author | Keith M Wesolowski <wesolows@foobazco.org> | 2014-12-12 01:07:53 +0000 |
---|---|---|
committer | Keith M Wesolowski <wesolows@foobazco.org> | 2014-12-12 01:12:52 +0000 |
commit | 9ac12c332066277450c2da11fcedba7860bfe040 (patch) | |
tree | d70d9933eacf79cff70289fc1696c1773a3fd4a3 /usr/src | |
parent | 86f171cce442c1619a2a5efbc1b6ec65e70975b3 (diff) | |
parent | b7070b7dbcc2758a7f87cefb69ad42887a287152 (diff) | |
download | illumos-joyent-9ac12c332066277450c2da11fcedba7860bfe040.tar.gz |
[illumos-gate merge]
commit b7070b7dbcc2758a7f87cefb69ad42887a287152
5427 memory leak in libzfs when doing rollback
commit 94bdecd9e84ae1042607002db3e64a6849da5874
5198 Want alternate global zone rule set for each ipf netstack
5197 Global zone should be able to manage NGZ ipf state
commit c67987612cd8324e1f3d1b5110086552d19a2d89
5200 ipf_stack_destroy error messages when halting zones
commit 2f443e27e5988131d8b57bec58ee15f9227e0899
5096 getaddrinfo doesn't properly handle AI_ADDRCONFIG | AI_V4MAPPED
commit e48cae6f8c603e9a18cdb49fdf939cd4e1753e62
4643 nss_dns fails to obtain dns ttls
Conflicts:
usr/src/uts/intel/ipf/ipf.global-objs.debug64
usr/src/uts/common/inet/ipf/solaris.c
usr/src/uts/common/inet/ipf/netinet/ipf_stack.h
usr/src/uts/common/inet/ipf/netinet/ip_fil.h
usr/src/uts/common/inet/ipf/ip_log.c
usr/src/uts/common/inet/ipf/ip_fil_solaris.c
usr/src/uts/common/inet/ipf/fil.c
usr/src/man/man1m/ippool.1m
usr/src/man/man1m/ipnat.1m
usr/src/man/man1m/ipf.1m
usr/src/lib/nsswitch/dns/common/dns_common.c
usr/src/lib/nsswitch/dns/Makefile.com
usr/src/lib/libzfs/common/libzfs_iter.c
usr/src/cmd/ipf/tools/ippool.c
usr/src/cmd/ipf/tools/ipnat.c
usr/src/cmd/ipf/tools/ipmon.c
usr/src/cmd/ipf/tools/ipfzone.c
usr/src/cmd/ipf/tools/ipfstat.c
usr/src/cmd/ipf/tools/ipfs.c
usr/src/cmd/ipf/tools/ipf.c
usr/src/cmd/ipf/lib/common/load_poolnode.c
usr/src/cmd/ipf/lib/common/load_pool.c
usr/src/cmd/ipf/lib/common/load_hashnode.c
usr/src/cmd/ipf/lib/common/load_hash.c
Diffstat (limited to 'usr/src')
28 files changed, 341 insertions, 404 deletions
diff --git a/usr/src/cmd/ipf/lib/common/load_hash.c b/usr/src/cmd/ipf/lib/common/load_hash.c index d91a831f44..ef65c26b75 100644 --- a/usr/src/cmd/ipf/lib/common/load_hash.c +++ b/usr/src/cmd/ipf/lib/common/load_hash.c @@ -8,20 +8,15 @@ * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2012, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" - -#if SOLARIS #include "ipfzone.h" -#endif static int hashfd = -1; @@ -41,12 +36,10 @@ ioctlfunc_t iocfunc; hashfd = open(IPLOOKUP_NAME, O_RDWR); if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; -#if SOLARIS if (setzone(hashfd) != 0) { close(hashfd); return -1; } -#endif for (n = 0, a = list; a != NULL; a = a->ipe_next) n++; diff --git a/usr/src/cmd/ipf/lib/common/load_hashnode.c b/usr/src/cmd/ipf/lib/common/load_hashnode.c index dd343f3ab1..d408d511c2 100644 --- a/usr/src/cmd/ipf/lib/common/load_hashnode.c +++ b/usr/src/cmd/ipf/lib/common/load_hashnode.c @@ -8,20 +8,15 @@ * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2012, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" - -#if SOLARIS #include "ipfzone.h" -#endif static int hashfd = -1; @@ -40,12 +35,10 @@ ioctlfunc_t iocfunc; hashfd = open(IPLOOKUP_NAME, O_RDWR); if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; -#if SOLARIS if (setzone(hashfd) != 0) { close(hashfd); return -1; } -#endif op.iplo_type = IPLT_HASH; op.iplo_unit = unit; 
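Review bot: In load_hashnode.c (and identically in load_hash.c above it), the OPT_DONOTHING path still reaches `setzone(hashfd)` with hashfd == -1 when the lookup device could not be opened, so a dry run with a zone specified hits the SIOCIPFZONESET ioctl on a bad descriptor and then `close(-1)` instead of continuing. ipf.c in this same change already guards the equivalent calls; `if (hashfd >= 0 && setzone(hashfd) != 0) {` keeps -n working here too. Whether setzone() returns early when no zone was named is not visible in this chunk, so the guard is cheap insurance either way. The enclosing load function starts before the hunk.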
diff --git a/usr/src/cmd/ipf/lib/common/load_pool.c b/usr/src/cmd/ipf/lib/common/load_pool.c index e09f77f6b4..ba246bb449 100644 --- a/usr/src/cmd/ipf/lib/common/load_pool.c +++ b/usr/src/cmd/ipf/lib/common/load_pool.c @@ -8,20 +8,15 @@ * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2012, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" - -#if SOLARIS #include "ipfzone.h" -#endif static int poolfd = -1; @@ -38,12 +33,10 @@ ioctlfunc_t iocfunc; poolfd = open(IPLOOKUP_NAME, O_RDWR); if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; -#if SOLARIS if (setzone(poolfd) != 0) { close(poolfd); return -1; } -#endif op.iplo_unit = plp->ipo_unit; op.iplo_type = IPLT_POOL; diff --git a/usr/src/cmd/ipf/lib/common/load_poolnode.c b/usr/src/cmd/ipf/lib/common/load_poolnode.c index 37c7ef861e..4203f0faa5 100644 --- a/usr/src/cmd/ipf/lib/common/load_poolnode.c +++ b/usr/src/cmd/ipf/lib/common/load_poolnode.c @@ -5,7 +5,7 @@ * * $Id: load_poolnode.c,v 1.3.2.1 2004/03/06 14:33:29 darrenr Exp $ * - * Copyright (c) 2012, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #include <fcntl.h> @@ -13,10 +13,7 @@ #include "ipf.h" #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" - -#if SOLARIS #include "ipfzone.h" -#endif static int poolfd = -1; @@ -35,12 +32,10 @@ ioctlfunc_t iocfunc; poolfd = open(IPLOOKUP_NAME, O_RDWR); if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; -#if SOLARIS if (setzone(poolfd) != 0) { close(poolfd); return -1; } -#endif op.iplo_unit = role; op.iplo_type = IPLT_POOL; diff --git a/usr/src/cmd/ipf/tools/ipf.c b/usr/src/cmd/ipf/tools/ipf.c index 97bee67b26..7a664c80e6 100644 --- a/usr/src/cmd/ipf/tools/ipf.c 
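Review bot: load_poolnode.c (and load_pool.c above it) has the same OPT_DONOTHING gap: after `open(IPLOOKUP_NAME, O_RDWR)` fails, execution continues into `setzone(poolfd)` with poolfd == -1, so a -n run with a zone given fails on the ioctl and calls `close(-1)`. Matching the guarded form used in ipf.c, `if (poolfd >= 0 && setzone(poolfd) != 0) {` would preserve the dry-run semantics. This is pre-existing rather than introduced by dropping the `#if SOLARIS`, but now that the call is unconditional it is worth fixing in the same pass. The enclosing function starts before the hunk.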
+++ b/usr/src/cmd/ipf/tools/ipf.c @@ -6,7 +6,7 @@ * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifdef __FreeBSD__ @@ -22,10 +22,7 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "netinet/ipl.h" - -#ifdef SOLARIS #include "ipfzone.h" -#endif #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; @@ -70,12 +67,7 @@ static void usage() { fprintf(stderr, "usage: ipf [-6AdDEGInoPrRsvVyzZ] %s %s %s", "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]", - "[-f filename] [-T <tuneopts>]"); -#if SOLARIS - fprintf(stderr, " [zonename]\n"); -#else - fprintf(stderr, "\n"); -#endif + "[-f filename] [-T <tuneopts>] [zonename]\n"); exit(1); } @@ -90,13 +82,14 @@ char *argv[]; if (argc < 2) usage(); -#if SOLARIS /* * We need to set the zone name before calling the functions - * in the switch statement below + * in the switch statement below. Note that ipf.c differs from the other + * tools in the ipfilter suite: the zone name is specified as the + * last argument, while the other tools use the -z option. ipf + * already has a -z option, so the last argument is used instead. */ getzonearg(argc, argv, optstr); -#endif while ((c = getopt(argc, argv, optstr)) != -1) { switch (c) @@ -131,6 +124,9 @@ char *argv[]; case 'F' : flushfilter(optarg); break; + case 'G' : + /* Already handled by getzonearg() above */ + break; case 'I' : opts ^= OPT_INACTIVE; break; @@ -208,12 +204,10 @@ int check; if ((fd = open(ipfdev, O_RDONLY)) == -1) perror("open device"); -#if SOLARIS if (setzone(fd) != 0) { close(fd); - return -1; + return -2; } -#endif return fd; } 
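Review bot: In opendevice(), `setzone(fd)` is still called after a failed open() has left fd == -1, so with a zone specified the open failure is reported through the ioctl as a zone error and the new `return -2` is taken (after a `close(-1)`) instead of -1. The log-flag code later in this same file guards the call; `if (fd != -1 && setzone(fd) != 0) {` does the same here. The -2 is also a new, undocumented sentinel — a one-line comment above opendevice() stating what callers do with -1 versus -2 would help, since those callers are outside the hunk.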
@@ -335,12 +329,10 @@ char *opt; if (opts & OPT_VERBOSE) printf("set state log flag\n"); xfd = open(IPSTATE_NAME, O_RDWR); -#if SOLARIS if (xfd >= 0 && setzone(xfd) != 0) { close(xfd); xfd = -1; } -#endif if (xfd >= 0) { logopt = 0; @@ -359,12 +351,10 @@ char *opt; if (opts & OPT_VERBOSE) printf("set nat log flag\n"); xfd = open(IPNAT_NAME, O_RDWR); -#if SOLARIS if (xfd >= 0 && setzone(xfd) != 0) { close(xfd); xfd = -1; } -#endif if (xfd >= 0) { logopt = 0; @@ -558,13 +548,10 @@ static int showversion() return 1; } -#if SOLARIS if (setzone(vfd) != 0) { close(vfd); return 1; } -#endif - if (ioctl(vfd, SIOCGETFS, &ipfo)) { perror("ioctl(SIOCGETFS)"); diff --git a/usr/src/cmd/ipf/tools/ipfs.c b/usr/src/cmd/ipf/tools/ipfs.c index 72296a09d0..e84168e25d 100644 --- a/usr/src/cmd/ipf/tools/ipfs.c +++ b/usr/src/cmd/ipf/tools/ipfs.c @@ -6,7 +6,7 @@ * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifdef __FreeBSD__ @@ -46,9 +46,7 @@ #include <resolv.h> #include "ipf.h" #include "netinet/ipl.h" -#if SOLARIS #include "ipfzone.h" -#endif #if !defined(lint) static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp"; @@ -91,11 +89,7 @@ char *progname; void usage() { -#if SOLARIS const char *zoneopt = "[-G|-z zonename] "; -#else - const char *zoneopt = ""; -#endif fprintf(stderr, "usage: %s %s[-nv] -l\n", progname, zoneopt); fprintf(stderr, "usage: %s %s[-nv] -u\n", progname, zoneopt); fprintf(stderr, "usage: %s %s[-nv] [-d <dir>] -R\n", progname, zoneopt); @@ -245,11 +239,9 @@ char *argv[]; else usage(); break; -#if SOLARIS case 'G' : setzonename_global(optarg); break; -#endif case 'i' : ifs = optarg; set = 1; @@ -304,11 +296,9 @@ char *argv[]; rw = 3; set = 1; break; -#if SOLARIS case 'z' : setzonename(optarg); break; -#endif case '?' : default : usage(); 
@@ -378,12 +368,10 @@ char *ipfdev; if ((fd = open(ipfdev, O_RDONLY)) == -1) perror("open device"); -#if SOLARIS if (setzone(fd) != 0) { close(fd); fd = -1; } -#endif return fd; } diff --git a/usr/src/cmd/ipf/tools/ipfstat.c b/usr/src/cmd/ipf/tools/ipfstat.c index 49ee7cd23d..f50b722bde 100644 --- a/usr/src/cmd/ipf/tools/ipfstat.c +++ b/usr/src/cmd/ipf/tools/ipfstat.c @@ -6,7 +6,7 @@ * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifdef __FreeBSD__ @@ -73,6 +73,7 @@ #if defined(__NetBSD__) || (__OpenBSD__) # include <paths.h> #endif +#include "ipfzone.h" #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; @@ -183,9 +184,7 @@ char *name; #else fprintf(stderr, " %s -t [-C] ", name); #endif -#ifdef SOLARIS fprintf(stderr, "[-G|-z zonename] "); -#endif fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n"); exit(1); } @@ -240,11 +239,7 @@ char *argv[]; switch (c) { case 'G' : -#if SOLARIS setzonename_global(optarg); -#else - usage(argv[0]); -#endif break; case 'M' : memf = optarg; @@ -255,11 +250,7 @@ char *argv[]; live_kernel = 0; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } } @@ -270,23 +261,22 @@ char *argv[]; perror("open(IPSTATE_NAME)"); exit(-1); } -#if SOLARIS + if (setzone(state_fd) != 0) { close(state_fd); exit(-1); } -#endif + if ((ipf_fd = open(device, O_RDONLY)) == -1) { fprintf(stderr, "open(%s)", device); perror(""); exit(-1); } -#if SOLARIS + if (setzone(ipf_fd) != 0) { close(ipf_fd); exit(-1); } -#endif } if (kern != NULL || memf != NULL) { @@ -334,6 +324,7 @@ char *argv[]; opts |= OPT_GROUPS; break; case 'G' : + /* Already handled by getzoneopt() above */ break; case 'h' : opts |= OPT_HITS; 
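Review bot: The new comment `/* Already handled by getzoneopt() above */` on `case 'G'` in ipfstat.c's second getopt() loop does not match this file: the visible first pass earlier in main() (`case 'G' : setzonename_global(optarg);` / `case 'z' : setzonename(optarg);`) handles the zone options directly rather than through getzoneopt(). Unless a getzoneopt() call exists outside the visible hunks, the comment should read `/* Already handled by the first getopt() pass above */`, and the matching `case 'z'` comment in the next hunk likewise. main() starts and ends outside this hunk.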
@@ -398,6 +389,7 @@ char *argv[]; opts |= OPT_UNDEF; break; case 'z' : + /* Already handled by getzoneopt() above */ break; default : usage(argv[0]); @@ -521,12 +513,10 @@ u_32_t *frfp; exit(-1); } -#if SOLARIS if (setzone(ipf_fd) != 0) { close(ipf_fd); exit(-1); } -#endif bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; diff --git a/usr/src/cmd/ipf/tools/ipfzone.c b/usr/src/cmd/ipf/tools/ipfzone.c index c52b3e879d..d4e1bb8427 100644 --- a/usr/src/cmd/ipf/tools/ipfzone.c +++ b/usr/src/cmd/ipf/tools/ipfzone.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Joyent, Inc. All rights reserved. + * Copyright (c) 2014 Joyent, Inc. All rights reserved. * Use is subject to license terms. * * See the IPFILTER.LICENCE file for details on licensing. @@ -21,12 +21,14 @@ static boolean_t do_setzone = 0; static int num_setzones = 0; extern int errno; +extern int opterr; extern int optind; extern char *optarg; /* * Get the zonename if it's the last argument and set the zonename - * in ipfzo to it + * in ipfzo to it. This is used by ipf(1m) only - all of the other tools + * specify the zone with the -z option, and therefore use getzoneopt() below. */ void getzonearg(int argc, char *argv[], const char *optstr) @@ -34,6 +36,12 @@ getzonearg(int argc, char *argv[], const char *optstr) int c; /* + * Don't warn about unknown options - let subsequent calls to + * getopt() handle this. + */ + opterr = 0; + + /* * getopt is also used here to set optind so that we can * determine if the last argument belongs to a flag or is * actually a zonename. @@ -47,10 +55,11 @@ getzonearg(int argc, char *argv[], const char *optstr) setzonename(argv[optind]); /* - * Reset optind so the next getopt call will go through all of argv - * again. + * Reset optind and opterr so the next getopt call will go through all + * of argv again and warn about unknown options. */ optind = 1; + opterr = 1; } /* 
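Review bot: `extern int opterr;` in ipfzone.c hand-declares a symbol that `<unistd.h>` already provides together with optind and optarg; the file already does this for errno, and adding another such declaration entrenches the pattern where `#include <unistd.h>` (and `<errno.h>`) is the portable form — whether unistd.h is already included is not visible here. Separately, getzonearg() restores `opterr = 1` unconditionally rather than the value it found, which is fine only as long as no caller sets opterr itself; a short comment such as `/* callers are assumed to leave opterr at its default */` would make that assumption explicit.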
@@ -61,6 +70,12 @@ getzoneopt(int argc, char *argv[], const char *optstr) { int c; + /* + * Don't warn about unknown options - let subsequent calls to + * getopt() handle this. + */ + opterr = 0; + while ((c = getopt(argc, argv, optstr)) != -1) { if (c == 'G') setzonename_global(optarg); @@ -70,14 +85,16 @@ getzoneopt(int argc, char *argv[], const char *optstr) } /* - * Reset optind so the next getopt call will go through all of argv - * again. + * Reset optind and opterr so the next getopt call will go through all + * of argv again and warn about unknown options. */ optind = 1; + opterr = 1; } /* - * Set the zonename in ipfzo to the given string + * Set the zonename in ipfzo to the given string: this is the zone all further + * ioctls will act on. */ void setzonename(const char *zonename) @@ -88,8 +105,8 @@ setzonename(const char *zonename) } /* - * Set the zonename in ipfo, and the gz flag to indicate that we want to - * act on the GZ-controlled stack + * Set the zonename in ipfo, and the gz flag. This indicates that we want all + * further ioctls to act on the GZ-controlled stack for that zone. */ void setzonename_global(const char *zonename) @@ -99,7 +116,9 @@ setzonename_global(const char *zonename) } /* - * Set the zone that all further ioctls will operate on + * Set the zone that all further ioctls will operate on. See the "GZ-controlled + * and per-zone stacks" note at the top of ip_fil_solaris.c for further + * explanation. */ int setzone(int fd) @@ -113,6 +132,13 @@ setzone(int fd) return (-1); } + if (ipzo.ipfz_gz == 1 && + getzoneidbyname(ipzo.ipfz_zonename) == GLOBAL_ZONEID) { + (void) fprintf(stderr, + "-G cannot be used with the global zone\n"); + return (-1); + } + if (ioctl(fd, SIOCIPFZONESET, &ipzo) == -1) { switch (errno) { case ENODEV: diff --git a/usr/src/cmd/ipf/tools/ipmon.c b/usr/src/cmd/ipf/tools/ipmon.c index 07d3d40be2..a91e23237a 100644 --- a/usr/src/cmd/ipf/tools/ipmon.c +++ b/usr/src/cmd/ipf/tools/ipmon.c 
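Review bot: The new -G-with-global-zone rejection in setzone() is a userland check only: any caller issuing SIOCIPFZONESET directly can still pass ipfz_gz == 1 with the global zone's name, so the kernel side in ip_fil_solaris.c (listed in the conflicts but not in this chunk) must reject that combination itself — worth confirming, since per the ipf(1m) ZONES text in this change only non-global zones have a GZ-controlled instance. getzoneidbyname() returns -1 for an unknown zone, which correctly falls through to the ioctl so the kernel reports nonexistent zones; a one-line comment such as `/* Advisory only; the kernel must reject this as well */` would record the intent. setzone() starts before this hunk.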
@@ -6,7 +6,7 @@ * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ @@ -80,9 +80,7 @@ #include "netinet/ip_state.h" #include "netinet/ip_proxy.h" #include "ipmon.h" -#if SOLARIS #include "ipfzone.h" -#endif #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; @@ -1345,15 +1343,10 @@ printipflog: static void usage(prog) char *prog; { -#if SOLARIS - const char *zoneopt = " [-G|-z zonename]"; -#else - const char *zoneopt = ""; -#endif - fprintf(stderr, "%s: [-abDFhnpstvxX]%s %s %s %s %s %s %s\n", - prog, zoneopt, "[-N device]", "[ [-o [NSI]] [-O [NSI]]", - "[-P pidfile]", "[-S device]", "[-f device]", - "filename"); + fprintf(stderr, "%s: [-abDFhnpstvxX] %s %s %s %s %s %s %s\n", + prog, "[-G|-z zonename]", "[-N device]", + "[ [-o [NSI]] [-O [NSI]]", "[-P pidfile]", "[-S device]", + "[-f device]", "filename"); exit(1); } @@ -1390,12 +1383,10 @@ FILE *log; exit(1); } -#if SOLARIS if (setzone(fd) != 0) { close(fd); exit(1); } -#endif if (ioctl(fd, SIOCIPFFB, &flushed) == 0) { printf("%d bytes flushed from log buffer\n", @@ -1469,13 +1460,11 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; -#if SOLARIS /* * We need to set the zone name before calling openlog in * the switch statement below */ getzoneopt(argc, argv, optstr); -#endif while ((c = getopt(argc, argv, optstr)) != -1) switch (c) @@ -1509,11 +1498,9 @@ char *argv[]; flushlogs(iplfile[1], log); flushlogs(iplfile[2], log); break; -#if SOLARIS case 'G' : /* Already handled by getzoneopt() above */ break; -#endif case 'n' : opts |= OPT_RESOLVE; break; @@ -1566,11 +1553,9 @@ char *argv[]; case 'X' : opts |= OPT_HEXHDR; break; -#if SOLARIS case 'z' : /* Already handled by getzoneopt() above */ break; -#endif default : case 'h' : case '?' : 
@@ -1608,12 +1593,11 @@ char *argv[]; /* NOTREACHED */ } -#if SOLARIS if (setzone(fd[i]) != 0) { close(fd[i]); exit(1); } -#endif + if (!(regular[i] = !S_ISCHR(sb.st_mode))) devices++; } diff --git a/usr/src/cmd/ipf/tools/ipnat.c b/usr/src/cmd/ipf/tools/ipnat.c index a7e37b0295..3a2610a235 100644 --- a/usr/src/cmd/ipf/tools/ipnat.c +++ b/usr/src/cmd/ipf/tools/ipnat.c @@ -8,7 +8,7 @@ * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #include <stdio.h> @@ -57,10 +57,7 @@ #include "ipf.h" #include "netinet/ipl.h" #include "kmem.h" - -#if SOLARIS #include "ipfzone.h" -#endif #ifdef __hpux # define nlist nlist64 @@ -102,11 +99,7 @@ void usage(name) char *name; { fprintf(stderr, "Usage: %s [-CdFhlnrRsv] [-f filename]", name); -#if SOLARIS fprintf(stderr, " [-G|-z zonename]\n"); -#else - fprintf(stderr, "\n"); -#endif exit(1); } @@ -143,11 +136,9 @@ char *argv[]; case 'F' : opts |= OPT_FLUSH; break; -#if SOLARIS case 'G' : setzonename_global(optarg); break; -#endif case 'h' : opts |=OPT_HITS; break; @@ -178,11 +169,9 @@ char *argv[]; case 'v' : opts |= OPT_VERBOSE; break; -#if SOLARIS case 'z' : setzonename(optarg); break; -#endif default : usage(argv[0]); } @@ -215,12 +204,11 @@ char *argv[]; STRERROR(errno)); exit(1); } -#if SOLARIS + if (setzone(fd) != 0) { close(fd); exit(1); } -#endif bzero((char *)&obj, sizeof(obj)); obj.ipfo_rev = IPFILTER_VERSION; diff --git a/usr/src/cmd/ipf/tools/ippool.c b/usr/src/cmd/ipf/tools/ippool.c index 3eca3e1776..d0296139a8 100644 --- a/usr/src/cmd/ipf/tools/ippool.c +++ b/usr/src/cmd/ipf/tools/ippool.c 
@@ -6,11 +6,9 @@ * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <sys/types.h> #include <sys/time.h> #include <sys/param.h> @@ -43,10 +41,7 @@ #include "netinet/ip_pool.h" #include "netinet/ip_htable.h" #include "kmem.h" - -#if SOLARIS #include "ipfzone.h" -#endif extern int ippool_yyparse __P((void)); extern int ippool_yydebug; @@ -77,11 +72,7 @@ int use_inet6 = 0; void usage(prog) char *prog; { -#if SOLARIS const char *zoneopt = "[-G|-z zonename] "; -#else - const char *zoneopt = ""; -#endif fprintf(stderr, "Usage:\t%s\n", prog); fprintf(stderr, "\t\t\t-a [-dnv] %s[-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n", zoneopt); @@ -164,11 +155,7 @@ char *argv[]; ippool_yydebug++; break; case 'G' : -#if SOLARIS setzonename_global(optarg); -#else - usage(argv[0]); -#endif break; case 'i' : s = strchr(optarg, '/'); @@ -206,11 +193,7 @@ char *argv[]; opts |= OPT_VERBOSE; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } @@ -257,11 +240,8 @@ char *argv[]; ippool_yydebug++; break; case 'G' : -#if SOLARIS setzonename_global(optarg); -#else - usage(argv[0]); -#endif + break; case 'm' : poolname = optarg; break; @@ -292,11 +272,7 @@ char *argv[]; opts |= OPT_VERBOSE; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } @@ -359,11 +335,7 @@ char *argv[], *infile; ippool_yydebug++; break; case 'G' : -#if SOLARIS setzonename_global(optarg); -#else - usage(argv[0]); -#endif break; case 'n' : opts |= OPT_DONOTHING; @@ -378,11 +350,7 @@ char *argv[], *infile; opts |= OPT_VERBOSE; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } 
@@ -395,12 +363,11 @@ char *argv[], *infile; perror("open(IPLOOKUP_NAME)"); exit(1); } -#if SOLARIS + if (setzone(fd) != 0) { close(fd); exit(1); } -#endif } if (ippool_parsefile(fd, infile, ioctl) != 0) @@ -435,11 +402,7 @@ char *argv[]; opts |= OPT_DEBUG; break; case 'G' : -#if SOLARIS setzonename_global(optarg); -#else - usage(argv[0]); -#endif break; case 'm' : poolname = optarg; @@ -473,11 +436,7 @@ char *argv[]; opts |= OPT_VERBOSE; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } @@ -490,12 +449,11 @@ char *argv[]; perror("open(IPLOOKUP_NAME)"); exit(1); } -#if SOLARIS + if (setzone(fd) != 0) { close(fd); exit(1); } -#endif } bzero((char *)&op, sizeof(op)); @@ -705,11 +663,7 @@ char *argv[]; opts |= OPT_DEBUG; break; case 'G' : -#if SOLARIS setzonename_global(optarg); -#else - usage(argv[0]); -#endif break; case 'M' : live_kernel = 0; @@ -738,11 +692,7 @@ char *argv[]; opts |= OPT_VERBOSE; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } @@ -755,12 +705,11 @@ char *argv[]; perror("open(IPLOOKUP_NAME)"); exit(1); } -#if SOLARIS + if (setzone(fd) != 0) { close(fd); exit(1); } -#endif } if (type == IPLT_ALL || type == IPLT_POOL) { @@ -832,11 +781,7 @@ char *argv[]; opts |= OPT_VERBOSE; break; case 'z' : -#if SOLARIS setzonename(optarg); -#else - usage(argv[0]); -#endif break; } @@ -849,12 +794,11 @@ char *argv[]; perror("open(IPLOOKUP_NAME)"); exit(1); } -#if SOLARIS + if (setzone(fd) != 0) { close(fd); exit(1); } -#endif } bzero((char *)&flush, sizeof(flush)); diff --git a/usr/src/lib/libzfs/common/libzfs_iter.c b/usr/src/lib/libzfs/common/libzfs_iter.c index 19ac0b2625..01c059fe61 100644 --- a/usr/src/lib/libzfs/common/libzfs_iter.c +++ b/usr/src/lib/libzfs/common/libzfs_iter.c 
@@ -22,7 +22,7 @@ /* * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013 by Delphix. All rights reserved. - * Copyright 2013 Nexenta Systems, Inc. All rights reserved. + * Copyright 2014 Nexenta Systems, Inc. All rights reserved. * Copyright (c) 2012, Joyent, Inc. All rights reserved. */ @@ -194,9 +194,6 @@ zfs_iter_bookmarks(zfs_handle_t *zhp, zfs_iter_f func, void *data) fnvlist_add_boolean(props, zfs_prop_to_name(ZFS_PROP_CREATETXG)); fnvlist_add_boolean(props, zfs_prop_to_name(ZFS_PROP_CREATION)); - /* Allocate an nvlist to hold the bookmarks. */ - bmarks = fnvlist_alloc(); - if ((err = lzc_get_bookmarks(zhp->zfs_name, props, &bmarks)) != 0) goto out; diff --git a/usr/src/lib/nsswitch/dns/common/dns_common.c b/usr/src/lib/nsswitch/dns/common/dns_common.c index 0195b1847c..7a267fe60c 100644 --- a/usr/src/lib/nsswitch/dns/common/dns_common.c +++ b/usr/src/lib/nsswitch/dns/common/dns_common.c @@ -36,6 +36,16 @@ #include <ifaddrs.h> #include <net/if.h> +#pragma weak dn_expand +#pragma weak res_ninit +#pragma weak res_ndestroy +#pragma weak res_nsearch +#pragma weak res_nclose +#pragma weak ns_get16 +#pragma weak ns_get32 +#pragma weak __ns_get16 +#pragma weak __ns_get32 + #define DNS_ALIASES 0 #define DNS_ADDRLIST 1 #define DNS_MAPDLIST 2 @@ -318,16 +328,15 @@ name_is_alias(char *aliases_ptr, char *name_ptr) { return (NSS_NOTFOUND); } - static int -_nss_has_interfaces(int *v4, int *v6) +_nss_has_interfaces(boolean_t *v4, boolean_t *v6) { struct ifaddrs *ifp, *i; struct in_addr in4; struct in6_addr in6; const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT; - *v4 = *v6 = 0; + *v4 = *v6 = B_FALSE; if (getifaddrs(&ifp) != 0) return (-1); 
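Review bot: With `bmarks = fnvlist_alloc();` removed from zfs_iter_bookmarks(), bmarks is only assigned by lzc_get_bookmarks(), so on the `goto out` error path it holds whatever the declaration left there unless it was initialised to NULL; if `out:` frees it (both the declaration and the label are outside this hunk) that is a free of an indeterminate pointer. Please confirm the declaration reads `nvlist_t *bmarks = NULL;`, or assign NULL explicitly before the call. A comment on the call noting that lzc_get_bookmarks() allocates the result and the caller owns it would also document why the old allocation was a leak.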
@@ -339,24 +348,24 @@ _nss_has_interfaces(int *v4, int *v6) continue; if (i->ifa_addr->sa_family == AF_INET) { - if (*v4 != 0) + if (*v4 != B_FALSE) continue; if (((struct sockaddr_in *)i->ifa_addr)-> sin_addr.s_addr == INADDR_ANY) continue; - *v4 = 1; + *v4 = B_TRUE; } if (i->ifa_addr->sa_family == AF_INET6) { - if (*v6 != 0) + if (*v6 != B_FALSE) continue; if (memcmp(&in6addr_any, &((struct sockaddr_in6 *)i->ifa_addr)->sin6_addr, sizeof (struct in6_addr)) == 0) continue; - *v6 = 1; + *v6 = B_TRUE; } } @@ -420,7 +429,7 @@ _nss_dns_gethost_withttl(void *buffer, size_t bufsize, int ipnode) int af; char *ap, *apc; int hlen = 0, alen, iplen, len, isans; - int has_v4 = 0, has_v6 = 0; + boolean_t has_v4 = B_FALSE, has_v6 = B_FALSE; int flags, family, pass2 = 0; statp = &stat; @@ -502,11 +511,11 @@ _nss_dns_gethost_withttl(void *buffer, size_t bufsize, int ipnode) return (NSS_ERROR); } /* Impossible situations... */ - if (family == AF_INET && has_v4 == 0) { + if (family == AF_INET && has_v4 == B_FALSE) { res_ndestroy(statp); return (NSS_NOTFOUND); } - if (family == AF_INET6 && has_v6 == 0 && + if (family == AF_INET6 && has_v6 == B_FALSE && !(flags & AI_V4MAPPED)) { res_ndestroy(statp); return (NSS_NOTFOUND); @@ -514,10 +523,10 @@ _nss_dns_gethost_withttl(void *buffer, size_t bufsize, int ipnode) if (family == AF_INET6 && has_v6) qtype = T_AAAA; if (family == AF_INET || (family == AF_INET6 && - has_v6 == 0 && flags & AI_V4MAPPED)) + has_v6 == B_FALSE && flags & AI_V4MAPPED)) qtype = T_A; } else { - has_v4 = has_v6 = 1; + has_v4 = has_v6 = B_TRUE; if (family == AF_INET6) qtype = T_AAAA; else 
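Review bot: _nss_has_interfaces() counts a loopback address as a configured interface: only INADDR_ANY and in6addr_any are skipped, so a host with just lo0 reports both has_v4 and has_v6 as B_TRUE and AI_ADDRCONFIG then issues both queries. RFC 3493 excludes loopback addresses from the AI_ADDRCONFIG determination; unless a flags check above the hunk already handles it, add `if (i->ifa_flags & IFF_LOOPBACK) continue;` beside the existing skips (`<net/if.h>` is already included). This is pre-existing behaviour — the commit only changed the int flags to boolean_t here — but the AI_ADDRCONFIG fix is the reason this function exists. The function starts in the previous hunk.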
@@ -556,6 +565,13 @@ searchagain: if (pass2 == 2) goto out; + /* + * If we're on the second pass (eg. we need to check both for A + * and AAAA records), or we were only ever doing a search for + * one type of record and are not supposed to do a second pass, + * then we need to return that we couldn't find anything to the + * user. + */ if (pass2 == 1 || flags == 0 || family == AF_INET || (family == AF_INET6 && !(flags & AI_V4MAPPED))) { pbuf->p_herrno = HOST_NOT_FOUND; @@ -564,8 +580,14 @@ searchagain: res_ndestroy(statp); return (NSS_NOTFOUND); } + + /* + * If we were only requested to search for flags on an IPv6 + * interface or we have no IPv4 interface, we stick to only + * doing a single pass and bail now. + */ if ((flags & AI_ADDRCONFIG) && !(flags & AI_ALL) && - has_v4 == 0) { + has_v4 == B_FALSE) { pbuf->p_herrno = HOST_NOT_FOUND; pbuf->p_status = NSS_NOTFOUND; pbuf->data_len = 0; @@ -727,7 +749,8 @@ searchagain: /* Depending on our flags we may need to go back another time. */ if (qtype == T_AAAA && family == AF_INET6 && - ((flags & AI_V4MAPPED) != 0) && ((flags & AI_ALL) != 0) && has_v4) { + ((flags & AI_V4MAPPED) != 0) && ((flags & AI_ALL) != 0) && + has_v4 == B_TRUE) { qtype = T_A; pass2 = 2; /* Indicate that we found data this pass */ goto searchagain; diff --git a/usr/src/man/man1m/ipf.1m b/usr/src/man/man1m/ipf.1m index 93267db577..57a3f4bb9a 100644 --- a/usr/src/man/man1m/ipf.1m +++ b/usr/src/man/man1m/ipf.1m 
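Review bot: The new comment above the AI_ADDRCONFIG test says "or we have no IPv4 interface" but the condition is a conjunction — AI_ADDRCONFIG set, AI_ALL clear, and no IPv4 interface — so it describes a different predicate than the code. Suggested wording: `/* AI_ADDRCONFIG without AI_ALL and no IPv4 interface: no second-pass T_A query is attempted, report not-found now. */`. As a style point, the `has_v4 == B_FALSE` / `has_v4 == B_TRUE` comparisons introduced with the boolean_t change read better as `!has_v4` / `has_v4`. _nss_dns_gethost_withttl() starts and ends outside this hunk.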
@@ -2,8 +2,8 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved. -.\" Portions Copyright (c) 2013, Joyent, Inc. All Rights Reserved. -.TH IPF 1M "Oct 30, 2013" +.\" Portions Copyright (c) 2014, Joyent, Inc. All Rights Reserved. +.TH IPF 1M "Oct 7, 2014" .SH NAME ipf \- alter packet filtering lists for IP packet input and output .SH SYNOPSIS @@ -15,7 +15,6 @@ ipf \- alter packet filtering lists for IP packet input and output .fi .SH DESCRIPTION -.sp .LP The \fBipf\fR utility is part of a suite of commands associated with the Solaris IP Filter feature. See \fBipfilter\fR(5). @@ -35,7 +34,6 @@ matching the order in which they appear when given to \fBipf\fR. \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files require \fBipf\fR to be run as root for all operations. .SS "Enabling Solaris IP Filter Feature" -.sp .LP Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. Use the following procedure to @@ -160,7 +158,6 @@ If you reboot your system, the IPfilter configuration is automatically activated. .RE .SH OPTIONS -.sp .LP The following options are supported: .sp @@ -472,7 +469,6 @@ affect fragment or state statistics. .RE .SH ZONES -.sp .LP Each non-global zone has two ipfilter instances: the in-zone ipfilter, which can be controlled from both the zone itself and the global zone, and the 
@@ -485,10 +481,12 @@ ipfilter settings for that zone, rather than the current one. The zonename option is only available in the Global Zone. Using it in any other zone will return an error. If the \fB-G\fR option is specified with this argument, the Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified, -the in-zone ipfilter is operated on. +the in-zone ipfilter is operated on. Note that ipf differs from the other +ipfilter tools in how the zone name is specified. It takes the zone name as the +last argument, while all of the other tools take the zone name as an argument +to the \fB-G\fR and \fB-z\fR options. .SH FILES -.sp .ne 2 .na \fB\fB/dev/ipauth\fR\fR @@ -527,7 +525,6 @@ Contains numerous IP Filter examples. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -543,7 +540,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M), \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat.conf\fR(4), @@ -552,7 +548,6 @@ Interface Stability Committed .LP \fI\fR .SH DIAGNOSTICS -.sp .LP Needs to be run as root for the packet filtering lists to actually be affected inside the kernel. diff --git a/usr/src/man/man1m/ipfs.1m b/usr/src/man/man1m/ipfs.1m index 5514e96ea9..38a7f50c7b 100644 --- a/usr/src/man/man1m/ipfs.1m +++ b/usr/src/man/man1m/ipfs.1m @@ -43,7 +43,6 @@ ipfs \- saves and restores information for NAT and state tables .fi .SH DESCRIPTION -.sp .LP The \fBipfs\fR utility enables the saving of state information across reboots. Specifically, the utility allows state information created for NAT entries and @@ -51,7 +50,6 @@ rules using "keep state" to be locked (modification prevented) and then saved to disk. Then, after a reboot, that information is restored. The result of this state-saving is that connections are not interrupted. .SH OPTIONS -.sp .LP The following options are supported: .sp 
@@ -221,7 +219,6 @@ used. This command is only available in the Global Zone. See \fBZONES\fR in \fB/dev/ipnat\fR .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -237,12 +234,10 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBattributes\fR(5), \fBzones(5)\fR .SH DIAGNOSTICS -.sp .LP Arguably, the \fB-W\fR and \fB-R\fR operations should set the locking and, rather than undo it, restore it to what it was previously. diff --git a/usr/src/man/man1m/ipfstat.1m b/usr/src/man/man1m/ipfstat.1m index ba46c2c44b..ba47f78725 100644 --- a/usr/src/man/man1m/ipfstat.1m +++ b/usr/src/man/man1m/ipfstat.1m @@ -19,7 +19,6 @@ ipfstat \- reports on packet filter statistics and filter list .fi .SH DESCRIPTION -.sp .LP The \fBipfstat\fR command is part of a suite of commands associated with the Solaris IP Filter feature. See \fBipfilter\fR(5). @@ -133,7 +132,6 @@ Only the first \fIX\fR-5 entries that match the sort and filter criteria are displayed (where \fIX\fR is the number of rows on the display). There is no way to see additional entries. .SH OPTIONS -.sp .LP The following options are supported: .sp @@ -402,7 +400,6 @@ for more information. \fB/dev/ipstate\fR .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -418,7 +415,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBkstat\fR(1M), \fBkstat\fR(3KSTAT), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR diff --git a/usr/src/man/man1m/ipmon.1m b/usr/src/man/man1m/ipmon.1m index 07574790b9..8873fe41c1 100644 --- a/usr/src/man/man1m/ipmon.1m +++ b/usr/src/man/man1m/ipmon.1m @@ -14,7 +14,6 @@ ipmon \- monitors /dev/ipl for logged packets .fi .SH DESCRIPTION -.sp .LP The \fBipmon\fR command is part of a suite of commands associated with the Solaris IP Filter feature. See \fBipfilter\fR(5). 
@@ -103,7 +102,6 @@ always being \fBicmp\fR, the next being the ICMP message and submessage type, separated by a slash. For example, \fBicmp 3/3\fR for a port unreachable message. .SH OPTIONS -.sp .LP The following options are supported: .sp @@ -390,7 +388,6 @@ for more information. \fB/dev/ipstate\fR .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -406,7 +403,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBipfstat\fR(1M), \fBipnat\fR(1M), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR @@ -414,7 +410,6 @@ Interface Stability Committed .LP \fI\fR .SH DIAGNOSTICS -.sp .LP \fBipmon\fR expects data that it reads to be consistent with how it should be saved and aborts if it fails an assertion which detects an anomaly in the diff --git a/usr/src/man/man1m/ipnat.1m b/usr/src/man/man1m/ipnat.1m index ed382fa7a9..e800988bb3 100644 --- a/usr/src/man/man1m/ipnat.1m +++ b/usr/src/man/man1m/ipnat.1m @@ -13,7 +13,6 @@ ipnat \- user interface to the NAT subsystem .fi .SH DESCRIPTION -.sp .LP The \fBipnat\fR utility opens a specified file (treating \fB-\fR as stdin) and parses it for a set of rules that are to be added or removed from the IP NAT. @@ -33,7 +32,6 @@ require \fBipnat\fR to be run as root for all operations. permissions of \fB/dev/ipnat\fR require \fBipnat\fR to be run as root for all operations. .SH OPTIONS -.sp .LP The following options are supported: .sp @@ -166,7 +164,6 @@ for more information. .RE .SH FILES -.sp .ne 2 .na \fB\fB/dev/ipnat\fR\fR @@ -207,7 +204,6 @@ Contains numerous IP Filter examples. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -223,7 +219,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBipfstat\fR(1M), \fBipnat\fR(4), \fBattributes\fR(5), \fBzones(5)\fR diff --git a/usr/src/man/man1m/ippool.1m b/usr/src/man/man1m/ippool.1m index c7cae2029e..b32e8355a6 100644 
--- a/usr/src/man/man1m/ippool.1m +++ b/usr/src/man/man1m/ippool.1m @@ -56,7 +56,6 @@ ippool \- user interface to the IP Filter pools .fi .SH DESCRIPTION -.sp .LP The \fBippool\fR utility is used to manage information stored in the IP pools subsystem of IP Filter software. Configuration file information can be parsed @@ -77,11 +76,9 @@ and the instance-specific options. \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files require \fBippool\fR to be run as root for all operations. .SH OPTIONS -.sp .LP \fBippool\fR supports the option categories described below. .SS "Global Options" -.sp .LP The following global options are supported: .sp @@ -137,7 +134,6 @@ information. .RE .SS "Instance-Specific Options" -.sp .LP The following instance-specific options are supported: .sp @@ -223,7 +219,6 @@ Display IP pool statistical information. .RE .SS "Other Options" -.sp .LP The following, additional options are supported: .sp @@ -307,7 +302,6 @@ kernel, unload it. .RE .SH FILES -.sp .ne 2 .na \fB\fB/dev/ippool\fR\fR @@ -335,7 +329,6 @@ Location of \fBippool\fR startup configuration file. .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -351,7 +344,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBipf\fR(1M), \fBipfstat\fR(1M), \fBippool\fR(4), \fBattributes\fR(5), \fBzones(5)\fR diff --git a/usr/src/man/man5/ipfilter.5 b/usr/src/man/man5/ipfilter.5 index dc9f213a4c..9b995d3c3b 100644 --- a/usr/src/man/man5/ipfilter.5 +++ b/usr/src/man/man5/ipfilter.5 
@@ -2,11 +2,11 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved. -.TH IPFILTER 5 "May 20, 2009" +.\" Portions Copyright (c) 2014, Joyent, Inc. All Rights Reserved. +.TH IPFILTER 5 "Oct 7, 2014" .SH NAME ipfilter \- IP packet filtering software .SH DESCRIPTION -.sp .LP IP Filter is software that provides packet filtering capabilities on a Solaris system. On a properly setup system, it can be used to build a firewall. @@ -16,7 +16,6 @@ Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. See \fBipf\fR(1M) for a procedure to enable and activate the IP Filter feature. .SH HOST-BASED FIREWALL -.sp .LP To simplify IP Filter configuration management, a firewall framework is created to allow users to configure IP Filter by expressing firewall policy at system @@ -34,14 +33,13 @@ Users can still specify their own ipf rule file if they choose not to take advantage of the framework. See \fBipf\fR(1M) and \fBipf\fR(4). .RE .SS "Model" -.sp .LP This section describes the host-based firewall framework. See svc.ipfd(1M) for details on how to configure firewall policies. .sp .LP -A three-layer approach with different precedence levels helps the user achieve -the desired behaviors. +In a given zone, a three-layer approach with different precedence levels helps +the user achieve the desired behaviors. .sp .ne 2 .na @@ -127,7 +125,6 @@ Deny all incoming traffic but allow from specified source(s). .RE .SS "Layers in Detail" -.sp .LP The first system-wide layer, Global Default, defines a firewall policy that applies to \fBany\fR incoming traffic, for example, allowing or blocking all 
@@ -157,7 +154,6 @@ overrides policies in the other layers, specifically overriding the needs of network services. The example is when it is desirable to block known malicious source(s) regardless of services' policies. .SS "User Interaction" -.sp .LP This framework leverages IP Filter functionality and is active only when \fBsvc:/network/ipfilter\fR is enabled and inactive when \fBnetwork/ipfilter\fR 
@@ -207,10 +203,95 @@ network service .el o changes to system-wide or per-service firewall policy results in an update to the system's firewall rules -.RE -.SH ATTRIBUTES + +.SS "In-Zone and Global Zone Controlled firewalls" +.LP +Each non-global zone in the system can potentially have two firewalls +configured: the in-zone firewall and the Global Zone controlled (GZ-controlled) +firewall. The in-zone firewall can be controlled and observed inside the zone +using the framework detailed above, or from the Global Zone. The GZ-controlled +firewall can only be controlled and observed from the Global Zone. The +GZ-controlled firewall is always "outermost" with respect to the zone. +.sp +.LP +For inbound traffic (from an external source to the zone), the traffic flow looks +like the following diagram. Traffic blocked by the GZ-controlled firewall will +not be processed by the in-zone firewall. +.sp +.in +2 +.nf + External Source + | + | +GZ-controlled Firewall + | + | + In-Zone Firewall + | + | + Zone +.fi +.in -2 +.sp +.LP +For outbound traffic (from the zone to an external destination), the traffic +flow looks like the following diagram. Traffic blocked by the in-zone firewall +will not be processed by the GZ-controlled firewall. +.sp +.in +2 +.nf + Zone + | + | + In-Zone Firewall + | + | +GZ-controlled Firewall + | + | + External Destination +.fi +.in -2 +.sp +.LP +Either of the in-Zone or GZ-controlled firewalls can be enabled, or both at the +same time. +.sp +.LP +The Global Zone does not have a GZ-controlled firewall, only an +in-zone firewall. For inbound traffic (from an external source to the global +zone), the traffic flow therefore looks like the following diagram. +.sp +.in +2 +.nf + External Source + | + | + In-Zone Firewall + | + | + Zone +.fi +.in -2 .sp .LP +For outbound traffic (from the global zone to an external destination), the +traffic flow looks like the following diagram. 
+.sp +.in +2 +.nf + Zone + | + | + In-Zone Firewall + | + | + External Destination +.fi +.in -2 + +.SH ATTRIBUTES +.LP See \fBattributes\fR(5) for a description of the following attributes: .sp @@ -225,7 +306,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBsvcs\fR(1), \fBipf\fR(1M), \fBipnat\fR(1M), \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4), \fBattributes\fR(5), @@ -234,7 +314,6 @@ Interface Stability Committed .LP \fISystem Administration Guide: IP Services\fR .SH NOTES -.sp .LP The \fBipfilter\fR service is managed by the service management facility, \fBsmf\fR(5), under the service identifier: diff --git a/usr/src/uts/common/inet/ipf/fil.c b/usr/src/uts/common/inet/ipf/fil.c index f96d2780e6..67a82d2f68 100644 --- a/usr/src/uts/common/inet/ipf/fil.c +++ b/usr/src/uts/common/inet/ipf/fil.c @@ -5,7 +5,7 @@ * * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. * - * Copyright (c) 2012, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #if defined(KERNEL) || defined(_KERNEL) @@ -136,7 +136,7 @@ struct file; # endif #endif #include "netinet/ipl.h" -#if defined(SOLARIS) && defined(_KERNEL) +#if defined(_KERNEL) #include <sys/sunddi.h> #endif /* END OF INCLUDES */ @@ -5709,7 +5709,7 @@ static int fr_objbytes[NUM_OBJ_TYPES][2] = { /* Set the zone ID in idsp based on the zone name in ipfzoneobj. Further */ /* ioctls will act on the IPF stack for that zone ID. */ /* ------------------------------------------------------------------------ */ -#if defined(SOLARIS) && defined(_KERNEL) +#if defined(_KERNEL) int fr_setzoneid(idsp, data) ipf_devstate_t *idsp; void *data; 
@@ -5725,6 +5725,13 @@ void *data; if (memchr(ipfzo.ipfz_zonename, '\0', ZONENAME_MAX) == NULL) return EFAULT; + /* + * The global zone doesn't have a GZ-controlled stack, so no + * sense in going any further + */ + if (strcmp(ipfzo.ipfz_zonename, "global") == 0) + return ENODEV; + if ((zone = zone_find_by_name(ipfzo.ipfz_zonename)) == NULL) return ENODEV; diff --git a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c index 7ece4fead6..0c3bb327ba 100644 --- a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c +++ b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c @@ -115,7 +115,7 @@ vmem_t *ipf_minor; /* minor number arena */ void *ipf_state; /* DDI state */ /* - * GZ and per-zone stacks: + * GZ-controlled and per-zone stacks: * * For each non-global zone, we create two ipf stacks: the per-zone stack and * the GZ-controlled stack. The per-zone stack can be controlled and observed @@ -209,10 +209,9 @@ ipf_stack_t *ifs; #define UNDO_HOOK(_f, _b, _e, _h) \ do { \ - int tmp; \ if (ifs->_f != NULL) { \ if (ifs->_b) { \ - tmp = net_hook_unregister(ifs->_f, \ + int tmp = net_hook_unregister(ifs->_f, \ _e, ifs->_h); \ ifs->_b = (tmp != 0 && tmp != ENXIO); \ if (!ifs->_b && ifs->_h != NULL) { \ 
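Review bot: The new `"global"` check returns ENODEV for every request that names the global zone, including one with `ipfz_gz == 0`, although the comment only justifies rejecting a GZ-controlled stack and ipf_find_stack's `orig_zone == isp->ipfs_zoneid` branch explicitly serves the global zone's own per-zone stack. If selecting the GZ's in-zone stack by name is meant to keep working, the guard should be `if (ipfzo.ipfz_gz != 0 && strcmp(ipfzo.ipfz_zonename, "global") == 0) return ENODEV;`; if rejecting both forms is intended, the comment should say so. Comparing against `GLOBAL_ZONENAME` from sys/zone.h rather than a string literal would also tie the check to the kernel's own definition. fr_setzoneid's body starts in the previous hunk and continues past this one.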
@@ -364,13 +363,15 @@ ipf_stack_t *ifs; return -1; /* - * For incoming packets, we want the GZ hooks to run before the - * per-zone hooks, regardless of what order they're are installed. + * For incoming packets, we want the GZ-controlled hooks to run before + * the per-zone hooks, regardless of what order they're are installed. + * See the "GZ-controlled and per-zone stacks" comment block at the top + * of this file. */ -#define HOOK_INIT_GZ_BEFORE(x, fn, n, gzn, a) \ - HOOK_INIT(x, fn, ifs->ifs_gz ? gzn : n, ifs); \ - (x)->h_hint = ifs->ifs_gz ? HH_BEFORE : HH_AFTER; \ - (x)->h_hintvalue = (uintptr_t) (ifs->ifs_gz ? n : gzn); +#define HOOK_INIT_GZ_BEFORE(x, fn, n, gzn, a) \ + HOOK_INIT(x, fn, ifs->ifs_gz_controlled ? gzn : n, ifs); \ + (x)->h_hint = ifs->ifs_gz_controlled ? HH_BEFORE : HH_AFTER; \ + (x)->h_hintvalue = (uintptr_t) (ifs->ifs_gz_controlled ? n : gzn); HOOK_INIT_GZ_BEFORE(ifs->ifs_ipfhook4_nicevents, ipf_nic_event_v4, hook4_nicevents, hook4_nicevents_gz, ifs); @@ -380,13 +381,15 @@ ipf_stack_t *ifs; hook4_loop_in, hook4_loop_in_gz, ifs); /* - * For outgoing packets, we want the GZ hooks to run after the - * per-zone hooks, regardless of what order they're are installed. + * For outgoing packets, we want the GZ-controlled hooks to run after + * the per-zone hooks, regardless of what order they're are installed. + * See the "GZ-controlled and per-zone stacks" comment block at the top + * of this file. */ -#define HOOK_INIT_GZ_AFTER(x, fn, n, gzn, a) \ - HOOK_INIT(x, fn, ifs->ifs_gz ? gzn : n, ifs); \ - (x)->h_hint = ifs->ifs_gz ? HH_AFTER : HH_BEFORE; \ - (x)->h_hintvalue = (uintptr_t) (ifs->ifs_gz ? n : gzn); +#define HOOK_INIT_GZ_AFTER(x, fn, n, gzn, a) \ + HOOK_INIT(x, fn, ifs->ifs_gz_controlled ? gzn : n, ifs); \ + (x)->h_hint = ifs->ifs_gz_controlled ? HH_AFTER : HH_BEFORE; \ + (x)->h_hintvalue = (uintptr_t) (ifs->ifs_gz_controlled ? n : gzn); HOOK_INIT_GZ_AFTER(ifs->ifs_ipfhook4_out, ipf_hook4_out, hook4_out, hook4_out_gz, ifs); 
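Review bot: The rewritten comment lines in this hunk and in the `@@ -380` hunk below still carry the typo "regardless of what order they're are installed"; since the lines are being rewritten anyway, `they are installed` is the fix. Both macros also declare a fifth parameter `a` that the expansion never uses — each body reads `ifs` from the enclosing scope while every call site passes `ifs` as that argument — so either drop the parameter or write `(a)` in place of `ifs` inside the macro so the dependency is explicit. The function these macros are expanded in starts outside the hunk.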
@@ -677,7 +680,6 @@ int *rp; ipf_stack_t *ifs; zoneid_t zid; ipf_devstate_t *isp; - boolean_t gz_stack; #ifdef IPFDEBUG cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n", @@ -697,36 +699,10 @@ int *rp; return EACCES; } - /* - * If we're in the GZ, determine if we're acting on a zone's stack, - * and whether or not that stack is the GZ-controlled or in-zone - * one. See the "GZ and per-zone stacks" note at the top of this - * file. - */ - if (zid == GLOBAL_ZONEID && (isp->ipfs_zoneid != -1)) { - /* Global zone, and we've set the zoneid for this fd already */ - - if (zid == isp->ipfs_zoneid) { - /* There's only a per-zone stack for the GZ */ - gz_stack = B_FALSE; - } else { - gz_stack = isp->ipfs_gz; - } - - zid = isp->ipfs_zoneid; - } else { - /* - * Non-global zone or GZ without having set a zoneid: act on - * the per-zone stack of the zone that this ioctl originated - * from. - */ - gz_stack = B_FALSE; - } - /* * ipf_find_stack returns with a read lock on ifs_ipf_global */ - ifs = ipf_find_stack(zid, gz_stack); + ifs = ipf_find_stack(zid, isp); if (ifs == NULL) return ENXIO; @@ -1069,7 +1045,7 @@ cred_t *cred; VERIFY(isp != NULL); isp->ipfs_minor = min; - isp->ipfs_zoneid = -1; + isp->ipfs_zoneid = IPFS_ZONE_UNSET; return 0; } @@ -1112,9 +1088,7 @@ cred_t *cp; ipf_stack_t *ifs; int ret; minor_t unit; - zoneid_t zid; ipf_devstate_t *isp; - boolean_t gz_stack; unit = getminor(dev); isp = ddi_get_soft_state(ipf_state, unit); 
@@ -1122,38 +1096,10 @@ cred_t *cp; return ENXIO; unit = isp->ipfs_minor; - zid = crgetzoneid(cp); - - /* - * If we're in the GZ, determine if we're acting on a zone's stack, - * and whether or not that stack is the GZ-controlled or in-zone - * one. See the "GZ and per-zone stacks" note at the top of this - * file. - */ - if (zid == GLOBAL_ZONEID && (isp->ipfs_zoneid != -1)) { - /* Global zone, and we've set the zoneid for this fd already */ - - if (zid == isp->ipfs_zoneid) { - /* There's only a per-zone stack for the GZ */ - gz_stack = B_FALSE; - } else { - gz_stack = isp->ipfs_gz; - } - - zid = isp->ipfs_zoneid; - } else { - /* - * Non-global zone or GZ without having set a zoneid: act on - * the per-zone stack of the zone that this ioctl originated - * from. - */ - gz_stack = B_FALSE; - } - /* * ipf_find_stack returns with a read lock on ifs_ipf_global */ - ifs = ipf_find_stack(zid, gz_stack); + ifs = ipf_find_stack(crgetzoneid(cp), isp); if (ifs == NULL) return ENXIO; @@ -1193,9 +1139,7 @@ cred_t *cp; { ipf_stack_t *ifs; minor_t unit; - zoneid_t zid; ipf_devstate_t *isp; - boolean_t gz_stack; unit = getminor(dev); isp = ddi_get_soft_state(ipf_state, unit); 
@@ -1206,35 +1150,7 @@ cred_t *cp; /* * ipf_find_stack returns with a read lock on ifs_ipf_global */ - zid = crgetzoneid(cp); - - /* - * If we're in the GZ, determine if we're acting on a zone's stack, - * and whether or not that stack is the GZ-controlled or in-zone - * one. See the "GZ and per-zone stacks" note at the top of this - * file. - */ - if (zid == GLOBAL_ZONEID && (isp->ipfs_zoneid != -1)) { - /* Global zone, and we've set the zoneid for this fd already */ - - if (zid == isp->ipfs_zoneid) { - /* There's only a per-zone stack for the GZ */ - gz_stack = B_FALSE; - } else { - gz_stack = isp->ipfs_gz; - } - - zid = isp->ipfs_zoneid; - } else { - /* - * Non-global zone or GZ without having set a zoneid: act on - * the per-zone stack of the zone that this ioctl originated - * from. - */ - gz_stack = B_FALSE; - } - - ifs = ipf_find_stack(zid, gz_stack); + ifs = ipf_find_stack(crgetzoneid(cp), isp); if (ifs == NULL) return ENXIO; diff --git a/usr/src/uts/common/inet/ipf/ip_log.c b/usr/src/uts/common/inet/ipf/ip_log.c index 5d40498671..d60a666b2d 100644 --- a/usr/src/uts/common/inet/ipf/ip_log.c +++ b/usr/src/uts/common/inet/ipf/ip_log.c @@ -8,7 +8,7 @@ * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * - * Copyright (c) 2012, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #include <sys/param.h> @@ -575,7 +575,9 @@ ipf_stack_t *ifs; while (ifs->ifs_iplt[unit] == NULL) { # if SOLARIS && defined(_KERNEL) /* - * Prevent a deadlock with ipldetach() + * Prevent a deadlock with ipldetach() - see the "ipfilter + * kernel module mutexes and locking" comment block in solaris.c + * for details. */ RWLOCK_EXIT(&ifs->ifs_ipf_global); if (!cv_wait_sig(&ifs->ifs_iplwait, &ifs->ifs_ipl_mutex.ipf_lk)) { diff --git a/usr/src/uts/common/inet/ipf/ip_state.c b/usr/src/uts/common/inet/ipf/ip_state.c index adf9ff9382..c1fe642d00 100644 --- a/usr/src/uts/common/inet/ipf/ip_state.c 
+++ b/usr/src/uts/common/inet/ipf/ip_state.c @@ -4,6 +4,8 @@ * See the IPFILTER.LICENCE file for details on licencing. * * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #if defined(KERNEL) || defined(_KERNEL) diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h index 3de0047f3b..479a8044f4 100644 --- a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h +++ b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h @@ -8,13 +8,14 @@ * * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. * - * Copyright (c) 2013, Joyent, Inc. All rights reserved. + * Copyright (c) 2014, Joyent, Inc. All rights reserved. */ #ifndef __IP_FIL_H__ #define __IP_FIL_H__ #include "netinet/ip_compat.h" +#include <sys/zone.h> #ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) @@ -108,10 +109,7 @@ #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR #define SIOCINSFR SIOCINAFR - -#ifdef SOLARIS # define SIOCIPFZONESET _IOWR('r', 97, struct ipfzoneobj) -#endif /* * What type of table is getting flushed? @@ -1171,16 +1169,19 @@ typedef struct ipfobj { u_char ipfo_xxxpad[32]; /* reserved for future use */ } ipfobj_t; -#if defined(SOLARIS) - -#include <sys/zone.h> - +/* + * ioctl struct for setting what zone further ioctls will act on. ipfz_gz is a + * boolean: set it to 1 to operate on the GZ-controlled stack. + */ typedef struct ipfzoneobj { - u_32_t ipfz_gz; /* GZ stack */ + u_32_t ipfz_gz; /* GZ stack boolean */ char ipfz_zonename[ZONENAME_MAX]; /* zone to act on */ } ipfzoneobj_t; #if defined(_KERNEL) +/* Set ipfs_zoneid to this if no zone has been set: */ +#define IPFS_ZONE_UNSET -2 + typedef struct ipf_devstate { zoneid_t ipfs_zoneid; minor_t ipfs_minor; 
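Review bot: `#include <sys/zone.h>` is now unconditional in a header that is also compiled for the userland ipf tools, where the removed `#if defined(SOLARIS)` guard previously kept the dependency out; this is consistent with the other SOLARIS-guard removals in the commit, but it makes ip_fil.h illumos-only by design and nothing records why. A one-line comment beside the include, e.g. `/* ZONENAME_MAX for struct ipfzoneobj; this header is illumos-only */`, would give the next reader the reason the include moved to the top level.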
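Review bot: `#define IPFS_ZONE_UNSET -2` is an unparenthesized negative literal; `#define IPFS_ZONE_UNSET ((zoneid_t)-2)` avoids surprises in expressions and matches the type of the `ipfs_zoneid` field it initialises. The comment should also say why -2 was chosen over the -1 the old code used — presumably to stay clear of the -1 value sys/zone.h already reserves — e.g. `/* ipfs_zoneid value meaning no SIOCIPFZONESET has been issued on this fd yet; -1 is reserved by sys/zone.h */`, since a reader otherwise only sees that the sentinel changed.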
@@ -1188,8 +1189,6 @@ typedef struct ipf_devstate { } ipf_devstate_t; #endif -#endif - #define IPFOBJ_FRENTRY 0 /* struct frentry */ #define IPFOBJ_IPFSTAT 1 /* struct friostat */ #define IPFOBJ_IPFINFO 2 /* struct fr_info */ @@ -1377,7 +1376,6 @@ extern void ipfilterattach __P((int)); extern int ipl_enable __P((void)); extern int ipl_disable __P((void)); # ifdef MENTAT -extern ipf_stack_t *ipf_find_stack(const zoneid_t zone, boolean_t gz); extern int fr_check __P((struct ip *, int, void *, int, void *, mblk_t **, ipf_stack_t *)); # if SOLARIS @@ -1390,6 +1388,7 @@ extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *)); extern int fr_make_rst __P((fr_info_t *)); extern int fr_make_icmp __P((fr_info_t *)); extern void fr_calc_chksum __P((fr_info_t *, mb_t *)); +extern ipf_stack_t *ipf_find_stack(const zoneid_t, ipf_devstate_t *); # endif extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *)); @@ -1601,7 +1600,7 @@ extern int ipf_earlydrop __P((int, ipftq_t *, int, ipf_stack_t *)); extern u_32_t ipf_random __P((void)); #endif -#if defined(SOLARIS) && defined(_KERNEL) +#if defined(_KERNEL) extern int fr_setzoneid __P((ipf_devstate_t *, void *)); #endif diff --git a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h index f13d363bbc..9aa2478c6a 100644 --- a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h +++ b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h @@ -43,10 +43,10 @@ struct ipf_stack { struct ipf_stack *ifs_next; struct ipf_stack **ifs_pnext; - struct ipf_stack *ifs_pgz; + struct ipf_stack *ifs_gz_cont_ifs; netid_t ifs_netid; zoneid_t ifs_zone; - boolean_t ifs_gz; + boolean_t ifs_gz_controlled; /* ipf module */ fr_info_t ifs_frcache[2][8]; diff --git a/usr/src/uts/common/inet/ipf/solaris.c b/usr/src/uts/common/inet/ipf/solaris.c index 093a599649..5d56debc31 100644 --- a/usr/src/uts/common/inet/ipf/solaris.c 
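Review bot: The new `ipf_find_stack` prototype takes `ipf_devstate_t *`, but that typedef is only visible under `#if defined(_KERNEL)` earlier in this header, while the declaration sits in the `# if SOLARIS` block whose outer conditionals begin outside the hunk; if that block is reachable from a non-kernel compile the declaration names an undefined type. It also omits the `__P((...))` wrapper every neighbouring declaration uses; `extern ipf_stack_t *ipf_find_stack __P((const zoneid_t, ipf_devstate_t *));` keeps the file consistent.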
+++ b/usr/src/uts/common/inet/ipf/solaris.c @@ -268,8 +268,9 @@ static int ipf_kstat_update(kstat_t *ksp, int rwflag); static void ipf_kstat_init(ipf_stack_t *ifs, boolean_t from_gz) { - ifs->ifs_kstatp[0] = net_kstat_create(ifs->ifs_netid, "ipf", 0, - (from_gz ? "inbound_gz" : "inbound"), "net", KSTAT_TYPE_NAMED, + ifs->ifs_kstatp[0] = net_kstat_create(ifs->ifs_netid, + (from_gz ? "ipf_gz" : "ipf"), + 0, "inbound", "net", KSTAT_TYPE_NAMED, sizeof (filter_kstats_t) / sizeof (kstat_named_t), 0); if (ifs->ifs_kstatp[0] != NULL) { bcopy(&ipf_kstat_tmp, ifs->ifs_kstatp[0]->ks_data, @@ -279,8 +280,9 @@ ipf_kstat_init(ipf_stack_t *ifs, boolean_t from_gz) kstat_install(ifs->ifs_kstatp[0]); } - ifs->ifs_kstatp[1] = net_kstat_create(ifs->ifs_netid, "ipf", 0, - (from_gz ? "outbound_gz" : "outbound"), "net", KSTAT_TYPE_NAMED, + ifs->ifs_kstatp[1] = net_kstat_create(ifs->ifs_netid, + (from_gz ? "ipf_gz" : "ipf"), + 0, "outbound", "net", KSTAT_TYPE_NAMED, sizeof (filter_kstats_t) / sizeof (kstat_named_t), 0); if (ifs->ifs_kstatp[1] != NULL) { bcopy(&ipf_kstat_tmp, ifs->ifs_kstatp[1]->ks_data, @@ -446,8 +448,8 @@ ipf_stack_create_one(const netid_t id, const zoneid_t zid, boolean_t from_gz, RWLOCK_INIT(&ifs->ifs_ipf_frcache, "ipf cache rwlock"); ifs->ifs_netid = id; ifs->ifs_zone = zid; - ifs->ifs_gz = from_gz; - ifs->ifs_pgz = ifs_gz; + ifs->ifs_gz_controlled = from_gz; + ifs->ifs_gz_cont_ifs = ifs_gz; ipf_kstat_init(ifs, from_gz); 
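Review bot: The kstat rename in this hunk and the `@@ -279` hunk below moves the GZ-controlled statistics from module `ipf`, names `inbound_gz`/`outbound_gz`, to module `ipf_gz`, names `inbound`/`outbound`, which is a visible interface change for anything reading the old names through kstat(3KSTAT); ipfstat.c appears in the merge's conflict list so it is presumably updated, but the commit record does not mention the rename. A short comment above the first call, e.g. `/* GZ-controlled stacks publish under module "ipf_gz" so the two stacks of a zone can both use instance 0 */`, would record the rationale if that is indeed the reason.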
@@ -486,28 +488,65 @@ ipf_stack_create(const netid_t id) /* * Create two ipfilter stacks for a zone - the first can only be * controlled from the global zone, and the second is owned by - * the zone itself. There is no need to create a GZ-controlled + * the zone itself. There is no need to create a GZ-controlled * stack for the global zone, since we're already in the global - * zone. + * zone. See the "GZ-controlled and per-zone stacks" comment block in + * ip_fil_solaris.c for details. */ if (zid != GLOBAL_ZONEID) ifs = ipf_stack_create_one(id, zid, B_TRUE, NULL); - return ipf_stack_create_one(id, zid, B_FALSE, ifs); + return (ipf_stack_create_one(id, zid, B_FALSE, ifs)); } /* + * Find an ipfilter stack for the given zone. Return the GZ-controlled or + * per-zone stack if set by an earlier SIOCIPFZONESET ioctl call. See the + * "GZ-controlled and per-zone stacks" comment block in ip_fil_solaris.c for + * details. + * * This function returns with the ipf_stack_t's ifs_ipf_global - * read lock held (if the stack is found). + * read lock held (if the stack is found). See the "ipfilter kernel module + * mutexes and locking" comment block at the top of this file. */ ipf_stack_t * -ipf_find_stack(const zoneid_t zone, const boolean_t gz) +ipf_find_stack(const zoneid_t orig_zone, ipf_devstate_t *isp) { ipf_stack_t *ifs; + boolean_t gz_stack; + zoneid_t zone; + + /* + * If we're in the GZ, determine if we're acting on a zone's stack, + * and whether or not that stack is the GZ-controlled or in-zone + * one. See the "GZ and per-zone stacks" note at the top of this + * file. 
+ */ + if (orig_zone == GLOBAL_ZONEID && + (isp->ipfs_zoneid != IPFS_ZONE_UNSET)) { + /* Global zone, and we've set the zoneid for this fd already */ + + if (orig_zone == isp->ipfs_zoneid) { + /* There's only a per-zone stack for the GZ */ + gz_stack = B_FALSE; + } else { + gz_stack = isp->ipfs_gz; + } + + zone = isp->ipfs_zoneid; + } else { + /* + * Non-global zone or GZ without having set a zoneid: act on + * the per-zone stack of the zone that this ioctl originated + * from. + */ + gz_stack = B_FALSE; + zone = orig_zone; + } mutex_enter(&ipf_stack_lock); for (ifs = ipf_stacks; ifs != NULL; ifs = ifs->ifs_next) { - if (ifs->ifs_zone == zone && ifs->ifs_gz == gz) + if (ifs->ifs_zone == zone && ifs->ifs_gz_controlled == gz_stack) break; } @@ -518,7 +557,6 @@ ipf_find_stack(const zoneid_t zone, const boolean_t gz) return (ifs); } - static int ipf_detach_check_zone(ipf_stack_t *ifs) { /* @@ -574,8 +612,8 @@ ipf_stack_shutdown(const netid_t id, void *arg) /* * The GZ-controlled stack */ - if (ifs->ifs_pgz != NULL) - ipf_kstat_fini(ifs->ifs_pgz); + if (ifs->ifs_gz_cont_ifs != NULL) + ipf_kstat_fini(ifs->ifs_gz_cont_ifs); /* * The per-zone stack @@ -637,7 +675,8 @@ ipf_stack_destroy_one(const netid_t id, ipf_stack_t *ifs) /* * Destroy things for ipf for both the per-zone ipf stack and the - * GZ-controlled stack for the same zone, if it exists. + * GZ-controlled stack for the same zone, if it exists. See the "GZ-controlled + * and per-zone stacks" comment block in ip_fil_solaris.c for details. */ /* ARGSUSED */ static void @@ -648,8 +687,8 @@ ipf_stack_destroy(const netid_t id, void *arg) /* * The GZ-controlled stack */ - if (ifs->ifs_pgz != NULL) - ipf_stack_destroy_one(id, ifs->ifs_pgz); + if (ifs->ifs_gz_cont_ifs != NULL) + ipf_stack_destroy_one(id, ifs->ifs_gz_cont_ifs); /* * The per-zone stack diff --git a/usr/src/uts/sparc/ipf/ipf.global-objs.debug64 b/usr/src/uts/sparc/ipf/ipf.global-objs.debug64 index 26a0777190..cb3e5485b2 100644 
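Review bot: The comment moved into ipf_find_stack still says `See the "GZ and per-zone stacks" note at the top of this file`, but that block lives in ip_fil_solaris.c and this same commit renames it to "GZ-controlled and per-zone stacks", so the reference is stale on both counts; the function's new header comment a few lines up already has the correct wording to copy. `isp` is dereferenced unconditionally (`isp->ipfs_zoneid`); the iplread and iplwrite hunks show their ddi_get_soft_state result being checked before the call, while the iplioctl hunk's check is outside its visible lines, so a `VERIFY(isp != NULL);` at the top or a comment stating the caller contract would make the precondition explicit. The `orig_zone == GLOBAL_ZONEID` test is also what keeps a non-global zone's descriptor from being steered to another zone's stack through a stored ipfs_zoneid, and that deserves a one-line comment naming it as the authorization boundary rather than a convenience.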
--- a/usr/src/uts/sparc/ipf/ipf.global-objs.debug64 +++ b/usr/src/uts/sparc/ipf/ipf.global-objs.debug64 @@ -22,6 +22,8 @@ # Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2013 Joyent, Inc. All rights reserved +# hook4_vnd_in hook4_vnd_out @@ -31,6 +33,26 @@ fr_availfuncs fr_features fr_objbytes hdrsizes +hook4_in +hook4_in_gz +hook4_loop_in +hook4_loop_in_gz +hook4_loop_out +hook4_loop_out_gz +hook4_nicevents +hook4_nicevents_gz +hook4_out +hook4_out_gz +hook6_in +hook6_in_gz +hook6_loop_in +hook6_loop_in_gz +hook6_loop_out +hook6_loop_out_gz +hook6_nicevents +hook6_nicevents_gz +hook6_out +hook6_out_gz icmpreplytype4 icmpreplytype6 icmptoicmp6types @@ -41,10 +63,12 @@ ipf_cb_ops ipf_dev_info ipf_devfiles ipf_kstat_tmp +ipf_minor ipf_ops ipf_proxy_debug ipf_stack_lock ipf_stacks +ipf_state ipfilter_version ipfncb ipl_magic @@ -60,9 +84,9 @@ rcsid sccsid secopt tcpopts +lastx _drand48_a _drand48_c _drand48_x init48done seed_lock -lastx |