xref: /illumos-gate/usr/src/cmd/ypcmd/yp.sh (revision 4c28a617e3922d92a58e813a5b955eb526b9c386)
1#!/bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
25#
26
27. /lib/svc/share/smf_include.sh
28. /lib/svc/share/ipf_include.sh
29
30YPDIR=/usr/lib/netsvc/yp
31
32create_client_ipf_rules()
33{
34	FMRI=$1
35	file=`fmri_to_file $FMRI $IPF_SUFFIX`
36	file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
37	iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
38	domain=`domainname`
39	block_policy=$GLOBAL_BLOCK_POLICY
40
41	if [ "$block_policy" = "return" ]; then
42		block_policy_tcp="return-rst"
43		block_policy_udp="return-icmp-as-dest"
44	fi
45
46	if [ -z "$domain" ]; then
47		return 0
48	fi
49
50	if [ ! -d /var/yp/binding/$domain ]; then
51		return
52	fi
53	echo "# $FMRI" >$file
54	echo "# $FMRI" >$file6
55
56	ypfile="/var/yp/binding/$domain/ypservers"
57	if [ -f $ypfile ]; then
58		tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
59		uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
60		tports_6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
61		uports_6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
62
63		server_addrs=""
64                server_addrs_6=""
65		for ypsvr in `grep -v '^[ ]*#' $ypfile`; do
66			#
67			# Get corresponding IPv4/IPv6 addresses
68			#
69			servers=`getent ipnodes $ypsvr | \
70			    /usr/xpg4/bin/awk '$1 ~ !/:/{ print $1 }'`
71			servers_6=`getent ipnodes $ypsvr | \
72			    /usr/xpg4/bin/awk '$1 ~ /:/{ print $1 }'`
73
74			if [ -n "$servers" ]; then
75				server_addrs="$server_addrs $servers"
76			fi
77
78			if [ -n "$servers_6" ]; then
79				server_addrs_6="$server_addrs_6 $servers_6"
80			fi
81		done
82
83		if [ -n "$tports" -o -n "$tports_6" ]; then
84			for tport in $tports $tports_6; do
85				echo "block $block_policy_tcp in log" \
86				    "proto tcp from any to any" \
87				    "port = $tport" >>$file
88				if [ -n "$server_addrs"  ]; then
89					for s in $server_addrs; do
90						echo "pass in log quick" \
91						    "proto tcp from $s" \
92						    "to any port = $tport" \
93						    >>$file
94					done
95				fi
96			done
97		fi
98
99		if [ -n "$uports" -o -n "$uports_6" ]; then
100			for uport in $uports $uports_6; do
101				echo "block $block_policy_udp in log" \
102				    "proto udp from any to any" \
103				    "port = $uport" >>$file
104				if [ -n "$server_addrs"  ]; then
105					for s in $server_addrs; do
106						echo "pass in log quick" \
107						    "proto udp from $s" \
108						    "to any port = $uport" \
109						     >>$file
110					done
111				fi
112			done
113		fi
114
115		if [ -n "$tports_6" ]; then
116			for tport in $tports_6; do
117				echo "block $block_policy_tcp in log" \
118				    "proto tcp from any to any" \
119				    "port = $tport" >>$file6
120				if [ -n "$server_addrs_6"  ]; then
121					for s in $server_addrs_6; do
122						echo "pass in log quick" \
123						    "proto tcp from $s" \
124						    "to any port = $tport" \
125						    >>$file6
126					done
127				fi
128			done
129		fi
130
131		if [ -n "$uports_6" ]; then
132			for uport in $uports_6; do
133				echo "block $block_policy_udp in log" \
134				    "proto udp from any to any" \
135				    "port = $uport" >>$file6
136				if [ -n "$server_addrs_6"  ]; then
137					for s in $server_addrs_6; do
138						echo "pass in log quick" \
139						    "proto udp from $s" \
140						    "to any port = $uport" \
141						     >>$file6
142					done
143				fi
144			done
145		fi
146	else
147		#
148		# How do we handle the client broadcast case? Server replies
149		# to the outgoing port that sent the broadcast, but there's
150		# no way the client know a packet is the reply.
151		#
152		# Nis server should be specified and clients shouldn't be
153		# doing broadcasts but if it does, no choice but to allow
154		# all traffic.
155		#
156		echo "pass in log quick proto udp from any to any" \
157		    "port > 32768" >>$file
158		echo "pass in log quick proto udp from any to any" \
159		    "port > 32768" >>$file6
160	fi
161}
162
163#
164# Ipfilter method
165#
166if [ -n "$1" -a "$1" = "ipfilter" ]; then
167	create_client_ipf_rules $2
168	exit $SMF_EXIT_OK
169fi
170
171case $SMF_FMRI in
172	'svc:/network/nis/client:default')
173		domain=`domainname`
174
175		if [ -z "$domain" ]; then
176			echo "$0: domainname not set"
177			exit $SMF_EXIT_ERR_CONFIG
178		fi
179
180		if [ ! -d /var/yp/binding/$domain ]; then
181			echo "$0: /var/yp/binding/$domain is not a directory"
182			exit $SMF_EXIT_ERR_CONFIG
183		fi
184
185		# Since two ypbinds will cause ypwhich to hang...
186		if pgrep -z `/sbin/zonename` ypbind >/dev/null; then
187			echo "$0: ypbind is already running."
188			exit $SMF_EXIT_ERR_CONFIG
189		fi
190
191		if [ -f /var/yp/binding/$domain/ypservers ]; then
192			$YPDIR/ypbind > /dev/null 2>&1
193		else
194			$YPDIR/ypbind -broadcast > /dev/null 2>&1
195		fi
196
197		rc=$?
198		if [ $rc != 0 ]; then
199			echo "$0: ypbind failed with $rc"
200			exit 1
201		fi
202		;;
203
204	'svc:/network/nis/server:default')
205		domain=`domainname`
206
207		if [ -z "$domain" ]; then
208			echo "$0: domainname not set"
209			exit $SMF_EXIT_ERR_CONFIG
210		fi
211
212		if [ ! -d /var/yp/$domain ]; then
213			echo "$0: domain directory missing"
214			exit $SMF_EXIT_ERR_CONFIG
215		fi
216
217		if [ -f /etc/resolv.conf ]; then
218			$YPDIR/ypserv -d
219		else
220			$YPDIR/ypserv
221		fi
222
223		rc=$?
224		if [ $rc != 0 ]; then
225			echo "$0: ypserv failed with $rc"
226			exit 1
227		fi
228		;;
229
230	'svc:/network/nis/passwd:default')
231		PWDIR=`grep "^PWDIR" /var/yp/Makefile 2> /dev/null` \
232		    && PWDIR=`expr "$PWDIR" : '.*=[ 	]*\([^ 	]*\)'`
233		if [ "$PWDIR" ]; then
234			if [ "$PWDIR" = "/etc" ]; then
235				unset PWDIR
236			else
237				PWDIR="-D $PWDIR"
238			fi
239		fi
240		$YPDIR/rpc.yppasswdd $PWDIR -m
241
242		rc=$?
243		if [ $rc != 0 ]; then
244			echo "$0: rpc.yppasswdd failed with $rc"
245			exit 1
246		fi
247		;;
248
249	*)
250		echo "$0: Unknown service \"$SMF_FMRI\"."
251		exit $SMF_EXIT_ERR_CONFIG
252		;;
253esac
254exit $SMF_EXIT_OK
255