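#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2016 Hans Rosenfeld
#
# SMF method script for the NIS client, server and passwd services.
#
# Usage:    $0 ipfilter <fmri>   - generate the ipfilter rule files
#           $0                   - start the service named by $SMF_FMRI
# Requires: SMF_FMRI and the SMF_EXIT_* values from smf_include.sh;
#           SERVINFO, FW_CONTEXT_PG, GLOBAL_BLOCK_POLICY, IPF_SUFFIX,
#           IPF6_SUFFIX and fmri_to_file from ipf_include.sh.
# No "set -e" on purpose: every failure that matters is mapped to an
# explicit SMF_EXIT_* status below.
#

. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh

YPDIR=/usr/lib/netsvc/yp

#
# Append ipfilter rules for one protocol to one rules file: a default
# "block" rule for every port in $3, each followed by a "pass ... quick"
# rule per address in $4, so only the configured NIS servers reach the
# listening ports.
# Arguments: $1 - protocol, "tcp" or "udp"
#            $2 - block policy suffix ("return-rst", "return-icmp-as-dest"
#                 or empty for a silent drop)
#            $3 - whitespace-separated port list (may be empty)
#            $4 - whitespace-separated server address list (may be empty)
#            $5 - rules file to append to
# Outputs:   appends rule lines to $5
# Returns:   0
# Note:      POSIX sh has no "local"; the ipf_ prefix keeps these helper
#            variables from clobbering the caller's.
#
emit_ipf_rules() {
    ipf_proto=$1
    ipf_policy=$2
    ipf_ports=$3
    ipf_addrs=$4
    ipf_out=$5

    # Word-splitting of the two lists is intended: both are
    # space-separated values produced by servinfo and getent below.
    for ipf_port in $ipf_ports; do
        echo "block $ipf_policy in log proto $ipf_proto from any to any" \
            "port = $ipf_port" >>"$ipf_out"
        for ipf_addr in $ipf_addrs; do
            echo "pass in log quick proto $ipf_proto from $ipf_addr" \
                "to any port = $ipf_port" >>"$ipf_out"
        done
    done
}

#
# Generate the IPv4 and IPv6 ipfilter rule files for the NIS client.
# Arguments: $1 - FMRI of the NIS client instance
# Globals:   reads GLOBAL_BLOCK_POLICY, FW_CONTEXT_PG, SERVINFO,
#            IPF_SUFFIX, IPF6_SUFFIX; uses fmri_to_file
# Outputs:   (re)writes the two rule files named by fmri_to_file
# Returns:   0; does nothing when no NIS domain is set or bound
#
create_client_ipf_rules() {
    FMRI=$1
    file=$(fmri_to_file "$FMRI" "$IPF_SUFFIX")
    file6=$(fmri_to_file "$FMRI" "$IPF6_SUFFIX")
    iana_name=$(svcprop -p "$FW_CONTEXT_PG/name" "$FMRI")
    domain=$(domainname)
    block_policy=$GLOBAL_BLOCK_POLICY

    # Only the "return" policy actively rejects; any other value (or an
    # unset one) leaves the suffix empty, i.e. a silent drop.
    block_policy_tcp=
    block_policy_udp=
    if [ "$block_policy" = return ]; then
        block_policy_tcp=return-rst
        block_policy_udp=return-icmp-as-dest
    fi

    [ -z "$domain" ] && return 0
    [ -d "/var/yp/binding/$domain" ] || return 0

    echo "# $FMRI" >"$file"
    echo "# $FMRI" >"$file6"

    ypfile=/var/yp/binding/$domain/ypservers
    if [ -f "$ypfile" ]; then
        tports=$("$SERVINFO" -R -p -t -s "$iana_name")
        uports=$("$SERVINFO" -R -p -u -s "$iana_name")
        tports_6=$("$SERVINFO" -R -p -t6 -s "$iana_name")
        uports_6=$("$SERVINFO" -R -p -u6 -s "$iana_name")

        server_addrs=
        server_addrs_6=
        # Resolve every non-comment ypservers entry to its addresses.
        # Only the first getent column (the address) reaches the rule
        # text, never the raw file entry.  An address is IPv6 iff it
        # contains a colon; note "!~", not "~ !/:/" (the latter compares
        # $1 against the numeric result of the negation and silently
        # drops IPv4 addresses that happen not to contain the digit 1).
        for ypsvr in $(grep -v '^[ ]*#' "$ypfile"); do
            servers=$(getent ipnodes "$ypsvr" |
                /usr/xpg4/bin/awk '$1 !~ /:/ { print $1 }')
            servers_6=$(getent ipnodes "$ypsvr" |
                /usr/xpg4/bin/awk '$1 ~ /:/ { print $1 }')
            [ -n "$servers" ] && server_addrs="$server_addrs $servers"
            [ -n "$servers_6" ] && server_addrs_6="$server_addrs_6 $servers_6"
        done

        # The IPv4 file gets rules for the IPv4 and the IPv6 ports with
        # the IPv4 server addresses; the IPv6 file gets only the IPv6
        # ports with the IPv6 server addresses.  Empty lists produce no
        # rules.
        emit_ipf_rules tcp "$block_policy_tcp" "$tports $tports_6" \
            "$server_addrs" "$file"
        emit_ipf_rules udp "$block_policy_udp" "$uports $uports_6" \
            "$server_addrs" "$file"
        emit_ipf_rules tcp "$block_policy_tcp" "$tports_6" \
            "$server_addrs_6" "$file6"
        emit_ipf_rules udp "$block_policy_udp" "$uports_6" \
            "$server_addrs_6" "$file6"
    else
        #
        # Client broadcast case: the server replies to whatever port
        # sent the broadcast, and there is no way to tell in advance
        # which packet is the reply.  A NIS server should be configured
        # and clients should not broadcast, but if one does, the only
        # option is to allow all such traffic.  This opens every UDP
        # port above 32768 to any source, so a ypservers file is the
        # recommended configuration.
        #
        echo "pass in log quick proto udp from any to any" \
            "port > 32768" >>"$file"
        echo "pass in log quick proto udp from any to any" \
            "port > 32768" >>"$file6"
    fi
}

#
# Ipfilter method: "$0 ipfilter <fmri>".  An empty $1 never matches.
#
if [ "$1" = ipfilter ]; then
    create_client_ipf_rules "$2"
    exit "$SMF_EXIT_OK"
fi

case "$SMF_FMRI" in
'svc:/network/nis/client:default')
    domain=$(domainname)
    if [ -z "$domain" ]; then
        echo "$0: domainname not set"
        exit "$SMF_EXIT_ERR_CONFIG"
    fi
    if [ ! -d "/var/yp/binding/$domain" ]; then
        echo "$0: /var/yp/binding/$domain is not a directory"
        exit "$SMF_EXIT_ERR_CONFIG"
    fi

    # Since two ypbinds will cause ypwhich to hang...
    if pgrep -z "$(/sbin/zonename)" ypbind >/dev/null; then
        echo "$0: ypbind is already running."
        exit "$SMF_EXIT_ERR_CONFIG"
    fi

    # Bind to the listed servers when a ypservers file exists, otherwise
    # fall back to broadcast binding.  $? after fi is ypbind's status.
    if [ -f "/var/yp/binding/$domain/ypservers" ]; then
        "$YPDIR/ypbind" >/dev/null 2>&1
    else
        "$YPDIR/ypbind" -broadcast >/dev/null 2>&1
    fi
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$0: ypbind failed with $rc"
        exit 1
    fi
    ;;

'svc:/network/nis/server:default')
    domain=$(domainname)
    if [ -z "$domain" ]; then
        echo "$0: domainname not set"
        exit "$SMF_EXIT_ERR_CONFIG"
    fi
    if [ ! -d "/var/yp/$domain" ]; then
        echo "$0: domain directory missing"
        exit "$SMF_EXIT_ERR_CONFIG"
    fi

    # ypserv -d only when a resolver is configured.
    if [ -f /etc/resolv.conf ]; then
        "$YPDIR/ypserv" -d
    else
        "$YPDIR/ypserv"
    fi
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$0: ypserv failed with $rc"
        exit 1
    fi
    ;;

'svc:/network/nis/passwd:default')
    # Pick up a non-default password directory from the NIS Makefile
    # ("PWDIR =/path"); the default /etc needs no -D option.  If the
    # grep finds nothing, PWDIR stays empty and the expr is skipped.
    PWDIR=$(grep '^PWDIR' /var/yp/Makefile) &&
        PWDIR=$(expr "$PWDIR" : '.*=[ ]*\([^ ]*\)')
    # Build the argument list in "$@" (the script's own arguments are no
    # longer needed here) so the directory is passed as one word.
    set -- -m
    if [ -n "$PWDIR" ] && [ "$PWDIR" != /etc ]; then
        set -- -D "$PWDIR" -m
    fi
    "$YPDIR/rpc.yppasswdd" "$@"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$0: rpc.yppasswdd failed with $rc"
        exit 1
    fi
    ;;

*)
    echo "$0: Unknown service \"$SMF_FMRI\"."
    exit "$SMF_EXIT_ERR_CONFIG"
    ;;
esac

exit "$SMF_EXIT_OK"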