author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-01-25 12:59:42 +0000 |
---|---|---|
committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2016-01-25 12:59:42 +0000 |
commit | f9534ac90ddb8fd2ab27923d7ec4d48c58807f96 (patch) | |
tree | a6e8e8fe5c37beca1085ccc138c95d972131ae73 /usr/src/cmd | |
parent | 335fc67e3f2c1247d3394809bb098b29cef7e607 (diff) | |
parent | c2b09db8b5b01162dadf9205ddd83ccf4f7d5535 (diff) | |
[illumos-gate merge]
commit c2b09db8b5b01162dadf9205ddd83ccf4f7d5535
6465 zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_007_pos is broken
commit 38d61036746e2273cc18f6698392e1e29f87d1bf
6450 scrub/resilver unnecessarily traverses snapshots created after the scrub started
commit 7ddce99911fbb5e44b38ac65e991a22e42267ee9
6123 SMF ipfilter support needs improvement
Diffstat (limited to 'usr/src/cmd')
35 files changed, 976 insertions, 140 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml index 3a37e51ab2..a6c1901c97 100644 --- a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml +++ b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -127,15 +129,21 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> </instance> - <stability value='Unstable' /> + <stability value='Unstable' /> <template> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml index dcfab5f69a..a66e18a02e 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -79,8 +81,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml index 3fd6e5321c..2c4281d84a 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -72,8 +74,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml index 22d0f1b4eb..530ec5bda7 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml 
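Review bot: The comsat firewall_config group gets `block_policy` and `target` but not the `apply_to_6`/`exceptions_6`/`target_6` trio that finger.xml in the same commit receives, and nothing says why. Presumably it is because comsat is an IPv4-only (udp) inetd service so no IPv6 rule file is ever generated for it, but a reader comparing manifests will read it as an omission; a one-line XML comment above the group such as `<!-- IPv4-only inetd service: no *_6 properties -->` would settle it. The same applies to the other manifests in this commit that omit the `_6` properties (route.xml, talk.xml, the klogin/eklogin and kshell instances).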
@@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -144,8 +146,11 @@ privileges='basic,proc_owner,proc_fork,proc_exec,proc_info,proc_session,file_cho <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route index 87da8c7386..aa49137cb9 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route @@ -23,6 +23,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/smf_include.sh . /lib/svc/share/routing_include.sh @@ -51,11 +53,11 @@ create_ipf_rules() uport=`$SERVINFO -p -u -s $iana_name 2>/dev/null` if [ -n "$tport" ]; then - generate_rules $FMRI $policy "tcp" "any" $tport $file + generate_rules $FMRI $policy "tcp" $tport $file fi if [ -n "$uport" ]; then - generate_rules $FMRI $policy "udp" "any" $uport $file + generate_rules $FMRI $policy "udp" $uport $file fi } diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml index a867c40d66..c4d2494095 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml 
@@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -79,8 +81,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/login.xml b/usr/src/cmd/cmd-inet/usr.sbin/login.xml index 4e5f974034..f21084da5f 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/login.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/login.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -73,8 +75,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -116,8 +124,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> - <propval name='exception_list' type='astring' value='' /> - <propval name='override_list' type='astring' value='' /> + <propval name='block_policy' type='astring' + value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> @@ -161,8 +172,11 @@ remote login with Kerberos authentication <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> - <propval name='exception_list' type='astring' value='' /> - <propval name='override_list' type='astring' value='' /> + <propval name='block_policy' type='astring' + value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml index 924ced88c4..98f83f3102 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -83,8 +85,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml index 30730380a9..b841f99961 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -98,8 +100,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -141,8 +149,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml index 6b0ac5dfa5..a5425c3fc1 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -72,8 +74,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/fs.d/nfs/svc/nfs-server b/usr/src/cmd/fs.d/nfs/svc/nfs-server index c15fabd8eb..5c8c1a67dd 100644 --- a/usr/src/cmd/fs.d/nfs/svc/nfs-server +++ b/usr/src/cmd/fs.d/nfs/svc/nfs-server 
@@ -21,8 +21,9 @@ # # -# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # # Start/stop processes required for server NFS @@ -47,7 +48,8 @@ zone=`smf_zonename` configure_ipfilter() { ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX` - [ -f "$ipfile" ] && return 0 + ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX` + [ -f "$ipfile" -a -f "$ip6file" ] && return 0 # # Nothing to do if: @@ -129,20 +131,22 @@ case "$1" in # - nfs/rquota # # The following services are enabled for both nfs client and - # server so we'll treat them as client services and simply - # allow incoming traffic. + # server, if nfs/client is enabled we'll treat them as client + # services and simply allow incoming traffic. # - nfs/status # - nfs/nlockmgr # - nfs/cbd # NFS_FMRI="svc:/network/nfs/server:default" + NFSCLI_FMRI="svc:/network/nfs/client:default" RQUOTA_FMRI="svc:/network/nfs/rquota:default" FMRI=$2 file=`fmri_to_file $FMRI $IPF_SUFFIX` + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` echo "# $FMRI" >$file + echo "# $FMRI" >$file6 policy=`get_policy $NFS_FMRI` - ip="any" # # nfs/server configuration is processed in the start method. 
@@ -157,52 +161,107 @@ case "$1" in nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null` tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null` if [ -n "$tport" ]; then - generate_rules $FMRI $policy "tcp" $ip $tport $file + generate_rules $FMRI $policy "tcp" $tport $file + fi + + tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null` + if [ -n "$tport6" ]; then + generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 fi uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null` if [ -n "$uport" ]; then - generate_rules $FMRI $policy "udp" $ip $uport $file + generate_rules $FMRI $policy "udp" $uport $file fi + uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null` + if [ -n "$uport6" ]; then + generate_rules $FMRI $policy "udp" $uport6 $file6 _6 + fi + + # mountd IPv6 ports are also reachable through IPv4, so include + # them when generating IPv4 rules. tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null` - if [ -n "$tports" ]; then + tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null` + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do - generate_rules $FMRI $policy "tcp" $ip \ + generate_rules $FMRI $policy "tcp" \ $tport $file done fi + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $FMRI $policy "tcp" \ + $tport6 $file6 _6 + done + fi + uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null` - if [ -n "$uports" ]; then + uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null` + if [ -n "$uports" -o -n "$uports6" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do - generate_rules $FMRI $policy "udp" $ip \ + generate_rules $FMRI $policy "udp" \ $uport $file done fi + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $FMRI $policy "udp" \ + $uport6 $file6 _6 + done + fi + elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then iana_name=`svcprop -p inetd/name $FMRI` + # rquota IPv6 ports are also reachable through IPv4, so include + # them when generating IPv4 rules. 
tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` - if [ -n "$tports" ]; then + tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $NFS_FMRI $policy "tcp" \ - $ip $tport $file + $tport $file + done + fi + + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $NFS_FMRI $policy "tcp" \ + $tport6 $file6 _6 done fi uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` - if [ -n "$uports" ]; then + uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` + if [ -n "$uports" -o -n "$uports6" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $NFS_FMRI $policy "udp" \ - $ip $uport $file + $uport $file + done + fi + + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $NFS_FMRI $policy "udp" \ + $uport6 $file6 _6 done fi else # # Handle the client services here # + if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then + policy=none + ip=any + fi + restarter=`svcprop -p general/restarter $FMRI 2>/dev/null` if [ "$restarter" = "$INETDFMRI" ]; then iana_name=`svcprop -p inetd/name $FMRI` 
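Review bot: In the client-services branch, `ip=any` is a dead assignment: every `generate_rules` call in this hunk dropped the address argument (the `$ip` removals are visible throughout), so `$ip` is never read again; keep only `policy=none` inside the `if`. Setting `policy=none` when nfs/client is online appears to turn the nfs/status, nlockmgr and cbd rules into unconditional pass rules regardless of the nfs/server policy fetched earlier with `get_policy $NFS_FMRI`; that matches the rewritten comment, but it is a silent override of an administrator-visible setting and deserves a comment at the assignment, e.g. `# nfs/client must reach these; override the nfs/server policy`. The v4/v6 pairing (merge tports6 into the IPv4 file via unique_ports, then emit the v6-only file) is copied five times in this hunk; a small helper taking FMRI, proto, both port lists and both files would remove the copy-paste risk. The ipfilter case continues past the end of the hunk.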
@@ -214,24 +273,41 @@ case "$1" in if [ "$isrpc" = "true" ]; then tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` + tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` else tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null` + tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null` uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null` + uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null` fi - if [ -n "$tports" ]; then + # IPv6 ports are also reachable through IPv4, so include + # them when generating IPv4 rules. + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do - echo "pass in log quick proto tcp from any" \ - "to any port = ${tport} flags S " \ - "keep state" >>${file} + generate_rules $FMRI $policy "tcp" $tport $file + done + fi + + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 done fi - if [ -n "$uports" ]; then + if [ -n "$uports" -o -n "$uports6" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do - echo "pass in log quick proto udp from any" \ - "to any port = ${uport}" >>${file} + generate_rules $FMRI $policy "udp" $uport $file + done + fi + + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $FMRI $policy "udp" $uport6 $file6 _6 done fi fi diff --git a/usr/src/cmd/fs.d/nfs/svc/rquota.xml b/usr/src/cmd/fs.d/nfs/svc/rquota.xml index 08fad0b16f..1f7e6554f3 100644 --- a/usr/src/cmd/fs.d/nfs/svc/rquota.xml +++ b/usr/src/cmd/fs.d/nfs/svc/rquota.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -90,10 +92,22 @@ <propval name='wait' type='boolean' value='true' /> </property_group> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='name' type='astring' value='rquotad' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/fs.d/nfs/svc/server.xml b/usr/src/cmd/fs.d/nfs/svc/server.xml index 3faffa1457..c963a01fcf 100644 --- a/usr/src/cmd/fs.d/nfs/svc/server.xml +++ b/usr/src/cmd/fs.d/nfs/svc/server.xml @@ -22,7 +22,8 @@ CDDL HEADER END Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. - Copyright 2014 Nexenta Systems, Inc. All rights reserved. + Copyright 2014 Nexenta Systems, Inc. All rights reserved + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including 
@@ -153,8 +154,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter index 6be1eeb7cc..2e6f2189f6 100644 --- a/usr/src/cmd/ipf/svc/ipfilter +++ b/usr/src/cmd/ipf/svc/ipfilter @@ -23,6 +23,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/smf_include.sh . /lib/svc/share/ipf_include.sh @@ -48,6 +50,7 @@ logmsg() load_ipf() { bad=0 ipf -IFa + ipf -6IFa for file in $IPFILOVRCONF $CONF_FILES $IPFILCONF; do if [ -r ${file} ]; then @@ -60,13 +63,16 @@ load_ipf() { fi done - if [ -r ${IP6FILCONF} ]; then - ipf -6IFa -f ${IP6FILCONF} - if [ $? != 0 ]; then - echo "$0: load of ${IP6FILCONF} into alternate set failed" - bad=1 + for file in $IP6FILOVRCONF $CONF6_FILES $IP6FILCONF; do + if [ -r ${file} ]; then + ipf -6I -f ${file} + if [ $? != 0 ]; then + echo "$0: load of ${file} into alternate set failed" + bad=1 + fi fi - fi + done + if [ $bad -eq 0 ] ; then ipf -s -y return 0 diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml index 4729deb085..e4a70405c1 100644 --- a/usr/src/cmd/ipf/svc/ipfilter.xml +++ b/usr/src/cmd/ipf/svc/ipfilter.xml 
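Review bot: The new IPv6 loop in load_ipf loads `$IP6FILOVRCONF $CONF6_FILES $IP6FILCONF` in that order with no note on why order matters, and the IPv4 loop it mirrors has none either; since ipfilter is last-match-wins unless a rule is `quick` (the generated per-service rules are, see the removed `pass in log quick` lines in nfs-server), a comment such as `# load order matters: a later file overrides an earlier one unless its rules are quick` would help the next person who reorders these. Also worth a comment: a failure in this loop sets `bad=1` and skips `ipf -s -y`, so the IPv4 rules already loaded into the inactive set are discarded along with the IPv6 ones and the previous active set stays in force; presumably that is the intended fail-safe rather than switching to a half-loaded set, but it reads like an accident. load_ipf continues past the end of the hunk.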
@@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> CDDL HEADER START @@ -103,9 +104,15 @@ <property_group name='firewall_config_default' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='none' /> + <propval name='block_policy' type='astring' + value='none' /> <propval name='custom_policy_file' type='astring' value='' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='open_ports' type='astring' value='' /> <propval name='version' type='count' value='0' /> <propval name='value_authorization' type='astring' @@ -115,7 +122,10 @@ <property_group name='firewall_config_override' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='none' /> + <propval name='block_policy' type='astring' + value='none' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -209,6 +219,47 @@ Apply the custom ipfilter configuration stored in a custom file (custom file pro <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> 
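Review bot: The description of the `return` value should state what it exposes: answering blocked probes with RST or ICMP lets a scanner distinguish filtered from closed ports, whereas dropping (`none`) reveals nothing; suggest `Block by returning TCP RST or ICMP unreachable messages. This reveals filtered ports to port scanners; prefer dropping on exposed hosts.` The value name `none` meaning "drop silently" is also easy to misread next to `policy`, where `none` means no firewall policy at all; the name is now baked into every manifest, so at least the description could read `Block by silently dropping packets (no response is sent to the sender).`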
@@ -218,7 +269,20 @@ Apply policy to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="apply_to_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
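Review bot: `apply_to_6` reuses the common_name `Apply policy to` verbatim from `apply_to`, so anything that renders the template (svccfg describe, a management UI) shows two identically labelled properties; suggest `Apply policy to (IPv6)`. The description itself is a faithful IPv6 mirror of the updated `apply_to` text.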
@@ -231,7 +295,46 @@ Make exceptions to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="exceptions_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Make exceptions to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
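Review bot: The last prop_pattern in this hunk is named `target6`, but the property every manifest in this commit adds, and the one paired with `target` in the descriptions, is `target_6`; as written the template documents a property nobody sets and leaves `target_6` without a pattern, so change it to `<prop_pattern name="target_6" type="astring"`. `addressess` in the `exceptions_6` description is a typo for `addresses`. `exceptions_6`, `target` and `target_6` also reuse the common_names of other properties (`Make exceptions to`, `Apply policy to`), which makes them indistinguishable when listed; `Make exceptions to (IPv6)`, `Apply policy to destination` and `Apply policy to destination (IPv6)` would keep them apart.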
@@ -321,6 +424,47 @@ Allow access to entities specified in 'apply_to' property. <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> diff --git a/usr/src/cmd/lp/cmd/lpsched/print-svc b/usr/src/cmd/lp/cmd/lpsched/print-svc index ff6599faf9..49b082f9a6 100644 --- a/usr/src/cmd/lp/cmd/lpsched/print-svc +++ b/usr/src/cmd/lp/cmd/lpsched/print-svc @@ -23,6 +23,7 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # . /lib/svc/share/smf_include.sh 
@@ -121,23 +122,27 @@ fi IPP_FMRI="svc:/application/print/ipp-listener:default" RFC1179_FMRI="svc:/application/print/rfc1179:default" IPP_CONF=/etc/lp/ipp/httpd-standalone-ipp.conf - ip="any" policy=`get_policy $FMRI` file=`fmri_to_file $RFC1179_FMRI $IPF_SUFFIX` + file6=`fmri_to_file $RFC1179_FMRI $IPF6_SUFFIX` echo "# $RFC1179_FMRI" >$file + echo "# $RFC1179_FMRI" >$file6 service_is_enabled ${RFC1179_FMRI} if [ $? -eq 0 ]; then rfc_name=`svcprop -p inetd/name ${RFC1179_FMRI} 2>/dev/null` rfc_proto=`svcprop -p inetd/proto ${RFC1179_FMRI} 2>/dev/null | \ sed 's/6/ /'` rfc_port=`$SERVINFO -p -t -s $rfc_name` - generate_rules $FMRI $policy $rfc_proto $ip $rfc_port $file + generate_rules $FMRI $policy $rfc_proto $rfc_port $file + generate_rules $FMRI $policy $rfc_proto $rfc_port $file6 _6 fi file=`fmri_to_file $IPP_FMRI $IPF_SUFFIX` + file6=`fmri_to_file $IPP_FMRI $IPF6_SUFFIX` echo "# $IPP_FMRI" >$file + echo "# $IPP_FMRI" >$file6 service_is_enabled ${IPP_FMRI} if [ $? -eq 0 ]; then # @@ -153,7 +158,8 @@ fi fi for port in $ipp_ports; do - generate_rules $FMRI $policy "tcp" $ip $port $file + generate_rules $FMRI $policy "tcp" $port $file + generate_rules $FMRI $policy "tcp" $port $file6 _6 done fi diff --git a/usr/src/cmd/lp/cmd/lpsched/server.xml b/usr/src/cmd/lp/cmd/lpsched/server.xml index 790355f873..d8df778cd9 100644 --- a/usr/src/cmd/lp/cmd/lpsched/server.xml +++ b/usr/src/cmd/lp/cmd/lpsched/server.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -112,8 +114,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml index a59ca4b2e6..5c9762edf7 100644 --- a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml +++ b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -90,8 +91,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metad/meta.xml b/usr/src/cmd/lvm/rpc.metad/meta.xml index 9d940bd2d1..83840692a2 100644 
--- a/usr/src/cmd/lvm/rpc.metad/meta.xml +++ b/usr/src/cmd/lvm/rpc.metad/meta.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml index 2c8be3a6c7..8fc3a6c530 100644 --- a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml +++ b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. 
@@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml index 40b7f950f7..952a59064d 100644 --- a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml +++ b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rexd/rex.xml b/usr/src/cmd/rexd/rex.xml index 8d3e77ffb0..8b9843328d 100644 --- a/usr/src/cmd/rexd/rex.xml 
+++ b/usr/src/cmd/rexd/rex.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -89,8 +91,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcbind/bind.xml b/usr/src/cmd/rpcbind/bind.xml index fca29c8993..c1f264e5f4 100644 --- a/usr/src/cmd/rpcbind/bind.xml +++ b/usr/src/cmd/rpcbind/bind.xml @@ -21,6 +21,7 @@ CDDL HEADER END + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2015 Nexenta Systems, Inc. All rights reserved. Copyright 2014 OmniTI Computer Consulting, Inc. All rights reserved. Copyright 2009 Sun Microsystems, Inc. All rights reserved. 
@@ -191,8 +192,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml index c372d710b0..0fd6257a73 100644 --- a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml +++ b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -92,11 +94,17 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> - </property_group> + </property_group> <stability value='Unstable' /> diff --git a/usr/src/cmd/rpcsvc/rstat.xml b/usr/src/cmd/rpcsvc/rstat.xml index cd60e85df7..7d3676eca7 100644 
--- a/usr/src/cmd/rpcsvc/rstat.xml +++ b/usr/src/cmd/rpcsvc/rstat.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/rusers.xml b/usr/src/cmd/rpcsvc/rusers.xml index eb3ab91ccd..c033136ac4 100644 --- a/usr/src/cmd/rpcsvc/rusers.xml +++ b/usr/src/cmd/rpcsvc/rusers.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -94,8 +96,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/spray.xml b/usr/src/cmd/rpcsvc/spray.xml index 2b8bb3fe5b..03f886b05e 100644 --- a/usr/src/cmd/rpcsvc/spray.xml +++ b/usr/src/cmd/rpcsvc/spray.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/wall.xml b/usr/src/cmd/rpcsvc/wall.xml index 835eafe117..acf23ede82 100644 --- a/usr/src/cmd/rpcsvc/wall.xml +++ b/usr/src/cmd/rpcsvc/wall.xml 
@@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml index c19403e568..168d98b4c1 100644 --- a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml +++ b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml @@ -23,6 +23,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
@@ -84,8 +86,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/smbsrv/smbd/server.xml b/usr/src/cmd/smbsrv/smbd/server.xml index 3364a193f3..875d6d3bc0 100644 --- a/usr/src/cmd/smbsrv/smbd/server.xml +++ b/usr/src/cmd/smbsrv/smbd/server.xml @@ -23,6 +23,7 @@ CDDL HEADER END Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. Copyright 2015 Nexenta Systems, Inc. All rights reserved. +Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including @@ -126,8 +127,14 @@ file. <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
diff --git a/usr/src/cmd/smbsrv/smbd/svc-smbd b/usr/src/cmd/smbsrv/smbd/svc-smbd index 175d2749d7..e6d4b89a23 100644 --- a/usr/src/cmd/smbsrv/smbd/svc-smbd +++ b/usr/src/cmd/smbsrv/smbd/svc-smbd @@ -22,6 +22,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# # Scripts that generate IPfilter rules for SMB server @@ -32,7 +34,7 @@ create_ipf_rules() { FMRI=$1 file=`fmri_to_file $FMRI $IPF_SUFFIX` - ip=any + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` policy=`get_policy ${FMRI}` iana_names="microsoft-ds netbios-ns netbios-dgm netbios-ssn" @@ -40,13 +42,16 @@ create_ipf_rules() # Enforce policy on each port # echo "# $FMRI" >$file + echo "# $FMRI" >$file6 for name in $iana_names; do port=`$SERVINFO -p -s $name 2>/dev/null` if [ -z "$port" ]; then continue; fi - generate_rules $FMRI $policy "tcp" $ip $port $file - generate_rules $FMRI $policy "udp" $ip $port $file + generate_rules $FMRI $policy "tcp" $port $file + generate_rules $FMRI $policy "tcp" $port $file6 _6 + generate_rules $FMRI $policy "udp" $port $file + generate_rules $FMRI $policy "udp" $port $file6 _6 done } diff --git a/usr/src/cmd/svc/milestone/global.xml b/usr/src/cmd/svc/milestone/global.xml index b1fca9b3cf..dd65d9fed2 100644 --- a/usr/src/cmd/svc/milestone/global.xml +++ b/usr/src/cmd/svc/milestone/global.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> CDDL HEADER START 
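Review bot: `create_ipf_rules` now mirrors every tcp and udp rule into `$file6` for the ports returned by `$SERVINFO -p -s $name` without asking servinfo whether an IPv6 listener exists, whereas `process_server_svc` in ipf_include.sh in this same change probes `-t6`/`-u6` before writing IPv6 rules. If smbd is always dual-stack this is fine and deserves a one-line comment, e.g. `# smbd listens on both address families, so mirror every rule into the IPv6 file`; otherwise mirror the `-t6`/`-u6` queries. `$file6` is also redirected to without the emptiness check `process_server_svc` applies to `$file`, though `fmri_to_file` presumably yields both names or neither. The function's opening line is outside the hunk.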
@@ -730,6 +731,47 @@ Allow access to entities specified in 'apply_to' property. <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> @@ -739,7 +781,20 @@ Apply policy to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="apply_to_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
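Review bot: `apply_to_6` reuses the exact `common_name` `Apply policy to` of `apply_to`, so the two properties are indistinguishable wherever only the common name is displayed (svccfg describe output, management UIs). Suggest `Apply policy to (IPv6)` here; the description already makes the address family explicit, so nothing else needs to change. The `block_policy` pattern added in the preceding hunk of this file is a copy of the one in the earlier manifest hunk and should stay in sync with it.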
@@ -752,7 +807,46 @@ Make exceptions to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="exceptions_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Make exceptions to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> diff --git a/usr/src/cmd/svc/shell/ipf_include.sh b/usr/src/cmd/svc/shell/ipf_include.sh index ac159b6946..bb41e2ac49 100644 --- a/usr/src/cmd/svc/shell/ipf_include.sh +++ b/usr/src/cmd/svc/shell/ipf_include.sh 
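Review bot: The new destination template is named `target6`, but every manifest in this change sets the property as `target_6` and ipf_include.sh reads `TARGET_6_PROP="target_6"`, so this `prop_pattern` matches nothing and `target_6` stays undocumented and unvalidated; change it to `<prop_pattern name="target_6" type="astring"`. The `exceptions_6` description also has `addressess` for `addresses`. Both `target` patterns carry the common name `Apply policy to` although they describe destinations rather than the sources `apply_to` refers to; `Apply policy to destination` and `Apply policy to destination (IPv6)` would separate them.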
@@ -20,15 +20,11 @@ # CDDL HEADER END # # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # IPFILTER_FMRI="svc:/network/ipfilter:default" ETC_IPF_DIR=/etc/ipf -IP6FILCONF=`/usr/bin/svcprop -p config/ipf6_config_file $IPFILTER_FMRI \ - 2>/dev/null` -if [ $? -eq 1 ]; then - IP6FILCONF=$ETC_IPF_DIR/ipf6.conf -fi IPNATCONF=`/usr/bin/svcprop -p config/ipnat_config_file $IPFILTER_FMRI \ 2>/dev/null` if [ $? -eq 1 ]; then @@ -41,11 +37,15 @@ if [ $? -eq 1 ]; then fi VAR_IPF_DIR=/var/run/ipf IPFILCONF=$VAR_IPF_DIR/ipf.conf +IP6FILCONF=$VAR_IPF_DIR/ipf6.conf IPFILOVRCONF=$VAR_IPF_DIR/ipf_ovr.conf +IP6FILOVRCONF=$VAR_IPF_DIR/ipf6_ovr.conf IPF_LOCK=/var/run/ipflock CONF_FILES="" +CONF6_FILES="" NAT_FILES="" IPF_SUFFIX=".ipf" +IPF6_SUFFIX=".ipf6" NAT_SUFFIX=".nat" # version for configuration upgrades @@ -65,11 +65,17 @@ METHOD_PROP="ipf_method" FW_CONFIG_PG="firewall_config" POLICY_PROP="policy" APPLY2_PROP="apply_to" +APPLY2_6_PROP="apply_to_6" EXCEPTIONS_PROP="exceptions" +EXCEPTIONS_6_PROP="exceptions_6" +TARGET_PROP="target" +TARGET_6_PROP="target_6" +BLOCKPOL_PROP="block_policy" FW_CONFIG_DEF_PG="firewall_config_default" FW_CONFIG_OVR_PG="firewall_config_override" CUSTOM_FILE_PROP="custom_policy_file" +CUSTOM_FILE_6_PROP="custom_policy_file_6" OPEN_PORTS_PROP="open_ports" PREFIX_HOST="host:" @@ -79,6 +85,7 @@ PREFIX_IF="if:" GLOBAL_CONFIG="" GLOBAL_POLICY="" +GLOBAL_BLOCK_POLICY="" SERVINFO=/usr/lib/servinfo 
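Review bot: `IP6FILCONF` stops being read from `config/ipf6_config_file` on the ipfilter instance and becomes the fixed `$VAR_IPF_DIR/ipf6.conf`, so a system that set that property now has it silently ignored and its IPv6 rules come from the generated file instead. The IPv4 `IPFILCONF` is already fixed the same way, so this is presumably deliberate and the administrator's file is meant to arrive through the new `CUSTOM_FILE_6_PROP`, but that is not visible here. A comment at the assignment saying where the custom IPv6 configuration is now consumed, e.g. `# generated IPv6 rules; administrator rules come in via custom_policy_file_6`, would spare the next reader the search, and a migration note is needed if the old property is not handled elsewhere in the change.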
@@ -129,10 +136,11 @@ global_get_prop_value() # service method, it's best to read all relevant configuration via one svcprop # invocation and cache it for later use. # -# This function reads and store relevant configuration into GLOBAL_CONFIG and -# initializes GLOBAL_POLICY variable. GLOBAL_CONFIG is a string containing pg/prop -# and their corresponding values (i.e. svcprop -p pg fmri output). To get values -# for a certain pg/prop, use global_get_prop_value(). +# This function reads and stores relevant configuration into GLOBAL_CONFIG and +# initializes the GLOBAL_POLICY and GLOBAL_BLOCK_POLICY variables. GLOBAL_CONFIG +# is a string containing pg/prop and their corresponding values (i.e. svcprop -p +# pg fmri output). To get values for a certain pg/prop, use +# global_get_prop_value(). # global_init() { @@ -140,6 +148,8 @@ global_init() $IPF_FMRI 2>/dev/null | awk '{$2=" "; print $0}'` GLOBAL_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG $POLICY_PROP` + GLOBAL_BLOCK_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG \ + $BLOCKPOL_PROP` } # 
@@ -165,21 +175,76 @@ get_policy() } # -# Given a service, gets its firewall policy +# block policy can be set to "return", which will expand into +# separate block rules for tcp (block return-rst ...) and all other +# protocols (block return-icmp-as-dest ...) +# +get_block_policy() +{ + config_pg=`get_config_pg $1` + svcprop -p $config_pg/${BLOCKPOL_PROP} $1 2>/dev/null +} + +# +# Given a service, gets its source address exceptions for IPv4 # get_exceptions() { config_pg=`get_config_pg $1` - svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null + exceptions=`svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null` + echo $exceptions | sed -e 's/\\//g' } # -# Given a service, gets its firewall policy +# Given a service, gets its source address exceptions for IPv6 +# +get_exceptions_6() +{ + config_pg=`get_config_pg $1` + exceptions6=`svcprop -p $config_pg/${EXCEPTIONS_6_PROP} $1 2>/dev/null` + echo $exceptions6 | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled source addresses for IPv4 # get_apply2_list() { config_pg=`get_config_pg $1` - svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null + apply2=`svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null` + echo $apply2 | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled source addresses for IPv6 +# +get_apply2_6_list() +{ + config_pg=`get_config_pg $1` + apply2_6=`svcprop -p $config_pg/${APPLY2_6_PROP} $1 2>/dev/null` + echo $apply2_6 | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled target addresses for IPv4 +# +get_target_list() +{ + config_pg=`get_config_pg $1` + target=`svcprop -p $config_pg/${TARGET_PROP} $1 2>/dev/null` + [ -z "$target" -o "$target" = '""' ] && target=any + echo $target | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled target addresses for IPv6 +# +get_target_6_list() +{ + config_pg=`get_config_pg $1` + target6=`svcprop -p $config_pg/${TARGET_6_PROP} $1 2>/dev/null` + [ -z "$target6" -o "$target6" = '""' ] && target6=any + echo 
$target6 | sed -e 's/\\//g' } check_ipf_dir() @@ -244,15 +309,16 @@ service_check_state() get_IP() { value_is_interface $1 && return 1 - echo "$1" | sed -n -e 's,^pool:\(.*\),pool/\1,p' \ - -e 's,^host:\(.*\),\1,p' \ - -e 's,^network:\(.*\),\1,p' + echo "$1" | sed -n -e "s,^${PREFIX_POOL}\(.*\),pool/\1,p" \ + -e "s,^${PREFIX_HOST}\(.*\),\1,p" \ + -e "s,^${PREFIX_NET}\(.*\),\1,p" \ + -e "s,^any,any,p" } get_interface() { value_is_interface $1 || return 1 - scratch=`echo "$1" | sed -e 's/^if://'` + scratch=`echo "$1" | sed -e "s/^${PREFIX_IF}//"` ifconfig $scratch >/dev/null 2>&1 || return 1 echo $scratch | sed -e 's/:.*//' @@ -264,7 +330,7 @@ get_interface() value_is_interface() { [ -z "$1" ] && return 1 - echo $1 | grep "^if:" >/dev/null 2>&1 + echo $1 | grep "^${PREFIX_IF}" >/dev/null 2>&1 } # @@ -272,7 +338,7 @@ value_is_interface() # remove_rules() { - [ -f "$1" ] && ipf -r -f $1 >/dev/null 2>&1 + [ -f "$1" ] && ipf $2 -r -f $1 >/dev/null 2>&1 } remove_nat_rules() @@ -282,7 +348,7 @@ remove_nat_rules() check_ipf_syntax() { - ipf -n -f $1 >/dev/null 2>&1 + ipf $2 -n -f $1 >/dev/null 2>&1 } check_nat_syntax() @@ -290,16 +356,21 @@ check_nat_syntax() ipnat -n -f $1 >/dev/null 2>&1 } +unique_ports() +{ + echo $* | xargs -n 1 echo | sort -u +} + file_get_ports() { - ipf -n -v -f $1 2>/dev/null | sed -n -e \ + ipf $2 -n -v -f $1 2>/dev/null | sed -n -e \ 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \ awk '{if (length($0) > 1) {printf("%s ", $1)}}' } get_active_ports() { - ipfstat -io 2>/dev/null | sed -n -e \ + ipfstat $1 -io 2>/dev/null | sed -n -e \ 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \ awk '{if (length($0) > 1) {printf("%s ",$1)}}' } 
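Review bot: The header comment above `get_block_policy` describes the `return` → `return-rst`/`return-icmp-as-dest` expansion, but that happens in `generate_rules`, not here; this function only reads the property. Suggest `# Given a service, gets its firewall block policy (use_global, none or return)` here and moving the expansion remark to `generate_rules`. The six new getters are copies differing only in the property name; a single helper taking the property name, wrapped by the `get_*_list` functions, would keep the `sed -e 's/\\//g'` unescaping and the `'""'` → `any` defaulting in one place. `echo $exceptions` and its siblings are unquoted, so a value containing glob characters is pathname-expanded before it reaches sed; `echo "$exceptions"` avoids that.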
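Review bot: The new `-e "s,^any,any,p"` in `get_IP` matches any value that merely begins with `any`, so an entry such as `anyhost` passes through unchanged and lands verbatim in an ipf rule; anchor it as `-e "s,^any\$,any,p"`. Because `get_IP` also resolves the source names from `exceptions` and `apply_to`, accepting `any` there is new behaviour: under a `deny` policy an exception of `any` now yields a `pass ... from any` rule for the port, where the old sed script produced nothing. That is probably intended for `target` but deserves a comment on the function, e.g. `# "any" is accepted as-is so target lists can name every destination`.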
@@ -330,42 +401,51 @@ sets_check_duplicate() # update_check_ipf_rules() { - check_ipf_syntax $1 || return 1 + check_ipf_syntax $1 $2 || return 1 - lports=`file_get_ports $1` - lactive_ports=`get_active_ports` + lports=`file_get_ports $1 $2` + lactive_ports=`get_active_ports $2` sets_check_duplicate "$lports" "$lactive_ports" || return 1 } server_port_list="" +server_port_list_6="" # # Given a file containing ipf rules, check the syntax and verify # the rules don't conflict with already processed services. # # The list of processed services' ports are maintained in the global -# variable 'server_port_list'. +# variables 'server_port_list' and 'server_port_list_6'. # check_ipf_rules() { - check_ipf_syntax $1 || return 1 - lports=`file_get_ports $1` - sets_check_duplicate "$lports" "$server_port_list" || return 1 - server_port_list="$server_port_list $lports" + check_ipf_syntax $1 $2 || return 1 + + lports=`file_get_ports $1 $2` + + if [ "$2" = "-6" ]; then + sets_check_duplicate "$lports" "$server_port_list_6" || return 1 + server_port_list_6="$server_port_list_6 $lports" + else + sets_check_duplicate "$lports" "$server_port_list" || return 1 + server_port_list="$server_port_list $lports" + fi + return 0 } prepend_new_rules() { - check_ipf_syntax $1 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ - ipf -f - >/dev/null 2>&1 + check_ipf_syntax $1 $2 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ + ipf $2 -f - >/dev/null 2>&1 } append_new_rules() { - check_ipf_syntax $1 && ipf -f $1 >/dev/null 2>&1 + check_ipf_syntax $1 $2 && ipf $2 -f $1 >/dev/null 2>&1 } append_new_nat_rules() @@ -494,7 +574,6 @@ replace_file() process_server_svc() { service=$1 - ip="any" policy=`get_policy ${service}` # @@ -502,8 +581,10 @@ process_server_svc() # we fail here. # file=`fmri_to_file $service $IPF_SUFFIX` + file6=`fmri_to_file $service $IPF6_SUFFIX` [ -z "$file" ] && return 1 echo "# $service" >${file} + echo "# $service" >${file6} # # Nothing to do if policy is "use_global" 
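Review bot: `process_server_svc` guards `[ -z "$file" ] && return 1` but then redirects into `${file6}` without the same check, so if `fmri_to_file` produced nothing for the `.ipf6` name the `echo` fails on an empty redirection target; extend it to `[ -z "$file" -o -z "$file6" ] && return 1`. `check_ipf_rules` in the first hunk keys its per-family port bookkeeping on `[ "$2" = "-6" ]`, so callers must pass exactly `-6`; a comment `# $2 is "-6" for IPv6 rules, empty otherwise` on it and on `update_check_ipf_rules` would document the convention. `process_server_svc` continues beyond this hunk.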
@@ -530,19 +611,39 @@ process_server_svc() # RPC services # if [ "$isrpc" = "true" ]; then + # The ports used for IPv6 are usually also reachable + # through IPv4, so generate IPv4 rules for them, too. tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` - if [ -n "$tports" ]; then + tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $service $policy "tcp" \ - $ip $tport $file + $tport $file + done + fi + + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $service $policy "tcp" \ + $tport6 $file6 _6 done fi uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` if [ -n "$uports" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $service $policy "udp" \ - $ip $uport $file + $uport $file + done + fi + + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $service $policy "udp" \ + $uport6 $file6 _6 done fi @@ -551,16 +652,25 @@ process_server_svc() # # Get the IANA port and supported protocols(tcp and udp) - # No support for IPv6 at this point. # tport=`$SERVINFO -p -t -s $iana_name 2>&1` if [ $? -eq 0 -a -n "$tport" ]; then - generate_rules $service $policy "tcp" $ip $tport $file + generate_rules $service $policy "tcp" $tport $file + fi + + tport6=`$SERVINFO -p -t6 -s $iana_name 2>&1` + if [ $? -eq 0 -a -n "$tport6" ]; then + generate_rules $service $policy "tcp" $tport6 $file6 _6 fi uport=`$SERVINFO -p -u -s $iana_name 2>&1` if [ $? -eq 0 -a -n "$uport" ]; then - generate_rules $service $policy "udp" $ip $uport $file + generate_rules $service $policy "udp" $uport $file + fi + + uport6=`$SERVINFO -p -u6 -s $iana_name 2>&1` + if [ $? -eq 0 -a -n "$uport6" ]; then + generate_rules $service $policy "udp" $uport6 $file6 _6 fi return 0 
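Review bot: The udp branch is gated on `[ -n "$uports" ]` alone, so an RPC service whose udp port appears only in `$uports6` gets no IPv4 rule for it, contrary to the comment above the tcp branch and to the tcp test `[ -n "$tports" -o -n "$tports6" ]`; change it to `if [ -n "$uports" -o -n "$uports6" ]; then`. The comment `The ports used for IPv6 are usually also reachable through IPv4` explains the `unique_ports` merge for both protocols, so placing it above both branches stops the udp loop from reading as an oversight. `process_server_svc` starts and ends outside this hunk.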
@@ -583,9 +693,9 @@ generate_rules()
 service=$1
 mypolicy=$2
 proto=$3
- ip=$4
- port=$5
- out=$6
+ port=$4
+ out=$5
+ _6=$6
 
 #
 # Default mode is to inherit from global's policy
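Review bot: The sixth parameter `_6` is a literal name fragment rather than a boolean: later in the function it is interpolated into `get_target${_6}_list`, `get_exceptions${_6}` and `get_apply2${_6}_list`, so callers must pass exactly `_6` or nothing at all. Document that at the assignment: `_6=$6	# "" for IPv4, "_6" selects the *_6 property getters`. The function signature is visible only in the hunk header.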
@@ -595,57 +705,95 @@ generate_rules() tcp_opts="" [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags" + block_policy=`get_block_policy $1` + if [ "$block_policy" = "use_global" ]; then + block_policy=${GLOBAL_BLOCK_POLICY} + fi + + if [ "$block_policy" = "return" ]; then + [ "$proto" = "tcp" ] && block_policy="return-rst" + [ "$proto" != "tcp" ] && block_policy="return-icmp-as-dest" + else + block_policy="" + fi + + iplist=`get_target${_6}_list $service` + # # Allow all if policy is 'none' # if [ "$mypolicy" = "none" ]; then - echo "pass in log quick proto ${proto} from any to ${ip}" \ - "port = ${port} ${tcp_opts}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "pass in log quick proto ${proto} from any to ${daddr}" \ + "port = ${port} ${tcp_opts}" >>${out} + done return 0 fi # - # For now, let's concern only with incoming traffic. + # For now, let's concern ourselves only with incoming traffic. # - [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block"; } - [ "$mypolicy" = "allow" ] && { ecmd="block"; acmd="pass"; } + [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block ${block_policy}"; } + [ "$mypolicy" = "allow" ] && { ecmd="block ${block_policy}"; acmd="pass"; } - for name in `get_exceptions $service`; do + for name in `get_exceptions${_6} $service`; do [ -z "$name" -o "$name" = '""' ] && continue ifc=`get_interface $name` if [ $? -eq 0 -a -n "$ifc" ]; then - echo "${ecmd} in log quick on ${ifc} from any to" \ - "${ip} port = ${port}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick on ${ifc} from any to" \ + "${daddr} port = ${port}" >>${out} + done continue fi - addr=`get_IP ${name}` - if [ $? -eq 0 -a -n "$addr" ]; then - echo "${ecmd} in log quick proto ${proto} from ${addr}" \ - "to ${ip} port = ${port} ${tcp_opts}" >>${out} + saddr=`get_IP ${name}` + if [ $? 
-eq 0 -a -n "$saddr" ]; then + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick proto ${proto} from ${saddr}" \ + "to ${daddr} port = ${port} ${tcp_opts}" >>${out} + done fi done - for name in `get_apply2_list $service`; do + for name in `get_apply2${_6}_list $service`; do [ -z "$name" -o "$name" = '""' ] && continue ifc=`get_interface $name` if [ $? -eq 0 -a -n "$ifc" ]; then - echo "${acmd} in log quick on ${ifc} from any to" \ - "${ip} port = ${port}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${acmd} in log quick on ${ifc} from any to" \ + "${daddr} port = ${port}" >>${out} + done continue fi - addr=`get_IP ${name}` - if [ $? -eq 0 -a -n "$addr" ]; then - echo "${acmd} in log quick proto ${proto} from ${addr}" \ - "to ${ip} port = ${port} ${tcp_opts}" >>${out} + saddr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$saddr" ]; then + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${acmd} in log quick proto ${proto} from ${saddr}" \ + "to ${daddr} port = ${port} ${tcp_opts}" >>${out} + done fi done - echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \ - "port = ${port} ${tcp_opts}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick proto ${proto} from any to ${daddr}" \ + "port = ${port} ${tcp_opts}" >>${out} + done return 0 } 
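Review bot: Every rule in this hunk is now written inside `for ip in $iplist`, so if `get_target${_6}_list` returns an empty list (the manifests in this change default `target` and `target_6` to '') the function emits nothing, including the final catch-all that previously used the `$ip` argument; under a `deny` policy that would leave the service port silently unfiltered. I cannot see the helper from here — if it already falls back to `any` this is fine, otherwise fail loudly with `[ -z "$iplist" ] && return 1` or keep a catch-all destination. Separately, `get_block_policy $1` should use `$service` like the neighbouring calls, and the identical get_IP/skip/echo loop appears six times and would be clearer as one small helper. generate_rules starts outside this hunk.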
@@ -732,23 +880,31 @@ create_global_rules() { if [ "$GLOBAL_POLICY" = "custom" ]; then file=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_PROP` + file6=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_6_PROP` [ -n "$file" ] && custom_set_symlink $file + [ -n "$file6" ] && custom_set_symlink $file6 + return 0 fi TEMP=`mktemp /var/run/ipf.conf.pid$$.XXXXXX` + TEMP6=`mktemp /var/run/ipf6.conf.pid$$.XXXXXX` process_nonsvc_progs $TEMP + process_nonsvc_progs $TEMP6 echo "# Global Default rules" >>${TEMP} + echo "# Global Default rules" >>${TEMP6} if [ "$GLOBAL_POLICY" != "none" ]; then echo "pass out log quick all keep state" >>${TEMP} + echo "pass out log quick all keep state" >>${TEMP6} fi case "$GLOBAL_POLICY" in 'none') # No rules replace_file ${IPFILCONF} ${TEMP} + replace_file ${IP6FILCONF} ${TEMP6} return $? ;; @@ -782,6 +938,22 @@ create_global_rules() done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $EXCEPTIONS_6_PROP`; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${ecmd} in log quick on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${ecmd} in log quick from ${addr} to any" >>${TEMP6} + fi + + done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_PROP`; do [ -z "$name" -o "$name" = '""' ] && continue 
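Review bot: In the `custom` branch `custom_set_symlink $file6` is called with the same argument shape as the IPv4 call, whereas every other IPv6 helper in this change takes an explicit `-6` (`check_ipf_syntax $ip6file -6`, `remove_rules $ip6file -6`). If custom_set_symlink links to `$IPFILCONF` unconditionally, the second call replaces the IPv4 symlink with the IPv6 file and leaves `$IP6FILCONF` untouched; the helper is outside this hunk, so please confirm it takes a family argument or add one. The `mktemp` result for `TEMP6` is also used unchecked, like the existing `TEMP` line, so a failed mktemp would make the `>>${TEMP6}` redirections fail and `replace_file ${IP6FILCONF} ${TEMP6}` install an empty name.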
@@ -797,23 +969,41 @@ create_global_rules() fi done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_6_PROP`; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${acmd} in log quick on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${acmd} in log quick from ${addr} to any" >>${TEMP6} + fi + done + if [ "$GLOBAL_POLICY" = "allow" ]; then # - # Allow DHCP traffic if running as a DHCP client + # Allow DHCP(v6) traffic if running as a DHCP client # /sbin/netstrategy | grep dhcp >/dev/null 2>&1 if [ $? -eq 0 ]; then echo "pass out log quick from any port = 68" \ "keep state" >>${TEMP} - echo "pass out log quick from any port = 546" \ - "keep state" >>${TEMP} echo "pass in log quick from any to any port = 68" >>${TEMP} - echo "pass in log quick from any to any port = 546" >>${TEMP} + + echo "pass out log quick from any port = 546" \ + "keep state" >>${TEMP6} + echo "pass in log quick from any to any port = 546" >>${TEMP6} fi echo "block in log all" >>${TEMP} + echo "block in log all" >>${TEMP6} fi replace_file ${IPFILCONF} ${TEMP} + replace_file ${IP6FILCONF} ${TEMP6} return $? } @@ -833,6 +1023,7 @@ create_global_ovr_rules() # if [ "$GLOBAL_POLICY" = "custom" ]; then echo "# 'custom' global policy" >$IPFILOVRCONF + echo "# 'custom' global policy" >$IP6FILOVRCONF return 0 fi @@ -842,6 +1033,7 @@ create_global_ovr_rules() ovr_policy=`global_get_prop_value $FW_CONFIG_OVR_PG $POLICY_PROP` if [ "$ovr_policy" = "none" ]; then echo "# global override policy is 'none'" >$IPFILOVRCONF + echo "# global override policy is 'none'" >$IP6FILOVRCONF return 0 fi 
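Review bot: The DHCPv6 rules are placed under the same `/sbin/netstrategy | grep dhcp` test as the IPv4 ones, but as far as I know that command reports the IPv4 address strategy, so a host using DHCPv6 without IPv4 DHCP gets no port 546 rules while one with IPv4 DHCP gets them regardless. More importantly, `block in log all` in `${TEMP6}` under the `allow` policy also drops inbound ICMPv6, and IPv6 neighbour discovery (NS/NA and RA) must be received for the stack to work at all, so the allow policy may break IPv6 connectivity rather than merely filter it. A pass for the ND ICMPv6 types should precede the catch-all, e.g. `echo "pass in log quick proto ipv6-icmp from any to any icmp-type 135" >>${TEMP6}` and likewise for types 136 and 134 (constructed example — check the keyword form against ipf.conf(4) before committing).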
@@ -865,7 +1057,24 @@ create_global_ovr_rules() fi done + apply2_6_list=`global_get_prop_value $FW_CONFIG_OVR_PG $APPLY2_6_PROP` + for name in $apply2_6_list; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${acmd} on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${acmd} from ${addr} to any" >>${TEMP6} + fi + done + replace_file ${IPFILOVRCONF} ${TEMP} + replace_file ${IP6FILOVRCONF} ${TEMP6} return $? } @@ -887,6 +1096,8 @@ svc_mark_maintenance() # ipfile=`fmri_to_file $1 $IPF_SUFFIX` [ -f "$ipfile" ] && mv $ipfile "$ipfile.bak" + ip6file=`fmri_to_file $1 $IPF6_SUFFIX` + [ -f "$ip6file" ] && mv $ip6file "$ip6file.bak" natfile=`fmri_to_file $1 $NAT_SUFFIX` [ -f "$natfile" ] && mv $natfile "$natfile.bak" @@ -945,6 +1156,25 @@ create_services_rules() CONF_FILES="$CONF_FILES $ipfile" fi + ip6file=`fmri_to_file $s $IPF6_SUFFIX` + if [ -n "$ip6file" -a -r "$ip6file" ]; then + check_ipf_syntax $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $s + continue + fi + + svc_is_server $s + if [ $? -eq 0 ]; then + check_ipf_rules $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $s + continue + fi + fi + CONF6_FILES="$CONF6_FILES $ip6file" + fi + natfile=`fmri_to_file $s $NAT_SUFFIX` if [ -n "$natfile" -a -r "$natfile" ]; then check_nat_syntax $natfile @@ -971,9 +1201,11 @@ service_update_rules() svc=$1 ipfile=`fmri_to_file $svc $IPF_SUFFIX` - [ -z "$ipfile" ] && return 0 + ip6file=`fmri_to_file $svc $IPF6_SUFFIX` + [ -n "$ipfile" ] && remove_rules $ipfile + [ -n "$ip6file" ] && remove_rules $ip6file -6 - remove_rules $ipfile + [ -z "$ipfile" -a -z "$ip6file" ] && return 0 natfile=`fmri_to_file $svc $NAT_SUFFIX` [ -n "$natfile" ] && remove_nat_rules $natfile 
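Review bot: The new apply_to_6 loop writes to `${TEMP6}` and the hunk ends with `replace_file ${IP6FILOVRCONF} ${TEMP6}`, but nothing in this hunk creates `TEMP6`. create_global_ovr_rules starts outside the hunk, so please confirm a `TEMP6=\`mktemp /var/run/ipf6.conf.pid$$.XXXXXX\`` matching the one in create_global_rules was added there; otherwise the `>>${TEMP6}` redirections fail and the IPv6 override file is replaced from an empty name. If it is there, a one-line comment at the top of this loop, `# IPv6 override rules go to TEMP6, created above`, would spare the next reader the same search.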
@@ -993,6 +1225,14 @@ service_update_rules() fi fi + if [ -f "$ip6file" ]; then + check_ipf_syntax $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $svc + return 1 + fi + fi + if [ -f "$natfile" ]; then check_nat_syntax $natfile if [ $? -ne 0 ]; then @@ -1021,6 +1261,26 @@ service_update_rules() prepend_new_rules $IPFILOVRCONF fi + if [ -f "$ip6file" ]; then + svc_is_server $svc + if [ $? -eq 0 ]; then + update_check_ipf_rules $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $svc + return 1 + fi + fi + + prepend_new_rules $ip6file -6 + + # + # reload Global Override rules to + # maintain correct ordering. + # + remove_rules $IP6FILOVRCONF -6 + prepend_new_rules $IP6FILOVRCONF -6 + fi + [ -f "$natfile" ] && append_new_nat_rules $natfile return 0 diff --git a/usr/src/cmd/syslogd/system-log.xml b/usr/src/cmd/syslogd/system-log.xml index 80f147f0fc..8802d363b7 100644 --- a/usr/src/cmd/syslogd/system-log.xml +++ b/usr/src/cmd/syslogd/system-log.xml @@ -23,6 +23,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different @@ -140,8 +142,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
diff --git a/usr/src/cmd/ypcmd/yp.sh b/usr/src/cmd/ypcmd/yp.sh index 0d690e65f1..277d970465 100644 --- a/usr/src/cmd/ypcmd/yp.sh +++ b/usr/src/cmd/ypcmd/yp.sh @@ -21,6 +21,7 @@ # # # Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # . /lib/svc/share/smf_include.sh @@ -32,6 +33,7 @@ create_client_ipf_rules() { FMRI=$1 file=`fmri_to_file $FMRI $IPF_SUFFIX` + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` domain=`domainname` 
@@ -43,44 +45,76 @@ create_client_ipf_rules() return fi echo "# $FMRI" >$file + echo "# $FMRI" >$file6 ypfile="/var/yp/binding/$domain/ypservers" if [ -f $ypfile ]; then tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + tports_6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + uports_6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` server_addrs="" + server_addrs_6="" for ypsvr in `grep -v '^[ ]*#' $ypfile`; do # - # Get corresponding IPv4 address in /etc/hosts + # Get corresponding IPv4/IPv6 addresses # - servers=`grep -v '^[ ]*#' /etc/hosts | awk ' { - if ($1 !~/:/) { - for (i=2; i<=NF; i++) { - if (s == $i) printf("%s ", $1); - } } - }' s="$ypsvr"` - - [ -z "$servers" ] && continue - server_addrs="$server_addrs $servers" - done + servers=`getent ipnodes $ypsvr | awk '/^:/{ print $1 }'` + servers_6=`getent ipnodes $ypsvr | awk '/:/{ print $1 }'` - [ -z "$server_addrs" ] && return 0 - for s in $server_addrs; do - if [ -n "$tports" ]; then - for tport in $tports; do - echo "pass in log quick proto tcp" \ - "from $s to any port = $tport" >>$file - done + if [ -n "$servers" ]; then + server_addrs="$server_addrs $servers" fi - if [ -n "$uports" ]; then - for uport in $uports; do - echo "pass in log quick proto udp" \ - "from $s to any port = $uport" >>$file - done + if [ -n "$servers_6" ]; then + server_addrs_6="$server_addrs_6 $servers" fi done + + if [ -n "$server_addrs" ]; then + for s in $server_addrs; do + if [ -n "$tports" ]; then + for tport in $tports; do + echo "pass in log quick" \ + "proto tcp from $s" \ + "to any port = $tport" \ + >>$file + done + fi + + if [ -n "$uports" ]; then + for uport in $uports; do + echo "pass in log quick" \ + "proto udp from $s" \ + "to any port = $uport" \ + >>$file + done + fi + done + fi + + if [ -n "$server_addrs_6" ]; then + for s in $server_addrs_6; do + if [ -n "$tports_6" ]; then + for tport in $tports_6; do + echo "pass in log quick" \ + "proto tcp from $s" \ 
+ "to any port = $tport" \ + >>$file6 + done + fi + + if [ -n "$uports_6" ]; then + for uport in $uports_6; do + echo "pass in log quick" \ + "proto udp from $s" \ + "to any port = $uport" \ + >>$file6 + done + fi + done + fi else # # How do we handle the client broadcast case? Server replies @@ -93,6 +127,8 @@ create_client_ipf_rules() # echo "pass in log quick proto udp from any to any" \ "port > 32768" >>$file + echo "pass in log quick proto udp from any to any" \ + "port > 32768" >>$file6 fi } |
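Review bot: The IPv4 selector `awk '/^:/{ print $1 }'` matches only lines that begin with a colon (such as `::1`), never an IPv4 address, so `servers` is always empty; the intended pattern is `awk '!/:/{ print $1 }'`. A few lines later the IPv6 branch appends the wrong variable, `server_addrs_6="$server_addrs_6 $servers"`, and should append `$servers_6`. Together these mean no server address is ever collected and no pass rule is written, so with a blocking global policy the NIS client's replies from its servers are dropped. Calling `getent ipnodes $ypsvr` once and splitting the result would avoid two lookups per server; note also that unlike the old /etc/hosts-only parse, getent follows nsswitch, so the allow-listed addresses now come from whatever name services ipnodes is configured with.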