6123 SMF ipfilter support needs improvement
[unleashed.git] / usr / src / cmd / ypcmd / yp.sh
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
#
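# Shared SMF and IP Filter helper libraries.  The rest of this script uses
# names it does not define itself (SMF_EXIT_*, fmri_to_file, SERVINFO,
# IPF_SUFFIX, IPF6_SUFFIX, FW_CONTEXT_PG); they are expected to come from
# these two includes.
. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh

# Directory holding the NIS daemons (ypbind, ypserv, rpc.yppasswdd) that
# this method script starts.
YPDIR=/usr/lib/netsvc/yp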
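#
# create_client_ipf_rules FMRI
#
# Write the IPv4 and IPv6 IP Filter rule files for the NIS client service
# instance FMRI.
#
# Globals read:    IPF_SUFFIX, IPF6_SUFFIX, FW_CONTEXT_PG, SERVINFO
# Globals written: FMRI, file, file6, iana_name, domain and the work
#                  variables below (plain sh, so nothing is function-local)
# Returns:         0 when no NIS domain is set or its binding directory is
#                  missing (no rule file is touched in that case); otherwise
#                  the status of the last command run.
#
# When /var/yp/binding/<domain>/ypservers exists, inbound traffic is allowed
# only from the addresses of the listed servers, and only to the ports that
# $SERVINFO reports for the service.  Without that file the client may be
# broadcasting for a server and a much wider rule is written (see below).
#
create_client_ipf_rules()
{
	FMRI=$1
	file=$(fmri_to_file "$FMRI" "$IPF_SUFFIX")
	file6=$(fmri_to_file "$FMRI" "$IPF6_SUFFIX")
	iana_name=$(svcprop -p "$FW_CONTEXT_PG/name" "$FMRI")
	domain=$(domainname)

	# No NIS domain configured: there is nothing to allow.
	if [ -z "$domain" ]; then
		return 0
	fi

	# The domain has no binding directory: leave the rule files alone.
	if [ ! -d "/var/yp/binding/$domain" ]; then
		return 0
	fi

	# Start both rule files afresh, tagged with the owning service.
	echo "# $FMRI" >"$file"
	echo "# $FMRI" >"$file6"

	ypfile="/var/yp/binding/$domain/ypservers"
	if [ -f "$ypfile" ]; then
		tports=$($SERVINFO -R -p -t -s "$iana_name" 2>/dev/null)
		uports=$($SERVINFO -R -p -u -s "$iana_name" 2>/dev/null)
		tports_6=$($SERVINFO -R -p -t6 -s "$iana_name" 2>/dev/null)
		uports_6=$($SERVINFO -R -p -u6 -s "$iana_name" 2>/dev/null)

		server_addrs=""
		server_addrs_6=""
		# Word splitting is intentional: one server name per word,
		# comment lines skipped.
		for ypsvr in $(grep -v '^[ ]*#' "$ypfile"); do
			#
			# Get corresponding IPv4/IPv6 addresses.  The first
			# field of each getent line is the address; one
			# containing a ':' is IPv6, anything else is IPv4.
			# (The earlier IPv4 filter, /^:/, only matched lines
			# that begin with ':' and so never selected an IPv4
			# address.)
			#
			servers=$(getent ipnodes "$ypsvr" |
			    awk '$1 !~ /:/ { print $1 }')
			servers_6=$(getent ipnodes "$ypsvr" |
			    awk '$1 ~ /:/ { print $1 }')

			if [ -n "$servers" ]; then
				server_addrs="$server_addrs $servers"
			fi

			# Append the IPv6 list here; this used to append
			# $servers, which put IPv4 addresses into the IPv6
			# rule file and dropped the IPv6 ones.
			if [ -n "$servers_6" ]; then
				server_addrs_6="$server_addrs_6 $servers_6"
			fi
		done

		# An empty list makes the loops below no-ops, so no extra
		# emptiness checks are needed.
		for s in $server_addrs; do
			for tport in $tports; do
				echo "pass in log quick" \
				    "proto tcp from $s" \
				    "to any port = $tport" \
				    >>"$file"
			done

			for uport in $uports; do
				echo "pass in log quick" \
				    "proto udp from $s" \
				    "to any port = $uport" \
				    >>"$file"
			done
		done

		for s in $server_addrs_6; do
			for tport in $tports_6; do
				echo "pass in log quick" \
				    "proto tcp from $s" \
				    "to any port = $tport" \
				    >>"$file6"
			done

			for uport in $uports_6; do
				echo "pass in log quick" \
				    "proto udp from $s" \
				    "to any port = $uport" \
				    >>"$file6"
			done
		done
	else
		#
		# How do we handle the client broadcast case? The server
		# replies to the outgoing port that sent the broadcast, but
		# there is no way for the client to know that a packet is
		# the reply.
		#
		# A NIS server should be specified and clients shouldn't be
		# doing broadcasts, but if one does there is no choice but
		# to allow all traffic.
		#
		# NOTE(security): these rules accept UDP from any source to
		# every port above 32768, not just to ypbind.  Listing the
		# servers in $ypfile makes the branch above write rules
		# limited to those servers' addresses and the service's
		# ports instead.
		#
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file"
		echo "pass in log quick proto udp from any to any" \
		    "port > 32768" >>"$file6"
	fi
}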
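#
# Ipfilter method
#
# When the first argument is "ipfilter", only (re)generate the firewall
# rules for the FMRI given as the second argument, then exit.
#
if [ "$1" = "ipfilter" ]; then
	create_client_ipf_rules "$2"
	exit $SMF_EXIT_OK
fi

#
# Start method: start the daemon that belongs to the service instance
# named by SMF_FMRI.  Configuration problems exit with
# SMF_EXIT_ERR_CONFIG; a daemon that fails to start exits with 1.
#
case "$SMF_FMRI" in
'svc:/network/nis/client:default')
	domain=$(domainname)

	if [ -z "$domain" ]; then
		echo "$0: domainname not set"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	if [ ! -d "/var/yp/binding/$domain" ]; then
		echo "$0: /var/yp/binding/$domain is not a directory"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Since two ypbinds will cause ypwhich to hang...
	if pgrep -z "$(/sbin/zonename)" ypbind >/dev/null; then
		echo "$0: ypbind is already running."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Bind to the listed servers when a ypservers file exists;
	# otherwise fall back to broadcasting for a server.
	if [ -f "/var/yp/binding/$domain/ypservers" ]; then
		"$YPDIR/ypbind" > /dev/null 2>&1
	else
		"$YPDIR/ypbind" -broadcast > /dev/null 2>&1
	fi

	rc=$?
	if [ "$rc" -ne 0 ]; then
		echo "$0: ypbind failed with $rc"
		exit 1
	fi
	;;

'svc:/network/nis/server:default')
	domain=$(domainname)

	if [ -z "$domain" ]; then
		echo "$0: domainname not set"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	if [ ! -d "/var/yp/$domain" ]; then
		echo "$0: domain directory missing"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# ypserv gets -d only when a resolver configuration is present.
	if [ -f /etc/resolv.conf ]; then
		"$YPDIR/ypserv" -d
	else
		"$YPDIR/ypserv"
	fi

	rc=$?
	if [ "$rc" -ne 0 ]; then
		echo "$0: ypserv failed with $rc"
		exit 1
	fi
	;;

'svc:/network/nis/passwd:default')
	# Take the password-file directory from the PWDIR assignment in
	# /var/yp/Makefile, if there is one.
	PWDIR=$(grep "^PWDIR" /var/yp/Makefile 2> /dev/null) \
	    && PWDIR=$(expr "$PWDIR" : '.*=[ ]*\([^ ]*\)')

	# -D is passed only for a directory other than /etc.  The value
	# comes from a file, so it is handed over as a single quoted
	# argument and is never word-split or glob-expanded.
	if [ -n "$PWDIR" ] && [ "$PWDIR" != "/etc" ]; then
		"$YPDIR/rpc.yppasswdd" -D "$PWDIR" -m
	else
		"$YPDIR/rpc.yppasswdd" -m
	fi

	rc=$?
	if [ "$rc" -ne 0 ]; then
		echo "$0: rpc.yppasswdd failed with $rc"
		exit 1
	fi
	;;

*)
	echo "$0: Unknown service \"$SMF_FMRI\"."
	exit $SMF_EXIT_ERR_CONFIG
	;;
esac
exit $SMF_EXIT_OK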