Diffstat (limited to 'usr/src')
49 files changed, 1374 insertions, 418 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml index 3a37e51ab2..a6c1901c97 100644 --- a/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml +++ b/usr/src/cmd/cmd-inet/usr.lib/mdnsd/multicast.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -127,15 +129,21 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> </instance> - <stability value='Unstable' /> + <stability value='Unstable' /> <template> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml index dcfab5f69a..a66e18a02e 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/comsat.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org + CDDL HEADER START The contents of this file are subject to the terms of the 
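Review bot: The copyright line added to comsat.xml in the last hunk on this line, `Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org`, lacks the closing `>` that the same line carries in every other manifest touched by this change; it should end `...hope-2000.org>`. Inside an XML comment this is harmless to the parser, but it is the only copy of the line that differs.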
@@ -79,8 +81,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml index 3fd6e5321c..2c4281d84a 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/finger.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/finger.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -72,8 +74,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml index 22d0f1b4eb..530ec5bda7 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/route.xml 
@@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -144,8 +146,11 @@ privileges='basic,proc_owner,proc_fork,proc_exec,proc_info,proc_session,file_cho <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route index 87da8c7386..aa49137cb9 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.routed/svc-route @@ -23,6 +23,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/smf_include.sh . /lib/svc/share/routing_include.sh @@ -51,11 +53,11 @@ create_ipf_rules() uport=`$SERVINFO -p -u -s $iana_name 2>/dev/null` if [ -n "$tport" ]; then - generate_rules $FMRI $policy "tcp" "any" $tport $file + generate_rules $FMRI $policy "tcp" $tport $file fi if [ -n "$uport" ]; then - generate_rules $FMRI $policy "udp" "any" $uport $file + generate_rules $FMRI $policy "udp" $uport $file fi } diff --git a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml index a867c40d66..c4d2494095 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/in.talkd/talk.xml 
@@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -79,8 +81,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/login.xml b/usr/src/cmd/cmd-inet/usr.sbin/login.xml index 4e5f974034..f21084da5f 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/login.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/login.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -73,8 +75,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -116,8 +124,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> - <propval name='exception_list' type='astring' value='' /> - <propval name='override_list' type='astring' value='' /> + <propval name='block_policy' type='astring' + value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> @@ -161,8 +172,11 @@ remote login with Kerberos authentication <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> - <propval name='exception_list' type='astring' value='' /> - <propval name='override_list' type='astring' value='' /> + <propval name='block_policy' type='astring' + value='use_global' /> + <propval name='apply_to' type='astring' value='' /> + <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml index 924ced88c4..98f83f3102 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/rexec.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -83,8 +85,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml index 30730380a9..b841f99961 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/shell.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/shell.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -98,8 +100,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -141,8 +149,11 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='target' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml index 6b0ac5dfa5..a5425c3fc1 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml +++ b/usr/src/cmd/cmd-inet/usr.sbin/telnet.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -72,8 +74,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/fs.d/nfs/svc/nfs-server b/usr/src/cmd/fs.d/nfs/svc/nfs-server index c15fabd8eb..5c8c1a67dd 100644 --- a/usr/src/cmd/fs.d/nfs/svc/nfs-server +++ b/usr/src/cmd/fs.d/nfs/svc/nfs-server 
@@ -21,8 +21,9 @@ # # -# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # # Start/stop processes required for server NFS @@ -47,7 +48,8 @@ zone=`smf_zonename` configure_ipfilter() { ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX` - [ -f "$ipfile" ] && return 0 + ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX` + [ -f "$ipfile" -a -f "$ip6file" ] && return 0 # # Nothing to do if: @@ -129,20 +131,22 @@ case "$1" in # - nfs/rquota # # The following services are enabled for both nfs client and - # server so we'll treat them as client services and simply - # allow incoming traffic. + # server, if nfs/client is enabled we'll treat them as client + # services and simply allow incoming traffic. # - nfs/status # - nfs/nlockmgr # - nfs/cbd # NFS_FMRI="svc:/network/nfs/server:default" + NFSCLI_FMRI="svc:/network/nfs/client:default" RQUOTA_FMRI="svc:/network/nfs/rquota:default" FMRI=$2 file=`fmri_to_file $FMRI $IPF_SUFFIX` + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` echo "# $FMRI" >$file + echo "# $FMRI" >$file6 policy=`get_policy $NFS_FMRI` - ip="any" # # nfs/server configuration is processed in the start method. 
@@ -157,52 +161,107 @@ case "$1" in
 nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null`
 tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
 if [ -n "$tport" ]; then
- generate_rules $FMRI $policy "tcp" $ip $tport $file
+ generate_rules $FMRI $policy "tcp" $tport $file
+ fi
+
+ tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null`
+ if [ -n "$tport6" ]; then
+ generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
 fi
 uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
 if [ -n "$uport" ]; then
- generate_rules $FMRI $policy "udp" $ip $uport $file
+ generate_rules $FMRI $policy "udp" $uport $file
 fi
+ uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null`
+ if [ -n "$uport6" ]; then
+ generate_rules $FMRI $policy "udp" $uport6 $file6 _6
+ fi
+
+ # mountd IPv6 ports are also reachable through IPv4, so include
+ # them when generating IPv4 rules.
 tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
- if [ -n "$tports" ]; then
+ tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null`
+ if [ -n "$tports" -o -n "$tports6" ]; then
+ tports=`unique_ports $tports $tports6`
 for tport in $tports; do
- generate_rules $FMRI $policy "tcp" $ip \
+ generate_rules $FMRI $policy "tcp" \
 $tport $file
 done
 fi
+ if [ -n "$tports6" ]; then
+ for tport6 in $tports6; do
+ generate_rules $FMRI $policy "tcp" \
+ $tport6 $file6 _6
+ done
+ fi
+
 uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
- if [ -n "$uports" ]; then
+ uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null`
+ if [ -n "$uports" -o -n "$uports6" ]; then
+ uports=`unique_ports $uports $uports6`
 for uport in $uports; do
- generate_rules $FMRI $policy "udp" $ip \
+ generate_rules $FMRI $policy "udp" \
 $uport $file
 done
 fi
+ if [ -n "$uports6" ]; then
+ for uport6 in $uports6; do
+ generate_rules $FMRI $policy "udp" \
+ $uport6 $file6 _6
+ done
+ fi
+
 elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
 iana_name=`svcprop -p inetd/name $FMRI`
+ # rquota IPv6 ports are also reachable through IPv4, so include
+ # them when generating IPv4 rules.
tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
- if [ -n "$tports" ]; then
+ tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
+ if [ -n "$tports" -o -n "$tports6" ]; then
+ tports=`unique_ports $tports $tports6`
 for tport in $tports; do
 generate_rules $NFS_FMRI $policy "tcp" \
- $ip $tport $file
+ $tport $file
+ done
+ fi
+
+ if [ -n "$tports6" ]; then
+ for tport6 in $tports6; do
+ generate_rules $NFS_FMRI $policy "tcp" \
+ $tport6 $file6 _6
 done
 fi
 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
- if [ -n "$uports" ]; then
+ uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
+ if [ -n "$uports" -o -n "$uports6" ]; then
+ uports=`unique_ports $uports $uports6`
 for uport in $uports; do
 generate_rules $NFS_FMRI $policy "udp" \
- $ip $uport $file
+ $uport $file
+ done
+ fi
+
+ if [ -n "$uports6" ]; then
+ for uport6 in $uports6; do
+ generate_rules $NFS_FMRI $policy "udp" \
+ $uport6 $file6 _6
 done
 fi
 else
 #
 # Handle the client services here
 #
+ if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then
+ policy=none
+ ip=any
+ fi
+
 restarter=`svcprop -p general/restarter $FMRI 2>/dev/null`
 if [ "$restarter" = "$INETDFMRI" ]; then
 iana_name=`svcprop -p inetd/name $FMRI`
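Review bot: `ip=any` inside the new `service_check_state $NFSCLI_FMRI $SMF_ONLINE` block is dead: this change drops the address argument from every `generate_rules` call and nothing else in the hunk reads `ip`, so the block should shrink to just `policy=none`. The comment rewritten in the earlier hunk says nfs/client being "enabled" triggers the client treatment, whereas the check here is for the online state; one of the two should be adjusted so they agree. `unique_ports` and the trailing `_6` argument to `generate_rules` are not defined in this chunk — presumably they come from the shared ipf_include.sh — so verify the helper merges both lists without dropping ports before the IPv4 rules are written. The enclosing `case "$1" in` arm begins before and continues after the hunk.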
@@ -214,24 +273,41 @@ case "$1" in
 if [ "$isrpc" = "true" ]; then
 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
+ tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
+ uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
 else
 tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
+ tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null`
 uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
+ uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null`
 fi
- if [ -n "$tports" ]; then
+ # IPv6 ports are also reachable through IPv4, so include
+ # them when generating IPv4 rules.
+ if [ -n "$tports" -o -n "$tports6" ]; then
+ tports=`unique_ports $tports $tports6`
 for tport in $tports; do
- echo "pass in log quick proto tcp from any" \
- "to any port = ${tport} flags S " \
- "keep state" >>${file}
+ generate_rules $FMRI $policy "tcp" $tport $file
+ done
+ fi
+
+ if [ -n "$tports6" ]; then
+ for tport6 in $tports6; do
+ generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
 done
 fi
- if [ -n "$uports" ]; then
+ if [ -n "$uports" -o -n "$uports6" ]; then
+ uports=`unique_ports $uports $uports6`
 for uport in $uports; do
- echo "pass in log quick proto udp from any" \
- "to any port = ${uport}" >>${file}
+ generate_rules $FMRI $policy "udp" $uport $file
+ done
+ fi
+
+ if [ -n "$uports6" ]; then
+ for uport6 in $uports6; do
+ generate_rules $FMRI $policy "udp" $uport6 $file6 _6
 done
 fi
 fi
diff --git a/usr/src/cmd/fs.d/nfs/svc/rquota.xml b/usr/src/cmd/fs.d/nfs/svc/rquota.xml
index 08fad0b16f..1f7e6554f3 100644
--- a/usr/src/cmd/fs.d/nfs/svc/rquota.xml
+++ b/usr/src/cmd/fs.d/nfs/svc/rquota.xml
@@ -5,6 +5,8 @@
 Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 Use is subject to license terms.
+ Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
+
 CDDL HEADER START
 The contents of this file are subject to the terms of the
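Review bot: The `if [ -n "$tports" -o -n "$tports6" ]` / `unique_ports` / `for` pattern appears twice in this hunk and four more times in the previous one, differing only in protocol and variable names; a small function taking the protocol, the IPv4 port list and the IPv6 port list would remove the copies and the risk of fixing one and not the others. Behaviourally, client services now reach `generate_rules` with `$policy`, which the previous hunk sets to `none` only when nfs/client is online; otherwise they inherit the nfs/server policy from `get_policy $NFS_FMRI` instead of the unconditional `pass in ... keep state` rules the removed `echo` lines produced. If that is intended, a one-line comment at the `policy=none` site saying so would help the next reader. The enclosing case arm starts outside the hunk.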
@@ -90,10 +92,22 @@ <propval name='wait' type='boolean' value='true' /> </property_group> + <property_group name='firewall_context' type='com.sun,fw_definition'> + <propval name='name' type='astring' value='rquotad' /> + <propval name='ipf_method' type='astring' + value='/lib/svc/method/nfs-server ipfilter' /> + </property_group> + <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/fs.d/nfs/svc/server.xml b/usr/src/cmd/fs.d/nfs/svc/server.xml index 3faffa1457..c963a01fcf 100644 --- a/usr/src/cmd/fs.d/nfs/svc/server.xml +++ b/usr/src/cmd/fs.d/nfs/svc/server.xml @@ -22,7 +22,8 @@ CDDL HEADER END Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. - Copyright 2014 Nexenta Systems, Inc. All rights reserved. + Copyright 2014 Nexenta Systems, Inc. All rights reserved + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including 
@@ -153,8 +154,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/ipf/svc/ipfilter b/usr/src/cmd/ipf/svc/ipfilter index 6be1eeb7cc..2e6f2189f6 100644 --- a/usr/src/cmd/ipf/svc/ipfilter +++ b/usr/src/cmd/ipf/svc/ipfilter @@ -23,6 +23,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# . /lib/svc/share/smf_include.sh . /lib/svc/share/ipf_include.sh @@ -48,6 +50,7 @@ logmsg() load_ipf() { bad=0 ipf -IFa + ipf -6IFa for file in $IPFILOVRCONF $CONF_FILES $IPFILCONF; do if [ -r ${file} ]; then @@ -60,13 +63,16 @@ load_ipf() { fi done - if [ -r ${IP6FILCONF} ]; then - ipf -6IFa -f ${IP6FILCONF} - if [ $? != 0 ]; then - echo "$0: load of ${IP6FILCONF} into alternate set failed" - bad=1 + for file in $IP6FILOVRCONF $CONF6_FILES $IP6FILCONF; do + if [ -r ${file} ]; then + ipf -6I -f ${file} + if [ $? != 0 ]; then + echo "$0: load of ${file} into alternate set failed" + bad=1 + fi fi - fi + done + if [ $bad -eq 0 ] ; then ipf -s -y return 0 diff --git a/usr/src/cmd/ipf/svc/ipfilter.xml b/usr/src/cmd/ipf/svc/ipfilter.xml index 4729deb085..e4a70405c1 100644 --- a/usr/src/cmd/ipf/svc/ipfilter.xml +++ b/usr/src/cmd/ipf/svc/ipfilter.xml 
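Review bot: The new IPv6 loop in `load_ipf` is a copy of the IPv4 loop above it with `-6` added, and both leave the path unquoted; since `CONF6_FILES` is built elsewhere, the checks should read `if [ -r "${file}" ]; then` and `ipf -6I -f "${file}"`, and the shared shape could become one helper taking the address-family flag and the file list. `IP6FILOVRCONF` and `CONF6_FILES` are not defined in this chunk — presumably in ipf_include.sh — so confirm they exist, because an unset name is silently skipped by the `-r` test rather than reported. Because `bad` is shared, a failed IPv6 load now also keeps a successfully loaded IPv4 inactive set from being swapped in by `ipf -s -y`; that is fail-closed and probably right, but deserves a short comment next to `bad=1`.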
@@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> CDDL HEADER START @@ -103,9 +104,15 @@ <property_group name='firewall_config_default' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='none' /> + <propval name='block_policy' type='astring' + value='none' /> <propval name='custom_policy_file' type='astring' value='' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='open_ports' type='astring' value='' /> <propval name='version' type='count' value='0' /> <propval name='value_authorization' type='astring' @@ -115,7 +122,10 @@ <property_group name='firewall_config_override' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='none' /> + <propval name='block_policy' type='astring' + value='none' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
@@ -209,6 +219,47 @@ Apply the custom ipfilter configuration stored in a custom file (custom file pro <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> 
@@ -218,7 +269,20 @@ Apply policy to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="apply_to_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
@@ -231,7 +295,46 @@ Make exceptions to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools which will be exempted from the set policy, accept if the policy is set to deny, or deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="exceptions_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Make exceptions to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
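Review bot: The new `<prop_pattern name="target6" ...>` near the end of the hunk does not match the property every manifest in this change declares as `target_6` (and `apply_to_6`/`exceptions_6` follow the underscore form), so the template will not describe or validate the real property; change it to `<prop_pattern name="target_6" type="astring"`. The `exceptions_6` description spells `addressess`. The `common_name` of `apply_to_6` (previous hunk), `target` and `target_6` all repeat `Apply policy to`, which leaves any tool keying on common_name unable to tell the four properties apart — `Apply policy to (IPv6 source)` / `Apply policy to (IPv4 destination)` / `Apply policy to (IPv6 destination)` would disambiguate.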
@@ -321,6 +424,47 @@ Allow access to entities specified in 'apply_to' property. <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> diff --git a/usr/src/cmd/lp/cmd/lpsched/print-svc b/usr/src/cmd/lp/cmd/lpsched/print-svc index ff6599faf9..49b082f9a6 100644 --- a/usr/src/cmd/lp/cmd/lpsched/print-svc +++ b/usr/src/cmd/lp/cmd/lpsched/print-svc @@ -23,6 +23,7 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # . /lib/svc/share/smf_include.sh 
@@ -121,23 +122,27 @@ fi IPP_FMRI="svc:/application/print/ipp-listener:default" RFC1179_FMRI="svc:/application/print/rfc1179:default" IPP_CONF=/etc/lp/ipp/httpd-standalone-ipp.conf - ip="any" policy=`get_policy $FMRI` file=`fmri_to_file $RFC1179_FMRI $IPF_SUFFIX` + file6=`fmri_to_file $RFC1179_FMRI $IPF6_SUFFIX` echo "# $RFC1179_FMRI" >$file + echo "# $RFC1179_FMRI" >$file6 service_is_enabled ${RFC1179_FMRI} if [ $? -eq 0 ]; then rfc_name=`svcprop -p inetd/name ${RFC1179_FMRI} 2>/dev/null` rfc_proto=`svcprop -p inetd/proto ${RFC1179_FMRI} 2>/dev/null | \ sed 's/6/ /'` rfc_port=`$SERVINFO -p -t -s $rfc_name` - generate_rules $FMRI $policy $rfc_proto $ip $rfc_port $file + generate_rules $FMRI $policy $rfc_proto $rfc_port $file + generate_rules $FMRI $policy $rfc_proto $rfc_port $file6 _6 fi file=`fmri_to_file $IPP_FMRI $IPF_SUFFIX` + file6=`fmri_to_file $IPP_FMRI $IPF6_SUFFIX` echo "# $IPP_FMRI" >$file + echo "# $IPP_FMRI" >$file6 service_is_enabled ${IPP_FMRI} if [ $? -eq 0 ]; then # @@ -153,7 +158,8 @@ fi fi for port in $ipp_ports; do - generate_rules $FMRI $policy "tcp" $ip $port $file + generate_rules $FMRI $policy "tcp" $port $file + generate_rules $FMRI $policy "tcp" $port $file6 _6 done fi diff --git a/usr/src/cmd/lp/cmd/lpsched/server.xml b/usr/src/cmd/lp/cmd/lpsched/server.xml index 790355f873..d8df778cd9 100644 --- a/usr/src/cmd/lp/cmd/lpsched/server.xml +++ b/usr/src/cmd/lp/cmd/lpsched/server.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
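Review bot: `generate_rules $FMRI $policy $rfc_proto $rfc_port $file6 _6` is emitted for rfc1179 unconditionally, although `rfc_proto` comes from `inetd/proto` with the `6` stripped by the `sed` on the context line above; if that property is plain `tcp`, an IPv6 rule is written for a port that has no IPv6 listener. Keeping the unstripped value and gating the `_6` call on it, e.g. `case "$rfc_proto_raw" in *6) generate_rules $FMRI $policy $rfc_proto $rfc_port $file6 _6 ;; esac`, keeps the rule set minimal; the same applies to the ipp loop in the second hunk if the listener's address family is known there. The adjacent `rfc_port=` lookup has neither `2>/dev/null` nor an empty check, unlike the lookups in nfs-server in this change, though that line is pre-existing.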
@@ -112,8 +114,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml index a59ca4b2e6..5c9762edf7 100644 --- a/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml +++ b/usr/src/cmd/lvm/rpc.mdcommd/mdcomm.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -90,8 +91,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metad/meta.xml b/usr/src/cmd/lvm/rpc.metad/meta.xml index 9d940bd2d1..83840692a2 100644 
--- a/usr/src/cmd/lvm/rpc.metad/meta.xml +++ b/usr/src/cmd/lvm/rpc.metad/meta.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml index 2c8be3a6c7..8fc3a6c530 100644 --- a/usr/src/cmd/lvm/rpc.metamedd/metamed.xml +++ b/usr/src/cmd/lvm/rpc.metamedd/metamed.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. 
@@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml index 40b7f950f7..952a59064d 100644 --- a/usr/src/cmd/lvm/rpc.metamhd/metamh.xml +++ b/usr/src/cmd/lvm/rpc.metamhd/metamh.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'> <!-- Copyright 2015 Nexenta Systems, Inc. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. @@ -89,8 +90,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rexd/rex.xml b/usr/src/cmd/rexd/rex.xml index 8d3e77ffb0..8b9843328d 100644 --- a/usr/src/cmd/rexd/rex.xml 
+++ b/usr/src/cmd/rexd/rex.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -89,8 +91,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcbind/bind.xml b/usr/src/cmd/rpcbind/bind.xml index fca29c8993..c1f264e5f4 100644 --- a/usr/src/cmd/rpcbind/bind.xml +++ b/usr/src/cmd/rpcbind/bind.xml @@ -21,6 +21,7 @@ CDDL HEADER END + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> Copyright 2015 Nexenta Systems, Inc. All rights reserved. Copyright 2014 OmniTI Computer Consulting, Inc. All rights reserved. Copyright 2009 Sun Microsystems, Inc. All rights reserved. 
@@ -191,8 +192,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml index c372d710b0..0fd6257a73 100644 --- a/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml +++ b/usr/src/cmd/rpcsvc/rpc.bootparamd/bootparams.xml @@ -4,6 +4,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -92,11 +94,17 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> - </property_group> + </property_group> <stability value='Unstable' /> diff --git a/usr/src/cmd/rpcsvc/rstat.xml b/usr/src/cmd/rpcsvc/rstat.xml index cd60e85df7..7d3676eca7 100644 
--- a/usr/src/cmd/rpcsvc/rstat.xml +++ b/usr/src/cmd/rpcsvc/rstat.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/rusers.xml b/usr/src/cmd/rpcsvc/rusers.xml index eb3ab91ccd..c033136ac4 100644 --- a/usr/src/cmd/rpcsvc/rusers.xml +++ b/usr/src/cmd/rpcsvc/rusers.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the 
@@ -94,8 +96,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/spray.xml b/usr/src/cmd/rpcsvc/spray.xml index 2b8bb3fe5b..03f886b05e 100644 --- a/usr/src/cmd/rpcsvc/spray.xml +++ b/usr/src/cmd/rpcsvc/spray.xml @@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/rpcsvc/wall.xml b/usr/src/cmd/rpcsvc/wall.xml index 835eafe117..acf23ede82 100644 --- a/usr/src/cmd/rpcsvc/wall.xml +++ b/usr/src/cmd/rpcsvc/wall.xml 
@@ -5,6 +5,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + CDDL HEADER START The contents of this file are subject to the terms of the @@ -90,8 +92,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml index c19403e568..168d98b4c1 100644 --- a/usr/src/cmd/sendmail/lib/smtp-sendmail.xml +++ b/usr/src/cmd/sendmail/lib/smtp-sendmail.xml @@ -23,6 +23,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different 
@@ -84,8 +86,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> diff --git a/usr/src/cmd/smbsrv/smbd/server.xml b/usr/src/cmd/smbsrv/smbd/server.xml index 3364a193f3..875d6d3bc0 100644 --- a/usr/src/cmd/smbsrv/smbd/server.xml +++ b/usr/src/cmd/smbsrv/smbd/server.xml @@ -23,6 +23,7 @@ CDDL HEADER END Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. Copyright 2015 Nexenta Systems, Inc. All rights reserved. +Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including @@ -126,8 +127,14 @@ file. <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
diff --git a/usr/src/cmd/smbsrv/smbd/svc-smbd b/usr/src/cmd/smbsrv/smbd/svc-smbd index 175d2749d7..e6d4b89a23 100644 --- a/usr/src/cmd/smbsrv/smbd/svc-smbd +++ b/usr/src/cmd/smbsrv/smbd/svc-smbd @@ -22,6 +22,8 @@ # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +# # Scripts that generate IPfilter rules for SMB server @@ -32,7 +34,7 @@ create_ipf_rules() { FMRI=$1 file=`fmri_to_file $FMRI $IPF_SUFFIX` - ip=any + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` policy=`get_policy ${FMRI}` iana_names="microsoft-ds netbios-ns netbios-dgm netbios-ssn" @@ -40,13 +42,16 @@ create_ipf_rules() # Enforce policy on each port # echo "# $FMRI" >$file + echo "# $FMRI" >$file6 for name in $iana_names; do port=`$SERVINFO -p -s $name 2>/dev/null` if [ -z "$port" ]; then continue; fi - generate_rules $FMRI $policy "tcp" $ip $port $file - generate_rules $FMRI $policy "udp" $ip $port $file + generate_rules $FMRI $policy "tcp" $port $file + generate_rules $FMRI $policy "tcp" $port $file6 _6 + generate_rules $FMRI $policy "udp" $port $file + generate_rules $FMRI $policy "udp" $port $file6 _6 done } diff --git a/usr/src/cmd/svc/milestone/global.xml b/usr/src/cmd/svc/milestone/global.xml index b1fca9b3cf..dd65d9fed2 100644 --- a/usr/src/cmd/svc/milestone/global.xml +++ b/usr/src/cmd/svc/milestone/global.xml @@ -2,6 +2,7 @@ <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> CDDL HEADER START 
@@ -730,6 +731,47 @@ Allow access to entities specified in 'apply_to' property. <include_values type='values'/> </choices> </prop_pattern> + <prop_pattern name='block_policy' type='astring' + required='false'> + <common_name> + <loctext xml:lang='C'> +Firewall block policy + </loctext> + </common_name> + <description> + <loctext xml:lang='C'> +Service firewall block policy. + </loctext> + </description> + <visibility value='readwrite'/> + <cardinality min='1' max='1'/> + <values> + <value name='use_global'> + <description> + <loctext xml:lang='C'> +Apply Global Default block policy, specified in network/ipfilter for the service. This is the default value. + </loctext> + </description> + </value> + <value name='none'> + <description> + <loctext xml:lang='C'> +Block by dropping packets. + </loctext> + </description> + </value> + <value name='return'> + <description> + <loctext xml:lang='C'> +Block by returning RST or ICMP messages. + </loctext> + </description> + </value> + </values> + <choices> + <include_values type='values'/> + </choices> + </prop_pattern> <prop_pattern name="apply_to" type="astring" required="false"> <common_name> @@ -739,7 +781,20 @@ Apply policy to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="apply_to_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addresses, incoming network interfaces, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> 
@@ -752,7 +807,46 @@ Make exceptions to </common_name> <description> <loctext xml:lang="C"> -The host and network IPs, network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. +The source host and network IPv4 addresses, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="exceptions_6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Make exceptions to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The source host and network IPv6 addressess, incoming network interfaces, and ippools to exempt from the set policy. That is, those to accept if the policy is set to deny, or to deny if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv4 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. + </loctext> + </description> + </prop_pattern> + <prop_pattern name="target6" type="astring" + required="false"> + <common_name> + <loctext xml:lang='C'> +Apply policy to + </loctext> + </common_name> + <description> + <loctext xml:lang="C"> +The destination host and network IPv6 addresses, and ippools to deny if the policy is set to deny, or accept if the policy is set to accept. </loctext> </description> </prop_pattern> diff --git a/usr/src/cmd/svc/shell/ipf_include.sh b/usr/src/cmd/svc/shell/ipf_include.sh index ac159b6946..bb41e2ac49 100644 --- a/usr/src/cmd/svc/shell/ipf_include.sh +++ b/usr/src/cmd/svc/shell/ipf_include.sh 
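Review bot: The last new prop_pattern in this hunk is named `target6`, while every manifest in this commit and `TARGET_6_PROP="target_6"` in ipf_include.sh use `target_6`, so the template never matches the property it is meant to describe; change it to `<prop_pattern name="target_6" type="astring"`. The `exceptions_6` description also carries a typo, `addressess`. The `target` and `target_6` patterns reuse the common_name "Apply policy to" from `apply_to`/`apply_to_6`, which makes the four properties indistinguishable wherever only common_name is shown; something like "Apply policy to destinations" for the two target patterns would disambiguate them.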
@@ -20,15 +20,11 @@ # CDDL HEADER END # # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # IPFILTER_FMRI="svc:/network/ipfilter:default" ETC_IPF_DIR=/etc/ipf -IP6FILCONF=`/usr/bin/svcprop -p config/ipf6_config_file $IPFILTER_FMRI \ - 2>/dev/null` -if [ $? -eq 1 ]; then - IP6FILCONF=$ETC_IPF_DIR/ipf6.conf -fi IPNATCONF=`/usr/bin/svcprop -p config/ipnat_config_file $IPFILTER_FMRI \ 2>/dev/null` if [ $? -eq 1 ]; then @@ -41,11 +37,15 @@ if [ $? -eq 1 ]; then fi VAR_IPF_DIR=/var/run/ipf IPFILCONF=$VAR_IPF_DIR/ipf.conf +IP6FILCONF=$VAR_IPF_DIR/ipf6.conf IPFILOVRCONF=$VAR_IPF_DIR/ipf_ovr.conf +IP6FILOVRCONF=$VAR_IPF_DIR/ipf6_ovr.conf IPF_LOCK=/var/run/ipflock CONF_FILES="" +CONF6_FILES="" NAT_FILES="" IPF_SUFFIX=".ipf" +IPF6_SUFFIX=".ipf6" NAT_SUFFIX=".nat" # version for configuration upgrades @@ -65,11 +65,17 @@ METHOD_PROP="ipf_method" FW_CONFIG_PG="firewall_config" POLICY_PROP="policy" APPLY2_PROP="apply_to" +APPLY2_6_PROP="apply_to_6" EXCEPTIONS_PROP="exceptions" +EXCEPTIONS_6_PROP="exceptions_6" +TARGET_PROP="target" +TARGET_6_PROP="target_6" +BLOCKPOL_PROP="block_policy" FW_CONFIG_DEF_PG="firewall_config_default" FW_CONFIG_OVR_PG="firewall_config_override" CUSTOM_FILE_PROP="custom_policy_file" +CUSTOM_FILE_6_PROP="custom_policy_file_6" OPEN_PORTS_PROP="open_ports" PREFIX_HOST="host:" @@ -79,6 +85,7 @@ PREFIX_IF="if:" GLOBAL_CONFIG="" GLOBAL_POLICY="" +GLOBAL_BLOCK_POLICY="" SERVINFO=/usr/lib/servinfo 
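Review bot: The first hunk drops the `config/ipf6_config_file` lookup, so an administrator's existing setting of that property is silently ignored from now on, while the parallel `config/ipnat_config_file` lookup right below it is still honored. Unless the property is also removed from the ipfilter manifest (not visible in this chunk), that asymmetry deserves a comment next to the new `IP6FILCONF=$VAR_IPF_DIR/ipf6.conf` assignment, e.g. `# ipf6.conf is now generated alongside ipf.conf; config/ipf6_config_file is no longer consulted`.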
@@ -129,10 +136,11 @@ global_get_prop_value() # service method, it's best to read all relevant configuration via one svcprop # invocation and cache it for later use. # -# This function reads and store relevant configuration into GLOBAL_CONFIG and -# initializes GLOBAL_POLICY variable. GLOBAL_CONFIG is a string containing pg/prop -# and their corresponding values (i.e. svcprop -p pg fmri output). To get values -# for a certain pg/prop, use global_get_prop_value(). +# This function reads and stores relevant configuration into GLOBAL_CONFIG and +# initializes the GLOBAL_POLICY and GLOBAL_BLOCK_POLICY variables. GLOBAL_CONFIG +# is a string containing pg/prop and their corresponding values (i.e. svcprop -p +# pg fmri output). To get values for a certain pg/prop, use +# global_get_prop_value(). # global_init() { @@ -140,6 +148,8 @@ global_init() $IPF_FMRI 2>/dev/null | awk '{$2=" "; print $0}'` GLOBAL_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG $POLICY_PROP` + GLOBAL_BLOCK_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG \ + $BLOCKPOL_PROP` } # 
@@ -165,21 +175,76 @@ get_policy() } # -# Given a service, gets its firewall policy +# block policy can be set to "return", which will expand into +# separate block rules for tcp (block return-rst ...) and all other +# protocols (block return-icmp-as-dest ...) +# +get_block_policy() +{ + config_pg=`get_config_pg $1` + svcprop -p $config_pg/${BLOCKPOL_PROP} $1 2>/dev/null +} + +# +# Given a service, gets its source address exceptions for IPv4 # get_exceptions() { config_pg=`get_config_pg $1` - svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null + exceptions=`svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null` + echo $exceptions | sed -e 's/\\//g' } # -# Given a service, gets its firewall policy +# Given a service, gets its source address exceptions for IPv6 +# +get_exceptions_6() +{ + config_pg=`get_config_pg $1` + exceptions6=`svcprop -p $config_pg/${EXCEPTIONS_6_PROP} $1 2>/dev/null` + echo $exceptions6 | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled source addresses for IPv4 # get_apply2_list() { config_pg=`get_config_pg $1` - svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null + apply2=`svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null` + echo $apply2 | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled source addresses for IPv6 +# +get_apply2_6_list() +{ + config_pg=`get_config_pg $1` + apply2_6=`svcprop -p $config_pg/${APPLY2_6_PROP} $1 2>/dev/null` + echo $apply2_6 | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled target addresses for IPv4 +# +get_target_list() +{ + config_pg=`get_config_pg $1` + target=`svcprop -p $config_pg/${TARGET_PROP} $1 2>/dev/null` + [ -z "$target" -o "$target" = '""' ] && target=any + echo $target | sed -e 's/\\//g' +} + +# +# Given a service, gets its firewalled target addresses for IPv6 +# +get_target_6_list() +{ + config_pg=`get_config_pg $1` + target6=`svcprop -p $config_pg/${TARGET_6_PROP} $1 2>/dev/null` + [ -z "$target6" -o "$target6" = '""' ] && target6=any + echo 
$target6 | sed -e 's/\\//g' } check_ipf_dir() @@ -244,15 +309,16 @@ service_check_state() get_IP() { value_is_interface $1 && return 1 - echo "$1" | sed -n -e 's,^pool:\(.*\),pool/\1,p' \ - -e 's,^host:\(.*\),\1,p' \ - -e 's,^network:\(.*\),\1,p' + echo "$1" | sed -n -e "s,^${PREFIX_POOL}\(.*\),pool/\1,p" \ + -e "s,^${PREFIX_HOST}\(.*\),\1,p" \ + -e "s,^${PREFIX_NET}\(.*\),\1,p" \ + -e "s,^any,any,p" } get_interface() { value_is_interface $1 || return 1 - scratch=`echo "$1" | sed -e 's/^if://'` + scratch=`echo "$1" | sed -e "s/^${PREFIX_IF}//"` ifconfig $scratch >/dev/null 2>&1 || return 1 echo $scratch | sed -e 's/:.*//' @@ -264,7 +330,7 @@ get_interface() value_is_interface() { [ -z "$1" ] && return 1 - echo $1 | grep "^if:" >/dev/null 2>&1 + echo $1 | grep "^${PREFIX_IF}" >/dev/null 2>&1 } # @@ -272,7 +338,7 @@ value_is_interface() # remove_rules() { - [ -f "$1" ] && ipf -r -f $1 >/dev/null 2>&1 + [ -f "$1" ] && ipf $2 -r -f $1 >/dev/null 2>&1 } remove_nat_rules() @@ -282,7 +348,7 @@ remove_nat_rules() check_ipf_syntax() { - ipf -n -f $1 >/dev/null 2>&1 + ipf $2 -n -f $1 >/dev/null 2>&1 } check_nat_syntax() @@ -290,16 +356,21 @@ check_nat_syntax() ipnat -n -f $1 >/dev/null 2>&1 } +unique_ports() +{ + echo $* | xargs -n 1 echo | sort -u +} + file_get_ports() { - ipf -n -v -f $1 2>/dev/null | sed -n -e \ + ipf $2 -n -v -f $1 2>/dev/null | sed -n -e \ 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \ awk '{if (length($0) > 1) {printf("%s ", $1)}}' } get_active_ports() { - ipfstat -io 2>/dev/null | sed -n -e \ + ipfstat $1 -io 2>/dev/null | sed -n -e \ 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \ awk '{if (length($0) > 1) {printf("%s ",$1)}}' } 
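Review bot: `get_block_policy` echoes an empty string when a service has no `block_policy` property, and `generate_rules` further down in this file treats anything other than `use_global` or `return` as a plain `block`, so every manifest not updated in this commit silently stops inheriting `GLOBAL_BLOCK_POLICY` instead of following it. The sibling `get_target_list` in the same hunk already defaults an empty value; mirror that by capturing the output first: `block_policy=\`svcprop -p $config_pg/${BLOCKPOL_PROP} $1 2>/dev/null\``, then `[ -z "$block_policy" -o "$block_policy" = '""' ] && block_policy=use_global`, then `echo $block_policy`. The header comment above the function should also state that an unset property means "use_global".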
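Review bot: The new `-e "s,^any,any,p"` case in `get_IP` is anchored only at the start, so a value that merely begins with `any` (a typo such as `anyy` in the new `target` property) is echoed unchanged and lands verbatim in the generated rule file, where it either fails the later syntax check or is parsed as something unintended. Anchor both ends: `-e "s,^any$,any,p"`. The `pool:`/`host:`/`network:` cases are unaffected because they strip a known prefix rather than passing the value through.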
@@ -330,42 +401,51 @@ sets_check_duplicate() # update_check_ipf_rules() { - check_ipf_syntax $1 || return 1 + check_ipf_syntax $1 $2 || return 1 - lports=`file_get_ports $1` - lactive_ports=`get_active_ports` + lports=`file_get_ports $1 $2` + lactive_ports=`get_active_ports $2` sets_check_duplicate "$lports" "$lactive_ports" || return 1 } server_port_list="" +server_port_list_6="" # # Given a file containing ipf rules, check the syntax and verify # the rules don't conflict with already processed services. # # The list of processed services' ports are maintained in the global -# variable 'server_port_list'. +# variables 'server_port_list' and 'server_port_list_6'. # check_ipf_rules() { - check_ipf_syntax $1 || return 1 - lports=`file_get_ports $1` - sets_check_duplicate "$lports" "$server_port_list" || return 1 - server_port_list="$server_port_list $lports" + check_ipf_syntax $1 $2 || return 1 + + lports=`file_get_ports $1 $2` + + if [ "$2" = "-6" ]; then + sets_check_duplicate "$lports" "$server_port_list_6" || return 1 + server_port_list_6="$server_port_list_6 $lports" + else + sets_check_duplicate "$lports" "$server_port_list" || return 1 + server_port_list="$server_port_list $lports" + fi + return 0 } prepend_new_rules() { - check_ipf_syntax $1 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ - ipf -f - >/dev/null 2>&1 + check_ipf_syntax $1 $2 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ + ipf $2 -f - >/dev/null 2>&1 } append_new_rules() { - check_ipf_syntax $1 && ipf -f $1 >/dev/null 2>&1 + check_ipf_syntax $1 $2 && ipf $2 -f $1 >/dev/null 2>&1 } append_new_nat_rules() @@ -494,7 +574,6 @@ replace_file() process_server_svc() { service=$1 - ip="any" policy=`get_policy ${service}` # @@ -502,8 +581,10 @@ process_server_svc() # we fail here. # file=`fmri_to_file $service $IPF_SUFFIX` + file6=`fmri_to_file $service $IPF6_SUFFIX` [ -z "$file" ] && return 1 echo "# $service" >${file} + echo "# $service" >${file6} # # Nothing to do if policy is "use_global" 
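Review bot: In the `@@ -502` hunk `file6` is derived next to `file` but only `file` is checked before use, so an empty `file6` would turn the new `echo "# $service" >${file6}` into a redirection error instead of the early return that `file` gets; widen the guard to `[ -z "$file" -o -z "$file6" ] && return 1`. process_server_svc continues outside the hunk.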
@@ -530,19 +611,39 @@ process_server_svc() # RPC services # if [ "$isrpc" = "true" ]; then + # The ports used for IPv6 are usually also reachable + # through IPv4, so generate IPv4 rules for them, too. tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` - if [ -n "$tports" ]; then + tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + if [ -n "$tports" -o -n "$tports6" ]; then + tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $service $policy "tcp" \ - $ip $tport $file + $tport $file + done + fi + + if [ -n "$tports6" ]; then + for tport6 in $tports6; do + generate_rules $service $policy "tcp" \ + $tport6 $file6 _6 done fi uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` if [ -n "$uports" ]; then + uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $service $policy "udp" \ - $ip $uport $file + $uport $file + done + fi + + if [ -n "$uports6" ]; then + for uport6 in $uports6; do + generate_rules $service $policy "udp" \ + $uport6 $file6 _6 done fi @@ -551,16 +652,25 @@ process_server_svc() # # Get the IANA port and supported protocols(tcp and udp) - # No support for IPv6 at this point. # tport=`$SERVINFO -p -t -s $iana_name 2>&1` if [ $? -eq 0 -a -n "$tport" ]; then - generate_rules $service $policy "tcp" $ip $tport $file + generate_rules $service $policy "tcp" $tport $file + fi + + tport6=`$SERVINFO -p -t6 -s $iana_name 2>&1` + if [ $? -eq 0 -a -n "$tport6" ]; then + generate_rules $service $policy "tcp" $tport6 $file6 _6 fi uport=`$SERVINFO -p -u -s $iana_name 2>&1` if [ $? -eq 0 -a -n "$uport" ]; then - generate_rules $service $policy "udp" $ip $uport $file + generate_rules $service $policy "udp" $uport $file + fi + + uport6=`$SERVINFO -p -u6 -s $iana_name 2>&1` + if [ $? -eq 0 -a -n "$uport6" ]; then + generate_rules $service $policy "udp" $uport6 $file6 _6 fi return 0 
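Review bot: In the RPC branch the tcp path merges `tports6` into the IPv4 list whenever either list is non-empty, but the udp path guards with `if [ -n "$uports" ]` only, so a service whose UDP ports are registered for IPv6 alone gets no IPv4 rules for them, contradicting the comment added at the top of the hunk that IPv6 ports are usually also reachable through IPv4. Under a deny policy that asymmetry leaves the IPv4 side of such a port unfiltered. Use `if [ -n "$uports" -o -n "$uports6" ]; then` to match the tcp path. The non-RPC hunk below (`@@ -551`) queries the v4 and v6 ports separately without merging, which may be intentional but is worth a comment either way.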
@@ -583,9 +693,9 @@ generate_rules()
 	service=$1
 	mypolicy=$2
 	proto=$3
-	ip=$4
-	port=$5
-	out=$6
+	port=$4
+	out=$5
+	_6=$6
 
 	#
 	# Default mode is to inherit from global's policy
@@ -595,57 +705,95 @@ generate_rules() tcp_opts="" [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags" + block_policy=`get_block_policy $1` + if [ "$block_policy" = "use_global" ]; then + block_policy=${GLOBAL_BLOCK_POLICY} + fi + + if [ "$block_policy" = "return" ]; then + [ "$proto" = "tcp" ] && block_policy="return-rst" + [ "$proto" != "tcp" ] && block_policy="return-icmp-as-dest" + else + block_policy="" + fi + + iplist=`get_target${_6}_list $service` + # # Allow all if policy is 'none' # if [ "$mypolicy" = "none" ]; then - echo "pass in log quick proto ${proto} from any to ${ip}" \ - "port = ${port} ${tcp_opts}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "pass in log quick proto ${proto} from any to ${daddr}" \ + "port = ${port} ${tcp_opts}" >>${out} + done return 0 fi # - # For now, let's concern only with incoming traffic. + # For now, let's concern ourselves only with incoming traffic. # - [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block"; } - [ "$mypolicy" = "allow" ] && { ecmd="block"; acmd="pass"; } + [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block ${block_policy}"; } + [ "$mypolicy" = "allow" ] && { ecmd="block ${block_policy}"; acmd="pass"; } - for name in `get_exceptions $service`; do + for name in `get_exceptions${_6} $service`; do [ -z "$name" -o "$name" = '""' ] && continue ifc=`get_interface $name` if [ $? -eq 0 -a -n "$ifc" ]; then - echo "${ecmd} in log quick on ${ifc} from any to" \ - "${ip} port = ${port}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick on ${ifc} from any to" \ + "${daddr} port = ${port}" >>${out} + done continue fi - addr=`get_IP ${name}` - if [ $? -eq 0 -a -n "$addr" ]; then - echo "${ecmd} in log quick proto ${proto} from ${addr}" \ - "to ${ip} port = ${port} ${tcp_opts}" >>${out} + saddr=`get_IP ${name}` + if [ $? 
-eq 0 -a -n "$saddr" ]; then + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick proto ${proto} from ${saddr}" \ + "to ${daddr} port = ${port} ${tcp_opts}" >>${out} + done fi done - for name in `get_apply2_list $service`; do + for name in `get_apply2${_6}_list $service`; do [ -z "$name" -o "$name" = '""' ] && continue ifc=`get_interface $name` if [ $? -eq 0 -a -n "$ifc" ]; then - echo "${acmd} in log quick on ${ifc} from any to" \ - "${ip} port = ${port}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${acmd} in log quick on ${ifc} from any to" \ + "${daddr} port = ${port}" >>${out} + done continue fi - addr=`get_IP ${name}` - if [ $? -eq 0 -a -n "$addr" ]; then - echo "${acmd} in log quick proto ${proto} from ${addr}" \ - "to ${ip} port = ${port} ${tcp_opts}" >>${out} + saddr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$saddr" ]; then + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${acmd} in log quick proto ${proto} from ${saddr}" \ + "to ${daddr} port = ${port} ${tcp_opts}" >>${out} + done fi done - echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \ - "port = ${port} ${tcp_opts}" >>${out} + for ip in $iplist; do + daddr=`get_IP ${ip}` + [ -z "$daddr" -o "$daddr" = '""' ] && continue + echo "${ecmd} in log quick proto ${proto} from any to ${daddr}" \ + "port = ${port} ${tcp_opts}" >>${out} + done return 0 } 
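Review bot: Every rule in this hunk is now emitted inside `for ip in $iplist`, where `iplist` comes from `get_target${_6}_list` and entries that resolve to empty or `""` are skipped; the manifests in this patch ship `target`/`target_6` as `''`, so unless that helper (outside the hunk) substitutes `any` for an empty property, a service with the default manifest produces no rules at all and a `deny` policy silently becomes a no-op. A guard after the lookup, `[ -z "$iplist" ] && iplist=any`, plus a comment stating that `get_IP any` must yield `any`, would pin that down. Separately, the interface branches build `block return-rst in log quick on ${ifc} ... port = ${port}` without a `proto` clause, and as far as I recall ipf accepts `return-rst` only for TCP rules, so that form may be rejected by the syntax check when `block_policy` is `return` — verify. generate_rules begins in the previous hunk and the `get_*` helpers are not visible here.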
@@ -732,23 +880,31 @@ create_global_rules() { if [ "$GLOBAL_POLICY" = "custom" ]; then file=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_PROP` + file6=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_6_PROP` [ -n "$file" ] && custom_set_symlink $file + [ -n "$file6" ] && custom_set_symlink $file6 + return 0 fi TEMP=`mktemp /var/run/ipf.conf.pid$$.XXXXXX` + TEMP6=`mktemp /var/run/ipf6.conf.pid$$.XXXXXX` process_nonsvc_progs $TEMP + process_nonsvc_progs $TEMP6 echo "# Global Default rules" >>${TEMP} + echo "# Global Default rules" >>${TEMP6} if [ "$GLOBAL_POLICY" != "none" ]; then echo "pass out log quick all keep state" >>${TEMP} + echo "pass out log quick all keep state" >>${TEMP6} fi case "$GLOBAL_POLICY" in 'none') # No rules replace_file ${IPFILCONF} ${TEMP} + replace_file ${IP6FILCONF} ${TEMP6} return $? ;; @@ -782,6 +938,22 @@ create_global_rules() done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $EXCEPTIONS_6_PROP`; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${ecmd} in log quick on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${ecmd} in log quick from ${addr} to any" >>${TEMP6} + fi + + done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_PROP`; do [ -z "$name" -o "$name" = '""' ] && continue 
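Review bot: The `custom` branch now calls `custom_set_symlink` for both the IPv4 and IPv6 custom files, but nothing in the hunk tells the helper which family each file belongs to; if `custom_set_symlink` (outside this hunk) links a single fixed path, the second call overwrites the first. Likewise `process_nonsvc_progs $TEMP6` is invoked without the `-6` marker that the checks later in this patch pass, so the IPv6 file would receive whatever IPv4-derived rules that helper emits — verify. Adding `[ -n "$TEMP6" ] || return 1` after the new `mktemp` (the pre-existing `TEMP` has the same gap) avoids appending to an empty path when mktemp fails. create_global_rules continues past this hunk.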
@@ -797,23 +969,41 @@ create_global_rules() fi done + for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_6_PROP`; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${acmd} in log quick on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${acmd} in log quick from ${addr} to any" >>${TEMP6} + fi + done + if [ "$GLOBAL_POLICY" = "allow" ]; then # - # Allow DHCP traffic if running as a DHCP client + # Allow DHCP(v6) traffic if running as a DHCP client # /sbin/netstrategy | grep dhcp >/dev/null 2>&1 if [ $? -eq 0 ]; then echo "pass out log quick from any port = 68" \ "keep state" >>${TEMP} - echo "pass out log quick from any port = 546" \ - "keep state" >>${TEMP} echo "pass in log quick from any to any port = 68" >>${TEMP} - echo "pass in log quick from any to any port = 546" >>${TEMP} + + echo "pass out log quick from any port = 546" \ + "keep state" >>${TEMP6} + echo "pass in log quick from any to any port = 546" >>${TEMP6} fi echo "block in log all" >>${TEMP} + echo "block in log all" >>${TEMP6} fi replace_file ${IPFILCONF} ${TEMP} + replace_file ${IP6FILCONF} ${TEMP6} return $? } @@ -833,6 +1023,7 @@ create_global_ovr_rules() # if [ "$GLOBAL_POLICY" = "custom" ]; then echo "# 'custom' global policy" >$IPFILOVRCONF + echo "# 'custom' global policy" >$IP6FILOVRCONF return 0 fi @@ -842,6 +1033,7 @@ create_global_ovr_rules() ovr_policy=`global_get_prop_value $FW_CONFIG_OVR_PG $POLICY_PROP` if [ "$ovr_policy" = "none" ]; then echo "# global override policy is 'none'" >$IPFILOVRCONF + echo "# global override policy is 'none'" >$IP6FILOVRCONF return 0 fi 
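Review bot: `block in log all` is appended to the IPv6 file under the `allow` global policy with only the DHCPv6 port passed before it, so inbound ICMPv6 Neighbor Solicitation/Advertisement (and Router Advertisement) would be dropped as well unless ipf on illumos exempts neighbor discovery; IPv4 is unaffected because ARP is not an IP packet, but an IPv6 host that cannot answer NS loses connectivity on every interface. Before the final block, pass at least the ND types, e.g. `echo "pass in quick proto ipv6-icmp from any to any icmp-type 135" >>${TEMP6}` and the same line for type 136 (and 134 if router advertisements are relied on). The DHCPv6 lines also omit `proto udp`, mirroring the pre-existing IPv4 lines. create_global_rules begins in an earlier hunk.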
@@ -865,7 +1057,24 @@ create_global_ovr_rules() fi done + apply2_6_list=`global_get_prop_value $FW_CONFIG_OVR_PG $APPLY2_6_PROP` + for name in $apply2_6_list; do + [ -z "$name" -o "$name" = '""' ] && continue + + ifc=`get_interface $name` + if [ $? -eq 0 -a -n "$ifc" ]; then + echo "${acmd} on ${ifc} all" >>${TEMP6} + continue + fi + + addr=`get_IP ${name}` + if [ $? -eq 0 -a -n "$addr" ]; then + echo "${acmd} from ${addr} to any" >>${TEMP6} + fi + done + replace_file ${IPFILOVRCONF} ${TEMP} + replace_file ${IP6FILOVRCONF} ${TEMP6} return $? } @@ -887,6 +1096,8 @@ svc_mark_maintenance() # ipfile=`fmri_to_file $1 $IPF_SUFFIX` [ -f "$ipfile" ] && mv $ipfile "$ipfile.bak" + ip6file=`fmri_to_file $1 $IPF6_SUFFIX` + [ -f "$ip6file" ] && mv $ip6file "$ip6file.bak" natfile=`fmri_to_file $1 $NAT_SUFFIX` [ -f "$natfile" ] && mv $natfile "$natfile.bak" @@ -945,6 +1156,25 @@ create_services_rules() CONF_FILES="$CONF_FILES $ipfile" fi + ip6file=`fmri_to_file $s $IPF6_SUFFIX` + if [ -n "$ip6file" -a -r "$ip6file" ]; then + check_ipf_syntax $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $s + continue + fi + + svc_is_server $s + if [ $? -eq 0 ]; then + check_ipf_rules $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $s + continue + fi + fi + CONF6_FILES="$CONF6_FILES $ip6file" + fi + natfile=`fmri_to_file $s $NAT_SUFFIX` if [ -n "$natfile" -a -r "$natfile" ]; then check_nat_syntax $natfile @@ -971,9 +1201,11 @@ service_update_rules() svc=$1 ipfile=`fmri_to_file $svc $IPF_SUFFIX` - [ -z "$ipfile" ] && return 0 + ip6file=`fmri_to_file $svc $IPF6_SUFFIX` + [ -n "$ipfile" ] && remove_rules $ipfile + [ -n "$ip6file" ] && remove_rules $ip6file -6 - remove_rules $ipfile + [ -z "$ipfile" -a -z "$ip6file" ] && return 0 natfile=`fmri_to_file $svc $NAT_SUFFIX` [ -n "$natfile" ] && remove_nat_rules $natfile 
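Review bot: `TEMP6` is appended to and handed to `replace_file` in create_global_ovr_rules, but no `mktemp` for it appears in this function's hunks (the IPv4 `TEMP` is created between the `-842` and `-865` hunks, where nothing was added), so its value is whatever create_global_rules left behind — a path already consumed by `replace_file ${IP6FILCONF} ${TEMP6}` if that helper moves its source, or empty on the `custom` path, where `>>${TEMP6}` fails outright. Create it next to the IPv4 one, `TEMP6=\`mktemp /var/run/ipf6.ovr.conf.pid$$.XXXXXX\``, so the file exists with mktemp's permissions and `replace_file` has a source even when `apply2_6_list` is empty. The start of create_global_ovr_rules is outside this hunk.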
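Review bot: When the new `check_ipf_syntax $ip6file -6` or `check_ipf_rules $ip6file -6` fails, `svc_mark_maintenance $s` runs after `$ipfile` has already been added to `CONF_FILES` by the preceding block, so the service goes to maintenance (its files renamed to `.bak` per the `-887` hunk) while its now-missing IPv4 path remains in the list to be loaded. Validate both files first and append to `CONF_FILES`/`CONF6_FILES` only once neither check has failed, or strip `$ipfile` from `CONF_FILES` before the `continue`. create_services_rules begins outside this hunk.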
@@ -993,6 +1225,14 @@ service_update_rules() fi fi + if [ -f "$ip6file" ]; then + check_ipf_syntax $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $svc + return 1 + fi + fi + if [ -f "$natfile" ]; then check_nat_syntax $natfile if [ $? -ne 0 ]; then @@ -1021,6 +1261,26 @@ service_update_rules() prepend_new_rules $IPFILOVRCONF fi + if [ -f "$ip6file" ]; then + svc_is_server $svc + if [ $? -eq 0 ]; then + update_check_ipf_rules $ip6file -6 + if [ $? -ne 0 ]; then + svc_mark_maintenance $svc + return 1 + fi + fi + + prepend_new_rules $ip6file -6 + + # + # reload Global Override rules to + # maintain correct ordering. + # + remove_rules $IP6FILOVRCONF -6 + prepend_new_rules $IP6FILOVRCONF -6 + fi + [ -f "$natfile" ] && append_new_nat_rules $natfile return 0 diff --git a/usr/src/cmd/syslogd/system-log.xml b/usr/src/cmd/syslogd/system-log.xml index 80f147f0fc..8802d363b7 100644 --- a/usr/src/cmd/syslogd/system-log.xml +++ b/usr/src/cmd/syslogd/system-log.xml @@ -23,6 +23,8 @@ Copyright 2009 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. + Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> + NOTE: This service manifest is not editable; its contents will be overwritten by package or patch operations, including operating system upgrade. Make customizations in a different @@ -140,8 +142,14 @@ <property_group name='firewall_config' type='com.sun,fw_configuration'> <propval name='policy' type='astring' value='use_global' /> + <propval name='block_policy' type='astring' + value='use_global' /> <propval name='apply_to' type='astring' value='' /> + <propval name='apply_to_6' type='astring' value='' /> <propval name='exceptions' type='astring' value='' /> + <propval name='exceptions_6' type='astring' value='' /> + <propval name='target' type='astring' value='' /> + <propval name='target_6' type='astring' value='' /> <propval name='value_authorization' type='astring' value='solaris.smf.value.firewall.config' /> </property_group> 
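Review bot: If `update_check_ipf_rules $ip6file -6` fails, the function returns 1 with the service in maintenance, but the IPv4 rules were already loaded by the block just above (its tail, `prepend_new_rules $IPFILOVRCONF`, is the first context line of the `-1021` hunk), so a rejected IPv6 ruleset leaves half of the service's rules active. Run `update_check_ipf_rules` for both files before loading either, mirroring how the syntax checks earlier in this function precede any load. service_update_rules begins in an earlier hunk.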
diff --git a/usr/src/cmd/ypcmd/yp.sh b/usr/src/cmd/ypcmd/yp.sh index 0d690e65f1..277d970465 100644 --- a/usr/src/cmd/ypcmd/yp.sh +++ b/usr/src/cmd/ypcmd/yp.sh @@ -21,6 +21,7 @@ # # # Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> # . /lib/svc/share/smf_include.sh @@ -32,6 +33,7 @@ create_client_ipf_rules() { FMRI=$1 file=`fmri_to_file $FMRI $IPF_SUFFIX` + file6=`fmri_to_file $FMRI $IPF6_SUFFIX` iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` domain=`domainname` 
@@ -43,44 +45,76 @@ create_client_ipf_rules() return fi echo "# $FMRI" >$file + echo "# $FMRI" >$file6 ypfile="/var/yp/binding/$domain/ypservers" if [ -f $ypfile ]; then tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` + tports_6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` + uports_6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` server_addrs="" + server_addrs_6="" for ypsvr in `grep -v '^[ ]*#' $ypfile`; do # - # Get corresponding IPv4 address in /etc/hosts + # Get corresponding IPv4/IPv6 addresses # - servers=`grep -v '^[ ]*#' /etc/hosts | awk ' { - if ($1 !~/:/) { - for (i=2; i<=NF; i++) { - if (s == $i) printf("%s ", $1); - } } - }' s="$ypsvr"` - - [ -z "$servers" ] && continue - server_addrs="$server_addrs $servers" - done + servers=`getent ipnodes $ypsvr | awk '/^:/{ print $1 }'` + servers_6=`getent ipnodes $ypsvr | awk '/:/{ print $1 }'` - [ -z "$server_addrs" ] && return 0 - for s in $server_addrs; do - if [ -n "$tports" ]; then - for tport in $tports; do - echo "pass in log quick proto tcp" \ - "from $s to any port = $tport" >>$file - done + if [ -n "$servers" ]; then + server_addrs="$server_addrs $servers" fi - if [ -n "$uports" ]; then - for uport in $uports; do - echo "pass in log quick proto udp" \ - "from $s to any port = $uport" >>$file - done + if [ -n "$servers_6" ]; then + server_addrs_6="$server_addrs_6 $servers" fi done + + if [ -n "$server_addrs" ]; then + for s in $server_addrs; do + if [ -n "$tports" ]; then + for tport in $tports; do + echo "pass in log quick" \ + "proto tcp from $s" \ + "to any port = $tport" \ + >>$file + done + fi + + if [ -n "$uports" ]; then + for uport in $uports; do + echo "pass in log quick" \ + "proto udp from $s" \ + "to any port = $uport" \ + >>$file + done + fi + done + fi + + if [ -n "$server_addrs_6" ]; then + for s in $server_addrs_6; do + if [ -n "$tports_6" ]; then + for tport in $tports_6; do + echo "pass in log quick" \ + "proto tcp from $s" \ 
+ "to any port = $tport" \ + >>$file6 + done + fi + + if [ -n "$uports_6" ]; then + for uport in $uports_6; do + echo "pass in log quick" \ + "proto udp from $s" \ + "to any port = $uport" \ + >>$file6 + done + fi + done + fi else # # How do we handle the client broadcast case? Server replies @@ -93,6 +127,8 @@ create_client_ipf_rules() # echo "pass in log quick proto udp from any to any" \ "port > 32768" >>$file + echo "pass in log quick proto udp from any to any" \ + "port > 32768" >>$file6 fi } diff --git a/usr/src/man/man1m/svc.ipfd.1m b/usr/src/man/man1m/svc.ipfd.1m index 58b8ffb151..3790a40c3d 100644 --- a/usr/src/man/man1m/svc.ipfd.1m +++ b/usr/src/man/man1m/svc.ipfd.1m @@ -2,7 +2,8 @@ .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed .\" location. .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved -.TH SVC.IPFD 1M "Jan 13, 2009" +.\" Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> +.TH SVC.IPFD 1M "Dec 30, 2015" .SH NAME svc.ipfd \- IP Filter firewall monitoring daemon .SH SYNOPSIS @@ -17,7 +18,6 @@ svc.ipfd \- IP Filter firewall monitoring daemon .fi .SH DESCRIPTION -.sp .LP The \fBsvc.ipfd\fR daemon monitors actions on services that use firewall configuration and initiates update services' IP Filter configuration. The @@ -37,7 +37,6 @@ This daemon is started by the \fBnetwork/ipfilter\fR service either through the variables and credentials from the method and runs as root with all zone privileges. .SS "Firewall Static Configuration" -.sp .LP A static definition describes a service's network resource configuration that is used to generate service-specific IPF rules. The per-service 
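Review bot: The IPv4 server list is never populated: `awk '/^:/{ print $1 }'` selects lines that begin with a colon, which no `getent ipnodes` address does, so `servers` is always empty — the IPv4 filter should be `!/:/`. The IPv6 accumulation line then appends `$servers` instead of `$servers_6`, so `server_addrs_6` only ever receives the (empty) IPv4 result and neither file gets a per-server pass rule. Change the two lines to `servers=\`getent ipnodes $ypsvr | awk '!/:/ { print $1 }'\`` and `server_addrs_6="$server_addrs_6 $servers_6"`; the second `getent` call could also be folded into one lookup. create_client_ipf_rules begins outside this hunk.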
@@ -103,7 +102,6 @@ The service static configuration is delivered by the service developer and not intended to be modified by users. These properties are only modified upon installation of an updated service definition. .SS "Firewall Policy Configuration" -.sp .LP A per-service property group, \fBfirewall_config\fR, stores the services' firewall policy configuration. Because \fBnetwork/ipfilter:default\fR is 
@@ -161,21 +159,77 @@ except those specified in the \fBapply_to\fR property. .sp .ne 2 .na +\fB\fBblock-policy\fR\fR +.ad +.sp .6 +.RS 4n +The \fBblock-policy\fR property defines the handling of packets that +are blocked by the filter. It has the following modes: +.sp +.ne 2 +.na +\fB\fBnone\fR block-policy mode\fR +.ad +.sp .6 +.RS 4n +Block by dropping packets. +.RE + +.sp +.ne 2 +.na +\fB\fBreturn\fR block-policy mode\fR +.ad +.sp .6 +.RS 4n +Block by returning RST (for TCP) or ICMP messages (for other +protocols) to the sender of the blocked packets. +.RE + +.RE + +.sp +.ne 2 +.na \fB\fBapply_to\fR\fR .ad .sp .6 .RS 4n -A multi-value property listing network entities to enforce the chosen policy -mode. Entities listed in \fBapply_to\fR property will be denied if policy is -\fBdeny\fR and allowed if policy is \fBallow\fR. The syntax for possible values -are: +A multi-value property listing IPv4 network source entities to enforce the +chosen policy mode. Packets coming from the entities listed in \fBapply_to\fR +property will be denied if policy is \fBdeny\fR and allowed if policy is +\fBallow\fR. The syntax for possible values are: +.sp +.in +2 +.nf +host: host:\fIIP\fR "host:192.168.84.14" +subnet: network:\fIIP/netmask\fR "network:129.168.1.5/24" +ippool: pool:\fIpool number\fR "pool:77" +interface: if:\fIinterface_name\fR "if:e1000g0" +.fi +.in -2 +.sp + +.RE + +.sp +.ne 2 +.na +\fB\fBapply_to_6\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv6 network source entities to enforce the +chosen policy mode. Packets coming from the entities listed in \fBapply_to_6\fR +property will be denied if policy is \fBdeny\fR and allowed if policy is +\fBallow\fR. 
The syntax for possible values are: .sp .in +2 .nf -host: host:\fIIP\fR "host:192.168.84.14" -subnet: network:\fIIP/netmask\fR "network:129.168.1.5/24" -ippool: pool:\fIpool number\fR "pool:77" -interface: if:\fIinterface_name\fR "if:e1000g0" +host: host:\fIIP\fR "host:2001:DB8::12ff:fe34:5678" +subnet: network:\fIIP/netmask\fR "network:2001:DB8::/32" +ippool: pool:\fIpool number\fR "pool:77" +interface: if:\fIinterface_name\fR "if:e1000g0" .fi .in -2 .sp 
@@ -189,14 +243,58 @@ interface: if:\fIinterface_name\fR "if:e1000g0" .ad .sp .6 .RS 4n -A multi-value property listing network entities to be excluded from the -\fBapply_to\fR list. For example, when \fBdeny\fR policy is applied to a +A multi-value property listing IPv4 network source entities to be excluded from +the \fBapply_to\fR list. For example, when \fBdeny\fR policy is applied to a subnet, exceptions can be made to some hosts in that subnet by specifying them in the \fBexceptions\fR property. This property has the same value syntax as \fBapply_to\fR property. .RE .sp +.ne 2 +.na +\fB\fBexceptions_6\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv6 network source entities to be excluded from +the \fBapply_to_6\fR list. For example, when \fBdeny\fR policy is applied to a +subnet, exceptions can be made to some hosts in that subnet by specifying them +in the \fBexceptions_6\fR property. This property has the same value syntax as +\fBapply_to_6\fR property. +.RE + +.sp +.ne 2 +.na +\fB\fBtarget\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv4 network destination entities to enforce the +chosen policy mode. Packets directed to the destination entities listed in +\fBtarget\fR property will be denied if policy is \fBdeny\fR and allowed if +policy is \fBallow\fR. This property has the same value syntax as \fBapply_to\fR +property, with the notable exception that specifying network interfaces is not +supported. +.RE + +.sp +.ne 2 +.na +\fB\fBtarget_6\fR\fR +.ad +.sp .6 +.RS 4n +A multi-value property listing IPv6 network destination entities to enforce the +chosen policy mode. Packets directed to the destination entities listed in +\fBtarget_6\fR property will be denied if policy is \fBdeny\fR and allowed if +policy is \fBallow\fR. This property has the same value syntax as +\fBapply_to_6\fR property, with the notable exception that specifying network +interfaces is not supported. 
+.RE + +.sp .LP For individual network services only: .sp @@ -207,7 +305,19 @@ For individual network services only: .sp .6 .RS 4n A service's policy can also be set to \fBuse_global\fR. Services with -\fBuse_global\fR policy mode inherits the Global Default firewall policy. +\fBuse_global\fR policy mode inherit the Global Default firewall policy. +.RE + +.sp +.ne 2 +.na +\fB\fBfirewall_config/block_policy\fR\fR +.ad +.sp .6 +.RS 4n +A service's block policy can also be set to \fBuse_global\fR. Services with +\fBuse_global\fR block policy mode inherit the Global Default firewall block +policy. .RE .sp @@ -324,7 +434,6 @@ firewall administration privilege to users. Users with Service Operator privileges will need this new authorization to be able to configure firewall policy. .SS "Firewall Availability" -.sp .LP During boot, a firewall is configured for enabled services prior to the starting of those services. Thus, services are protected on boot. While the @@ -342,7 +451,6 @@ ephemeral addresses, which are not known until the services are actually running. Thus RPC services are subjected to similar exposure since their firewalls are not configured until the services are running. .SS "Developer Documentation" -.sp .LP Services providing remote capabilities are encouraged to participate in the firewall framework to control network access to the service. While framework @@ -490,7 +598,6 @@ svc:/network/ntp:default .RE .SH ATTRIBUTES -.sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -506,7 +613,6 @@ Interface Stability Committed .TE .SH SEE ALSO -.sp .LP \fBsvcprop\fR(1), \fBsvcs\fR(1), \fBipf\fR(1M), \fBsvcadm\fR(1M), \fBsvccfg\fR(1M), \fBgetservbyname\fR(3SOCKET), \fBrpc\fR(4), diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/cleanup.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/cleanup.ksh index f94c3bcbd5..0c893efe3c 100644 
--- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/cleanup.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/cleanup.ksh @@ -27,19 +27,13 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib -function destroy_upgraded_pools { - for config in $CONFIGS; do - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_NAME) - POOL_FILES=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_FILES) - poolexists $POOL_NAME && log_must $ZPOOL destroy -f $POOL_NAME - done -} - -destroy_upgraded_pools +for config in $CONFIGS; do + destroy_upgraded_pool $config +done default_cleanup diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg index ead4abc2d2..993fafc032 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg 
@@ -26,140 +26,136 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib - # The following variable names describe files, stored as gzip compressed files # in the test directory which can be used to construct a pool of a given # version. The variable names are important, in that the construction # ZPOOL_VERSION_$var_FILES describes the files the pool is made from, and # ZPOOL_VERSION_$var_NAME describes the pool name. -# Version 1 pools -export ZPOOL_VERSION_1_FILES="zfs-pool-v1.dat" -export ZPOOL_VERSION_1_NAME="v1-pool" +# v1 pools +ZPOOL_VERSION_1_FILES="zfs-pool-v1.dat" +ZPOOL_VERSION_1_NAME="v1-pool" # v1 stripe -export ZPOOL_VERSION_1stripe_FILES="zfs-pool-v1stripe1.dat \ +ZPOOL_VERSION_1stripe_FILES="zfs-pool-v1stripe1.dat \ zfs-pool-v1stripe2.dat zfs-pool-v1stripe3.dat" -export ZPOOL_VERSION_1stripe_NAME="pool-v1stripe" +ZPOOL_VERSION_1stripe_NAME="pool-v1stripe" # v1 raidz -export ZPOOL_VERSION_1raidz_FILES="zfs-pool-v1raidz1.dat zfs-pool-v1raidz2.dat \ +ZPOOL_VERSION_1raidz_FILES="zfs-pool-v1raidz1.dat zfs-pool-v1raidz2.dat \ zfs-pool-v1raidz3.dat" -export ZPOOL_VERSION_1raidz_NAME="pool-v1raidz" +ZPOOL_VERSION_1raidz_NAME="pool-v1raidz" # v1 mirror -export ZPOOL_VERSION_1mirror_FILES="zfs-pool-v1mirror1.dat \ -zfs-pool-v1mirror2.dat zfs-pool-v1mirror3.dat" -export ZPOOL_VERSION_1mirror_NAME="pool-v1mirror" - +ZPOOL_VERSION_1mirror_FILES="zfs-pool-v1mirror1.dat zfs-pool-v1mirror2.dat \ +zfs-pool-v1mirror3.dat" +ZPOOL_VERSION_1mirror_NAME="pool-v1mirror" -# Version 2 pools -export ZPOOL_VERSION_2_FILES="zfs-pool-v2.dat" -export ZPOOL_VERSION_2_NAME="v2-pool" +# v2 pools +ZPOOL_VERSION_2_FILES="zfs-pool-v2.dat" +ZPOOL_VERSION_2_NAME="v2-pool" # v2 stripe -export ZPOOL_VERSION_2stripe_FILES="zfs-pool-v2stripe1.dat \ -zfs-pool-v2stripe2.dat zfs-pool-v2stripe3.dat" -export ZPOOL_VERSION_2stripe_NAME="pool-v2stripe" 
+ZPOOL_VERSION_2stripe_FILES="zfs-pool-v2stripe1.dat zfs-pool-v2stripe2.dat \ +zfs-pool-v2stripe3.dat" +ZPOOL_VERSION_2stripe_NAME="pool-v2stripe" # v2 raidz -export ZPOOL_VERSION_2raidz_FILES="zfs-pool-v2raidz1.dat zfs-pool-v2raidz2.dat \ +ZPOOL_VERSION_2raidz_FILES="zfs-pool-v2raidz1.dat zfs-pool-v2raidz2.dat \ zfs-pool-v2raidz3.dat" -export ZPOOL_VERSION_2raidz_NAME="pool-v2raidz" +ZPOOL_VERSION_2raidz_NAME="pool-v2raidz" # v2 mirror -export ZPOOL_VERSION_2mirror_FILES="zfs-pool-v2mirror1.dat \ -zfs-pool-v2mirror2.dat zfs-pool-v2mirror3.dat" -export ZPOOL_VERSION_2mirror_NAME="pool-v2mirror" - +ZPOOL_VERSION_2mirror_FILES="zfs-pool-v2mirror1.dat zfs-pool-v2mirror2.dat \ +zfs-pool-v2mirror3.dat" +ZPOOL_VERSION_2mirror_NAME="pool-v2mirror" -# This is a v3 pool -export ZPOOL_VERSION_3_FILES="zfs-pool-v3.dat" -export ZPOOL_VERSION_3_NAME="v3-pool" +# v3 pools +ZPOOL_VERSION_3_FILES="zfs-pool-v3.dat" +ZPOOL_VERSION_3_NAME="v3-pool" # v3 stripe -export ZPOOL_VERSION_3stripe_FILES="zfs-pool-v3stripe1.dat \ -zfs-pool-v3stripe2.dat zfs-pool-v3stripe3.dat" -export ZPOOL_VERSION_3stripe_NAME="pool-v3stripe" +ZPOOL_VERSION_3stripe_FILES="zfs-pool-v3stripe1.dat zfs-pool-v3stripe2.dat \ +zfs-pool-v3stripe3.dat" +ZPOOL_VERSION_3stripe_NAME="pool-v3stripe" # v3 raidz -export ZPOOL_VERSION_3raidz_FILES="zfs-pool-v3raidz1.dat zfs-pool-v3raidz2.dat \ +ZPOOL_VERSION_3raidz_FILES="zfs-pool-v3raidz1.dat zfs-pool-v3raidz2.dat \ zfs-pool-v3raidz3.dat" -export ZPOOL_VERSION_3raidz_NAME="pool-v3raidz" +ZPOOL_VERSION_3raidz_NAME="pool-v3raidz" # v3 mirror -export ZPOOL_VERSION_3mirror_FILES="zfs-pool-v3mirror1.dat \ -zfs-pool-v3mirror2.dat zfs-pool-v3mirror3.dat" -export ZPOOL_VERSION_3mirror_NAME="pool-v3mirror" +ZPOOL_VERSION_3mirror_FILES="zfs-pool-v3mirror1.dat zfs-pool-v3mirror2.dat \ +zfs-pool-v3mirror3.dat" +ZPOOL_VERSION_3mirror_NAME="pool-v3mirror" # v3 raidz2 -export ZPOOL_VERSION_3dblraidz_FILES="zfs-pool-v3raidz21.dat \ -zfs-pool-v3raidz22.dat zfs-pool-v3raidz23.dat" -export 
ZPOOL_VERSION_3dblraidz_NAME="pool-v3raidz2" +ZPOOL_VERSION_3dblraidz_FILES="zfs-pool-v3raidz21.dat zfs-pool-v3raidz22.dat \ +zfs-pool-v3raidz23.dat" +ZPOOL_VERSION_3dblraidz_NAME="pool-v3raidz2" # v3 hotspares -export ZPOOL_VERSION_3hotspare_FILES="zfs-pool-v3hotspare1.dat \ +ZPOOL_VERSION_3hotspare_FILES="zfs-pool-v3hotspare1.dat \ zfs-pool-v3hotspare2.dat zfs-pool-v3hotspare3.dat" -export ZPOOL_VERSION_3hotspare_NAME="pool-v3hotspare" +ZPOOL_VERSION_3hotspare_NAME="pool-v3hotspare" # v4 pool -export ZPOOL_VERSION_4_FILES="zfs-pool-v4.dat" -export ZPOOL_VERSION_4_NAME="v4-pool" +ZPOOL_VERSION_4_FILES="zfs-pool-v4.dat" +ZPOOL_VERSION_4_NAME="v4-pool" # v5 pool -export ZPOOL_VERSION_5_FILES="zfs-pool-v5.dat" -export ZPOOL_VERSION_5_NAME="v5-pool" +ZPOOL_VERSION_5_FILES="zfs-pool-v5.dat" +ZPOOL_VERSION_5_NAME="v5-pool" # v6 pool -export ZPOOL_VERSION_6_FILES="zfs-pool-v6.dat" -export ZPOOL_VERSION_6_NAME="v6-pool" +ZPOOL_VERSION_6_FILES="zfs-pool-v6.dat" +ZPOOL_VERSION_6_NAME="v6-pool" # v7 pool -export ZPOOL_VERSION_7_FILES="zfs-pool-v7.dat" -export ZPOOL_VERSION_7_NAME="v7-pool" +ZPOOL_VERSION_7_FILES="zfs-pool-v7.dat" +ZPOOL_VERSION_7_NAME="v7-pool" # v8 pool -export ZPOOL_VERSION_8_FILES="zfs-pool-v8.dat" -export ZPOOL_VERSION_8_NAME="v8-pool" +ZPOOL_VERSION_8_FILES="zfs-pool-v8.dat" +ZPOOL_VERSION_8_NAME="v8-pool" # v9 pool -export ZPOOL_VERSION_9_FILES="zfs-pool-v9.dat" -export ZPOOL_VERSION_9_NAME="v9-pool" +ZPOOL_VERSION_9_FILES="zfs-pool-v9.dat" +ZPOOL_VERSION_9_NAME="v9-pool" # v10 pool -export ZPOOL_VERSION_10_FILES="zfs-pool-v10.dat" -export ZPOOL_VERSION_10_NAME="v10-pool" +ZPOOL_VERSION_10_FILES="zfs-pool-v10.dat" +ZPOOL_VERSION_10_NAME="v10-pool" # v11 pool -export ZPOOL_VERSION_11_FILES="zfs-pool-v11.dat" -export ZPOOL_VERSION_11_NAME="v11-pool" +ZPOOL_VERSION_11_FILES="zfs-pool-v11.dat" +ZPOOL_VERSION_11_NAME="v11-pool" # v12 pool -export ZPOOL_VERSION_12_FILES="zfs-pool-v12.dat" -export ZPOOL_VERSION_12_NAME="v12-pool" 
+ZPOOL_VERSION_12_FILES="zfs-pool-v12.dat" +ZPOOL_VERSION_12_NAME="v12-pool" # v13 pool -export ZPOOL_VERSION_13_FILES="zfs-pool-v13.dat" -export ZPOOL_VERSION_13_NAME="v13-pool" +ZPOOL_VERSION_13_FILES="zfs-pool-v13.dat" +ZPOOL_VERSION_13_NAME="v13-pool" # v14 pool -export ZPOOL_VERSION_14_FILES="zfs-pool-v14.dat" -export ZPOOL_VERSION_14_NAME="v14-pool" +ZPOOL_VERSION_14_FILES="zfs-pool-v14.dat" +ZPOOL_VERSION_14_NAME="v14-pool" # v15 pool -export ZPOOL_VERSION_15_FILES="zfs-pool-v15.dat" -export ZPOOL_VERSION_15_NAME="v15-pool" +ZPOOL_VERSION_15_FILES="zfs-pool-v15.dat" +ZPOOL_VERSION_15_NAME="v15-pool" -# This pool is a v2 pool, with device problems on one side of the mirror +# v2 pool, with device problems on one side of the mirror # so that the pool appears as DEGRADED -export ZPOOL_VERSION_2brokenmirror_FILES="zfs-broken-mirror1.dat \ +ZPOOL_VERSION_2brokenmirror_FILES="zfs-broken-mirror1.dat \ zfs-broken-mirror2.dat" -export ZPOOL_VERSION_2brokenmirror_NAME="zfs-broken-mirror" - - -# This pool is a v999 pool (an unknown version) which can be used to check -# whether upgrade, import or other tests that should fail against unknown -# pool versions should fail. It should not be listed in the CONFIGS -# variable below, as these are pool versions that can be imported and upgraded -export ZPOOL_VERSION_9999_FILES="zfs-pool-v999.dat" -export ZPOOL_VERSION_9999_NAME="v999-pool" +ZPOOL_VERSION_2brokenmirror_NAME="zfs-broken-mirror" +# v999 pool (an unknown version) which can be used to check whether upgrade, +# import or other tests that should fail against unknown pool version. +# It should not be listed in the CONFIGS variable below, as these are pool +# versions that can be imported and upgraded. +ZPOOL_VERSION_9999_FILES="zfs-pool-v999.dat" +ZPOOL_VERSION_9999_NAME="v999-pool" # This is a list of pool configurations we should be able to upgrade from, # each entry should have corresponding ZPOOL_VERSION_*_FILES and # ZPOOL_VERSION_*_NAME variables defined above. 
-export CONFIGS="1 1stripe 1raidz 1mirror \ +CONFIGS="1 1stripe 1raidz 1mirror \ 2 2stripe 2raidz 2mirror 2brokenmirror \ -3 3stripe 3raidz 3mirror 3dblraidz 3hotspare 4 5 6 7 8 9 10 11 12 13 14 15" +3 3stripe 3raidz 3mirror 3dblraidz 3hotspare \ +4 5 6 7 8 9 10 11 12 13 14 15" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib index afe8594467..dd505053fd 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib @@ -26,6 +26,7 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # . $STF_SUITE/include/libtest.shlib @@ -41,24 +42,22 @@ # $1 a version number we can use to get information about the pool function create_old_pool { - VERSION=$1 - POOL_FILES=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_FILES) - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_NAME) + typeset vers=$1 + typeset -n pool_files=ZPOOL_VERSION_${vers}_FILES + typeset -n pool_name=ZPOOL_VERSION_${vers}_NAME - log_note "Creating $POOL_NAME from $POOL_FILES" - for pool_file in $POOL_FILES; do + log_note "Creating $pool_name from $pool_files" + for pool_file in $pool_files; do log_must $BZCAT \ $STF_SUITE/tests/functional/cli_root/zpool_upgrade/blockfiles/$pool_file.bz2 \ >/$TESTPOOL/$pool_file done - log_must $ZPOOL import -d /$TESTPOOL $POOL_NAME - - # Now put some random contents into the pool. - COUNT=0 - while [ $COUNT -lt 1024 ]; do - $DD if=/dev/urandom of=/$POOL_NAME/random.$COUNT \ - count=1 bs=1024 > /dev/null 2>&1 - COUNT=$(( $COUNT + 1 )) + log_must $ZPOOL import -d /$TESTPOOL $pool_name + + # Put some random contents into the pool + for i in {1..1024} ; do + $DD if=/dev/urandom of=/$pool_name/random.$i \ + count=1 bs=1024 > /dev/null 2>&1 done } 
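Review bot: With `typeset -n pool_files=ZPOOL_VERSION_${vers}_FILES`, an unknown version argument resolves to an unset variable, the file loop does nothing and the failure only surfaces at `zpool import` with a message that does not name the bad input; the previous `eval` lookup had the same gap, so the rewrite is a good moment to close it. A guard right after the namerefs, `[[ -n $pool_name ]] || log_fail "unknown pool version: $vers"`, keeps the error at its source. create_old_pool's closing brace is the last line of this hunk.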
@@ -68,35 +67,37 @@ function create_old_pool # not using "zpool status -x" to see if the pool is healthy, as it's possible # to also upgrade faulted, or degraded pools. # $1 a version number we can use to get information about the pool -function check_upgrade { - VERSION=$1 - POOL_FILES=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_FILES) - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_NAME) +function check_upgrade +{ + typeset vers=$1 + typeset -n pool_files=ZPOOL_VERSION_${vers}_FILES + typeset -n pool_name=ZPOOL_VERSION_${vers}_NAME + typeset pre_upgrade_checksum + typeset post_upgrade_checksum - log_note "Checking if we can upgrade from ZFS version ${VERSION}." - PRE_UPGRADE_CHECKSUM=$(check_pool $POOL_NAME pre ) - log_must $ZPOOL upgrade $POOL_NAME > /dev/null - POST_UPGRADE_CHECKSUM=$(check_pool $POOL_NAME post ) + log_note "Checking if we can upgrade from ZFS version $vers" + pre_upgrade_checksum=$(check_pool $pool_name pre) + log_must $ZPOOL upgrade $pool_name + post_upgrade_checksum=$(check_pool $pool_name post) log_note "Checking that there are no differences between checksum output" - log_must $DIFF $PRE_UPGRADE_CHECKSUM $POST_UPGRADE_CHECKSUM - $RM $PRE_UPGRADE_CHECKSUM $POST_UPGRADE_CHECKSUM + log_must $DIFF $pre_upgrade_checksum $post_upgrade_checksum + $RM $pre_upgrade_checksum $post_upgrade_checksum } # A function to destroy an upgraded pool, plus the files it was based on. 
# $1 a version number we can use to get information about the pool -function destroy_upgraded_pool { - VERSION=$1 - POOL_FILES=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_FILES) - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${VERSION}_NAME) +function destroy_upgraded_pool +{ + typeset vers=$1 + typeset -n pool_files=ZPOOL_VERSION_${vers}_FILES + typeset -n pool_name=ZPOOL_VERSION_${vers}_NAME - if poolexists $POOL_NAME; then - log_must $ZPOOL destroy $POOL_NAME + if poolexists $pool_name; then + log_must $ZPOOL destroy $pool_name fi - for file in $POOL_FILES; do - if [ -e /$TESTPOOL/$file ]; then - $RM /$TESTPOOL/$file - fi + for file in $pool_files; do + $RM -f /$TESTPOOL/$file done } 
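Review bot: check_upgrade declares `typeset -n pool_files=ZPOOL_VERSION_${vers}_FILES` but never reads pool_files, so that nameref is dead and should be dropped; destroy_upgraded_pool, lower in the hunk, is the only function here that iterates the file list. Separately, the two checksum files produced by check_pool are removed only after `log_must $DIFF` succeeds; on a mismatch log_must terminates the test and nothing in the visible cleanup path removes `/$TESTPOOL/pool-checksums.$pool_name.pre` and `.post`. Adding `$RM -f /$TESTPOOL/pool-checksums.$pool_name.*` to destroy_upgraded_pool, which the tests already register for cleanup, would keep a failed run from leaving stale files.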
@@ -106,37 +107,36 @@ function destroy_upgraded_pool { # $1 the name of the pool # $2 a flag we can use to determine when this check is being performed # (ie. pre or post pool-upgrade) -function check_pool { # pool state - POOL=$1 - STATE=$2 - $FIND /$POOL -type f -exec $CKSUM {} + > \ - /$TESTPOOL/pool-checksums.$POOL.$STATE - echo /$TESTPOOL/pool-checksums.$POOL.$STATE +function check_pool +{ + typeset pool=$1 + typeset flag=$2 + $FIND /$pool -type f -exec $CKSUM {} + > \ + /$TESTPOOL/pool-checksums.$pool.$flag + echo /$TESTPOOL/pool-checksums.$pool.$flag } # This function simply checks that a pool has a particular version number # as reported by zdb and zpool upgrade -v # $1 the name of the pool # $2 the version of the pool we expect to see -function check_poolversion { # pool version - - POOL=$1 - VERSION=$2 +function check_poolversion +{ + typeset pool=$1 + typeset vers=$2 + typeset actual # check version using zdb - ACTUAL=$($ZDB -C $POOL | $SED -n 's/version: \(.*\)$/\1/p') - - if [ $ACTUAL != $VERSION ] - then - log_fail "$POOL not upgraded, ver. $ACTUAL, expected $VERSION" + actual=$($ZDB -C $pool | $SED -n 's/^.*version: \(.*\)$/\1/p') + if [[ $actual != $vers ]] ; then + log_fail "$pool: zdb reported version $actual, expected $vers" fi # check version using zpool upgrade - ACTUAL=$($ZPOOL upgrade | $GREP $POOL$ | \ - $AWK '{print $1}' | $SED -e 's/ //g') - if [ $ACTUAL != $VERSION ] - then - log_fail "$POOL reported version $ACTUAL, expected $VERSION" + actual=$($ZPOOL upgrade | $GREP $pool$ | \ + $AWK '{print $1}' | $SED -e 's/ //g') + if [[ $actual != $vers ]] ; then + log_fail "$pool: zpool reported version $actual, expected $vers" fi } 
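Review bot: In check_poolversion the lookup `$ZPOOL upgrade | $GREP $pool$ | $AWK '{print $1}' | $SED -e 's/ //g'` matches any line that merely ends with the pool name, so a pool whose name is a suffix of another pool's name (say `pool` and `mypool`) can pick up the wrong line, and the trailing `sed` is redundant because awk's `$1` never contains spaces. If the pool name is the last field of that output, as the pipeline already assumes, a single exact-field match is tighter: `actual=$($ZPOOL upgrade | $AWK -v pool="$pool" '$NF == pool { print $1 }')`. The zdb path has a similar exposure: `$SED -n 's/^.*version: \(.*\)$/\1/p'` prints every line containing `version:`, and should zdb ever emit more than one, `actual` becomes multi-line and the comparison fails with a confusing message, so taking only the first match (for instance by appending `| $HEAD -1`, if the suite defines it) would be more robust. check_pool, above it in the hunk, feeds `find` output straight into the diff; piping it through `$SORT` would make the pre/post comparison independent of directory traversal order.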
@@ -146,17 +146,15 @@ function check_poolversion { # pool version # can accept as the upper bound. # $1 lower bound # $2 upper bound -function random { # min max - - typeset MIN=$1 - typeset MAX=$2 - typeset RAND=0 +function random +{ + typeset min=$1 + typeset max=$2 + typeset rand=0 - while [ $RAND -lt $MIN ] - do - RAND=$(( $RANDOM % $MAX + 1)) + while [[ $rand -lt $min ]] ; do + rand=$(( $RANDOM % $max + 1)) done - echo $RAND + echo $rand } - diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_001_pos.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_001_pos.ksh index e727eef5a9..aa4750f4c7 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_001_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_001_pos.ksh @@ -27,10 +27,10 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib -. $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg +. $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # # DESCRIPTION: @@ -45,7 +45,7 @@ verify_runnable "global" -log_assert "Executing 'zpool upgrade -v' command succeeds." +log_assert "Executing 'zpool upgrade -v' command succeeds" log_must $ZPOOL upgrade -v @@ -63,9 +63,9 @@ $ZPOOL upgrade -v > /tmp/zpool-versions.$$ # 10 Cache devices # for version in {1..28}; do - log_note "Checking for a description of pool version $version." + log_note "Checking for a description of pool version $version" log_must eval "$AWK '/^ $version / { print $1 }' /tmp/zpool-versions.$$ | $GREP $version" done $RM /tmp/zpool-versions.$$ -log_pass "Executing 'zpool upgrade -v' command succeeds." +log_pass "Executing 'zpool upgrade -v' command succeeds" 
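Review bot: random still loops until `$RANDOM % max + 1` happens to land at or above min, so a call with min greater than max never terminates and the expected iteration count grows as min approaches max; the only visible caller, zpool_upgrade_008_pos, passes `$ver_old $MAX_VER` with ver_old never above MAX_VER, so the hang is latent today. A direct computation removes both problems while keeping the interface and the inclusive [min, max] range: `(( min <= max )) || log_fail "random: min $min exceeds max $max"` followed by `echo $(( min + $RANDOM % (max - min + 1) ))`. The context comment above the function describes the bounds; it would be worth stating there that both are inclusive.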
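Review bot: In zpool_upgrade_001_pos the check `log_must eval "$AWK '/^ $version / { print $1 }' /tmp/zpool-versions.$$ | $GREP $version"` places the awk program inside a double-quoted string, so `$1` is expanded by the shell (to the script's own first positional parameter, normally empty) before awk sees it; awk then runs a bare `print`, emits the whole line, and `$GREP $version` matches that, so the assertion passes without ever inspecting the first column. Writing it as `{ print \$1 }` makes the test check what its comment says; this is a context line the commit did not touch, but it is worth fixing while the file is being reworked. `/tmp/zpool-versions.$$` is also a predictable name in a world-writable directory; using the suite's own scratch location (or `$MKTEMP`, if the suite provides it) would avoid a symlink race against a test that runs with global-zone privileges.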
diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_002_pos.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_002_pos.ksh index aaaa54d4d9..a8b55d6fc5 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_002_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_002_pos.ksh @@ -24,9 +24,11 @@ # Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # + +# +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # @@ -45,15 +47,13 @@ function cleanup destroy_upgraded_pool $config } -log_assert "Import pools of all versions - zpool upgrade on each pools works" +log_assert "Import pools of all versions - zpool upgrade on each pool works" log_onexit cleanup -# $CONFIGS gets set in the .cfg script -for config in $CONFIGS -do +for config in $CONFIGS; do create_old_pool $config check_upgrade $config destroy_upgraded_pool $config done -log_pass "Import pools of all versions - zpool upgrade on each pools works" +log_pass "Import pools of all versions - zpool upgrade on each pool works" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_003_pos.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_003_pos.ksh index 32d352d447..dcd657ecc0 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_003_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_003_pos.ksh 
@@ -24,9 +24,11 @@ # Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # + +# +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # @@ -45,13 +47,13 @@ function cleanup destroy_upgraded_pool 1 } -log_assert "Upgrading a pool that has already been upgraded succeeds." +log_assert "Upgrading a pool that has already been upgraded succeeds" log_onexit cleanup -# we just create a version 1 pool here +# Create a version 1 pool create_old_pool 1 check_upgrade 1 check_upgrade 1 destroy_upgraded_pool 1 -log_pass "Upgrading a pool that has already been upgraded succeeds." +log_pass "Upgrading a pool that has already been upgraded succeeds" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_004_pos.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_004_pos.ksh index 961935f036..c859fa628e 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_004_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_004_pos.ksh @@ -27,9 +27,9 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # @@ -45,7 +45,7 @@ verify_runnable "global" function cleanup { - for config in $CONFIGS ; do + for config in $CONFIGS; do destroy_upgraded_pool $config done } 
@@ -55,15 +55,12 @@ log_onexit cleanup TEST_POOLS= # Now build all of our pools -for config in $CONFIGS -do - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${config}_NAME) +for config in $CONFIGS; do + typeset -n pool_name=ZPOOL_VERSION_${config}_NAME - TEST_POOLS="$TEST_POOLS $POOL_NAME" + TEST_POOLS="$TEST_POOLS $pool_name" create_old_pool $config - # a side effect of the check_pool here, is that we get a checksum written - # called /$TESTPOOL/pool-checksums.$POOL.pre - check_pool $POOL_NAME pre > /dev/null + check_pool $pool_name pre > /dev/null done # upgrade them all at once @@ -72,18 +69,14 @@ log_must $ZPOOL upgrade -a unset __ZFS_POOL_RESTRICT # verify their contents then destroy them -for config in $CONFIGS -do - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${config}_NAME) +for config in $CONFIGS ; do + typeset -n pool_name=ZPOOL_VERSION_${config}_NAME - check_pool $POOL_NAME post > /dev/null - - # a side effect of the check_pool here, is that we get a checksum written - # called /$TESTPOOL/pool-checksums.$POOL_NAME.post - log_must $DIFF /$TESTPOOL/pool-checksums.$POOL_NAME.pre \ - /$TESTPOOL/pool-checksums.$POOL_NAME.post - - $RM /$TESTPOOL/pool-checksums.$POOL_NAME.pre /$TESTPOOL/pool-checksums.$POOL_NAME.post + check_pool $pool_name post > /dev/null + log_must $DIFF /$TESTPOOL/pool-checksums.$pool_name.pre \ + /$TESTPOOL/pool-checksums.$pool_name.post + $RM /$TESTPOOL/pool-checksums.$pool_name.pre \ + /$TESTPOOL/pool-checksums.$pool_name.post destroy_upgraded_pool $config done diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_005_neg.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_005_neg.ksh index 63432f158e..ecd9ea413a 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_005_neg.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_005_neg.ksh 
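Review bot: The first loop in zpool_upgrade_004_pos now calls `check_pool $pool_name pre > /dev/null` with no explanation, after the commit removed the comment that said the call is made only for its side effect; the second loop depends on the file that side effect creates, `/$TESTPOOL/pool-checksums.$pool_name.pre`, so the dependency is now invisible to a reader of the first loop. Keep a one-line note above the call: `# check_pool is run for its side effect: it writes /$TESTPOOL/pool-checksums.$pool_name.pre, which the post-upgrade loop diffs against`. In the second loop the `$RM` of the two checksum files is reached only if `log_must $DIFF` passes, so a failing comparison leaves them behind; an `$RM -f /$TESTPOOL/pool-checksums.*` in cleanup would remove them on a failed run as well.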
@@ -27,10 +27,10 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib -. $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg +. $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # # DESCRIPTION: @@ -43,19 +43,12 @@ verify_runnable "global" -set -A args "/tmp" "-?" "-va" "-v fakepool" "-a fakepool" +log_assert "Variations of upgrade -v print usage message," \ + "return with non-zero status" -log_assert "Variations of upgrade -v print usage message, \ - return with non-zero status" - -typeset -i i=0 - -while [[ $i -lt ${#args[*]} ]]; do - - log_mustnot $ZPOOL upgrade ${args[$i]} > /dev/null - - (( i = i + 1 )) +for arg in "/tmp" "-?" "-va" "-v fakepool" "-a fakepool" ; do + log_mustnot $ZPOOL upgrade $arg done -log_pass "Variations of upgrade -v print usage message, \ - return with non-zero status" +log_pass "Variations of upgrade -v print usage message," \ + "return with non-zero status" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_006_neg.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_006_neg.ksh index af2963585d..97b5df6d3b 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_006_neg.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_006_neg.ksh 
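Review bot: The rewritten loop in zpool_upgrade_005_neg expands `$arg` unquoted so that `"-v fakepool"` splits into two words, but that also subjects `-?` to pathname expansion: a file with a two-character name beginning with `-` in the current directory would replace the pattern, and the test would then exercise a different argument than intended. Disabling globbing around the loop keeps the word splitting and removes the exposure: `set -o noglob` before the `for` and `set +o noglob` after `done`. The original array form had the same exposure; the point is that the loop's outcome should not depend on the contents of the working directory.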
@@ -27,34 +27,31 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib -. $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.cfg +. $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # # DESCRIPTION: # Attempting to upgrade a non-existent pool will return an error # # STRATEGY: -# 1. Verify a pool doesn't exist, then try to upgrade it -# 2. Verify a 0 exit status +# 1. Compose non-existent pool name, try to upgrade it +# 2. Verify non-zero exit status # log_assert "Attempting to upgrade a non-existent pool will return an error" + NO_POOL=notapool -FOUND="" - -while [ -z "$FOUND" ] -do - $ZPOOL list $NO_POOL 2>&1 > /dev/null - if [ $? -ne 0 ] - then - FOUND="true" - log_mustnot $ZPOOL upgrade $NO_POOL - else - NO_POOL="${NO_POOL}x" - fi + +while true ; do + if poolexists $NO_POOL ; then + NO_POOL="${NO_POOL}x" + else + log_mustnot $ZPOOL upgrade $NO_POOL + break + fi done log_pass "Attempting to upgrade a non-existent pool will return an error" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_007_pos.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_007_pos.ksh index da7f2718a6..94355200d5 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_007_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_007_pos.ksh @@ -27,9 +27,9 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib . $STF_SUITE/tests/functional/cli_root/zfs_upgrade/zfs_upgrade.kshlib 
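Review bot: The `while true` loop in zpool_upgrade_006_neg hides its real condition inside an if/else with a `break`; the same search reads more directly as a loop over the condition itself: `while poolexists $NO_POOL; do`, `NO_POOL="${NO_POOL}x"`, `done`, followed by a single `log_mustnot $ZPOOL upgrade $NO_POOL` after the loop. NO_POOL could also be declared with `typeset NO_POOL=notapool`, matching the declare-everything style the rest of this commit adopts in the sibling scripts.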
@@ -53,17 +53,16 @@ function cleanup destroy_upgraded_pool $config } -log_assert "Import pools of all versions - 'zfs upgrade' on each pools works" +log_assert "Import pools of all versions - 'zfs upgrade' on each pool works" log_onexit cleanup # $CONFIGS gets set in the .cfg script -for config in $CONFIGS -do - create_old_pool $config - POOL_NAME=$(eval $ECHO \$ZPOOL_VERSION_${config}_NAME) +for config in $CONFIGS; do + typeset -n pool_name=ZPOOL_VERSION_${config}_NAME - default_check_zfs_upgrade $pool + create_old_pool $config + default_check_zfs_upgrade $pool_name destroy_upgraded_pool $config done -log_pass "Import pools of all versions - 'zfs upgrade' on each pools works" +log_pass "Import pools of all versions - 'zfs upgrade' on each pool works" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_008_pos.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_008_pos.ksh index 45dc8f784e..bd1934e7d7 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_008_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_008_pos.ksh @@ -27,15 +27,15 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # # DESCRIPTION: # -# Zpool upgrade should be able to upgrade pools to a given version using -V +# zpool upgrade should be able to upgrade pools to a given version using -V # # STRATEGY: # 1. For all versions pools that can be upgraded on a given OS version 
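Review bot: zpool_upgrade_007_pos keeps the context line `# $CONFIGS gets set in the .cfg script` although the script now sources only zpool_upgrade.kshlib, and the parallel hunk in zpool_upgrade_002_pos deleted the identical comment; the two files should agree. Either remove it here too or, if zpool_upgrade.kshlib sources zpool_upgrade.cfg (not visible in this diff), make the comment say so: `# $CONFIGS comes from zpool_upgrade.cfg, sourced via zpool_upgrade.kshlib`.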
@@ -50,30 +50,30 @@ verify_runnable "global" function cleanup { - destroy_upgraded_pool $config + destroy_upgraded_pool $ver_old } -log_assert \ - "Zpool upgrade should be able to upgrade pools to a given version using -V" +log_assert "zpool upgrade should be able to upgrade pools to a given version" \ + "using -V" log_onexit cleanup # We're just using the single disk version of the pool, which should be # enough to determine if upgrade works correctly. Also set a MAX_VER # variable, which specifies the highest version that we should expect -# a zpool upgrade operation to succeed from. (latest version - 1) -CONFIGS="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15" +# a zpool upgrade operation to succeed from. +VERSIONS="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15" MAX_VER=15 -for config in $CONFIGS -do - create_old_pool $config - pool=$(eval $ECHO \$ZPOOL_VERSION_${config}_NAME) - NEXT=$(random $config $MAX_VER) - log_must $ZPOOL upgrade -V $NEXT $pool - check_poolversion $pool $NEXT - destroy_upgraded_pool $config +for ver_old in $VERSIONS; do + typeset -n pool_name=ZPOOL_VERSION_${ver_old}_NAME + typeset ver_new=$(random $ver_old $MAX_VER) + + create_old_pool $ver_old + log_must $ZPOOL upgrade -V $ver_new $pool_name > /dev/null + check_poolversion $pool_name $ver_new + destroy_upgraded_pool $ver_old done -log_pass "zpool upgrade should be able to upgrade pools to a given version " \ +log_pass "zpool upgrade should be able to upgrade pools to a given version" \ "using -V" diff --git a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_009_neg.ksh b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_009_neg.ksh index bb304c0560..56967a4ba9 100644 --- a/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_009_neg.ksh +++ b/usr/src/test/zfs-tests/tests/functional/cli_root/zpool_upgrade/zpool_upgrade_009_neg.ksh 
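Review bot: In zpool_upgrade_008_pos the target version is drawn with `random $ver_old $MAX_VER`, whose result can equal ver_old, and for ver_old=15 it always does, so those iterations run `zpool upgrade -V` to the version the pool already has and check_poolversion then passes trivially rather than proving an upgrade happened. If an actual version change is the intent, add `(( ver_old < MAX_VER )) || continue` before the draw and use `typeset ver_new=$(random $((ver_old + 1)) $MAX_VER)`; if a same-version upgrade is meant to be covered, a comment saying so would stop the next reader from wondering. Note that `typeset ver_new=$(...)` also masks random's exit status, which is harmless as long as random never fails.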
@@ -27,15 +27,15 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2015 Nexenta Systems, Inc. All rights reserved. # -. $STF_SUITE/include/libtest.shlib . $STF_SUITE/tests/functional/cli_root/zpool_upgrade/zpool_upgrade.kshlib # # DESCRIPTION: # -# Zpool upgrade -V shouldn't be able to upgrade a pool to an unknown version +# zpool upgrade -V shouldn't be able to upgrade a pool to an unknown version # # STRATEGY: # 1. Take an existing pool @@ -50,21 +50,17 @@ function cleanup destroy_upgraded_pool $config } -log_assert \ -"Zpool upgrade -V shouldn't be able to upgrade a pool to an unknown version" +log_assert "zpool upgrade -V shouldn't be able to upgrade a pool to" \ + "unknown version" -# Create a version 2 pool typeset -i config=2 -create_old_pool $config -pool=$(eval $ECHO \$ZPOOL_VERSION_${config}_NAME) +typeset -n pool_name=ZPOOL_VERSION_${config}_NAME -# Attempt to upgrade it -log_mustnot $ZPOOL upgrade -V 999 $pool +create_old_pool $config +log_mustnot $ZPOOL upgrade -V 999 $pool_name log_mustnot $ZPOOL upgrade -V 999 - -# Verify we're still on the old version -check_poolversion $pool $config +check_poolversion $pool_name $config destroy_upgraded_pool $config -log_pass \ - "Zpool upgrade -V shouldn't be able to upgrade a pool to an unknown version" +log_pass "zpool upgrade -V shouldn't be able to upgrade a pool to" \ + "unknown version" diff --git a/usr/src/uts/common/fs/zfs/dsl_scan.c b/usr/src/uts/common/fs/zfs/dsl_scan.c index fb4efa55a6..bab70055cb 100644 --- a/usr/src/uts/common/fs/zfs/dsl_scan.c +++ b/usr/src/uts/common/fs/zfs/dsl_scan.c 
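Review bot: The rewrite of zpool_upgrade_009_neg drops the three comments that explained the test's shape, and the one above `check_poolversion $pool_name $config` carried the actual assertion: that the pool is still at its original version after both failed `-V 999` attempts. Keep that one, e.g. `# Both failed attempts must have left the pool at its original version`. The second `log_mustnot $ZPOOL upgrade -V 999` has no pool operand, so the exit status alone cannot tell whether it failed because 999 is unknown or because the operand is missing; a short comment stating which failure is expected would make the intent explicit.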
@@ -819,7 +819,16 @@ dsl_scan_ds_destroyed(dsl_dataset_t *ds, dmu_tx_t *tx) if (scn->scn_phys.scn_bookmark.zb_objset == ds->ds_object) { if (ds->ds_is_snapshot) { - /* Note, scn_cur_{min,max}_txg stays the same. */ + /* + * Note: + * - scn_cur_{min,max}_txg stays the same. + * - Setting the flag is not really necessary if + * scn_cur_max_txg == scn_max_txg, because there + * is nothing after this snapshot that we care + * about. However, we set it anyway and then + * ignore it when we retraverse it in + * dsl_scan_visitds(). + */ scn->scn_phys.scn_bookmark.zb_objset = dsl_dataset_phys(ds)->ds_next_snap_obj; zfs_dbgmsg("destroying ds %llu; currently traversing; " @@ -859,9 +868,6 @@ dsl_scan_ds_destroyed(dsl_dataset_t *ds, dmu_tx_t *tx) zfs_dbgmsg("destroying ds %llu; in queue; removing", (u_longlong_t)ds->ds_object); } - } else { - zfs_dbgmsg("destroying ds %llu; ignoring", - (u_longlong_t)ds->ds_object); } /* 
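Review bot: The new comment in dsl_scan_ds_destroyed says "Setting the flag is not really necessary" without naming the flag, and the assignment it refers to is presumably just below, outside this hunk, so a reader of the comment alone cannot tell which scn_phys field is meant; name the field in the comment. The comment also says the flag is "ignore[d] when we retraverse it in dsl_scan_visitds()", but the skip this same commit adds to dsl_scan_visitds keys on `scn_cur_min_txg >= scn_max_txg`, not on the flag; wording it as "dsl_scan_visitds() skips the dataset when scn_cur_min_txg >= scn_max_txg" matches the code. dsl_scan_ds_destroyed continues beyond this hunk.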
@@ -1014,6 +1020,46 @@ dsl_scan_visitds(dsl_scan_t *scn, uint64_t dsobj, dmu_tx_t *tx) VERIFY3U(0, ==, dsl_dataset_hold_obj(dp, dsobj, FTAG, &ds)); + if (scn->scn_phys.scn_cur_min_txg >= + scn->scn_phys.scn_max_txg) { + /* + * This can happen if this snapshot was created after the + * scan started, and we already completed a previous snapshot + * that was created after the scan started. This snapshot + * only references blocks with: + * + * birth < our ds_creation_txg + * cur_min_txg is no less than ds_creation_txg. + * We have already visited these blocks. + * or + * birth > scn_max_txg + * The scan requested not to visit these blocks. + * + * Subsequent snapshots (and clones) can reference our + * blocks, or blocks with even higher birth times. + * Therefore we do not need to visit them either, + * so we do not add them to the work queue. + * + * Note that checking for cur_min_txg >= cur_max_txg + * is not sufficient, because in that case we may need to + * visit subsequent snapshots. This happens when min_txg > 0, + * which raises cur_min_txg. In this case we will visit + * this dataset but skip all of its blocks, because the + * rootbp's birth time is < cur_min_txg. Then we will + * add the next snapshots/clones to the work queue. + */ + char *dsname = kmem_alloc(MAXNAMELEN, KM_SLEEP); + dsl_dataset_name(ds, dsname); + zfs_dbgmsg("scanning dataset %llu (%s) is unnecessary because " + "cur_min_txg (%llu) >= max_txg (%llu)", + dsobj, dsname, + scn->scn_phys.scn_cur_min_txg, + scn->scn_phys.scn_max_txg); + kmem_free(dsname, MAXNAMELEN); + + goto out; + } + if (dmu_objset_from_ds(ds, &os)) goto out; |
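Review bot: The `zfs_dbgmsg` added to dsl_scan_visitds passes `dsobj`, `scn->scn_phys.scn_cur_min_txg` and `scn->scn_phys.scn_max_txg` to `%llu` without the `(u_longlong_t)` casts that the other zfs_dbgmsg calls in this file apply to uint64_t arguments (see `(u_longlong_t)ds->ds_object` in dsl_scan_ds_destroyed above); on the LP64 kernel uint64_t is `unsigned long`, so the variadic argument type does not match the conversion and lint/format checkers will flag it. Make the call consistent: `(u_longlong_t)dsobj, dsname,`, `(u_longlong_t)scn->scn_phys.scn_cur_min_txg,`, `(u_longlong_t)scn->scn_phys.scn_max_txg);`. The early `goto out` relies on the `out:` label releasing the hold taken by the VERIFY3U above; that label, and the rest of dsl_scan_visitds, lie outside this hunk.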