authorRob Gulewich <robert.gulewich@joyent.com>2013-10-31 08:30:21 +0000
committerRob Gulewich <robert.gulewich@joyent.com>2013-10-31 08:48:00 +0000
commit9e752db2cdf20c29448931b05df26b85cb493303 (patch)
treeaec5a05a255c03f4dd58244a1511f8ffcf2eab15 /usr/src/cmd/ipf
parentb0f1f47849931c946259bb874d1fc19d9513be7f (diff)
downloadillumos-joyent-9e752db2cdf20c29448931b05df26b85cb493303.tar.gz
OS-2544 ipf rules from the GZ should be add to in-zone rules, not replace them
Diffstat (limited to 'usr/src/cmd/ipf')
-rw-r--r--usr/src/cmd/ipf/tools/ipf.c6
-rw-r--r--usr/src/cmd/ipf/tools/ipfs.c11
-rw-r--r--usr/src/cmd/ipf/tools/ipfstat.c20
-rw-r--r--usr/src/cmd/ipf/tools/ipfzone.c38
-rw-r--r--usr/src/cmd/ipf/tools/ipfzone.h3
-rw-r--r--usr/src/cmd/ipf/tools/ipmon.c10
-rw-r--r--usr/src/cmd/ipf/tools/ipnat.c11
-rw-r--r--usr/src/cmd/ipf/tools/ippool.c62
8 files changed, 130 insertions, 31 deletions
diff --git a/usr/src/cmd/ipf/tools/ipf.c b/usr/src/cmd/ipf/tools/ipf.c
index 5f1406fbf5..97bee67b26 100644
--- a/usr/src/cmd/ipf/tools/ipf.c
+++ b/usr/src/cmd/ipf/tools/ipf.c
@@ -6,7 +6,7 @@
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013, Joyent, Inc. All rights reserved.
*/
#ifdef __FreeBSD__
@@ -68,7 +68,7 @@ static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
static void usage()
{
- fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s",
+ fprintf(stderr, "usage: ipf [-6AdDEGInoPrRsvVyzZ] %s %s %s",
"[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]",
"[-f filename] [-T <tuneopts>]");
#if SOLARIS
@@ -85,7 +85,7 @@ int argc;
char *argv[];
{
int c;
- const char *optstr = "6Ac:dDEf:F:Il:noPrRsT:vVyzZ";
+ const char *optstr = "6Ac:dDEf:F:GIl:noPrRsT:vVyzZ";
if (argc < 2)
usage();
diff --git a/usr/src/cmd/ipf/tools/ipfs.c b/usr/src/cmd/ipf/tools/ipfs.c
index b5b9eebac1..72296a09d0 100644
--- a/usr/src/cmd/ipf/tools/ipfs.c
+++ b/usr/src/cmd/ipf/tools/ipfs.c
@@ -6,7 +6,7 @@
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013, Joyent, Inc. All rights reserved.
*/
#ifdef __FreeBSD__
@@ -92,7 +92,7 @@ char *progname;
void usage()
{
#if SOLARIS
- const char *zoneopt = "[-z zonename] ";
+ const char *zoneopt = "[-G|-z zonename] ";
#else
const char *zoneopt = "";
#endif
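Review bot: The usage text `[-G|-z zonename]` reads as if -G were a bare flag, yet the option string added in this file is `G:` and the handler passes `optarg` to `setzonename_global()`. Spell the argument out, e.g. `const char *zoneopt = "[-G zonename|-z zonename] ";`. The same wording is added to the usage output of ipfstat.c, ipmon.c, ipnat.c and ippool.c, which also declare `G:`; ipf.c is the exception, taking `G` with no argument.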
@@ -230,7 +230,7 @@ char *argv[];
char *dirname = NULL, *filename = NULL, *ifs = NULL;
progname = argv[0];
- while ((c = getopt(argc, argv, "d:f:lNnSRruvWwz:")) != -1)
+ while ((c = getopt(argc, argv, "d:f:G:lNnSRruvWwz:")) != -1)
switch (c)
{
case 'd' :
@@ -245,6 +245,11 @@ char *argv[];
else
usage();
break;
+#if SOLARIS
+ case 'G' :
+ setzonename_global(optarg);
+ break;
+#endif
case 'i' :
ifs = optarg;
set = 1;
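Review bot: `case 'G'` is compiled only under `#if SOLARIS`, but the option string accepts `G:` unconditionally, so on other builds -G and its argument are consumed without the `usage()` call that ipfstat.c and ippool.c make in their `#else` branch. Whether a `default:` arm catches it is not visible in this hunk. For consistency, keep the case label outside the conditional and add `#else` / `usage();` before the `break;`. The `case 'G'` added to ipnat.c has the same shape.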
diff --git a/usr/src/cmd/ipf/tools/ipfstat.c b/usr/src/cmd/ipf/tools/ipfstat.c
index 916d75277b..49ee7cd23d 100644
--- a/usr/src/cmd/ipf/tools/ipfstat.c
+++ b/usr/src/cmd/ipf/tools/ipfstat.c
@@ -6,7 +6,7 @@
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013, Joyent, Inc. All rights reserved.
*/
#ifdef __FreeBSD__
@@ -184,7 +184,7 @@ char *name;
fprintf(stderr, " %s -t [-C] ", name);
#endif
#ifdef SOLARIS
- fprintf(stderr, "[-z zonename] ");
+ fprintf(stderr, "[-G|-z zonename] ");
#endif
fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
exit(1);
@@ -216,9 +216,9 @@ char *argv[];
u_32_t frf;
#ifdef USE_INET6
- options = "6aACdfghIilnostvD:M:N:P:RS:T:z:";
+ options = "6aACdfgG:hIilnostvD:M:N:P:RS:T:z:";
#else
- options = "aACdfghIilnostvD:M:N:P:RS:T:z:";
+ options = "aACdfgG:hIilnostvD:M:N:P:RS:T:z:";
#endif
saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
@@ -232,13 +232,20 @@ char *argv[];
opterr = 0;
/*
- * Parse these three arguments now lest there be any buffer overflows
+ * Parse these four arguments now lest there be any buffer overflows
* in the parsing of the rest.
*/
myoptind = optind;
while ((c = getopt(argc, argv, options)) != -1) {
switch (c)
{
+ case 'G' :
+#if SOLARIS
+ setzonename_global(optarg);
+#else
+ usage(argv[0]);
+#endif
+ break;
case 'M' :
memf = optarg;
live_kernel = 0;
@@ -252,7 +259,6 @@ char *argv[];
setzonename(optarg);
#else
usage(argv[0]);
- break;
#endif
break;
}
@@ -327,6 +333,8 @@ char *argv[];
case 'g' :
opts |= OPT_GROUPS;
break;
+ case 'G' :
+ break;
case 'h' :
opts |= OPT_HITS;
break;
diff --git a/usr/src/cmd/ipf/tools/ipfzone.c b/usr/src/cmd/ipf/tools/ipfzone.c
index 1dabbcd447..c52b3e879d 100644
--- a/usr/src/cmd/ipf/tools/ipfzone.c
+++ b/usr/src/cmd/ipf/tools/ipfzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012 Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013 Joyent, Inc. All rights reserved.
* Use is subject to license terms.
*
* See the IPFILTER.LICENCE file for details on licensing.
@@ -17,7 +17,8 @@
#include "ipfzone.h"
static ipfzoneobj_t ipzo;
-static int do_setzone = 0;
+static boolean_t do_setzone = 0;
+static int num_setzones = 0;
extern int errno;
extern int optind;
@@ -30,11 +31,17 @@ extern char *optarg;
void
getzonearg(int argc, char *argv[], const char *optstr)
{
+ int c;
+
/*
- * Let getopt figure out if the last argument belongs to a flag or is
+ * getopt is also used here to set optind so that we can
+ * determine if the last argument belongs to a flag or is
* actually a zonename.
*/
- while (getopt(argc, argv, optstr) != -1) { }
+ while ((c = getopt(argc, argv, optstr)) != -1) {
+ if (c == 'G')
+ ipzo.ipfz_gz = 1;
+ }
if (optind < argc)
setzonename(argv[optind]);
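Review bot: When -G is given without a trailing zone name, the loop sets `ipzo.ipfz_gz = 1` but `setzonename()` is never called, so `do_setzone` stays false and `setzone()` returns 0 without issuing `SIOCIPFZONESET`. The flag is then dropped silently, and the command presumably runs against the caller's default stack rather than the GZ-controlled one, which is an easy way to load firewall rules into the wrong place. Consider failing fast after the `optind < argc` check, e.g. `else if (ipzo.ipfz_gz) { (void) fprintf(stderr, "-G requires a zonename\n"); exit(1); }`. The rest of getzonearg() lies outside this hunk, so confirm nothing later already covers the case.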
@@ -55,6 +62,9 @@ getzoneopt(int argc, char *argv[], const char *optstr)
int c;
while ((c = getopt(argc, argv, optstr)) != -1) {
+ if (c == 'G')
+ setzonename_global(optarg);
+
if (c == 'z')
setzonename(optarg);
}
@@ -73,7 +83,19 @@ void
setzonename(const char *zonename)
{
memcpy(ipzo.ipfz_zonename, zonename, sizeof (ipzo.ipfz_zonename));
- do_setzone = 1;
+ do_setzone = B_TRUE;
+ num_setzones++;
+}
+
+/*
+ * Set the zonename in ipfo, and the gz flag to indicate that we want to
+ * act on the GZ-controlled stack
+ */
+void
+setzonename_global(const char *zonename)
+{
+ setzonename(zonename);
+ ipzo.ipfz_gz = 1;
}
/*
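Review bot: `setzonename_global()` hands `optarg` unchecked to `setzonename()`, whose `memcpy(ipzo.ipfz_zonename, zonename, sizeof (ipzo.ipfz_zonename))` always reads the full buffer size from the source and never guarantees a terminator. A short name is over-read past its NUL, and a name at least as long as the buffer reaches `SIOCIPFZONESET` unterminated. With -G now routed through this path from every tool, a bounded copy that rejects over-long names would be safer, e.g. `if (strlcpy(ipzo.ipfz_zonename, zonename, sizeof (ipzo.ipfz_zonename)) >= sizeof (ipzo.ipfz_zonename))` followed by an error exit. The new comment also says `ipfo` where the variable is `ipzo`.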
@@ -85,6 +107,12 @@ setzone(int fd)
if (!do_setzone)
return (0);
+ if (num_setzones > 1) {
+ (void) fprintf(stderr,
+ "Only one of -G and -z may be set\n");
+ return (-1);
+ }
+
if (ioctl(fd, SIOCIPFZONESET, &ipzo) == -1) {
switch (errno) {
case ENODEV:
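Review bot: `num_setzones` counts every `setzonename()` call, so this check also fires for `-z a -z b` or a repeated -G, where the message `Only one of -G and -z may be set` misdescribes the problem. Before this change a repeated -z appears to have been accepted with the last value winning, so this is a behaviour change that the message hides. Either word it for the general case, e.g. `"Only one zone may be specified (-G or -z)\n"`, or track the two options separately. setzone() continues past the end of this hunk.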
diff --git a/usr/src/cmd/ipf/tools/ipfzone.h b/usr/src/cmd/ipf/tools/ipfzone.h
index a62747af7d..ca6f42ec6a 100644
--- a/usr/src/cmd/ipf/tools/ipfzone.h
+++ b/usr/src/cmd/ipf/tools/ipfzone.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012 Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013 Joyent, Inc. All rights reserved.
* Use is subject to license terms.
*
* See the IPFILTER.LICENCE file for details on licensing.
@@ -12,5 +12,6 @@ void getzonearg(int, char *[], const char *);
void getzoneopt(int, char *[], const char *);
int setzone(int);
void setzonename(const char *);
+void setzonename_global(const char *);
#endif /* __IPFZONE_H__ */
diff --git a/usr/src/cmd/ipf/tools/ipmon.c b/usr/src/cmd/ipf/tools/ipmon.c
index 0c025b8c56..cf10eece9b 100644
--- a/usr/src/cmd/ipf/tools/ipmon.c
+++ b/usr/src/cmd/ipf/tools/ipmon.c
@@ -6,7 +6,7 @@
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013, Joyent, Inc. All rights reserved.
*/
@@ -1346,7 +1346,7 @@ static void usage(prog)
char *prog;
{
#if SOLARIS
- const char *zoneopt = " [-z zonename]";
+ const char *zoneopt = " [-G|-z zonename]";
#else
const char *zoneopt = "";
#endif
@@ -1461,7 +1461,7 @@ char *argv[];
char buf[DEFAULT_IPFLOGSIZE], *iplfile[3], *s;
extern int optind;
extern char *optarg;
- const char *optstr = "?abB:C:Df:FhnN:o:O:pP:sS:tvxXz:";
+ const char *optstr = "?abB:C:Df:G:FhnN:o:O:pP:sS:tvxXz:";
fd[0] = fd[1] = fd[2] = -1;
fdt[0] = fdt[1] = fdt[2] = -1;
@@ -1509,6 +1509,10 @@ char *argv[];
flushlogs(iplfile[1], log);
flushlogs(iplfile[2], log);
break;
+#if SOLARIS
+ case 'G' :
+ break;
+#endif
case 'n' :
opts |= OPT_RESOLVE;
break;
diff --git a/usr/src/cmd/ipf/tools/ipnat.c b/usr/src/cmd/ipf/tools/ipnat.c
index 1f320a606f..a7e37b0295 100644
--- a/usr/src/cmd/ipf/tools/ipnat.c
+++ b/usr/src/cmd/ipf/tools/ipnat.c
@@ -8,7 +8,7 @@
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013, Joyent, Inc. All rights reserved.
*/
#include <stdio.h>
@@ -103,7 +103,7 @@ char *name;
{
fprintf(stderr, "Usage: %s [-CdFhlnrRsv] [-f filename]", name);
#if SOLARIS
- fprintf(stderr, " [-z zonename]\n");
+ fprintf(stderr, " [-G|-z zonename]\n");
#else
fprintf(stderr, "\n");
#endif
@@ -128,7 +128,7 @@ char *argv[];
kernel = NULL;
mode = O_RDWR;
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsvz:")) != -1)
+ while ((c = getopt(argc, argv, "CdFf:G:hlM:N:nrRsvz:")) != -1)
switch (c)
{
case 'C' :
@@ -143,6 +143,11 @@ char *argv[];
case 'F' :
opts |= OPT_FLUSH;
break;
+#if SOLARIS
+ case 'G' :
+ setzonename_global(optarg);
+ break;
+#endif
case 'h' :
opts |=OPT_HITS;
break;
diff --git a/usr/src/cmd/ipf/tools/ippool.c b/usr/src/cmd/ipf/tools/ippool.c
index adf6ba7b69..d918af8e10 100644
--- a/usr/src/cmd/ipf/tools/ippool.c
+++ b/usr/src/cmd/ipf/tools/ippool.c
@@ -6,7 +6,7 @@
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Copyright (c) 2012, Joyent, Inc. All rights reserved.
+ * Copyright (c) 2013, Joyent, Inc. All rights reserved.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -78,7 +78,7 @@ void usage(prog)
char *prog;
{
#if SOLARIS
- const char *zoneopt = "[-z zonename] ";
+ const char *zoneopt = "[-G|-z zonename] ";
#else
const char *zoneopt = "";
#endif
@@ -156,13 +156,19 @@ char *argv[];
role = IPL_LOGIPF;
bzero((char *)&node, sizeof(node));
- while ((c = getopt(argc, argv, "di:m:no:Rvz:")) != -1)
+ while ((c = getopt(argc, argv, "di:G:m:no:Rvz:")) != -1)
switch (c)
{
case 'd' :
opts |= OPT_DEBUG;
ippool_yydebug++;
break;
+ case 'G' :
+#if SOLARIS
+ setzonename_global(optarg);
+#else
+ usage(argv[0]);
+#endif
case 'i' :
s = strchr(optarg, '/');
if (s == NULL)
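Review bot: The new `case 'G'` in this option loop has no `break;`, so after `setzonename_global(optarg)` control falls into `case 'i'` and the zone name is handed to `strchr(optarg, '/')` and the address parsing that follows outside the hunk. The same omission is in the `@@ -235,13 +248,19 @@` hunk, where -G falls into `case 'm'` and `poolname = optarg` makes the zone name the pool name. For a tool that edits filter pools, this means a command scoped with -G can act on an address or pool the operator never named. Add `break;` after the `#endif` in both places, as the later `case 'G'` blocks in this file already do.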
@@ -198,6 +204,13 @@ char *argv[];
case 'v' :
opts |= OPT_VERBOSE;
break;
+ case 'z' :
+#if SOLARIS
+ setzonename(optarg);
+#else
+ usage(argv[0]);
+#endif
+ break;
}
if (opts & OPT_DEBUG)
@@ -235,13 +248,19 @@ char *argv[];
bzero((char *)&iph, sizeof(iph));
bzero((char *)&pool, sizeof(pool));
- while ((c = getopt(argc, argv, "dm:no:RS:t:vz:")) != -1)
+ while ((c = getopt(argc, argv, "dG:m:no:RS:t:vz:")) != -1)
switch (c)
{
case 'd' :
opts |= OPT_DEBUG;
ippool_yydebug++;
break;
+ case 'G' :
+#if SOLARIS
+ setzonename_global(optarg);
+#else
+ usage(argv[0]);
+#endif
case 'm' :
poolname = optarg;
break;
@@ -271,6 +290,13 @@ char *argv[];
case 'v' :
opts |= OPT_VERBOSE;
break;
+ case 'z' :
+#if SOLARIS
+ setzonename(optarg);
+#else
+ usage(argv[0]);
+#endif
+ break;
}
if (opts & OPT_DEBUG)
@@ -324,13 +350,20 @@ char *argv[], *infile;
infile = optarg;
- while ((c = getopt(argc, argv, "dnRuvz:")) != -1)
+ while ((c = getopt(argc, argv, "dG:nRuvz:")) != -1)
switch (c)
{
case 'd' :
opts |= OPT_DEBUG;
ippool_yydebug++;
break;
+ case 'G' :
+#if SOLARIS
+ setzonename_global(optarg);
+#else
+ usage(argv[0]);
+#endif
+ break;
case 'n' :
opts |= OPT_DONOTHING;
break;
@@ -394,12 +427,19 @@ char *argv[];
poolname = NULL;
role = IPL_LOGALL;
- while ((c = getopt(argc, argv, "dm:M:N:o:Rt:vz:")) != -1)
+ while ((c = getopt(argc, argv, "dG:m:M:N:o:Rt:vz:")) != -1)
switch (c)
{
case 'd' :
opts |= OPT_DEBUG;
break;
+ case 'G' :
+#if SOLARIS
+ setzonename_global(optarg);
+#else
+ usage(argv[0]);
+#endif
+ break;
case 'm' :
poolname = optarg;
break;
@@ -657,12 +697,19 @@ char *argv[];
bzero((char *)&op, sizeof(op));
- while ((c = getopt(argc, argv, "dM:N:o:t:vz:")) != -1)
+ while ((c = getopt(argc, argv, "dG:M:N:o:t:vz:")) != -1)
switch (c)
{
case 'd' :
opts |= OPT_DEBUG;
break;
+ case 'G' :
+#if SOLARIS
+ setzonename_global(optarg);
+#else
+ usage(argv[0]);
+#endif
+ break;
case 'M' :
live_kernel = 0;
core = optarg;
@@ -695,6 +742,7 @@ char *argv[];
#else
usage(argv[0]);
#endif
+ break;
}
if (opts & OPT_DEBUG)