Diffstat (limited to 'usr/src/cmd/ipf')
| -rw-r--r-- | usr/src/cmd/ipf/svc/ipfilter | 18 | ||||
| -rw-r--r-- | usr/src/cmd/ipf/svc/ipfilter.xml | 148 |
2 files changed, 158 insertions, 8 deletions
diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter
index 6be1eeb7cc..2e6f2189f6 100644
--- a/usr/src/cmd/ipf/svc/ipfilter
+++ b/usr/src/cmd/ipf/svc/ipfilter
@@ -23,6 +23,8 @@
 # Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 # Use is subject to license terms.
 #
+# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
+#
 
 . /lib/svc/share/smf_include.sh
 . /lib/svc/share/ipf_include.sh
@@ -48,6 +50,7 @@ logmsg()
 
 load_ipf() {
 	bad=0
 	ipf -IFa
+	ipf -6IFa
 	for file in $IPFILOVRCONF $CONF_FILES $IPFILCONF; do
 		if [ -r ${file} ]; then
@@ -60,13 +63,16 @@ load_ipf() {
 		fi
 	done
 
-	if [ -r ${IP6FILCONF} ]; then
-		ipf -6IFa -f ${IP6FILCONF}
-		if [ $? != 0 ]; then
-			echo "$0: load of ${IP6FILCONF} into alternate set failed"
-			bad=1
+	for file in $IP6FILOVRCONF $CONF6_FILES $IP6FILCONF; do
+		if [ -r ${file} ]; then
+			ipf -6I -f ${file}
+			if [ $? != 0 ]; then
+				echo "$0: load of ${file} into alternate set failed"
+				bad=1
+			fi
 		fi
-	fi
+	done
+
 	if [ $bad -eq 0 ] ; then
 		ipf -s -y
 		return 0
diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml
index 4729deb085..e4a70405c1 100644
--- a/usr/src/cmd/ipf/svc/ipfilter.xml
+++ b/usr/src/cmd/ipf/svc/ipfilter.xml
@@ -2,6 +2,7 @@
 <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
 <!--
  Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
+ Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
 
  CDDL HEADER START
 
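Review bot: In the third hunk of load_ipf(), the new unconditional `ipf -6IFa` flush followed by the existing `ipf -s -y` swap means that when none of $IP6FILOVRCONF, $CONF6_FILES or $IP6FILCONF is readable, the now-empty inactive IPv6 set is made active without any message, so IPv6 is left with no rules while IPv4 is still filtered (ipf passes traffic by default when a set has no rules, unless it was built to block by default — worth confirming for this build). The old code had the related problem of swapping in a stale IPv6 set, so the flush is an improvement, but the silent-empty case deserves at least a warning; for example, set a flag when any `ipf -6I -f ${file}` succeeds and otherwise emit `logmsg "$0: no IPv6 ipfilter configuration loaded; IPv6 rule set is empty"` before the swap. The `if [ $? != 0 ]` pattern could also be written as `if ! ipf -6I -f ${file}; then`, which avoids the separate status test. load_ipf() continues past the end of this hunk, so the failure path after `return 0` is not visible here.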
@@ -103,9 +104,15 @@
 		<property_group name='firewall_config_default'
 		    type='com.sun,fw_configuration'>
 			<propval name='policy' type='astring' value='none' />
+			<propval name='block_policy' type='astring'
+			    value='none' />
 			<propval name='custom_policy_file' type='astring' value='' />
 			<propval name='apply_to' type='astring' value='' />
+			<propval name='apply_to_6' type='astring' value='' />
 			<propval name='exceptions' type='astring' value='' />
+			<propval name='exceptions_6' type='astring' value='' />
+			<propval name='target' type='astring' value='' />
+			<propval name='target_6' type='astring' value='' />
 			<propval name='open_ports' type='astring' value='' />
 			<propval name='version' type='count' value='0' />
 			<propval name='value_authorization' type='astring'
@@ -115,7 +122,10 @@
 		<property_group name='firewall_config_override'
 		    type='com.sun,fw_configuration'>
 			<propval name='policy' type='astring' value='none' />
+			<propval name='block_policy' type='astring'
+			    value='none' />
 			<propval name='apply_to' type='astring' value='' />
+			<propval name='apply_to_6' type='astring' value='' />
 			<propval name='value_authorization' type='astring'
 			    value='solaris.smf.value.firewall.config' />
 		</property_group>
@@ -209,6 +219,47 @@ Apply the custom ipfilter configuration stored in a custom file (custom file pro
 					<include_values type='values'/>
 				</choices>
 			</prop_pattern>
+			<prop_pattern name='block_policy' type='astring'
+			    required='false'>
+				<common_name>
+					<loctext xml:lang='C'>
+Firewall block policy
+					</loctext>
+				</common_name>
+				<description>
+					<loctext xml:lang='C'>
+Service firewall block policy.
+					</loctext>
+				</description>
+				<visibility value='readwrite'/>
+				<cardinality min='1' max='1'/>
+				<values>
+					<value name='use_global'>
+						<description>
+							<loctext xml:lang='C'>
+Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value.
+							</loctext>
+						</description>
+					</value>
+					<value name='none'>
+						<description>
+							<loctext xml:lang='C'>
+Block by dropping packets.
+							</loctext>
+						</description>
+					</value>
+					<value name='return'>
+						<description>
+							<loctext xml:lang='C'>
+Block by returning RST or ICMP messages.
+							</loctext>
+						</description>
+					</value>
+				</values>
+				<choices>
+					<include_values type='values'/>
+				</choices>
+			</prop_pattern>
 			<prop_pattern name="apply_to" type="astring"
 			    required="false">
 				<common_name>
@@ -218,7 +269,20 @@ Apply policy to
 				</common_name>
 				<description>
 					<loctext xml:lang="C">
-The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
+The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
+					</loctext>
+				</description>
+			</prop_pattern>
+			<prop_pattern name="apply_to_6" type="astring"
+			    required="false">
+				<common_name>
+					<loctext xml:lang='C'>
+Apply policy to
+					</loctext>
+				</common_name>
+				<description>
+					<loctext xml:lang="C">
+The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
 					</loctext>
 				</description>
 			</prop_pattern>
@@ -231,7 +295,46 @@ Make exceptions to
 				</common_name>
 				<description>
 					<loctext xml:lang="C">
-The host and network IPs, network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept.
+The source host and network IPv4 addresses, incoming network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept.
+					</loctext>
+				</description>
+			</prop_pattern>
+			<prop_pattern name="exceptions_6" type="astring"
+			    required="false">
+				<common_name>
+					<loctext xml:lang='C'>
+Make exceptions to
+					</loctext>
+				</common_name>
+				<description>
+					<loctext xml:lang="C">
+The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept.
+					</loctext>
+				</description>
+			</prop_pattern>
+			<prop_pattern name="target" type="astring"
+			    required="false">
+				<common_name>
+					<loctext xml:lang='C'>
+Apply policy to
+					</loctext>
+				</common_name>
+				<description>
+					<loctext xml:lang="C">
+The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
+					</loctext>
+				</description>
+			</prop_pattern>
+			<prop_pattern name="target6" type="astring"
+			    required="false">
+				<common_name>
+					<loctext xml:lang='C'>
+Apply policy to
+					</loctext>
+				</common_name>
+				<description>
+					<loctext xml:lang="C">
+The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept.
 					</loctext>
 				</description>
 			</prop_pattern>
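Review bot: The last prop_pattern added in this hunk is named `target6`, but the property it is meant to describe is declared as `target_6` in the firewall_config_default property group earlier in this diff, so the template entry will never match the property and its description and type constraints are silently ignored; the opening tag should read `<prop_pattern name="target_6" type="astring"`. The common_name for both `target` and `target6` is "Apply policy to", identical to the one used for `apply_to`, which makes the two different semantics (source address versus destination address) indistinguishable in a UI; "Apply policy to destination" would keep them apart. There is also a typo in the exceptions_6 description, `addressess` for `addresses`.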
@@ -321,6 +424,47 @@ Allow access to entities specified in 'apply_to' property.
 					<include_values type='values'/>
 				</choices>
 			</prop_pattern>
+			<prop_pattern name='block_policy' type='astring'
+			    required='false'>
+				<common_name>
+					<loctext xml:lang='C'>
+Firewall block policy
+					</loctext>
+				</common_name>
+				<description>
+					<loctext xml:lang='C'>
+Service firewall block policy.
+					</loctext>
+				</description>
+				<visibility value='readwrite'/>
+				<cardinality min='1' max='1'/>
+				<values>
+					<value name='use_global'>
+						<description>
+							<loctext xml:lang='C'>
+Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value.
+							</loctext>
+						</description>
+					</value>
+					<value name='none'>
+						<description>
+							<loctext xml:lang='C'>
+Block by dropping packets.
+							</loctext>
+						</description>
+					</value>
+					<value name='return'>
+						<description>
+							<loctext xml:lang='C'>
+Block by returning RST or ICMP messages.
+							</loctext>
+						</description>
+					</value>
+				</values>
+				<choices>
+					<include_values type='values'/>
+				</choices>
+			</prop_pattern>
 			<prop_pattern name="apply_to" type="astring"
 			    required="false">
 				<common_name>
