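#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
#

#
# SMF method script for the NIS (YP) services.
#
# Usage:
#	<script>			start the service named by $SMF_FMRI
#					(nis/client, nis/server or nis/passwd)
#	<script> ipfilter <fmri>	write the ipfilter rule files for the
#					NIS client (used by network/ipfilter)
#
# Environment: SMF_FMRI and the SMF_EXIT_* codes come from smf_include.sh;
# fmri_to_file, $SERVINFO, $FW_CONTEXT_PG, $IPF_SUFFIX and $IPF6_SUFFIX
# come from ipf_include.sh.
#

. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh

YPDIR=/usr/lib/netsvc/yp

#
# write_pass_rules PROTO ADDR "PORTS" FILE
#
# Append one "pass in log quick" rule per port in PORTS, allowing PROTO
# traffic from ADDR to that local port, to FILE.  Writes nothing when
# PORTS is empty, so a service with no registered ports yields no rule
# (i.e. stays closed under a default-deny policy).
#
# No "local" in Bourne sh: the wpr_ prefix keeps these from clobbering
# the caller's variables.
#
write_pass_rules()
{
	wpr_proto=$1
	wpr_addr=$2
	wpr_ports=$3
	wpr_file=$4

	[ -n "$wpr_ports" ] || return 0

	for wpr_port in $wpr_ports; do
		echo "pass in log quick proto $wpr_proto from $wpr_addr" \
		    "to any port = $wpr_port" >>"$wpr_file"
	done
}

#
# create_client_ipf_rules FMRI
#
# Generate the IPv4 ($IPF_SUFFIX) and IPv6 ($IPF6_SUFFIX) ipfilter rule
# files for the NIS client.
#
# When /var/yp/binding/<domain>/ypservers exists, every listed server is
# resolved with getent(1M) and only traffic from those addresses to the
# TCP/UDP ports $SERVINFO reports for the service's IANA name is allowed;
# IPv4 addresses go to the IPv4 file, IPv6 addresses to the IPv6 file.
# A server name that does not resolve simply produces no rule.
#
# Without a server list the client binds by broadcast, which can only be
# supported with a very wide rule (see the comment in the else branch).
#
# Returns 0 without writing anything when no domain is set or the
# binding directory for the domain does not exist.
#
create_client_ipf_rules()
{
	FMRI=$1
	file=`fmri_to_file "$FMRI" "$IPF_SUFFIX"`
	file6=`fmri_to_file "$FMRI" "$IPF6_SUFFIX"`
	iana_name=`svcprop -p "$FW_CONTEXT_PG/name" "$FMRI"`
	domain=`domainname`

	if [ -z "$domain" ]; then
		return 0
	fi

	if [ ! -d "/var/yp/binding/$domain" ]; then
		return 0
	fi

	# Truncate both rule files; every rule below is appended.
	echo "# $FMRI" >"$file"
	echo "# $FMRI" >"$file6"

	ypfile="/var/yp/binding/$domain/ypservers"
	if [ -f "$ypfile" ]; then
		tports=`$SERVINFO -R -p -t -s "$iana_name" 2>/dev/null`
		uports=`$SERVINFO -R -p -u -s "$iana_name" 2>/dev/null`
		tports_6=`$SERVINFO -R -p -t6 -s "$iana_name" 2>/dev/null`
		uports_6=`$SERVINFO -R -p -u6 -s "$iana_name" 2>/dev/null`

		server_addrs=""
		server_addrs_6=""
		# Skip comment lines; word splitting yields one name per entry.
		for ypsvr in `grep -v '^[ 	]*#' "$ypfile"`; do
			#
			# Resolve once and split the result on the address
			# family: an IPv4 address never contains a colon, an
			# IPv6 address always does.  Only the address field
			# is examined so aliases cannot confuse the match.
			#
			entries=`getent ipnodes "$ypsvr"`
			servers=`echo "$entries" | awk '$1 !~ /:/ { print $1 }'`
			servers_6=`echo "$entries" | awk '$1 ~ /:/ { print $1 }'`

			if [ -n "$servers" ]; then
				server_addrs="$server_addrs $servers"
			fi

			if [ -n "$servers_6" ]; then
				server_addrs_6="$server_addrs_6 $servers_6"
			fi
		done

		for s in $server_addrs; do
			write_pass_rules tcp "$s" "$tports" "$file"
			write_pass_rules udp "$s" "$uports" "$file"
		done

		for s in $server_addrs_6; do
			write_pass_rules tcp "$s" "$tports_6" "$file6"
			write_pass_rules udp "$s" "$uports_6" "$file6"
		done
	else
		#
		# Broadcast binding: the server replies to whichever
		# ephemeral port sent the broadcast, and nothing in the
		# rule set can identify that reply.  The only way to let
		# such a client work is to accept UDP from any source to
		# every port above 32768 -- a very wide hole.  Servers
		# should be listed in $ypfile so the narrow per-server
		# rules above are generated instead.
		#
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file"
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file6"
	fi
}

#
# Ipfilter method: "<script> ipfilter <fmri>"
#
if [ "$1" = "ipfilter" ]; then
	create_client_ipf_rules "$2"
	exit $SMF_EXIT_OK
fi

case $SMF_FMRI in
'svc:/network/nis/client:default')
	domain=`domainname`

	if [ -z "$domain" ]; then
		echo "$0: domainname not set"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	if [ ! -d "/var/yp/binding/$domain" ]; then
		echo "$0: /var/yp/binding/$domain is not a directory"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Two ypbinds in one zone make ypwhich hang, so refuse to start
	# a second one.
	if pgrep -z `/sbin/zonename` ypbind >/dev/null; then
		echo "$0: ypbind is already running."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# With a ypservers list ypbind only talks to the listed servers;
	# without one it falls back to broadcast (see the ipfilter
	# method above for the consequences).
	if [ -f "/var/yp/binding/$domain/ypservers" ]; then
		$YPDIR/ypbind > /dev/null 2>&1
	else
		$YPDIR/ypbind -broadcast > /dev/null 2>&1
	fi

	rc=$?
	if [ $rc != 0 ]; then
		echo "$0: ypbind failed with $rc"
		exit 1
	fi
	;;

'svc:/network/nis/server:default')
	domain=`domainname`

	if [ -z "$domain" ]; then
		echo "$0: domainname not set"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	if [ ! -d "/var/yp/$domain" ]; then
		echo "$0: domain directory missing"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# ypserv -d is passed only when the host has a resolver
	# configuration; see ypserv(1M) for what the flag enables.
	if [ -f /etc/resolv.conf ]; then
		$YPDIR/ypserv -d
	else
		$YPDIR/ypserv
	fi

	rc=$?
	if [ $rc != 0 ]; then
		echo "$0: ypserv failed with $rc"
		exit 1
	fi
	;;

'svc:/network/nis/passwd:default')
	# Pick up the password source directory from the NIS Makefile
	# ("PWDIR = /some/dir").  /etc is the daemon's default, so it is
	# only passed explicitly when it differs.
	PWDIR=`grep "^PWDIR" /var/yp/Makefile 2> /dev/null` \
	    && PWDIR=`expr "$PWDIR" : '.*=[ 	]*\([^ 	]*\)'`
	if [ -n "$PWDIR" ]; then
		if [ "$PWDIR" = "/etc" ]; then
			unset PWDIR
		else
			PWDIR="-D $PWDIR"
		fi
	fi
	# $PWDIR is deliberately unquoted: it is either empty or the
	# two words "-D <dir>".
	$YPDIR/rpc.yppasswdd $PWDIR -m

	rc=$?
	if [ $rc != 0 ]; then
		echo "$0: rpc.yppasswdd failed with $rc"
		exit 1
	fi
	;;

*)
	echo "$0: Unknown service \"$SMF_FMRI\"."
	exit $SMF_EXIT_ERR_CONFIG
	;;
esac
exit $SMF_EXIT_OK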