| author | Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> | 2016-04-10 20:17:36 +0200 |
|---|---|---|
| committer | Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> | 2016-05-01 22:11:51 +0200 |
| commit | 545f15ae81ab124ab97b965c15f2873e0228fcb3 (patch) | |
| tree | 485a5e91b3006a5cf485e5c08bf022ac7a7fd8b3 /usr/src | |
| parent | 2bd8b3545dceb97f56401b7ad2a327e08d520574 (diff) | |
| download | illumos-joyent-545f15ae81ab124ab97b965c15f2873e0228fcb3.tar.gz | |
6883 SMF nis/client ipfilter support needs improvement
Reviewed by: Cody Mello <melloc@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/cmd/ypcmd/yp.sh | 58 |
1 files changed, 43 insertions, 15 deletions
diff --git a/usr/src/cmd/ypcmd/yp.sh b/usr/src/cmd/ypcmd/yp.sh
index 277d970465..773f74810e 100644
--- a/usr/src/cmd/ypcmd/yp.sh
+++ b/usr/src/cmd/ypcmd/yp.sh
@@ -36,6 +36,12 @@ create_client_ipf_rules()
file6=`fmri_to_file $FMRI $IPF6_SUFFIX` iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` domain=`domainname` + block_policy=$GLOBAL_BLOCK_POLICY + + if [ "$block_policy" = "return" ]; then + block_policy_tcp="return-rst" + block_policy_udp="return-icmp-as-dest" + fi if [ -z "$domain" ]; then return 0
@@ -60,31 +66,43 @@ create_client_ipf_rules()
# # Get corresponding IPv4/IPv6 addresses # - servers=`getent ipnodes $ypsvr | awk '/^:/{ print $1 }'` - servers_6=`getent ipnodes $ypsvr | awk '/:/{ print $1 }'` + servers=`getent ipnodes $ypsvr | \ /usr/xpg4/bin/awk '$1 ~ !/:/{ print $1 }'` + servers_6=`getent ipnodes $ypsvr | \ /usr/xpg4/bin/awk '$1 ~ /:/{ print $1 }'` if [ -n "$servers" ]; then server_addrs="$server_addrs $servers" fi if [ -n "$servers_6" ]; then - server_addrs_6="$server_addrs_6 $servers" + server_addrs_6="$server_addrs_6 $servers_6" fi done - if [ -n "$server_addrs" ]; then - for s in $server_addrs; do - if [ -n "$tports" ]; then - for tport in $tports; do + if [ -n "$tports" -o -n "$tports_6" ]; then + for tport in $tports $tports_6; do + echo "block $block_policy_tcp in log" \ "proto tcp from any to any" \ "port = $tport" >>$file + if [ -n "$server_addrs" ]; then + for s in $server_addrs; do echo "pass in log quick" \ "proto tcp from $s" \ "to any port = $tport" \ >>$file done fi + done + fi - if [ -n "$uports" ]; then - for uport in $uports; do + if [ -n "$uports" -o -n "$uports_6" ]; then + for uport in $uports $uports_6; do + echo "block $block_policy_udp in log" \ "proto udp from any to any" \ "port = $uport" >>$file + if [ -n "$server_addrs" ]; then + for s in $server_addrs; do echo "pass in log quick" \ "proto udp from $s" \ "to any port = $uport" \ 
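Review bot: `block_policy_tcp` and `block_policy_udp` are only assigned on the `return` branch of the new `if`, so for any other `$GLOBAL_BLOCK_POLICY` value they are left untouched and whatever the shell already holds under those names (normally nothing) is spliced into every generated `block` rule, while an unrecognised policy string is silently accepted as "drop". Initialising both before the test, `block_policy_tcp= block_policy_udp=`, makes the default an explicit plain `block`, and a comment such as `# GLOBAL_BLOCK_POLICY: "return" answers with RST / ICMP unreachable, anything else drops silently` would document the only two outcomes. Where `GLOBAL_BLOCK_POLICY` is set is outside this hunk, presumably the shared SMF ipfilter include. `create_client_ipf_rules` starts before this hunk and continues past it.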
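Review bot: The IPv4 selector `$1 ~ !/:/` in the new `servers=` assignment does not negate the pattern: in POSIX awk a `/:/` that is not the direct right operand of `~` is evaluated as `$0 ~ /:/`, so `!/:/` yields 0 or 1 and `$1` is then matched against the dynamic regex "0" or "1". Unless `/usr/xpg4/bin/awk` parses this differently, an IPv6 entry containing a `0` is collected into `$servers` and ends up in the IPv4 `pass` rules written to `$file`, while an IPv4 address containing no `1` digit is dropped and never gets a `pass` rule, leaving that NIS server cut off by the new unconditional `block` rule for its port. The not-match operator is what was intended: `/usr/xpg4/bin/awk '$1 !~ /:/{ print $1 }'`. The `servers_6` line (`$1 ~ /:/`) is correct as written. `create_client_ipf_rules` starts before this hunk and continues past it.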
@@ -94,19 +112,29 @@ create_client_ipf_rules()
done fi - if [ -n "$server_addrs_6" ]; then - for s in $server_addrs_6; do - if [ -n "$tports_6" ]; then - for tport in $tports_6; do + if [ -n "$tports_6" ]; then + for tport in $tports_6; do + echo "block $block_policy_tcp in log" \ "proto tcp from any to any" \ "port = $tport" >>$file6 + if [ -n "$server_addrs_6" ]; then + for s in $server_addrs_6; do echo "pass in log quick" \ "proto tcp from $s" \ "to any port = $tport" \ >>$file6 done fi + done + fi - if [ -n "$uports_6" ]; then - for uport in $uports_6; do + if [ -n "$uports_6" ]; then + for uport in $uports_6; do + echo "block $block_policy_udp in log" \ "proto udp from any to any" \ "port = $uport" >>$file6 + if [ -n "$server_addrs_6" ]; then + for s in $server_addrs_6; do echo "pass in log quick" \ "proto udp from $s" \ "to any port = $uport" \ |
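Review bot: The IPv6 file only iterates `$tports_6` / `$uports_6`, whereas the IPv4 hunk above loops over `$tports $tports_6` (and `$uports $uports_6`) for `$file`; if the IPv4 file is meant to cover both port lists and the IPv6 file only the v6-specific ones, a one-line comment saying so would stop the next reader from treating the asymmetry as a copy-paste slip, e.g. `# IPv4 rules cover both port lists; IPv6 rules only the IPv6-specific ones`. Note also that the `block` rules are now written even when `$server_addrs_6` is empty (for instance when `getent ipnodes` returns no IPv6 entry at rule-generation time), so the port is then closed to every IPv6 peer with no `pass` exception; fail-closed is presumably the intent, but it differs from the removed code, which wrote nothing in that case, and deserves a sentence in the function's header comment. `create_client_ipf_rules` starts before this hunk and continues past it.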
