Diffstat (limited to 'usr/src/cmd/ipf')
-rw-r--r-- | usr/src/cmd/ipf/etc/Makefile | 27 | ||||
-rw-r--r-- | usr/src/cmd/ipf/etc/smartos_version | 1 | ||||
-rw-r--r-- | usr/src/cmd/ipf/lib/common/printfr.c | 18 | ||||
-rw-r--r-- | usr/src/cmd/ipf/svc/ipfilter | 20 | ||||
-rw-r--r-- | usr/src/cmd/ipf/svc/ipfilter.xml | 7 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/Makefile.tools | 17 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/ipf_y.y | 17 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/ipfstat.c | 4 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/ipmon_y.y | 5 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/ipnat_y.y | 4 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/ippool_y.y | 4 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/lexer.c | 37 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/lexer.h | 5 |
13 files changed, 132 insertions, 34 deletions
diff --git a/usr/src/cmd/ipf/etc/Makefile b/usr/src/cmd/ipf/etc/Makefile index 3e06187ae9..a5eb399f56 100644 --- a/usr/src/cmd/ipf/etc/Makefile +++ b/usr/src/cmd/ipf/etc/Makefile @@ -22,42 +22,31 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # -#cmd/ipf/etc/Makefile +# Copyright 2019 Joyent, Inc. # -IPFCONF= ipf.conf -IPFPROG= $(IPFCONF) +IPFFILES = ipf.conf smartos_version include ../../Makefile.cmd - ETCIPF= $(ROOTETC)/ipf -DIRS= $(ETCIPF) - -ETCIPFPROG= $(IPFPROG:%=$(ETCIPF)/%) +ROOTETCIPFFILES = $(IPFFILES:%=$(ETCIPF)/%) -$(ETCIPFPROG):= FILEMODE= 0644 +$(ETCIPF)/ipf.conf := FILEMODE= 0644 +$(ETCIPF)/smartos_version := FILEMODE= 0444 .KEEP_STATE: -all: $(IPFPROG) $(DIRS) $(ETCIPFPROG) - -install: all $(DIRS) +all: -$(PFILAP): - $(SH) $@.sh +install: all $(ROOTETCIPFFILES) -$(ETCIPF)/% : % $(ETCIPF) +$(ETCIPF)/% : % $(INS.file) -$(DIRS): - $(INS.dir) - clean: clobber: -lint: - .PARALLEL: diff --git a/usr/src/cmd/ipf/etc/smartos_version b/usr/src/cmd/ipf/etc/smartos_version new file mode 100644 index 0000000000..0cfbf08886 --- /dev/null +++ b/usr/src/cmd/ipf/etc/smartos_version @@ -0,0 +1 @@ +2 diff --git a/usr/src/cmd/ipf/lib/common/printfr.c b/usr/src/cmd/ipf/lib/common/printfr.c index 063eb87c07..b096c46e0e 100644 --- a/usr/src/cmd/ipf/lib/common/printfr.c +++ b/usr/src/cmd/ipf/lib/common/printfr.c @@ -7,9 +7,10 @@ * * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2019 Joyent, Inc. */ -#pragma ident "%Z%%M% %I% %E% SMI" +#include <uuid/uuid.h> #include "ipf.h" @@ -386,7 +387,8 @@ ioctlfunc_t iocfunc; printf(" head %s", fp->fr_grhead); if (*fp->fr_group != '\0') printf(" group %s", fp->fr_group); - if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) { + if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag || + (fp->fr_flags & FR_CFWLOG) || !uuid_is_null(fp->fr_uuid)) { char *s = ""; printf(" set-tag("); 
@@ -397,6 +399,18 @@ ioctlfunc_t iocfunc; if (*fp->fr_nattag.ipt_tag) { printf("%snat=%-.*s", s, IPFTAG_LEN, fp->fr_nattag.ipt_tag); + s = ", "; + } + if (fp->fr_flags & FR_CFWLOG) { + printf("cfwlog"); + s = ", "; + } + + if (!uuid_is_null(fp->fr_uuid)) { + char uuid[UUID_PRINTABLE_STRING_LENGTH]; + + uuid_unparse(fp->fr_uuid, uuid); + printf("%suuid=%s", s, uuid); } printf(")"); } diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter index 48e3e2e915..bb25316b44 100644 --- a/usr/src/cmd/ipf/svc/ipfilter +++ b/usr/src/cmd/ipf/svc/ipfilter @@ -23,9 +23,12 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright (c) 2013, Joyent, Inc. All rights reserved. # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # +set -o xtrace + . /lib/svc/share/smf_include.sh . /lib/svc/share/ipf_include.sh @@ -152,8 +155,25 @@ upgrade_config() svcadm refresh $SMF_FMRI >/dev/null 2>&1 } +symlink_persistent_file() +{ + persist_file=/var/fw/$1 + etc_file=$ETC_IPF_DIR/$1 + + [ ! -e $persist_file ] && return 0 + [ -L $etc_file ] && return 0 + + [ -e $etc_file ] && mv $etc_file{,.orig} + + ln -s $persist_file $etc_file +} + + configure_firewall() { + symlink_persistent_file ipnat.conf + symlink_persistent_file ipf.conf + symlink_persistent_file ipf6.conf create_global_rules || exit $SMF_EXIT_ERR_CONFIG create_global_ovr_rules || exit $SMF_EXIT_ERR_CONFIG create_services_rules || exit $SMF_EXIT_ERR_CONFIG diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml index 44bc52a41b..1dade14f5b 100644 --- a/usr/src/cmd/ipf/svc/ipfilter.xml +++ b/usr/src/cmd/ipf/svc/ipfilter.xml @@ -4,6 +4,7 @@ Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
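Review bot: The new `cfwlog` branch prints without the `s` separator that the neighbouring tag branches use, so a rule carrying a nat or log tag together with cfwlog is printed as `set-tag(nat=foocfwlog` (constructed example) instead of `nat=foo, cfwlog`, and the output no longer round-trips through the parser. The uuid branch right below does pass `s`, so only this line differs: `printf("%scfwlog", s);`. The enclosing print function starts and ends outside the hunk.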
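Review bot: `set -o xtrace` is enabled unconditionally for the whole method script, so every command and its expanded arguments are written to the service log on each start, refresh and stop, including the contents of any variables the helper functions pass around. If this was a debugging aid it should be removed; if tracing is wanted in the field, gate it on a variable, e.g. `[ -n "$IPFILTER_DEBUG" ] && set -o xtrace`, so it is off by default. The rest of the file is outside the hunk, so I cannot tell whether later code depends on it.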
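Review bot: The exit status of `mv` and `ln -s` inside `symlink_persistent_file` is ignored, and `configure_firewall` calls the helper three times without checking its result, unlike the `create_*_rules || exit $SMF_EXIT_ERR_CONFIG` lines that follow; a failed rename or link leaves `$ETC_IPF_DIR` in an unknown state and the rules are then loaded from whatever is there. `[ -L $etc_file ] && return 0` also returns early for any existing symlink without checking that it points at `$persist_file`, so a stale link is silently kept — worth a comment or a target check if that is not intended. `mv $etc_file{,.orig}` relies on brace expansion, which the script's interpreter presumably provides (the shebang is outside the hunk); the explicit two-argument form below is portable and also quotes the paths. `configure_firewall` continues past the end of the hunk.
```shell
symlink_persistent_file()
{
	persist_file=/var/fw/$1
	etc_file=$ETC_IPF_DIR/$1

	[ ! -e "$persist_file" ] && return 0
	[ -L "$etc_file" ] && return 0

	if [ -e "$etc_file" ]; then
		mv "$etc_file" "$etc_file.orig" || return 1
	fi

	ln -s "$persist_file" "$etc_file"
}

configure_firewall()
{
	symlink_persistent_file ipnat.conf || exit $SMF_EXIT_ERR_CONFIG
	symlink_persistent_file ipf.conf || exit $SMF_EXIT_ERR_CONFIG
	symlink_persistent_file ipf6.conf || exit $SMF_EXIT_ERR_CONFIG
	# … unchanged: create_global_rules / create_global_ovr_rules / create_services_rules …
```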
@@ -97,13 +98,13 @@ type='method' name='refresh' exec='/lib/svc/method/ipfilter reload' - timeout_seconds='120' > + timeout_seconds='1200' > </exec_method> - <instance name='default' enabled='false'> + <instance name='default' enabled='true'> <property_group name='firewall_config_default' type='com.sun,fw_configuration'> - <propval name='policy' type='astring' value='none' /> + <propval name='policy' type='astring' value='custom' /> <propval name='block_policy' type='astring' value='none' /> <propval name='custom_policy_file' type='astring' diff --git a/usr/src/cmd/ipf/tools/Makefile.tools b/usr/src/cmd/ipf/tools/Makefile.tools index 15b1634758..2bea0cd0b0 100644 --- a/usr/src/cmd/ipf/tools/Makefile.tools +++ b/usr/src/cmd/ipf/tools/Makefile.tools @@ -23,8 +23,7 @@ # Use is subject to license terms. # # Copyright 2013 Nexenta Systems, Inc. All rights reserved. -# -# Copyright (c) 2012, Joyent Inc. All rights reserved. +# Copyright 2020 Joyent, Inc. # PROG= ipf ipfs ipmon ipnat ippool ipfstat @@ -36,7 +35,7 @@ IPFSTAT_OBJS= ipfstat.o ipfzone.o IPMON_OBJS= ipmon.o ipfzone.o ipmon_y.o ipmon_l.o IPNAT_OBJS= ipnat.o ipfzone.o ipnat_y.o ipnat_l.o IPPOOL_OBJS= ippool.o ipfzone.o ippool_y.o ippool_l.o -IPFTEST_OBJS= ipftest.o ipfzone.o \ +IPFTEST_OBJS= cfw.o ipftest.o ipfzone.o \ ip_fil.o ip_state.o ip_compat.o \ ip_frag.o ip_nat.o ip_nat6.o fil.o \ ip_htable.o ip_lookup.o \ 
@@ -65,12 +64,12 @@ CPPFLAGS += -I. -DIPFILTER_LOOKUP -DIPFILTER_LOG ipfstat.o := CPPFLAGS += -DSTATETOP ipfstat := LDLIBS += -lcurses -ipf := LDLIBS += -lsocket -lnsl -ipftest := LDLIBS += -lsocket -lnsl -lmd -ipfstat := LDLIBS += -lsocket -lnsl -lkvm -lelf -ipmon := LDLIBS += -lsocket -lnsl -ipnat := LDLIBS += -lsocket -lnsl -lkvm -lelf -ippool := LDLIBS += -lsocket -lnsl -lkvm -lelf +ipf := LDLIBS += -lsocket -lnsl -luuid +ipftest := LDLIBS += -lsocket -lnsl -lmd -luuid +ipfstat := LDLIBS += -lsocket -lnsl -lkvm -lelf -luuid +ipmon := LDLIBS += -lsocket -lnsl -luuid +ipnat := LDLIBS += -lsocket -lnsl -lkvm -lelf -luuid +ippool := LDLIBS += -lsocket -lnsl -lkvm -lelf -luuid CLEANFILES += $(OBJS) CLOBBERFILES += $(IPFPROG) diff --git a/usr/src/cmd/ipf/tools/ipf_y.y b/usr/src/cmd/ipf/tools/ipf_y.y index 7689d676c7..c8909b4e92 100644 --- a/usr/src/cmd/ipf/tools/ipf_y.y +++ b/usr/src/cmd/ipf/tools/ipf_y.y @@ -6,6 +6,7 @@ * * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2019 Joyent, Inc. */ #include "ipf.h" @@ -16,6 +17,7 @@ # define _NET_BPF_H_ # include <pcap.h> #endif +#include <uuid/uuid.h> #include "netinet/ip_pool.h" #include "netinet/ip_htable.h" #include "netinet/ipl.h" @@ -98,6 +100,7 @@ static int set_ipv6_addr = 0; union i6addr m; } ipp; union i6addr ip6; + uuid_t uuid; }; %type <port> portnum @@ -117,6 +120,7 @@ static int set_ipv6_addr = 0; %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT %token YY_RANGE_OUT YY_RANGE_IN %token <ip6> YY_IPV6 +%token <uuid> YY_UUID %token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST 
@@ -127,6 +131,7 @@ static int set_ipv6_addr = 0; %token IPFY_HEAD IPFY_GROUP %token IPFY_AUTH IPFY_PREAUTH %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK +%token IPFY_UUID IPFY_CFWLOG %token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP %token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH %token IPFY_PPS @@ -518,6 +523,8 @@ taginlist: taginspec: logtag |nattag + |uuidtag + |cfwtag ; nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ @@ -530,6 +537,12 @@ nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } ; +cfwtag: IPFY_CFWLOG { DOALL(fr->fr_flags |= FR_CFWLOG;) } + ; + +uuidtag: IPFY_UUID '=' YY_UUID { DOALL(uuid_copy(fr->fr_uuid, $3);) } + ; + settagout: | IPFY_SETTAG '(' tagoutlist ')' ; @@ -542,6 +555,8 @@ tagoutlist: tagoutspec: logtag | nattag + | uuidtag + | cfwtag ; matchtagin: @@ -1566,6 +1581,7 @@ static struct wordtab ipfwords[96] = { { "bpf-v6", IPFY_BPFV6 }, #endif { "call", IPFY_CALL }, + { "cfwlog", IPFY_CFWLOG }, { "code", IPFY_ICMPCODE }, { "count", IPFY_COUNT }, { "dup-to", IPFY_DUPTO }, @@ -1641,6 +1657,7 @@ static struct wordtab ipfwords[96] = { { "to", IPFY_TO }, { "ttl", IPFY_TTL }, { "udp", IPFY_UDP }, + { "uuid", IPFY_UUID }, { "v6hdrs", IPF6_V6HDRS }, { "with", IPFY_WITH }, { NULL, 0 } diff --git a/usr/src/cmd/ipf/tools/ipfstat.c b/usr/src/cmd/ipf/tools/ipfstat.c index 1a3a5f4be8..52c4421404 100644 --- a/usr/src/cmd/ipf/tools/ipfstat.c +++ b/usr/src/cmd/ipf/tools/ipfstat.c @@ -165,6 +165,10 @@ static int sort_dstip __P((const void *, const void *)); static int sort_dstpt __P((const void *, const void *)); #endif +#if SOLARIS +#include "ipfzone.h" +#endif + static void usage(name) char *name; diff --git a/usr/src/cmd/ipf/tools/ipmon_y.y b/usr/src/cmd/ipf/tools/ipmon_y.y index e6dda81c35..b4fce4015d 100644 --- a/usr/src/cmd/ipf/tools/ipmon_y.y +++ b/usr/src/cmd/ipf/tools/ipmon_y.y 
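Review bot: The keyword table is declared with a hard-coded element count, `static struct wordtab ipfwords[96]`, and this commit adds two initialisers (`cfwlog`, `uuid`) without touching that count; it evidently still fits (the compiler would reject excess initialisers), but any trailing NULL-padded slots the lookup may rely on shrink each time an entry is added. Dropping the literal, `static struct wordtab ipfwords[] = {`, lets the compiler size the table from the initialiser and removes the maintenance hazard. The new `uuid=` and `cfwlog` set-tag/match-tag keywords are also undocumented in this commit; the grammar comment above `taginspec`/`tagoutspec` (outside the hunk) and the rule-syntax documentation should describe what each tag means and that `uuid` takes the 36-character hyphenated form accepted by `uuid_parse()`.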
@@ -1,11 +1,14 @@ /* * Copyright (C) 1993-2005 by Darren Reed. * See the IPFILTER.LICENCE file for details on licencing. + * + * Copyright 2019 Joyent, Inc. */ %{ #include "ipf.h" #include <syslog.h> +#include <uuid/uuid.h> #undef OPT_NAT #undef OPT_VERBOSE #include "ipmon_l.h" @@ -42,11 +45,13 @@ static ipmon_action_t *alist = NULL; struct in_addr addr; struct opt *opt; union i6addr ip6; + uuid_t uuid; } %token <num> YY_NUMBER YY_HEX %token <str> YY_STR %token <ip6> YY_IPV6 +%token <uuid> YY_UUID %token YY_COMMENT %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT %token YY_RANGE_OUT YY_RANGE_IN diff --git a/usr/src/cmd/ipf/tools/ipnat_y.y b/usr/src/cmd/ipf/tools/ipnat_y.y index d929bf413a..2c913afea2 100644 --- a/usr/src/cmd/ipf/tools/ipnat_y.y +++ b/usr/src/cmd/ipf/tools/ipnat_y.y @@ -6,6 +6,7 @@ * * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2019 Joyent, Inc. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -39,6 +40,7 @@ #include <sys/time.h> #include <syslog.h> #include <net/if.h> +#include <uuid/uuid.h> #if __FreeBSD_version >= 300000 # include <net/if_var.h> #endif @@ -89,6 +91,7 @@ static void setnatproto __P((int)); int v; } ipp; union i6addr ip6; + uuid_t uuid; }; %token <num> YY_NUMBER YY_HEX @@ -97,6 +100,7 @@ static void setnatproto __P((int)); %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT %token YY_RANGE_OUT YY_RANGE_IN %token <ip6> YY_IPV6 +%token <uuid> YY_UUID %token IPNY_MAPBLOCK IPNY_RDR IPNY_PORT IPNY_PORTS IPNY_AUTO IPNY_RANGE %token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY diff --git a/usr/src/cmd/ipf/tools/ippool_y.y b/usr/src/cmd/ipf/tools/ippool_y.y index cca5052bd4..5aadd22206 100644 --- a/usr/src/cmd/ipf/tools/ippool_y.y +++ b/usr/src/cmd/ipf/tools/ippool_y.y 
@@ -6,6 +6,7 @@ * * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2019 Joyent, Inc. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -34,6 +35,7 @@ #include <netdb.h> #include <ctype.h> #include <unistd.h> +#include <uuid/uuid.h> #include "ipf.h" #include "netinet/ip_lookup.h" @@ -66,6 +68,7 @@ static int set_ipv6_addr = 0; iphtent_t *ipe; ip_pool_node_t *ipp; union i6addr ip6; + uuid_t uuid; } %token <num> YY_NUMBER YY_HEX @@ -74,6 +77,7 @@ static int set_ipv6_addr = 0; %token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT %token YY_RANGE_OUT YY_RANGE_IN %token <ip6> YY_IPV6 +%token <uuid> YY_UUID %token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT %token IPT_TABLE IPT_GROUPMAP IPT_HASH diff --git a/usr/src/cmd/ipf/tools/lexer.c b/usr/src/cmd/ipf/tools/lexer.c index 3db3a0888b..b4ee8b3f77 100644 --- a/usr/src/cmd/ipf/tools/lexer.c +++ b/usr/src/cmd/ipf/tools/lexer.c @@ -5,6 +5,7 @@ * * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. + * Copyright 2019 Joyent, Inc. */ #include <ctype.h> @@ -14,6 +15,7 @@ #endif #include <sys/ioctl.h> #include <syslog.h> +#include <uuid/uuid.h> #ifdef TEST_LEXER # define NO_YACC union { @@ -21,6 +23,7 @@ union { char *str; struct in_addr ipa; i6addr_t ip6; + uuid_t uuid; } yylval; #endif #include "lexer.h" 
@@ -455,6 +458,40 @@ nextchar: } #endif + /* + * UUID: e.g., "2426e38c-9f63-c0b8-cfd5-9aaeaf992d42" or its uppercase + * variant. + */ + if (isbuilding == 0 && (ishex(c) || c == '-')) { + char uuidbuf[UUID_PRINTABLE_STRING_LENGTH], *s, oc; + int start; + + start = yypos; + s = uuidbuf; + oc = c; + + /* + * Don't worry about exact position of hexdigits and hyphens + * because uuid_parse() will provide the sanity check. + */ + do { + *s++ = c; + c = yygetc(1); + } while ((ishex(c) || c == '-') && + (s - uuidbuf < sizeof (uuidbuf))); + yyunputc(c); + *s = '\0'; + + if (uuid_parse(uuidbuf, yylval.uuid) == 0) { + rval = YY_UUID; + yyexpectaddr = 0; + goto done; + } + yypos = start; + c = oc; + } + + if (c == ':') { if (isbuilding == 1) { yyunputc(c); diff --git a/usr/src/cmd/ipf/tools/lexer.h b/usr/src/cmd/ipf/tools/lexer.h index a296cb0bc3..448b3e6ffd 100644 --- a/usr/src/cmd/ipf/tools/lexer.h +++ b/usr/src/cmd/ipf/tools/lexer.h @@ -1,4 +1,6 @@ - +/* + * Copyright 2019 Joyent, Inc. + */ typedef struct wordtab { char *w_word; int w_value; @@ -16,6 +18,7 @@ typedef struct wordtab { #define YY_IPV6 1008 #define YY_STR 1009 #define YY_IPADDR 1010 +#define YY_UUID 1011 #endif #define YYBUFSIZ 8192 |
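Review bot: The copy loop is allowed to fill every byte of `uuidbuf` (it only stops once `s - uuidbuf` reaches `sizeof (uuidbuf)`, 36 characters plus the terminator), after which `*s = '\0'` writes one byte past the end of the stack array whenever the input contains 37 or more consecutive hex digits or hyphens; bound the loop one short so the terminator always lands inside the buffer: `} while ((ishex(c) || c == '-') && ((size_t)(s - uuidbuf) < sizeof (uuidbuf) - 1));`. The cast also removes the signed/unsigned comparison between the pointer difference and `sizeof`. A run longer than 36 characters whose first 36 happen to satisfy `uuid_parse()` would still be tokenised on that prefix, so consider treating the candidate as not-a-UUID when the loop ends with `c` still a hex digit or hyphen. The restore path `yypos = start; c = oc;` presumably rewinds everything `yygetc()` consumed, which I cannot confirm from this hunk; the enclosing lexer function starts and ends outside it.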