1#!/sbin/sh 2# 3# CDDL HEADER START 4# 5# The contents of this file are subject to the terms of the 6# Common Development and Distribution License (the "License"). 7# You may not use this file except in compliance with the License. 8# 9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10# or http://www.opensolaris.org/os/licensing. 11# See the License for the specific language governing permissions 12# and limitations under the License. 13# 14# When distributing Covered Code, include this CDDL HEADER in each 15# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16# If applicable, add the following below this CDDL HEADER, with the 17# fields enclosed by brackets "[]" replaced with your own identifying 18# information: Portions Copyright [yyyy] [name of copyright owner] 19# 20# CDDL HEADER END 21# 22 23# 24# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 25# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> 26# Copyright 2018 Nexenta Systems, Inc. All rights reserved. 27# 28 29# Start/stop processes required for server NFS 30 31. /lib/svc/share/smf_include.sh 32. /lib/svc/share/ipf_include.sh 33zone=`smf_zonename` 34 35# 36# Handling a corner case here. If we were in offline state due to an 37# unsatisfied dependency, the ipf_method process wouldn't have generated 38# the ipfilter configuration. When we transition to online because the 39# dependency is satisfied, the start method will have to generate the 40# ipfilter configuration. To avoid all possible deadlock scenarios, 41# we restart ipfilter which will regenerate the ipfilter configuration 42# for the entire system. 43# 44# The ipf_method process signals that it didn't generate ipf rules by 45# removing the service's ipf file. Thus we only restart network/ipfilter 46# when the file is missing. 47# 48configure_ipfilter() 49{ 50 ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX` 51 ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX` 52 [ -f "$ipfile" -a -f "$ip6file" ] && return 0 53 54 # 55 # Nothing to do if: 56 # - ipfilter isn't online 57 # - global policy is 'custom' 58 # - service's policy is 'use_global' 59 # 60 service_check_state $IPF_FMRI $SMF_ONLINE || return 0 61 [ "`get_global_def_policy`" = "custom" ] && return 0 62 [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0 63 64 svcadm restart $IPF_FMRI 65} 66 67case "$1" in 68'start') 69 # Share all file systems enabled for sharing. sharemgr understands 70 # regular shares and ZFS shares and will handle both. Technically, 71 # the shares would have been started long before getting here since 72 # nfsd has a dependency on them. 73 74 # restart stopped shares from the repository 75 /usr/sbin/sharemgr start -P nfs -a 76 77 # Options for nfsd are now set in SMF 78 79 /usr/lib/nfs/mountd 80 rc=$? 81 if [ $rc != 0 ]; then 82 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server 83 echo "$0: mountd failed with $rc" 84 sleep 5 & 85 exit $SMF_EXIT_ERR_FATAL 86 fi 87 88 /usr/lib/nfs/nfsd 89 rc=$? 90 if [ $rc != 0 ]; then 91 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server 92 echo "$0: nfsd failed with $rc" 93 sleep 5 & 94 exit $SMF_EXIT_ERR_FATAL 95 fi 96 97 configure_ipfilter 98 ;; 99 100'refresh') 101 /usr/sbin/sharemgr start -P nfs -a 102 ;; 103 104'stop') 105 /usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)' 106 107 # Unshare all shared file systems using NFS 108 109 /usr/sbin/sharemgr stop -P nfs -a 110 111 # Kill any processes left in service contract 112 smf_kill_contract $2 TERM 1 113 [ $? -ne 0 ] && exit 1 114 ;; 115 116'ipfilter') 117 # 118 # NFS related services are RPC. nfs/server has nfsd which has 119 # well-defined port number but mountd is an RPC daemon. 120 # 121 # Essentially, we generate rules for the following "services" 122 # - nfs/server which has nfsd and mountd 123 # - nfs/rquota 124 # 125 # The following services are enabled for both nfs client and 126 # server, if nfs/client is enabled we'll treat them as client 127 # services and simply allow incoming traffic. 128 # - nfs/status 129 # - nfs/nlockmgr 130 # - nfs/cbd 131 # 132 NFS_FMRI="svc:/network/nfs/server:default" 133 NFSCLI_FMRI="svc:/network/nfs/client:default" 134 RQUOTA_FMRI="svc:/network/nfs/rquota:default" 135 FMRI=$2 136 137 file=`fmri_to_file $FMRI $IPF_SUFFIX` 138 file6=`fmri_to_file $FMRI $IPF6_SUFFIX` 139 echo "# $FMRI" >$file 140 echo "# $FMRI" >$file6 141 policy=`get_policy $NFS_FMRI` 142 143 # 144 # nfs/server configuration is processed in the start method. 145 # 146 if [ "$FMRI" = "$NFS_FMRI" ]; then 147 service_check_state $FMRI $SMF_ONLINE 148 if [ $? -ne 0 ]; then 149 rm $file 150 exit $SMF_EXIT_OK 151 fi 152 153 nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null` 154 tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null` 155 if [ -n "$tport" ]; then 156 generate_rules $FMRI $policy "tcp" $tport $file 157 fi 158 159 tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null` 160 if [ -n "$tport6" ]; then 161 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 162 fi 163 164 uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null` 165 if [ -n "$uport" ]; then 166 generate_rules $FMRI $policy "udp" $uport $file 167 fi 168 169 uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null` 170 if [ -n "$uport6" ]; then 171 generate_rules $FMRI $policy "udp" $uport6 $file6 _6 172 fi 173 174 # mountd IPv6 ports are also reachable through IPv4, so include 175 # them when generating IPv4 rules. 176 tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null` 177 tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null` 178 if [ -n "$tports" -o -n "$tports6" ]; then 179 tports=`unique_ports $tports $tports6` 180 for tport in $tports; do 181 generate_rules $FMRI $policy "tcp" \ 182 $tport $file 183 done 184 fi 185 186 if [ -n "$tports6" ]; then 187 for tport6 in $tports6; do 188 generate_rules $FMRI $policy "tcp" \ 189 $tport6 $file6 _6 190 done 191 fi 192 193 uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null` 194 uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null` 195 if [ -n "$uports" -o -n "$uports6" ]; then 196 uports=`unique_ports $uports $uports6` 197 for uport in $uports; do 198 generate_rules $FMRI $policy "udp" \ 199 $uport $file 200 done 201 fi 202 203 if [ -n "$uports6" ]; then 204 for uport6 in $uports6; do 205 generate_rules $FMRI $policy "udp" \ 206 $uport6 $file6 _6 207 done 208 fi 209 210 elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then 211 iana_name=`svcprop -p inetd/name $FMRI` 212 213 # rquota IPv6 ports are also reachable through IPv4, so include 214 # them when generating IPv4 rules. 215 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` 216 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` 217 if [ -n "$tports" -o -n "$tports6" ]; then 218 tports=`unique_ports $tports $tports6` 219 for tport in $tports; do 220 generate_rules $NFS_FMRI $policy "tcp" \ 221 $tport $file 222 done 223 fi 224 225 if [ -n "$tports6" ]; then 226 for tport6 in $tports6; do 227 generate_rules $NFS_FMRI $policy "tcp" \ 228 $tport6 $file6 _6 229 done 230 fi 231 232 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` 233 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` 234 if [ -n "$uports" -o -n "$uports6" ]; then 235 uports=`unique_ports $uports $uports6` 236 for uport in $uports; do 237 generate_rules $NFS_FMRI $policy "udp" \ 238 $uport $file 239 done 240 fi 241 242 if [ -n "$uports6" ]; then 243 for uport6 in $uports6; do 244 generate_rules $NFS_FMRI $policy "udp" \ 245 $uport6 $file6 _6 246 done 247 fi 248 else 249 # 250 # Handle the client services here 251 # 252 if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then 253 policy=none 254 ip=any 255 fi 256 257 restarter=`svcprop -p general/restarter $FMRI 2>/dev/null` 258 if [ "$restarter" = "$INETDFMRI" ]; then 259 iana_name=`svcprop -p inetd/name $FMRI` 260 isrpc=`svcprop -p inetd/isrpc $FMRI` 261 else 262 iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` 263 isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI` 264 fi 265 266 if [ "$isrpc" = "true" ]; then 267 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` 268 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` 269 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` 270 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` 271 else 272 tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null` 273 tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null` 274 uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null` 275 uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null` 276 fi 277 278 # IPv6 ports are also reachable through IPv4, so include 279 # them when generating IPv4 rules. 280 if [ -n "$tports" -o -n "$tports6" ]; then 281 tports=`unique_ports $tports $tports6` 282 for tport in $tports; do 283 generate_rules $FMRI $policy "tcp" $tport $file 284 done 285 fi 286 287 if [ -n "$tports6" ]; then 288 for tport6 in $tports6; do 289 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 290 done 291 fi 292 293 if [ -n "$uports" -o -n "$uports6" ]; then 294 uports=`unique_ports $uports $uports6` 295 for uport in $uports; do 296 generate_rules $FMRI $policy "udp" $uport $file 297 done 298 fi 299 300 if [ -n "$uports6" ]; then 301 for uport6 in $uports6; do 302 generate_rules $FMRI $policy "udp" $uport6 $file6 _6 303 done 304 fi 305 fi 306 307 ;; 308 309*) 310 echo "Usage: $0 { start | stop | refresh }" 311 exit 1 312 ;; 313esac 314exit $SMF_EXIT_OK 315