#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
258823STruong.Q.Nguyen@Sun.COM# 268823STruong.Q.Nguyen@Sun.COM 278823STruong.Q.Nguyen@Sun.COMETC_IPF_DIR=/etc/ipf 288823STruong.Q.Nguyen@Sun.COMIP6FILCONF=$ETC_IPF_DIR/ipf6.conf 298823STruong.Q.Nguyen@Sun.COMIPNATCONF=$ETC_IPF_DIR/ipnat.conf 308823STruong.Q.Nguyen@Sun.COMIPPOOLCONF=$ETC_IPF_DIR/ippool.conf 318823STruong.Q.Nguyen@Sun.COMVAR_IPF_DIR=/var/tmp/ipf 328823STruong.Q.Nguyen@Sun.COMIPFILCONF=$VAR_IPF_DIR/ipf.conf 338823STruong.Q.Nguyen@Sun.COMIPFILOVRCONF=$VAR_IPF_DIR/ipf_ovr.conf 348823STruong.Q.Nguyen@Sun.COMIPF_LOCK=/var/run/ipflock 358823STruong.Q.Nguyen@Sun.COMCONF_FILES="" 368823STruong.Q.Nguyen@Sun.COMNAT_FILES="" 378823STruong.Q.Nguyen@Sun.COMIPF_SUFFIX=".ipf" 388823STruong.Q.Nguyen@Sun.COMNAT_SUFFIX=".nat" 398823STruong.Q.Nguyen@Sun.COM 408823STruong.Q.Nguyen@Sun.COM# version for configuration upgrades 418823STruong.Q.Nguyen@Sun.COMCURRENT_VERSION=1 428823STruong.Q.Nguyen@Sun.COM 438823STruong.Q.Nguyen@Sun.COMIPF_FMRI="svc:/network/ipfilter:default" 448823STruong.Q.Nguyen@Sun.COMINETDFMRI="svc:/network/inetd:default" 458823STruong.Q.Nguyen@Sun.COMRPCBINDFMRI="svc:/network/rpc/bind:default" 468823STruong.Q.Nguyen@Sun.COM 478823STruong.Q.Nguyen@Sun.COMSMF_ONLINE="online" 488823STruong.Q.Nguyen@Sun.COMSMF_MAINT="maintenance" 498823STruong.Q.Nguyen@Sun.COMSMF_NONE="none" 508823STruong.Q.Nguyen@Sun.COM 518823STruong.Q.Nguyen@Sun.COMFW_CONTEXT_PG="firewall_context" 528823STruong.Q.Nguyen@Sun.COMMETHOD_PROP="ipf_method" 538823STruong.Q.Nguyen@Sun.COM 548823STruong.Q.Nguyen@Sun.COMFW_CONFIG_PG="firewall_config" 558823STruong.Q.Nguyen@Sun.COMPOLICY_PROP="policy" 568823STruong.Q.Nguyen@Sun.COMAPPLY2_PROP="apply_to" 578823STruong.Q.Nguyen@Sun.COMEXCEPTIONS_PROP="exceptions" 588823STruong.Q.Nguyen@Sun.COM 598823STruong.Q.Nguyen@Sun.COMFW_CONFIG_DEF_PG="firewall_config_default" 608823STruong.Q.Nguyen@Sun.COMFW_CONFIG_OVR_PG="firewall_config_override" 618823STruong.Q.Nguyen@Sun.COMCUSTOM_FILE_PROP="custom_policy_file" 
628823STruong.Q.Nguyen@Sun.COMOPEN_PORTS_PROP="open_ports" 638823STruong.Q.Nguyen@Sun.COM 648823STruong.Q.Nguyen@Sun.COMPREFIX_HOST="host:" 658823STruong.Q.Nguyen@Sun.COMPREFIX_NET="network:" 668823STruong.Q.Nguyen@Sun.COMPREFIX_POOL="pool:" 678823STruong.Q.Nguyen@Sun.COMPREFIX_IF="if:" 688823STruong.Q.Nguyen@Sun.COM 698823STruong.Q.Nguyen@Sun.COMSERVINFO=/usr/lib/servinfo 708823STruong.Q.Nguyen@Sun.COM 718823STruong.Q.Nguyen@Sun.COM# 728823STruong.Q.Nguyen@Sun.COM# Given a service, gets its config pg name 738823STruong.Q.Nguyen@Sun.COM# 748823STruong.Q.Nguyen@Sun.COMget_config_pg() 758823STruong.Q.Nguyen@Sun.COM{ 768823STruong.Q.Nguyen@Sun.COM if [ "$1" = "$IPF_FMRI" ]; then 778823STruong.Q.Nguyen@Sun.COM echo "$FW_CONFIG_DEF_PG" 788823STruong.Q.Nguyen@Sun.COM else 798823STruong.Q.Nguyen@Sun.COM echo "$FW_CONFIG_PG" 808823STruong.Q.Nguyen@Sun.COM fi 818823STruong.Q.Nguyen@Sun.COM return 0 828823STruong.Q.Nguyen@Sun.COM} 838823STruong.Q.Nguyen@Sun.COM 848823STruong.Q.Nguyen@Sun.COM# 858823STruong.Q.Nguyen@Sun.COM# Given a service, gets its firewall policy 868823STruong.Q.Nguyen@Sun.COM# 878823STruong.Q.Nguyen@Sun.COMget_policy() 888823STruong.Q.Nguyen@Sun.COM{ 898823STruong.Q.Nguyen@Sun.COM config_pg=`get_config_pg $1` 908823STruong.Q.Nguyen@Sun.COM svcprop -p $config_pg/${POLICY_PROP} $1 2>/dev/null 918823STruong.Q.Nguyen@Sun.COM} 928823STruong.Q.Nguyen@Sun.COM 938823STruong.Q.Nguyen@Sun.COMget_global_def_policy() 948823STruong.Q.Nguyen@Sun.COM{ 958823STruong.Q.Nguyen@Sun.COM svcprop -p ${FW_CONFIG_DEF_PG}/${POLICY_PROP} $IPF_FMRI 2>/dev/null 968823STruong.Q.Nguyen@Sun.COM} 978823STruong.Q.Nguyen@Sun.COM 988823STruong.Q.Nguyen@Sun.COM# 998823STruong.Q.Nguyen@Sun.COM# Given a service, gets its firewall policy 1008823STruong.Q.Nguyen@Sun.COM# 1018823STruong.Q.Nguyen@Sun.COMget_exceptions() 1028823STruong.Q.Nguyen@Sun.COM{ 1038823STruong.Q.Nguyen@Sun.COM config_pg=`get_config_pg $1` 1048823STruong.Q.Nguyen@Sun.COM svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 
2>/dev/null 1058823STruong.Q.Nguyen@Sun.COM} 1068823STruong.Q.Nguyen@Sun.COM 1078823STruong.Q.Nguyen@Sun.COM# 1088823STruong.Q.Nguyen@Sun.COM# Given a service, gets its firewall policy 1098823STruong.Q.Nguyen@Sun.COM# 1108823STruong.Q.Nguyen@Sun.COMget_apply2_list() 1118823STruong.Q.Nguyen@Sun.COM{ 1128823STruong.Q.Nguyen@Sun.COM config_pg=`get_config_pg $1` 1138823STruong.Q.Nguyen@Sun.COM svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null 1148823STruong.Q.Nguyen@Sun.COM} 1158823STruong.Q.Nguyen@Sun.COM 1168823STruong.Q.Nguyen@Sun.COMcheck_ipf_dir() 1178823STruong.Q.Nguyen@Sun.COM{ 1188823STruong.Q.Nguyen@Sun.COM [ -d $VAR_IPF_DIR ] && return 0 1198823STruong.Q.Nguyen@Sun.COM mkdir $VAR_IPF_DIR >/dev/null 2>&1 || return 1 1208823STruong.Q.Nguyen@Sun.COM} 1218823STruong.Q.Nguyen@Sun.COM 1228823STruong.Q.Nguyen@Sun.COM# 1238823STruong.Q.Nguyen@Sun.COM# fmri_to_file fmri suffix 1248823STruong.Q.Nguyen@Sun.COM# 1258823STruong.Q.Nguyen@Sun.COMfmri_to_file() 1268823STruong.Q.Nguyen@Sun.COM{ 1278823STruong.Q.Nguyen@Sun.COM check_ipf_dir || return 1 1288823STruong.Q.Nguyen@Sun.COM fprefix="${VAR_IPF_DIR}/`echo $1 | tr -s '/:' '__'`" 1298823STruong.Q.Nguyen@Sun.COM echo "${fprefix}${2}" 1308823STruong.Q.Nguyen@Sun.COM} 1318823STruong.Q.Nguyen@Sun.COM 1328823STruong.Q.Nguyen@Sun.COM# 1338823STruong.Q.Nguyen@Sun.COM# Return service's enabled property 1348823STruong.Q.Nguyen@Sun.COM# 1358823STruong.Q.Nguyen@Sun.COMservice_is_enabled() 1368823STruong.Q.Nguyen@Sun.COM{ 1378823STruong.Q.Nguyen@Sun.COM # 1388823STruong.Q.Nguyen@Sun.COM # Temporary enabled state overrides the persistent state 1398823STruong.Q.Nguyen@Sun.COM # so check it first. 
1408823STruong.Q.Nguyen@Sun.COM # 1418823STruong.Q.Nguyen@Sun.COM enabled_ovr=`svcprop -c -p general_ovr/enabled $1 2>/dev/null` 1428823STruong.Q.Nguyen@Sun.COM if [ -n "$enabled_ovr" ]; then 1438823STruong.Q.Nguyen@Sun.COM [ "$enabled_ovr" = "true" ] && return 0 || return 1 1448823STruong.Q.Nguyen@Sun.COM fi 1458823STruong.Q.Nguyen@Sun.COM 1468823STruong.Q.Nguyen@Sun.COM enabled=`svcprop -c -p general/enabled $1 2>/dev/null` 1478823STruong.Q.Nguyen@Sun.COM [ -n "$enabled" -a "$enabled" = "true" ] && return 0 || return 1 1488823STruong.Q.Nguyen@Sun.COM} 1498823STruong.Q.Nguyen@Sun.COM 1508823STruong.Q.Nguyen@Sun.COM# 1518823STruong.Q.Nguyen@Sun.COM# Return whether service is desired state 1528823STruong.Q.Nguyen@Sun.COM# 1538823STruong.Q.Nguyen@Sun.COM# Args: fmri state 1548823STruong.Q.Nguyen@Sun.COM# Return: 1558823STruong.Q.Nguyen@Sun.COM# 0 - desired state is service's current state 1568823STruong.Q.Nguyen@Sun.COM# 1 - desired state is not service's current state 1578823STruong.Q.Nguyen@Sun.COM# 1588823STruong.Q.Nguyen@Sun.COMservice_check_state() 1598823STruong.Q.Nguyen@Sun.COM{ 1608823STruong.Q.Nguyen@Sun.COM # 1618823STruong.Q.Nguyen@Sun.COM # Make sure we're done with ongoing state transition 1628823STruong.Q.Nguyen@Sun.COM # 1638823STruong.Q.Nguyen@Sun.COM while [ "`svcprop -p restarter/next_state $1`" != "$SMF_NONE" ]; do 1648823STruong.Q.Nguyen@Sun.COM sleep 1 1658823STruong.Q.Nguyen@Sun.COM done 1668823STruong.Q.Nguyen@Sun.COM 1678823STruong.Q.Nguyen@Sun.COM [ "`svcprop -p restarter/state $1`" = "$2" ] && return 0 || return 1 1688823STruong.Q.Nguyen@Sun.COM} 1698823STruong.Q.Nguyen@Sun.COM 1708823STruong.Q.Nguyen@Sun.COM# 1718823STruong.Q.Nguyen@Sun.COM# Deny/Allow list stores values in the form "host:addr", "network:addr/netmask", 1728823STruong.Q.Nguyen@Sun.COM# "pool:number", and "if:interface". This function returns the 1738823STruong.Q.Nguyen@Sun.COM# IP(addr or addr/netmask) value or a pool number. 
1748823STruong.Q.Nguyen@Sun.COM# 1758823STruong.Q.Nguyen@Sun.COMget_IP() 1768823STruong.Q.Nguyen@Sun.COM{ 1778823STruong.Q.Nguyen@Sun.COM value_is_interface $1 && return 1 1788823STruong.Q.Nguyen@Sun.COM echo "$1" | sed -n -e 's,^pool:\(.*\),pool/\1,p' \ 1798823STruong.Q.Nguyen@Sun.COM -e 's,^host:\(.*\),\1,p' \ 1808823STruong.Q.Nguyen@Sun.COM -e 's,^network:\(.*\),\1,p' 1818823STruong.Q.Nguyen@Sun.COM} 1828823STruong.Q.Nguyen@Sun.COM 1838823STruong.Q.Nguyen@Sun.COMget_interface() 1848823STruong.Q.Nguyen@Sun.COM{ 1858823STruong.Q.Nguyen@Sun.COM value_is_interface $1 || return 1 1868823STruong.Q.Nguyen@Sun.COM scratch=`echo "$1" | sed -e 's/^if://'` 1878823STruong.Q.Nguyen@Sun.COM 1888823STruong.Q.Nguyen@Sun.COM ifconfig $scratch >/dev/null 2>&1 || return 1 1898823STruong.Q.Nguyen@Sun.COM echo $scratch | sed -e 's/:.*//' 1908823STruong.Q.Nguyen@Sun.COM} 1918823STruong.Q.Nguyen@Sun.COM 1928823STruong.Q.Nguyen@Sun.COM# 1938823STruong.Q.Nguyen@Sun.COM# 1948823STruong.Q.Nguyen@Sun.COM# 1958823STruong.Q.Nguyen@Sun.COMvalue_is_interface() 1968823STruong.Q.Nguyen@Sun.COM{ 1978823STruong.Q.Nguyen@Sun.COM [ -z "$1" ] && return 1 1988823STruong.Q.Nguyen@Sun.COM echo $1 | grep "^if:" >/dev/null 2>&1 1998823STruong.Q.Nguyen@Sun.COM} 2008823STruong.Q.Nguyen@Sun.COM 2018823STruong.Q.Nguyen@Sun.COM# 2028823STruong.Q.Nguyen@Sun.COM# Remove rules in given file from active list without restarting ipfilter 2038823STruong.Q.Nguyen@Sun.COM# 2048823STruong.Q.Nguyen@Sun.COMremove_rules() 2058823STruong.Q.Nguyen@Sun.COM{ 2068823STruong.Q.Nguyen@Sun.COM [ -f "$1" ] && ipf -r -f $1 >/dev/null 2>&1 2078823STruong.Q.Nguyen@Sun.COM} 2088823STruong.Q.Nguyen@Sun.COM 2098823STruong.Q.Nguyen@Sun.COMremove_nat_rules() 2108823STruong.Q.Nguyen@Sun.COM{ 2118823STruong.Q.Nguyen@Sun.COM [ -f "$1" ] && ipnat -r -f $1 >/dev/null 2>&1 2128823STruong.Q.Nguyen@Sun.COM} 2138823STruong.Q.Nguyen@Sun.COM 2148823STruong.Q.Nguyen@Sun.COMcheck_ipf_syntax() 2158823STruong.Q.Nguyen@Sun.COM{ 
2168823STruong.Q.Nguyen@Sun.COM ipf -n -f $1 >/dev/null 2>&1 2178823STruong.Q.Nguyen@Sun.COM} 2188823STruong.Q.Nguyen@Sun.COM 2198823STruong.Q.Nguyen@Sun.COMcheck_nat_syntax() 2208823STruong.Q.Nguyen@Sun.COM{ 2218823STruong.Q.Nguyen@Sun.COM ipnat -n -f $1 >/dev/null 2>&1 2228823STruong.Q.Nguyen@Sun.COM} 2238823STruong.Q.Nguyen@Sun.COM 2248823STruong.Q.Nguyen@Sun.COMfile_get_ports() 2258823STruong.Q.Nguyen@Sun.COM{ 2268823STruong.Q.Nguyen@Sun.COM ipf -n -v -f $1 2>/dev/null | sed -n -e \ 2278823STruong.Q.Nguyen@Sun.COM 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \ 2288823STruong.Q.Nguyen@Sun.COM awk '{if (length($0) > 1) {printf("%s ", $1)}}' 2298823STruong.Q.Nguyen@Sun.COM} 2308823STruong.Q.Nguyen@Sun.COM 2318823STruong.Q.Nguyen@Sun.COMget_active_ports() 2328823STruong.Q.Nguyen@Sun.COM{ 2338823STruong.Q.Nguyen@Sun.COM ipfstat -io 2>/dev/null | sed -n -e \ 2348823STruong.Q.Nguyen@Sun.COM 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \ 2358823STruong.Q.Nguyen@Sun.COM awk '{if (length($0) > 1) {printf("%s ",$1)}}' 2368823STruong.Q.Nguyen@Sun.COM} 2378823STruong.Q.Nguyen@Sun.COM 2388823STruong.Q.Nguyen@Sun.COM# 2398823STruong.Q.Nguyen@Sun.COM# Given two list of ports, return failure if there's a duplicate. 2408823STruong.Q.Nguyen@Sun.COM# 2418823STruong.Q.Nguyen@Sun.COMsets_check_duplicate() 2428823STruong.Q.Nguyen@Sun.COM{ 2438823STruong.Q.Nguyen@Sun.COM # 2448823STruong.Q.Nguyen@Sun.COM # If either list is empty, there isn't any conflict. 
2458823STruong.Q.Nguyen@Sun.COM # 2468823STruong.Q.Nguyen@Sun.COM [ -z "$1" -o -z "$2" ] && return 0 2478823STruong.Q.Nguyen@Sun.COM 2488823STruong.Q.Nguyen@Sun.COM for p in $1; do 2498823STruong.Q.Nguyen@Sun.COM for ap in $2; do 2508823STruong.Q.Nguyen@Sun.COM [ "$p" = "$ap" ] && return 1 2518823STruong.Q.Nguyen@Sun.COM done 2528823STruong.Q.Nguyen@Sun.COM done 2538823STruong.Q.Nguyen@Sun.COM 2548823STruong.Q.Nguyen@Sun.COM return 0 2558823STruong.Q.Nguyen@Sun.COM} 2568823STruong.Q.Nguyen@Sun.COM 2578823STruong.Q.Nguyen@Sun.COM# 2588823STruong.Q.Nguyen@Sun.COM# Given a file containing ipf rules, check the syntax and verify 2598823STruong.Q.Nguyen@Sun.COM# the rules don't conflict, use same port number, with active 2608823STruong.Q.Nguyen@Sun.COM# rules (ipfstat -io output). 2618823STruong.Q.Nguyen@Sun.COM# 2628823STruong.Q.Nguyen@Sun.COMupdate_check_ipf_rules() 2638823STruong.Q.Nguyen@Sun.COM{ 2648823STruong.Q.Nguyen@Sun.COM check_ipf_syntax $1 || return 1 2658823STruong.Q.Nguyen@Sun.COM 2668823STruong.Q.Nguyen@Sun.COM lports=`file_get_ports $1` 2678823STruong.Q.Nguyen@Sun.COM lactive_ports=`get_active_ports` 2688823STruong.Q.Nguyen@Sun.COM 2698823STruong.Q.Nguyen@Sun.COM sets_check_duplicate "$lports" "$lactive_ports" || return 1 2708823STruong.Q.Nguyen@Sun.COM} 2718823STruong.Q.Nguyen@Sun.COM 2728823STruong.Q.Nguyen@Sun.COMserver_port_list="" 2738823STruong.Q.Nguyen@Sun.COM 2748823STruong.Q.Nguyen@Sun.COM# 2758823STruong.Q.Nguyen@Sun.COM# Given a file containing ipf rules, check the syntax and verify 2768823STruong.Q.Nguyen@Sun.COM# the rules don't conflict with already processed services. 2778823STruong.Q.Nguyen@Sun.COM# 2788823STruong.Q.Nguyen@Sun.COM# The list of processed services' ports are maintained in the global 2798823STruong.Q.Nguyen@Sun.COM# variable 'server_port_list'. 
2808823STruong.Q.Nguyen@Sun.COM# 2818823STruong.Q.Nguyen@Sun.COMcheck_ipf_rules() 2828823STruong.Q.Nguyen@Sun.COM{ 2838823STruong.Q.Nguyen@Sun.COM check_ipf_syntax $1 || return 1 2848823STruong.Q.Nguyen@Sun.COM 2858823STruong.Q.Nguyen@Sun.COM lports=`file_get_ports $1` 2868823STruong.Q.Nguyen@Sun.COM sets_check_duplicate "$lports" "$server_port_list" || return 1 2878823STruong.Q.Nguyen@Sun.COM server_port_list="$server_port_list $lports" 2888823STruong.Q.Nguyen@Sun.COM return 0 2898823STruong.Q.Nguyen@Sun.COM} 2908823STruong.Q.Nguyen@Sun.COM 2918823STruong.Q.Nguyen@Sun.COMprepend_new_rules() 2928823STruong.Q.Nguyen@Sun.COM{ 2938823STruong.Q.Nguyen@Sun.COM check_ipf_syntax $1 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \ 2948823STruong.Q.Nguyen@Sun.COM ipf -f - >/dev/null 2>&1 2958823STruong.Q.Nguyen@Sun.COM} 2968823STruong.Q.Nguyen@Sun.COM 2978823STruong.Q.Nguyen@Sun.COMappend_new_rules() 2988823STruong.Q.Nguyen@Sun.COM{ 2998823STruong.Q.Nguyen@Sun.COM check_ipf_syntax $1 && ipf -f $1 >/dev/null 2>&1 3008823STruong.Q.Nguyen@Sun.COM} 3018823STruong.Q.Nguyen@Sun.COM 3028823STruong.Q.Nguyen@Sun.COMappend_new_nat_rules() 3038823STruong.Q.Nguyen@Sun.COM{ 3048823STruong.Q.Nguyen@Sun.COM check_nat_syntax $1 && ipnat -f $1 >/dev/null 2>&1 3058823STruong.Q.Nguyen@Sun.COM} 3068823STruong.Q.Nguyen@Sun.COM 3078823STruong.Q.Nguyen@Sun.COM# 3088823STruong.Q.Nguyen@Sun.COM# get port information from string of the form "proto:{port | port-port}" 3098823STruong.Q.Nguyen@Sun.COM# 3108823STruong.Q.Nguyen@Sun.COMtuple_get_port() 3118823STruong.Q.Nguyen@Sun.COM{ 3128823STruong.Q.Nguyen@Sun.COM port_str=`echo "$1" | sed -e 's/ //g; s/.*://' 2>/dev/null` 3138823STruong.Q.Nguyen@Sun.COM [ -z "$port_str" ] && return 1 3148823STruong.Q.Nguyen@Sun.COM 3158823STruong.Q.Nguyen@Sun.COM echo $port_str | grep "-" >/dev/null 3168823STruong.Q.Nguyen@Sun.COM if [ $? 
-eq 0 ]; then 3178823STruong.Q.Nguyen@Sun.COM echo $port_str | grep '^[0-9]\{1,5\}-[0-9]\{1,5\}$' >/dev/null || \ 3188823STruong.Q.Nguyen@Sun.COM return 1 3198823STruong.Q.Nguyen@Sun.COM ports=`echo $port_str | ( IFS=- read a b ; \ 3208823STruong.Q.Nguyen@Sun.COM [ $a \-le $b ] && echo $a $b || echo $b $a )` 3218823STruong.Q.Nguyen@Sun.COM 3228823STruong.Q.Nguyen@Sun.COM for p in $ports; do 3238823STruong.Q.Nguyen@Sun.COM [ $p -gt 65535 ] && return 1 3248823STruong.Q.Nguyen@Sun.COM done 3258823STruong.Q.Nguyen@Sun.COM echo "$ports" 3268823STruong.Q.Nguyen@Sun.COM else 3278823STruong.Q.Nguyen@Sun.COM # 3288823STruong.Q.Nguyen@Sun.COM # port_str is a single port, verify and return it. 3298823STruong.Q.Nguyen@Sun.COM # 3308823STruong.Q.Nguyen@Sun.COM echo "$port_str" | grep '^[0-9]\{1,5\}$' >/dev/null || return 1 3318823STruong.Q.Nguyen@Sun.COM [ $port_str -gt 65535 ] && return 1 3328823STruong.Q.Nguyen@Sun.COM echo "$port_str" 3338823STruong.Q.Nguyen@Sun.COM fi 3348823STruong.Q.Nguyen@Sun.COM} 3358823STruong.Q.Nguyen@Sun.COM 3368823STruong.Q.Nguyen@Sun.COM# 3378823STruong.Q.Nguyen@Sun.COM# get proto info from string of the form "{tcp | udp}:port" 3388823STruong.Q.Nguyen@Sun.COM# 3398823STruong.Q.Nguyen@Sun.COMtuple_get_proto() 3408823STruong.Q.Nguyen@Sun.COM{ 3418823STruong.Q.Nguyen@Sun.COM proto=`echo "$1" | sed -e 's/ //g; s/:.*//' 2>/dev/null` 3428823STruong.Q.Nguyen@Sun.COM [ -z "$proto" ] && return 0 3438823STruong.Q.Nguyen@Sun.COM 3448823STruong.Q.Nguyen@Sun.COM [ "$proto" = "tcp" -o "$proto" = "udp" ] && echo $proto || return 1 3458823STruong.Q.Nguyen@Sun.COM return 0 3468823STruong.Q.Nguyen@Sun.COM} 3478823STruong.Q.Nguyen@Sun.COM 3488823STruong.Q.Nguyen@Sun.COMipf_get_lock() 3498823STruong.Q.Nguyen@Sun.COM{ 3508823STruong.Q.Nguyen@Sun.COM newpid=$$ 3518823STruong.Q.Nguyen@Sun.COM 3528823STruong.Q.Nguyen@Sun.COM if [ -f "$IPF_LOCK/pid" ]; then 3538823STruong.Q.Nguyen@Sun.COM curpid=`cat $IPF_LOCK/pid 2>/dev/null` 3548823STruong.Q.Nguyen@Sun.COM [ "$curpid" = 
"$newpid" ] && return 0 3558823STruong.Q.Nguyen@Sun.COM 3568823STruong.Q.Nguyen@Sun.COM # 3578823STruong.Q.Nguyen@Sun.COM # Clear lock if the owning process is no longer around. 3588823STruong.Q.Nguyen@Sun.COM # 3598823STruong.Q.Nguyen@Sun.COM ps -p $curpid >/dev/null 2>&1 || rm -r $IPF_LOCK >/dev/null 2>&1 3608823STruong.Q.Nguyen@Sun.COM fi 3618823STruong.Q.Nguyen@Sun.COM 3628823STruong.Q.Nguyen@Sun.COM # 3638823STruong.Q.Nguyen@Sun.COM # Grab the lock 3648823STruong.Q.Nguyen@Sun.COM # 3658823STruong.Q.Nguyen@Sun.COM while :; do 3668823STruong.Q.Nguyen@Sun.COM mkdir $IPF_LOCK 2>/dev/null && break; 3678823STruong.Q.Nguyen@Sun.COM sleep 1 3688823STruong.Q.Nguyen@Sun.COM done 3698823STruong.Q.Nguyen@Sun.COM echo $newpid > $IPF_LOCK/pid 3708823STruong.Q.Nguyen@Sun.COM} 3718823STruong.Q.Nguyen@Sun.COM 3728823STruong.Q.Nguyen@Sun.COM# 3738823STruong.Q.Nguyen@Sun.COM# Remove lock if it's ours 3748823STruong.Q.Nguyen@Sun.COM# 3758823STruong.Q.Nguyen@Sun.COMipf_remove_lock() 3768823STruong.Q.Nguyen@Sun.COM{ 3778823STruong.Q.Nguyen@Sun.COM if [ -f "$IPF_LOCK/pid" ]; then 3788823STruong.Q.Nguyen@Sun.COM [ "`cat $IPF_LOCK/pid`" = "$$" ] && rm -r $IPF_LOCK 3798823STruong.Q.Nguyen@Sun.COM fi 3808823STruong.Q.Nguyen@Sun.COM return 0 3818823STruong.Q.Nguyen@Sun.COM} 3828823STruong.Q.Nguyen@Sun.COM 3838823STruong.Q.Nguyen@Sun.COM# 3848823STruong.Q.Nguyen@Sun.COM# Make IPFILCONF, /var/tmp/ipf/ipf.conf, a symlink to the input file argument. 3858823STruong.Q.Nguyen@Sun.COM# 3868823STruong.Q.Nguyen@Sun.COMcustom_set_symlink() 3878823STruong.Q.Nguyen@Sun.COM{ 3888823STruong.Q.Nguyen@Sun.COM # 389*8846STruong.Q.Nguyen@Sun.COM # Nothing to do if the input file doesn't exist. 3908823STruong.Q.Nguyen@Sun.COM # 3918823STruong.Q.Nguyen@Sun.COM [ ! 
-f "$1" ] && return 0 3928823STruong.Q.Nguyen@Sun.COM 393*8846STruong.Q.Nguyen@Sun.COM check_ipf_dir || return 1 394*8846STruong.Q.Nguyen@Sun.COM 3958823STruong.Q.Nguyen@Sun.COM rm $IPFILCONF >/dev/null 2>&1 3968823STruong.Q.Nguyen@Sun.COM ln -s $1 $IPFILCONF >/dev/null 2>&1 3978823STruong.Q.Nguyen@Sun.COM} 3988823STruong.Q.Nguyen@Sun.COM 3998823STruong.Q.Nguyen@Sun.COM# 4008823STruong.Q.Nguyen@Sun.COM# New file replaces original file if they have different content 4018823STruong.Q.Nguyen@Sun.COM# 4028823STruong.Q.Nguyen@Sun.COMreplace_file() 4038823STruong.Q.Nguyen@Sun.COM{ 4048823STruong.Q.Nguyen@Sun.COM orig=$1 4058823STruong.Q.Nguyen@Sun.COM new=$2 4068823STruong.Q.Nguyen@Sun.COM 4078823STruong.Q.Nguyen@Sun.COM # 4088823STruong.Q.Nguyen@Sun.COM # IPFILCONF may be a symlink, remove it if that's the case 4098823STruong.Q.Nguyen@Sun.COM # 4108823STruong.Q.Nguyen@Sun.COM if [ -L "$orig" ]; then 4118823STruong.Q.Nguyen@Sun.COM rm $orig 4128823STruong.Q.Nguyen@Sun.COM touch $orig 4138823STruong.Q.Nguyen@Sun.COM fi 4148823STruong.Q.Nguyen@Sun.COM 415*8846STruong.Q.Nguyen@Sun.COM check_ipf_dir || return 1 4168823STruong.Q.Nguyen@Sun.COM mv $new $orig && return 0 || return 1 4178823STruong.Q.Nguyen@Sun.COM} 4188823STruong.Q.Nguyen@Sun.COM 4198823STruong.Q.Nguyen@Sun.COM# 4208823STruong.Q.Nguyen@Sun.COM# Given a service, gets the following details for ipf rule: 4218823STruong.Q.Nguyen@Sun.COM# - policy 4228823STruong.Q.Nguyen@Sun.COM# - protocol 4238823STruong.Q.Nguyen@Sun.COM# - port(IANA port obtained by running servinfo) 4248823STruong.Q.Nguyen@Sun.COM# 4258823STruong.Q.Nguyen@Sun.COMprocess_server_svc() 4268823STruong.Q.Nguyen@Sun.COM{ 4278823STruong.Q.Nguyen@Sun.COM service=$1 4288823STruong.Q.Nguyen@Sun.COM ip="any" 4298823STruong.Q.Nguyen@Sun.COM policy=`get_policy ${service}` 4308823STruong.Q.Nguyen@Sun.COM 4318823STruong.Q.Nguyen@Sun.COM # 4328823STruong.Q.Nguyen@Sun.COM # Empties service's rules file so callers won't use existing rule if 
4338823STruong.Q.Nguyen@Sun.COM # we fail here. 4348823STruong.Q.Nguyen@Sun.COM # 4358823STruong.Q.Nguyen@Sun.COM file=`fmri_to_file $service $IPF_SUFFIX` 4368823STruong.Q.Nguyen@Sun.COM [ -z "$file" ] && return 1 4378823STruong.Q.Nguyen@Sun.COM echo "# $service" >${file} 4388823STruong.Q.Nguyen@Sun.COM 4398823STruong.Q.Nguyen@Sun.COM # 4408823STruong.Q.Nguyen@Sun.COM # Nothing to do if policy is "use_global" 4418823STruong.Q.Nguyen@Sun.COM # 4428823STruong.Q.Nguyen@Sun.COM [ "$policy" = "use_global" ] && return 0 4438823STruong.Q.Nguyen@Sun.COM 4448823STruong.Q.Nguyen@Sun.COM restarter=`svcprop -p general/restarter $service 2>/dev/null` 4458823STruong.Q.Nguyen@Sun.COM if [ "$restarter" = "$INETDFMRI" ]; then 4468823STruong.Q.Nguyen@Sun.COM iana_name=`svcprop -p inetd/name $service 2>/dev/null` 4478823STruong.Q.Nguyen@Sun.COM isrpc=`svcprop -p inetd/isrpc $service 2>/dev/null` 4488823STruong.Q.Nguyen@Sun.COM else 4498823STruong.Q.Nguyen@Sun.COM iana_name=`svcprop -p $FW_CONTEXT_PG/name $service 2>/dev/null` 4508823STruong.Q.Nguyen@Sun.COM isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $service 2>/dev/null` 4518823STruong.Q.Nguyen@Sun.COM fi 4528823STruong.Q.Nguyen@Sun.COM 4538823STruong.Q.Nguyen@Sun.COM # 4548823STruong.Q.Nguyen@Sun.COM # Bail if iana_name isn't defined. Services with static rules 4558823STruong.Q.Nguyen@Sun.COM # like nis/client don't need to generate rules using 4568823STruong.Q.Nguyen@Sun.COM # iana name and protocol information. 
4578823STruong.Q.Nguyen@Sun.COM # 4588823STruong.Q.Nguyen@Sun.COM [ -z "$iana_name" ] && return 1 4598823STruong.Q.Nguyen@Sun.COM 4608823STruong.Q.Nguyen@Sun.COM # 4618823STruong.Q.Nguyen@Sun.COM # RPC services 4628823STruong.Q.Nguyen@Sun.COM # 4638823STruong.Q.Nguyen@Sun.COM if [ "$isrpc" = "true" ]; then 4648823STruong.Q.Nguyen@Sun.COM tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` 4658823STruong.Q.Nguyen@Sun.COM if [ -n "$tports" ]; then 4668823STruong.Q.Nguyen@Sun.COM for tport in $tports; do 4678823STruong.Q.Nguyen@Sun.COM generate_rules $service $policy "tcp" \ 4688823STruong.Q.Nguyen@Sun.COM $ip $tport $file 4698823STruong.Q.Nguyen@Sun.COM done 4708823STruong.Q.Nguyen@Sun.COM fi 4718823STruong.Q.Nguyen@Sun.COM 4728823STruong.Q.Nguyen@Sun.COM uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` 4738823STruong.Q.Nguyen@Sun.COM if [ -n "$uports" ]; then 4748823STruong.Q.Nguyen@Sun.COM for uport in $uports; do 4758823STruong.Q.Nguyen@Sun.COM generate_rules $service $policy "udp" \ 4768823STruong.Q.Nguyen@Sun.COM $ip $uport $file 4778823STruong.Q.Nguyen@Sun.COM done 4788823STruong.Q.Nguyen@Sun.COM fi 4798823STruong.Q.Nguyen@Sun.COM 4808823STruong.Q.Nguyen@Sun.COM return 0 4818823STruong.Q.Nguyen@Sun.COM fi 4828823STruong.Q.Nguyen@Sun.COM 4838823STruong.Q.Nguyen@Sun.COM # 4848823STruong.Q.Nguyen@Sun.COM # Get the IANA port and supported protocols(tcp and udp) 4858823STruong.Q.Nguyen@Sun.COM # No support for IPv6 at this point. 4868823STruong.Q.Nguyen@Sun.COM # 4878823STruong.Q.Nguyen@Sun.COM tport=`$SERVINFO -p -t -s $iana_name 2>&1` 4888823STruong.Q.Nguyen@Sun.COM if [ $? -eq 0 -a -n "$tport" ]; then 4898823STruong.Q.Nguyen@Sun.COM generate_rules $service $policy "tcp" $ip $tport $file 4908823STruong.Q.Nguyen@Sun.COM fi 4918823STruong.Q.Nguyen@Sun.COM 4928823STruong.Q.Nguyen@Sun.COM uport=`$SERVINFO -p -u -s $iana_name 2>&1` 4938823STruong.Q.Nguyen@Sun.COM if [ $? 
-eq 0 -a -n "$uport" ]; then 4948823STruong.Q.Nguyen@Sun.COM generate_rules $service $policy "udp" $ip $uport $file 4958823STruong.Q.Nguyen@Sun.COM fi 4968823STruong.Q.Nguyen@Sun.COM 4978823STruong.Q.Nguyen@Sun.COM return 0 4988823STruong.Q.Nguyen@Sun.COM} 4998823STruong.Q.Nguyen@Sun.COM 5008823STruong.Q.Nguyen@Sun.COM# 5018823STruong.Q.Nguyen@Sun.COM# Given a service's name, policy, protocol and port, generate ipf rules 5028823STruong.Q.Nguyen@Sun.COM# - list of host/network/interface to apply policy 5038823STruong.Q.Nguyen@Sun.COM# 5048823STruong.Q.Nguyen@Sun.COM# A 'use_global' policy inherits the system-wided Global Default policy 5058823STruong.Q.Nguyen@Sun.COM# from network/ipfilter. For {deny | allow} policies, the rules are 5068823STruong.Q.Nguyen@Sun.COM# ordered as: 5078823STruong.Q.Nguyen@Sun.COM# 5088823STruong.Q.Nguyen@Sun.COM# - make exceptions to policy for those in "exceptions" list 5098823STruong.Q.Nguyen@Sun.COM# - apply policy to those specified in "apply_to" list 5108823STruong.Q.Nguyen@Sun.COM# - policy rule 5118823STruong.Q.Nguyen@Sun.COM# 5128823STruong.Q.Nguyen@Sun.COMgenerate_rules() 5138823STruong.Q.Nguyen@Sun.COM{ 5148823STruong.Q.Nguyen@Sun.COM service=$1 5158823STruong.Q.Nguyen@Sun.COM mypolicy=$2 5168823STruong.Q.Nguyen@Sun.COM proto=$3 5178823STruong.Q.Nguyen@Sun.COM ip=$4 5188823STruong.Q.Nguyen@Sun.COM port=$5 5198823STruong.Q.Nguyen@Sun.COM out=$6 5208823STruong.Q.Nguyen@Sun.COM 5218823STruong.Q.Nguyen@Sun.COM # 5228823STruong.Q.Nguyen@Sun.COM # Default mode is to inherit from global's policy 5238823STruong.Q.Nguyen@Sun.COM # 5248823STruong.Q.Nguyen@Sun.COM [ "$mypolicy" = "use_global" ] && return 0 5258823STruong.Q.Nguyen@Sun.COM 5268823STruong.Q.Nguyen@Sun.COM tcp_opts="" 5278823STruong.Q.Nguyen@Sun.COM [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags" 5288823STruong.Q.Nguyen@Sun.COM 5298823STruong.Q.Nguyen@Sun.COM # 5308823STruong.Q.Nguyen@Sun.COM # Allow all if policy is 'none' 5318823STruong.Q.Nguyen@Sun.COM # 
5328823STruong.Q.Nguyen@Sun.COM if [ "$mypolicy" = "none" ]; then 5338823STruong.Q.Nguyen@Sun.COM echo "pass in log quick proto ${proto} from any to ${ip}" \ 5348823STruong.Q.Nguyen@Sun.COM "port = ${port} ${tcp_opts}" >>${out} 5358823STruong.Q.Nguyen@Sun.COM return 0 5368823STruong.Q.Nguyen@Sun.COM fi 5378823STruong.Q.Nguyen@Sun.COM 5388823STruong.Q.Nguyen@Sun.COM # 5398823STruong.Q.Nguyen@Sun.COM # For now, let's concern only with incoming traffic. 5408823STruong.Q.Nguyen@Sun.COM # 5418823STruong.Q.Nguyen@Sun.COM [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block"; } 5428823STruong.Q.Nguyen@Sun.COM [ "$mypolicy" = "allow" ] && { ecmd="block"; acmd="pass"; } 5438823STruong.Q.Nguyen@Sun.COM 5448823STruong.Q.Nguyen@Sun.COM for name in `get_exceptions $service`; do 5458823STruong.Q.Nguyen@Sun.COM [ -z "$name" -o "$name" = '""' ] && continue 5468823STruong.Q.Nguyen@Sun.COM 5478823STruong.Q.Nguyen@Sun.COM ifc=`get_interface $name` 5488823STruong.Q.Nguyen@Sun.COM if [ $? -eq 0 -a -n "$ifc" ]; then 5498823STruong.Q.Nguyen@Sun.COM echo "${ecmd} in log quick on ${ifc} from any to" \ 5508823STruong.Q.Nguyen@Sun.COM "${ip} port = ${port}" >>${out} 5518823STruong.Q.Nguyen@Sun.COM continue 5528823STruong.Q.Nguyen@Sun.COM fi 5538823STruong.Q.Nguyen@Sun.COM 5548823STruong.Q.Nguyen@Sun.COM addr=`get_IP ${name}` 5558823STruong.Q.Nguyen@Sun.COM if [ $? -eq 0 -a -n "$addr" ]; then 5568823STruong.Q.Nguyen@Sun.COM echo "${ecmd} in log quick proto ${proto} from ${addr}" \ 5578823STruong.Q.Nguyen@Sun.COM "to ${ip} port = ${port} ${tcp_opts}" >>${out} 5588823STruong.Q.Nguyen@Sun.COM fi 5598823STruong.Q.Nguyen@Sun.COM done 5608823STruong.Q.Nguyen@Sun.COM 5618823STruong.Q.Nguyen@Sun.COM for name in `get_apply2_list $service`; do 5628823STruong.Q.Nguyen@Sun.COM [ -z "$name" -o "$name" = '""' ] && continue 5638823STruong.Q.Nguyen@Sun.COM 5648823STruong.Q.Nguyen@Sun.COM ifc=`get_interface $name` 5658823STruong.Q.Nguyen@Sun.COM if [ $? 
-eq 0 -a -n "$ifc" ]; then 5668823STruong.Q.Nguyen@Sun.COM echo "${acmd} in log quick on ${ifc} from any to" \ 5678823STruong.Q.Nguyen@Sun.COM "${ip} port = ${port}" >>${out} 5688823STruong.Q.Nguyen@Sun.COM continue 5698823STruong.Q.Nguyen@Sun.COM fi 5708823STruong.Q.Nguyen@Sun.COM 5718823STruong.Q.Nguyen@Sun.COM addr=`get_IP ${name}` 5728823STruong.Q.Nguyen@Sun.COM if [ $? -eq 0 -a -n "$addr" ]; then 5738823STruong.Q.Nguyen@Sun.COM echo "${acmd} in log quick proto ${proto} from ${addr}" \ 5748823STruong.Q.Nguyen@Sun.COM "to ${ip} port = ${port} ${tcp_opts}" >>${out} 5758823STruong.Q.Nguyen@Sun.COM fi 5768823STruong.Q.Nguyen@Sun.COM done 5778823STruong.Q.Nguyen@Sun.COM 5788823STruong.Q.Nguyen@Sun.COM echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \ 5798823STruong.Q.Nguyen@Sun.COM "port = ${port} ${tcp_opts}" >>${out} 5808823STruong.Q.Nguyen@Sun.COM 5818823STruong.Q.Nguyen@Sun.COM return 0 5828823STruong.Q.Nguyen@Sun.COM} 5838823STruong.Q.Nguyen@Sun.COM 5848823STruong.Q.Nguyen@Sun.COM# 5858823STruong.Q.Nguyen@Sun.COM# Service has either IANA ports and proto or its own firewall method to 5868823STruong.Q.Nguyen@Sun.COM# generate the rules. 
5878823STruong.Q.Nguyen@Sun.COM# 5888823STruong.Q.Nguyen@Sun.COM# - if service has a custom method, use it to populate its rules 5898823STruong.Q.Nguyen@Sun.COM# - if service has a firewall_config pg, use process_server_svc 5908823STruong.Q.Nguyen@Sun.COM# 5918823STruong.Q.Nguyen@Sun.COM# Argument - fmri 5928823STruong.Q.Nguyen@Sun.COM# 5938823STruong.Q.Nguyen@Sun.COMprocess_service() 5948823STruong.Q.Nguyen@Sun.COM{ 5958823STruong.Q.Nguyen@Sun.COM # 5968823STruong.Q.Nguyen@Sun.COM # Don't process network/ipfilter 5978823STruong.Q.Nguyen@Sun.COM # 5988823STruong.Q.Nguyen@Sun.COM [ "$1" = "$IPF_FMRI" ] && return 0 5998823STruong.Q.Nguyen@Sun.COM 6008823STruong.Q.Nguyen@Sun.COM service_check_state $1 $SMF_MAINT && return 1 6018823STruong.Q.Nguyen@Sun.COM 6028823STruong.Q.Nguyen@Sun.COM method=`svcprop -p $FW_CONTEXT_PG/$METHOD_PROP $1 2>/dev/null | \ 6038823STruong.Q.Nguyen@Sun.COM sed 's/\\\//g'` 6048823STruong.Q.Nguyen@Sun.COM if [ -n "$method" -a "$method" != '""' ]; then 6058823STruong.Q.Nguyen@Sun.COM ( exec $method $1 >/dev/null ) 6068823STruong.Q.Nguyen@Sun.COM else 6078823STruong.Q.Nguyen@Sun.COM svcprop -p $FW_CONFIG_PG $1 >/dev/null 2>&1 || return 1 6088823STruong.Q.Nguyen@Sun.COM process_server_svc $1 || return 1 6098823STruong.Q.Nguyen@Sun.COM fi 6108823STruong.Q.Nguyen@Sun.COM return 0 6118823STruong.Q.Nguyen@Sun.COM} 6128823STruong.Q.Nguyen@Sun.COM 6138823STruong.Q.Nguyen@Sun.COM# 6148823STruong.Q.Nguyen@Sun.COM# Generate rules for protocol/port defined in firewall_config_default/open_ports 6158823STruong.Q.Nguyen@Sun.COM# property. These are non-service programs whose network resource info are 6168823STruong.Q.Nguyen@Sun.COM# defined as "{tcp | upd}:{PORT | PORT-PORT}". Essentially, these programs need 6178823STruong.Q.Nguyen@Sun.COM# some specific local ports to be opened. For example, BitTorrent clients need to 6188823STruong.Q.Nguyen@Sun.COM# have 6881-6889 opened. 
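#
# Argument - path of the rules file to append to
#
# Always returns 0; an entry whose port or protocol cannot be parsed is
# silently skipped.
#
process_nonsvc_progs()
{
	out=$1
	echo "# Non-service programs rules" >>${out}
	progs=`svcprop -p ${FW_CONFIG_DEF_PG}/${OPEN_PORTS_PROP} \
	    $SMF_FMRI 2>/dev/null`

	for prog in $progs; do
		[ -z "$prog" -o "$prog" = '""' ] && continue

		port=`tuple_get_port $prog`
		[ $? -eq 1 -o -z "$port" ] && continue

		proto=`tuple_get_proto $prog`
		[ $? -eq 1 ] && continue

		#
		# One word appears to mean a single port, two words a range;
		# $out was saved above, so clobbering the positional
		# parameters here is fine.
		#
		set -- $port
		if [ $# -gt 1 ]; then
			if [ -z "$proto" ]; then
				echo "pass in log quick from any to any" \
				    "port ${1} >< ${2}" >>${out}
			else
				echo "pass in log quick proto ${proto} from any" \
				    "to any port ${1} >< ${2}" >>${out}
			fi
		else
			if [ -z "$proto" ]; then
				echo "pass in log quick from any to any" \
				    "port = ${1}" >>${out}
			else
				echo "pass in log quick proto ${proto} from any" \
				    "to any port = ${1}" >>${out}
			fi
		fi
	done

	return 0
}

#
# Generate a new ipf.conf ($IPFILCONF) from the global default policy:
#
# - 'custom': hand firewall_config_default/custom_policy_file to
#   custom_set_symlink and generate nothing.
# - 'none': the file holds only the comment header and the open_ports rules
#   emitted by process_nonsvc_progs.
# - 'deny': 'exceptions' entities get "pass" rules, 'apply_to' entities get
#   "block" rules; no catch-all rule is added.
# - 'allow': 'exceptions' entities get "block" rules, 'apply_to' entities get
#   "pass" rules, DHCP client traffic is let through when the host uses DHCP,
#   and a final "block in log all" rejects everything else.
#
# Returns 0 on success, 1 for an unknown policy value, when the temporary
# file cannot be created, or when replace_file fails.
#
create_global_rules()
{
	policy=`get_global_def_policy`

	if [ "$policy" = "custom" ]; then
		file=`svcprop -p ${FW_CONFIG_DEF_PG}/${CUSTOM_FILE_PROP} $SMF_FMRI`

		[ -n "$file" ] && custom_set_symlink $file
		return 0
	fi

	#
	# Rules are assembled in a temporary file that replace_file installs
	# at the end.  An empty $TEMP (mktemp failure) would send every rule
	# to a bogus redirection, so fail early instead.
	#
	TEMP=`mktemp /var/run/ipf.conf.pid$$.XXXXXX`
	[ -z "$TEMP" ] && return 1
	process_nonsvc_progs $TEMP

	echo "# Global Default rules" >>${TEMP}
	if [ "$policy" != "none" ]; then
		echo "pass out log quick all keep state" >>${TEMP}
	fi

	#
	# ecmd is the action applied to 'exceptions' entities, acmd the
	# action applied to 'apply_to' entities.
	#
	case "$policy" in
	'none')
		# No rules
		replace_file ${IPFILCONF} ${TEMP}
		return $?
		;;

	'deny')
		ecmd="pass"
		acmd="block"
		;;

	'allow')
		ecmd="block"
		acmd="pass"
		;;
	*)
		# Unknown policy: don't leave the temporary file behind.
		rm -f "$TEMP"
		return 1
		;;
	esac

	for name in `get_exceptions $SMF_FMRI`; do
		[ -z "$name" -o "$name" = '""' ] && continue

		#
		# An entity is either an interface name (rule covers all
		# traffic on it) or something get_IP resolves to an address.
		#
		ifc=`get_interface $name`
		if [ $? -eq 0 -a -n "$ifc" ]; then
			echo "${ecmd} in log quick on ${ifc} all" >>${TEMP}
			continue
		fi

		addr=`get_IP ${name}`
		if [ $? -eq 0 -a -n "$addr" ]; then
			echo "${ecmd} in log quick from ${addr} to any" >>${TEMP}
		fi
	done

	for name in `get_apply2_list $SMF_FMRI`; do
		[ -z "$name" -o "$name" = '""' ] && continue

		ifc=`get_interface $name`
		if [ $? -eq 0 -a -n "$ifc" ]; then
			echo "${acmd} in log quick on ${ifc} all" >>${TEMP}
			continue
		fi

		addr=`get_IP ${name}`
		if [ $? -eq 0 -a -n "$addr" ]; then
			echo "${acmd} in log quick from ${addr} to any" >>${TEMP}
		fi
	done

	if [ "$policy" = "allow" ]; then
		#
		# Allow DHCP traffic if running as a DHCP client (netstrategy
		# mentioning dhcp is taken as the indicator).
		# NOTE(review): these rules carry no "proto udp", so they admit
		# any protocol to ports 68/546; consider tightening them once
		# it is confirmed nothing relies on the wider match.
		#
		/sbin/netstrategy | grep dhcp >/dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "pass out log quick from any port = 68" \
			    "keep state" >>${TEMP}
			echo "pass out log quick from any port = 546" \
			    "keep state" >>${TEMP}
			echo "pass in log quick from any to any port = 68" >>${TEMP}
			echo "pass in log quick from any to any port = 546" >>${TEMP}
		fi
		#
		# Catch-all: with 'allow', everything not explicitly passed
		# above is dropped.
		#
		echo "block in log all" >>${TEMP}
	fi

	replace_file ${IPFILCONF} ${TEMP}
	return $?
}

#
# Generate a new /etc/ipf/ipf_ovr.conf, the override system-wide policy. It's
# a simplified policy that doesn't support 'exceptions' entities.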
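#
# If the override policy is "none", no rules are generated.
#
# Note that "pass" rules don't have "quick" as we don't want
# them to override services' block rules.
#
# Returns 0 on success, 1 when the temporary file cannot be created or
# replace_file fails.
#
create_global_ovr_rules()
{
	#
	# Simply empty override file if global policy is 'custom'
	#
	if [ "`get_global_def_policy`" = "custom" ]; then
		echo "# 'custom' global policy" >$IPFILOVRCONF
		return 0
	fi

	#
	# Get and process override policy
	#
	ovr_policy=`svcprop -p ${FW_CONFIG_OVR_PG}/${POLICY_PROP} $IPF_FMRI`
	TEMP=`mktemp /var/run/ipf_ovr.conf.pid$$.XXXXXX`
	[ -z "$TEMP" ] && return 1

	#
	# acmd is a script-global that create_global_rules() also assigns.
	# Only 'deny' and 'allow' produce rules; for 'none', a missing
	# property or anything else, install the empty file right away so a
	# stale or empty acmd can never turn 'apply_to' entries into rules.
	#
	case "$ovr_policy" in
	'deny')
		acmd="block in log quick"
		;;
	'allow')
		acmd="pass in log"
		;;
	*)
		replace_file ${IPFILOVRCONF} ${TEMP}
		return $?
		;;
	esac

	apply2_list=`svcprop -p $FW_CONFIG_OVR_PG/$APPLY2_PROP $IPF_FMRI`
	for name in $apply2_list; do
		[ -z "$name" -o "$name" = '""' ] && continue

		ifc=`get_interface $name`
		if [ $? -eq 0 -a -n "$ifc" ]; then
			echo "${acmd} on ${ifc} all" >>${TEMP}
			continue
		fi

		addr=`get_IP ${name}`
		if [ $? -eq 0 -a -n "$addr" ]; then
			echo "${acmd} from ${addr} to any" >>${TEMP}
		fi
	done

	replace_file ${IPFILOVRCONF} ${TEMP}
	return $?
}

#
# Put a service into maintenance state because of its invalid firewall
# definition and/or policy, and move its rule files aside so they are not
# picked up again.
#
# Argument - fmri
#
# Always returns 0.  The two diagnostic lines go to standard output.
#
svc_mark_maintenance()
{
	svcadm mark maintenance $1 >/dev/null 2>&1

	date=`date`
	echo "[ $date ${0}: $1 has invalid ipf configuration. ]"
	echo "[ $date ${0}: placing $1 in maintenance. ]"

	#
	# Move service's rule files to another location since
	# they're most likely invalid.
	#
	ipfile=`fmri_to_file $1 $IPF_SUFFIX`
	[ -f "$ipfile" ] && mv "$ipfile" "$ipfile.bak"

	natfile=`fmri_to_file $1 $NAT_SUFFIX`
	[ -f "$natfile" ] && mv "$natfile" "$natfile.bak"

	return 0
}

#
# A service is a "server" when it carries a firewall_config property group.
#
# Argument - fmri
#
# Returns svcprop's exit status: 0 when the pg exists.
#
svc_is_server()
{
	svcprop -p $FW_CONFIG_PG $1 >/dev/null 2>&1
}

#
# Create rules for enabled firewalling and client services.
# - obtain the list of enabled services and process them
# - save the list of rules files (CONF_FILES, NAT_FILES) for later use
#
# A service whose generated rules fail the syntax or rule checks is put into
# maintenance by svc_mark_maintenance and skipped.  The ipf lock is held
# for the duration.  Always returns 0.
#
create_services_rules()
{
	#
	# Do nothing if global policy is 'custom'
	#
	global_policy=`get_global_def_policy`
	[ "$global_policy" = "custom" ] && return 0

	ipf_get_lock

	#
	# Get all enabled services: list general/enabled and
	# general_ovr/enabled of every instance and keep the FMRIs whose
	# value is true.
	#
	allsvcs=`svcprop -cf -p general/enabled -p general_ovr/enabled '*' \
	    2>/dev/null | sed -n 's,^\(svc:.*\)/:properties/.* true$,\1,p' | sort -u`

	#
	# Process enabled services
	#
	for s in $allsvcs; do
		service_is_enabled $s || continue
		process_service $s || continue

		ipfile=`fmri_to_file $s $IPF_SUFFIX`
		if [ -n "$ipfile" -a -r "$ipfile" ]; then
			check_ipf_syntax $ipfile
			if [ $? -ne 0 ]; then
				svc_mark_maintenance $s
				continue
			fi

			#
			# Server services get the additional rule check.
			#
			svc_is_server $s
			if [ $? -eq 0 ]; then
				check_ipf_rules $ipfile
				if [ $? -ne 0 ]; then
					svc_mark_maintenance $s
					continue
				fi
			fi
			CONF_FILES="$CONF_FILES $ipfile"
		fi

		natfile=`fmri_to_file $s $NAT_SUFFIX`
		if [ -n "$natfile" -a -r "$natfile" ]; then
			check_nat_syntax $natfile
			if [ $? -ne 0 ]; then
				svc_mark_maintenance $s
				continue
			fi

			NAT_FILES="$NAT_FILES $natfile"
		fi
	done

	ipf_remove_lock
	return 0
}

#
# We update a service's ipf ruleset in the following manner:
# - its current rules (ipf and NAT) are torn down;
# - if the service is disabled or in maintenance, that is all;
# - otherwise (enabled or refreshed, online) its rules are regenerated,
#   checked and loaded again.
#
# Argument - fmri
#
# Returns 0 when nothing needs to be done or the update succeeded, 1 when
# process_service fails or the new rules fail a check (the service is then
# put into maintenance).  service_update takes the ipf lock around this call.
#
service_update_rules()
{
	#
	# If ipfilter isn't online or global policy is 'custom',
	# nothing should be done.
	#
	service_check_state $SMF_FMRI $SMF_ONLINE || return 0
	[ "`get_global_def_policy`" = "custom" ] && return 0

	svc=$1

	ipfile=`fmri_to_file $svc $IPF_SUFFIX`
	[ -z "$ipfile" ] && return 0

	remove_rules $ipfile

	natfile=`fmri_to_file $svc $NAT_SUFFIX`
	[ -n "$natfile" ] && remove_nat_rules $natfile

	#
	# Don't go further if service is disabled or in maintenance.
	#
	service_is_enabled $svc || return 0
	service_check_state $svc $SMF_MAINT && return 0

	process_service $svc || return 1
	if [ -f "$ipfile" ]; then
		check_ipf_syntax $ipfile
		if [ $? -ne 0 ]; then
			svc_mark_maintenance $svc
			return 1
		fi
	fi

	if [ -f "$natfile" ]; then
		check_nat_syntax $natfile
		if [ $? -ne 0 ]; then
			svc_mark_maintenance $svc
			return 1
		fi
	fi

	if [ -f "$ipfile" ]; then
		svc_is_server $svc
		if [ $? -eq 0 ]; then
			update_check_ipf_rules $ipfile
			if [ $? -ne 0 ]; then
				svc_mark_maintenance $svc
				return 1
			fi
		fi

		prepend_new_rules $ipfile

		#
		# Reload the global override rules after the service rules
		# have been prepended so that the intended ordering is kept.
		#
		remove_rules $IPFILOVRCONF
		prepend_new_rules $IPFILOVRCONF
	fi

	[ -f "$natfile" ] && append_new_nat_rules $natfile

	return 0
}

#
# Call service_update_rules with the appropriate svc fmri, under the ipf lock.
#
# This is called from '/lib/svc/method/ipfilter fw_update' whenever
# a service is disabled/enabled/refreshed.
#
# Argument - fmri
#
# Returns 0 on success, 1 when service_update_rules fails; the lock is
# released either way.
#
service_update()
{
	svc=$1
	ret=0

	ipf_get_lock
	service_update_rules $svc || ret=1

	ipf_remove_lock
	return $ret
}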