#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
#
267c478bd9Sstevel@tonic-gate
# SMF method script for the NIS (YP) client, server and passwd services.
#
# smf_include.sh supplies the SMF_EXIT_* status codes used below.  The
# ipfilter helpers used by create_client_ipf_rules (fmri_to_file,
# $IPF_SUFFIX, $IPF6_SUFFIX, $FW_CONTEXT_PG, $GLOBAL_BLOCK_POLICY,
# $SERVINFO) are not defined in this file and are expected to come from
# ipf_include.sh; both includes must be sourced before anything else runs.
. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh

# Directory holding the NIS daemons (ypbind, ypserv, rpc.yppasswdd).
YPDIR=/usr/lib/netsvc/yp
317c478bd9Sstevel@tonic-gate
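#
# emit_ipf_rules: append ipfilter rules for one protocol to one rules file.
#
# For every port a "block" rule is written first, followed by a
# "pass ... quick" rule for each known server address, so that only the
# configured NIS servers can reach the client on the service's RPC ports.
#
# Arguments:
#   $1 - protocol, "tcp" or "udp"
#   $2 - block action suffix (e.g. "return-rst"); may be empty, in which
#        case a plain "block" rule is written
#   $3 - whitespace separated list of ports; may be empty (nothing written)
#   $4 - whitespace separated list of server addresses; may be empty
#        (only block rules are written)
#   $5 - rules file to append to
#
emit_ipf_rules()
{
	rule_proto=$1
	rule_action=$2
	rule_ports=$3
	rule_addrs=$4
	rule_file=$5

	# Word splitting of $rule_ports and $rule_addrs is intended: both
	# are whitespace separated lists assembled by the caller.
	for rule_port in $rule_ports; do
		echo "block $rule_action in log" \
		    "proto $rule_proto from any to any" \
		    "port = $rule_port" >>"$rule_file"
		for rule_src in $rule_addrs; do
			echo "pass in log quick" \
			    "proto $rule_proto from $rule_src" \
			    "to any port = $rule_port" >>"$rule_file"
		done
	done
}

#
# create_client_ipf_rules: generate the ipfilter rules for the NIS client.
#
# Arguments:
#   $1 - FMRI of the service instance
#
# Writes one IPv4 and one IPv6 rules file (paths obtained through
# fmri_to_file).  When the client has an explicit server list in
# /var/yp/binding/<domain>/ypservers, inbound traffic on the service's
# RPC ports (looked up through $SERVINFO by the IANA service name stored
# in the firewall context property group) is blocked except from the
# listed servers.  Without a server list (broadcast binding) all UDP
# ports above 32768 are passed, since a reply cannot be matched to a
# known server.
#
# Returns 0.  Nothing is written when no NIS domain is set or the
# binding directory for it does not exist.
#
create_client_ipf_rules()
{
	FMRI=$1
	file=`fmri_to_file "$FMRI" "$IPF_SUFFIX"`
	file6=`fmri_to_file "$FMRI" "$IPF6_SUFFIX"`
	iana_name=`svcprop -p "$FW_CONTEXT_PG/name" "$FMRI"`
	domain=`domainname`
	block_policy=$GLOBAL_BLOCK_POLICY

	#
	# Only the "return" policy gets a protocol specific block action;
	# any other policy leaves the action empty so a plain "block" rule
	# is written.  Initialised explicitly so an inherited environment
	# value cannot leak into the rules.
	#
	block_policy_tcp=""
	block_policy_udp=""
	if [ "$block_policy" = "return" ]; then
		block_policy_tcp="return-rst"
		block_policy_udp="return-icmp-as-dest"
	fi

	if [ -z "$domain" ]; then
		return 0
	fi

	if [ ! -d "/var/yp/binding/$domain" ]; then
		return 0
	fi
	echo "# $FMRI" >"$file"
	echo "# $FMRI" >"$file6"

	ypfile="/var/yp/binding/$domain/ypservers"
	if [ -f "$ypfile" ]; then
		# $SERVINFO is a command supplied by the include, left
		# unquoted on purpose in case it carries options.
		tports=`$SERVINFO -R -p -t -s "$iana_name" 2>/dev/null`
		uports=`$SERVINFO -R -p -u -s "$iana_name" 2>/dev/null`
		tports_6=`$SERVINFO -R -p -t6 -s "$iana_name" 2>/dev/null`
		uports_6=`$SERVINFO -R -p -u6 -s "$iana_name" 2>/dev/null`

		server_addrs=""
		server_addrs_6=""
		# Skip comment lines; every remaining word is a server name.
		for ypsvr in `grep -v '^[ ]*#' "$ypfile"`; do
			#
			# Split this server's addresses into IPv4 (no ':')
			# and IPv6 (contains ':').  Note the "!~" operator:
			# writing "$1 ~ !/:/" instead would negate a match
			# of $0 and then use the resulting "0"/"1" as the
			# pattern, so IPv4 addresses without a '1' would be
			# dropped and IPv6 addresses containing a '0' would
			# end up in the IPv4 list.
			#
			servers=`getent ipnodes "$ypsvr" | \
			    /usr/xpg4/bin/awk '$1 !~ /:/ { print $1 }'`
			servers_6=`getent ipnodes "$ypsvr" | \
			    /usr/xpg4/bin/awk '$1 ~ /:/ { print $1 }'`

			if [ -n "$servers" ]; then
				server_addrs="$server_addrs $servers"
			fi

			if [ -n "$servers_6" ]; then
				server_addrs_6="$server_addrs_6 $servers_6"
			fi
		done

		#
		# The IPv4 rules file covers both the IPv4 and the IPv6 port
		# lists, the IPv6 file only the IPv6 ports.
		# NOTE(review): the reason is not recorded here -- presumably
		# an IPv6 listener may also receive IPv4 traffic; confirm
		# before changing.
		#
		emit_ipf_rules tcp "$block_policy_tcp" "$tports $tports_6" \
		    "$server_addrs" "$file"
		emit_ipf_rules udp "$block_policy_udp" "$uports $uports_6" \
		    "$server_addrs" "$file"
		emit_ipf_rules tcp "$block_policy_tcp" "$tports_6" \
		    "$server_addrs_6" "$file6"
		emit_ipf_rules udp "$block_policy_udp" "$uports_6" \
		    "$server_addrs_6" "$file6"
	else
		#
		# How do we handle the client broadcast case? Server replies
		# to the outgoing port that sent the broadcast, but there's
		# no way the client know a packet is the reply.
		#
		# Nis server should be specified and clients shouldn't be
		# doing broadcasts but if it does, no choice but to allow
		# all traffic.
		#
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file"
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file6"
	fi
}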
162eb1a3463STruong Nguyen
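#
# Ipfilter method: "ipfilter <fmri>" only generates the rules files for
# the given instance and exits before any daemon is started.
#
if [ "$1" = "ipfilter" ]; then
	create_client_ipf_rules "$2"
	exit $SMF_EXIT_OK
fi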
170eb1a3463STruong Nguyen
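#
# require_domain: set $domain from domainname(1) or exit with a
# configuration error when no NIS domain is set.  Must be called
# directly (not in a command substitution) so the exit ends the script.
#
# Globals:  domain (written)
# Exits:    $SMF_EXIT_ERR_CONFIG when domainname is empty
#
require_domain()
{
	domain=`domainname`

	if [ -z "$domain" ]; then
		echo "$0: domainname not set"
		exit $SMF_EXIT_ERR_CONFIG
	fi
}

#
# Start method: pick the daemon to run from the instance FMRI.  Every
# arm validates its configuration first and exits with
# $SMF_EXIT_ERR_CONFIG, so a misconfigured instance goes to maintenance
# instead of starting a half-working daemon.
#
case $SMF_FMRI in
	'svc:/network/nis/client:default')
		require_domain

		if [ ! -d "/var/yp/binding/$domain" ]; then
			echo "$0: /var/yp/binding/$domain is not a directory"
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# Since two ypbinds will cause ypwhich to hang...
		if pgrep -z `/sbin/zonename` ypbind >/dev/null; then
			echo "$0: ypbind is already running."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# Bind to the listed servers when a ypservers file exists,
		# otherwise fall back to broadcast binding.
		if [ -f "/var/yp/binding/$domain/ypservers" ]; then
			$YPDIR/ypbind > /dev/null 2>&1
		else
			$YPDIR/ypbind -broadcast > /dev/null 2>&1
		fi

		# $? of the if statement is the status of the ypbind run.
		rc=$?
		if [ "$rc" -ne 0 ]; then
			echo "$0: ypbind failed with $rc"
			exit 1
		fi
		;;

	'svc:/network/nis/server:default')
		require_domain

		if [ ! -d "/var/yp/$domain" ]; then
			echo "$0: domain directory missing"
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# -d is passed only when a resolver is configured;
		# presumably it enables DNS forwarding for host lookups
		# (see ypserv(8) before relying on that).
		if [ -f /etc/resolv.conf ]; then
			$YPDIR/ypserv -d
		else
			$YPDIR/ypserv
		fi

		# $? of the if statement is the status of the ypserv run.
		rc=$?
		if [ "$rc" -ne 0 ]; then
			echo "$0: ypserv failed with $rc"
			exit 1
		fi
		;;

	'svc:/network/nis/passwd:default')
		# Take the password source directory from the PWDIR
		# assignment in /var/yp/Makefile; /etc is the default, so
		# no -D option is passed in that case.
		PWDIR=`grep "^PWDIR" /var/yp/Makefile 2> /dev/null` \
		    && PWDIR=`expr "$PWDIR" : '.*=[ 	]*\([^ 	]*\)'`
		if [ "$PWDIR" ]; then
			if [ "$PWDIR" = "/etc" ]; then
				unset PWDIR
			else
				PWDIR="-D $PWDIR"
			fi
		fi
		# $PWDIR is deliberately unquoted: it holds "-D <dir>" as
		# two words, or nothing at all.
		$YPDIR/rpc.yppasswdd $PWDIR -m

		rc=$?
		if [ "$rc" -ne 0 ]; then
			echo "$0: rpc.yppasswdd failed with $rc"
			exit 1
		fi
		;;

	*)
		echo "$0: Unknown service \"$SMF_FMRI\"."
		exit $SMF_EXIT_ERR_CONFIG
		;;
esac
exit $SMF_EXIT_OK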