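#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
#

#
# SMF method script for the NIS (yp) services.
#
# Invoked either as "<script> ipfilter <fmri>" to generate the IP Filter
# rules for the NIS client, or as a start method, in which case
# $SMF_FMRI selects which daemon (ypbind, ypserv or rpc.yppasswdd) to start.
#
# Backquotes and "[ ]" are kept on purpose: the script runs under /bin/sh.
#

. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh

YPDIR=/usr/lib/netsvc/yp

#
# create_client_ipf_rules fmri
#
# Write the inbound IP Filter rules for the NIS client into the file that
# fmri_to_file returns for the given FMRI.
#
# With a ypservers file: one "pass in" rule per (server address, port)
# pair, for the TCP and UDP ports $SERVINFO reports for the service name.
# Server names are looked up in /etc/hosts only, and only IPv4 entries
# are used; a name with no match yields no rule.
#
# Without a ypservers file (broadcast binding): a single broad UDP rule,
# see the comment at that branch.
#
# Returns 0 when there is nothing to do (no domain, no binding directory,
# no resolvable server); returns 1 when no rule file name was obtained.
# Variables are global, as the shell has no function-local scope here.
#
create_client_ipf_rules()
{
	FMRI=$1
	file=`fmri_to_file "$FMRI" $IPF_SUFFIX`
	iana_name=`svcprop -p "$FW_CONTEXT_PG/name" "$FMRI"`
	domain=`domainname`

	if [ -z "$domain" ]; then
		return 0
	fi

	if [ ! -d "/var/yp/binding/$domain" ]; then
		return
	fi

	# Without a rule file name every redirection below would fail, so
	# stop here instead of emitting a string of redirection errors.
	[ -n "$file" ] || return 1

	# Truncate the rule file and tag it with the owning service.
	echo "# $FMRI" >"$file"

	ypfile="/var/yp/binding/$domain/ypservers"
	if [ -f "$ypfile" ]; then
		tports=`$SERVINFO -R -p -t -s "$iana_name" 2>/dev/null`
		uports=`$SERVINFO -R -p -u -s "$iana_name" 2>/dev/null`

		server_addrs=""
		# NOTE(review): the bracket expression below is reproduced
		# as it appears here (a single blank); confirm whether the
		# original also held a tab.
		# The word list is left unquoted so that each server name
		# becomes one loop item.
		for ypsvr in `grep -v '^[ ]*#' "$ypfile"`; do
			#
			# Get corresponding IPv4 address in /etc/hosts:
			# print the first field of every non-IPv6 line
			# (no ':' in the address) that lists $ypsvr as a
			# host name or alias.
			#
			servers=`grep -v '^[ ]*#' /etc/hosts | awk ' {
				if ($1 !~/:/) {
					for (i=2; i<=NF; i++) {
						if (s == $i) printf("%s ", $1);
					} }
				}' s="$ypsvr"`

			[ -z "$servers" ] && continue
			server_addrs="$server_addrs $servers"
		done

		# No server resolved: the rule file keeps only its header
		# line, i.e. nothing is opened.
		[ -z "$server_addrs" ] && return 0
		for s in $server_addrs; do
			if [ -n "$tports" ]; then
				for tport in $tports; do
					echo "pass in log quick proto tcp" \
					    "from $s to any port = $tport" >>"$file"
				done
			fi

			if [ -n "$uports" ]; then
				for uport in $uports; do
					echo "pass in log quick proto udp" \
					    "from $s to any port = $uport" >>"$file"
				done
			fi
		done
	else
		#
		# How do we handle the client broadcast case? The server
		# replies to the outgoing port that sent the broadcast, but
		# there is no way for the client to know that a packet is
		# the reply.
		#
		# A NIS server should be specified and clients shouldn't be
		# doing broadcasts, but if one does there is no choice but
		# to allow all traffic.
		#
		# Security note: this rule admits inbound UDP from any
		# source to every port above 32768, not only NIS replies.
		# Listing the servers in the ypservers file replaces it with
		# the per-server rules above.
		# NOTE(review): the comparison is strict, so port 32768
		# itself is not covered - confirm against the anonymous
		# port range in use.
		#
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file"
	fi
}

#
# Ipfilter method: generate the firewall rules for the FMRI in $2 and
# leave; no daemon is started on this path.
#
if [ "$1" = "ipfilter" ]; then
	create_client_ipf_rules "$2"
	exit $SMF_EXIT_OK
fi

#
# Start method: pick the daemon from the service instance being started.
#
case $SMF_FMRI in
	'svc:/network/nis/client:default')
		domain=`domainname`

		if [ -z "$domain" ]; then
			echo "$0: domainname not set"
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if [ ! -d "/var/yp/binding/$domain" ]; then
			echo "$0: /var/yp/binding/$domain is not a directory"
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# Since two ypbinds will cause ypwhich to hang...
		# (the check is limited to the current zone)
		if pgrep -z "`/sbin/zonename`" ypbind >/dev/null; then
			echo "$0: ypbind is already running."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# With a ypservers file ypbind uses the listed servers;
		# otherwise it falls back to broadcast binding, which is
		# also the case that needs the broad firewall rule written
		# by create_client_ipf_rules.
		if [ -f "/var/yp/binding/$domain/ypservers" ]; then
			$YPDIR/ypbind > /dev/null 2>&1
		else
			$YPDIR/ypbind -broadcast > /dev/null 2>&1
		fi

		rc=$?
		if [ "$rc" != 0 ]; then
			echo "$0: ypbind failed with $rc"
			exit 1
		fi
		;;

	'svc:/network/nis/server:default')
		domain=`domainname`

		if [ -z "$domain" ]; then
			echo "$0: domainname not set"
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if [ ! -d "/var/yp/$domain" ]; then
			echo "$0: domain directory missing"
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# ypserv is started with -d only when a resolver
		# configuration exists.
		if [ -f /etc/resolv.conf ]; then
			$YPDIR/ypserv -d
		else
			$YPDIR/ypserv
		fi

		rc=$?
		if [ "$rc" != 0 ]; then
			echo "$0: ypserv failed with $rc"
			exit 1
		fi
		;;

	'svc:/network/nis/passwd:default')
		# Take the password directory from the PWDIR assignment in
		# /var/yp/Makefile; a missing Makefile or a value of /etc
		# means no -D option is passed.
		PWDIR=`grep "^PWDIR" /var/yp/Makefile 2> /dev/null` \
		    && PWDIR=`expr "$PWDIR" : '.*=[ ]*\([^ ]*\)'`
		if [ "$PWDIR" ]; then
			if [ "$PWDIR" = "/etc" ]; then
				unset PWDIR
			else
				PWDIR="-D $PWDIR"
			fi
		fi
		# $PWDIR is deliberately unquoted: it must split into the
		# option and its argument, or vanish when unset.
		$YPDIR/rpc.yppasswdd $PWDIR -m

		rc=$?
		if [ "$rc" != 0 ]; then
			echo "$0: rpc.yppasswdd failed with $rc"
			exit 1
		fi
		;;

	*)
		echo "$0: Unknown service \"$SMF_FMRI\"."
		exit $SMF_EXIT_ERR_CONFIG
		;;
esac
exit $SMF_EXIT_OK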