -1) switch (c) { case 'C' : 
@@ -132,6 +136,9 @@ char *argv[]; case 'F' : opts |= OPT_FLUSH; break; + case 'G' : + setzonename_global(optarg); + break; case 'h' : opts |=OPT_HITS; break; @@ -162,6 +169,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; default : usage(argv[0]); } @@ -195,6 +205,11 @@ char *argv[]; exit(1); } + if (setzone(fd) != 0) { + close(fd); + exit(1); + } + bzero((char *)&obj, sizeof(obj)); obj.ipfo_rev = IPFILTER_VERSION; obj.ipfo_size = sizeof(*nsp); diff --git a/usr/src/cmd/ipf/tools/ippool.c b/usr/src/cmd/ipf/tools/ippool.c index 5f18379420..d0296139a8 100644 --- a/usr/src/cmd/ipf/tools/ippool.c +++ b/usr/src/cmd/ipf/tools/ippool.c @@ -5,10 +5,10 @@ * * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <sys/types.h> #include <sys/time.h> #include <sys/param.h> @@ -41,6 +41,7 @@ #include "netinet/ip_pool.h" #include "netinet/ip_htable.h" #include "kmem.h" +#include "ipfzone.h" extern int ippool_yyparse __P((void)); extern int ippool_yydebug; 
@@ -71,15 +72,21 @@ int use_inet6 = 0; void usage(prog) char *prog; { + const char *zoneopt = "[-G|-z zonename] "; fprintf(stderr, "Usage:\t%s\n", prog); - fprintf(stderr, "\t\t\t-a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n"); - fprintf(stderr, "\t\t\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n"); - fprintf(stderr, "\t\t\t-f <file> [-dnuv]\n"); - fprintf(stderr, "\t\t\t-F [-dv] [-o <role>] [-t <type>]\n"); - fprintf(stderr, "\t\t\t-l [-dv] [-m <name>] [-t <type>]\n"); - fprintf(stderr, "\t\t\t-r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n"); - fprintf(stderr, "\t\t\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n"); - fprintf(stderr, "\t\t\t-s [-dtv] [-M <core>] [-N <namelist>]\n"); + fprintf(stderr, "\t\t\t-a [-dnv] %s[-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n", + zoneopt); + fprintf(stderr, "\t\t\t-A [-dnv] %s[-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n", + zoneopt); + fprintf(stderr, "\t\t\t-f <file> %s[-dnuv]\n", zoneopt); + fprintf(stderr, "\t\t\t-F [-dv] %s[-o <role>] [-t <type>]\n", zoneopt); + fprintf(stderr, "\t\t\t-l [-dv] %s[-m <name>] [-t <type>]\n", zoneopt); + fprintf(stderr, "\t\t\t-r [-dnv] %s[-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n", + zoneopt); + fprintf(stderr, "\t\t\t-R [-dnv] %s[-m <name>] [-o <role>] [-t <type>]\n", + zoneopt); + fprintf(stderr, "\t\t\t-s [-dtv] %s[-M <core>] [-N <namelist>]\n", + zoneopt); exit(1); } @@ -140,13 +147,16 @@ char *argv[]; role = IPL_LOGIPF; bzero((char *)&node, sizeof(node)); - while ((c = getopt(argc, argv, "di:m:no:Rv")) != -1) + while ((c = getopt(argc, argv, "di:G:m:no:Rvz:")) != -1) switch (c) { case 'd' : opts |= OPT_DEBUG; ippool_yydebug++; break; + case 'G' : + setzonename_global(optarg); + break; case 'i' : s = strchr(optarg, '/'); if (s == NULL) @@ -182,6 +192,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; } if (opts & OPT_DEBUG) 
@@ -219,13 +232,16 @@ char *argv[]; bzero((char *)&iph, sizeof(iph)); bzero((char *)&pool, sizeof(pool)); - while ((c = getopt(argc, argv, "dm:no:RS:t:v")) != -1) + while ((c = getopt(argc, argv, "dG:m:no:RS:t:vz:")) != -1) switch (c) { case 'd' : opts |= OPT_DEBUG; ippool_yydebug++; break; + case 'G' : + setzonename_global(optarg); + break; case 'm' : poolname = optarg; break; @@ -255,6 +271,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; } if (opts & OPT_DEBUG) @@ -308,13 +327,16 @@ char *argv[], *infile; infile = optarg; - while ((c = getopt(argc, argv, "dnRuv")) != -1) + while ((c = getopt(argc, argv, "dG:nRuvz:")) != -1) switch (c) { case 'd' : opts |= OPT_DEBUG; ippool_yydebug++; break; + case 'G' : + setzonename_global(optarg); + break; case 'n' : opts |= OPT_DONOTHING; break; @@ -327,6 +349,9 @@ char *argv[], *infile; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; } if (opts & OPT_DEBUG) @@ -338,6 +363,11 @@ char *argv[], *infile; perror("open(IPLOOKUP_NAME)"); exit(1); } + + if (setzone(fd) != 0) { + close(fd); + exit(1); + } } if (ippool_parsefile(fd, infile, ioctl) != 0) @@ -365,12 +395,15 @@ char *argv[]; poolname = NULL; role = IPL_LOGALL; - while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1) + while ((c = getopt(argc, argv, "dG:m:M:N:o:Rt:vz:")) != -1) switch (c) { case 'd' : opts |= OPT_DEBUG; break; + case 'G' : + setzonename_global(optarg); + break; case 'm' : poolname = optarg; break; @@ -402,6 +435,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; } if (opts & OPT_DEBUG) @@ -413,6 +449,11 @@ char *argv[]; perror("open(IPLOOKUP_NAME)"); exit(1); } + + if (setzone(fd) != 0) { + close(fd); + exit(1); + } } bzero((char *)&op, sizeof(op)); 
@@ -615,12 +656,15 @@ char *argv[]; bzero((char *)&op, sizeof(op)); - while ((c = getopt(argc, argv, "dM:N:o:t:v")) != -1) + while ((c = getopt(argc, argv, "dG:M:N:o:t:vz:")) != -1) switch (c) { case 'd' : opts |= OPT_DEBUG; break; + case 'G' : + setzonename_global(optarg); + break; case 'M' : live_kernel = 0; core = optarg; @@ -647,6 +691,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; } if (opts & OPT_DEBUG) @@ -658,6 +705,11 @@ char *argv[]; perror("open(IPLOOKUP_NAME)"); exit(1); } + + if (setzone(fd) != 0) { + close(fd); + exit(1); + } } if (type == IPLT_ALL || type == IPLT_POOL) { @@ -705,7 +757,7 @@ char *argv[]; type = IPLT_ALL; role = IPL_LOGALL; - while ((c = getopt(argc, argv, "do:t:v")) != -1) + while ((c = getopt(argc, argv, "do:t:vz:")) != -1) switch (c) { case 'd' : @@ -728,6 +780,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; + case 'z' : + setzonename(optarg); + break; } if (opts & OPT_DEBUG) @@ -739,6 +794,11 @@ char *argv[]; perror("open(IPLOOKUP_NAME)"); exit(1); } + + if (setzone(fd) != 0) { + close(fd); + exit(1); + } } bzero((char *)&flush, sizeof(flush)); |
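Review bot: The option string changed in the last ippool.c getopt loop (`@@ -705,7 +757,7 @@`), `"do:t:vz:"`, accepts `-z` but not `-G`, while the usage text updated earlier in this file advertises `[-G|-z zonename]` for `-F` and every other subcommand's option string gained `G:` with a matching case. getopt will report `-G` as unknown here; the switch's default handling is outside the hunk, but if it does not exit, the flush would proceed against the caller's own stack rather than the GZ-controlled one the operator asked for. Suggest `"dG:o:t:vz:"` together with `case 'G' : setzonename_global(optarg); break;`. The enclosing function starts and ends outside the hunk.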
