#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
# Copyright 2015 Nexenta Systems, Inc. All rights reserved.
# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
#
# Start/stop processes required for server NFS
. /lib/svc/share/smf_include.sh
. /lib/svc/share/ipf_include.sh
zone=`smf_zonename`
#
# Handling a corner case here. If we were in offline state due to an
# unsatisfied dependency, the ipf_method process wouldn't have generated
# the ipfilter configuration. When we transition to online because the
# dependency is satisfied, the start method will have to generate the
# ipfilter configuration. To avoid all possible deadlock scenarios,
# we restart ipfilter which will regenerate the ipfilter configuration
# for the entire system.
#
# The ipf_method process signals that it didn't generate ipf rules by
# removing the service's ipf file. Thus we only restart network/ipfilter
# when the file is missing.
#
configure_ipfilter()
{
ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX`
ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX`
[ -f "$ipfile" -a -f "$ip6file" ] && return 0
#
# Nothing to do if:
# - ipfilter isn't online
# - global policy is 'custom'
# - service's policy is 'use_global'
#
service_check_state $IPF_FMRI $SMF_ONLINE || return 0
[ "`get_global_def_policy`" = "custom" ] && return 0
[ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0
svcadm restart $IPF_FMRI
}
case "$1" in
'start')
# The NFS server is not supported in a local zone
if smf_is_nonglobalzone; then
/usr/sbin/svcadm disable -t svc:/network/nfs/server
echo "The NFS server is not supported in a local zone"
sleep 5 &
exit $SMF_EXIT_OK
fi
# Share all file systems enabled for sharing. sharemgr understands
# regular shares and ZFS shares and will handle both. Technically,
# the shares would have been started long before getting here since
# nfsd has a dependency on them.
# restart stopped shares from the repository
/usr/sbin/sharemgr start -P nfs -a
# Options for nfsd are now set in SMF
/usr/lib/nfs/mountd
rc=$?
if [ $rc != 0 ]; then
/usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
echo "$0: mountd failed with $rc"
sleep 5 &
exit $SMF_EXIT_ERR_FATAL
fi
/usr/lib/nfs/nfsd
rc=$?
if [ $rc != 0 ]; then
/usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
echo "$0: nfsd failed with $rc"
sleep 5 &
exit $SMF_EXIT_ERR_FATAL
fi
configure_ipfilter
;;
'refresh')
/usr/sbin/sharemgr start -P nfs -a
;;
'stop')
/usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)'
# Unshare all shared file systems using NFS
/usr/sbin/sharemgr stop -P nfs -a
# Kill any processes left in service contract
smf_kill_contract $2 TERM 1
[ $? -ne 0 ] && exit 1
;;
'ipfilter')
#
# NFS related services are RPC. nfs/server has nfsd which has
# well-defined port number but mountd is an RPC daemon.
#
# Essentially, we generate rules for the following "services"
# - nfs/server which has nfsd and mountd
# - nfs/rquota
#
# The following services are enabled for both nfs client and
# server, if nfs/client is enabled we'll treat them as client
# services and simply allow incoming traffic.
# - nfs/status
# - nfs/nlockmgr
# - nfs/cbd
#
NFS_FMRI="svc:/network/nfs/server:default"
NFSCLI_FMRI="svc:/network/nfs/client:default"
RQUOTA_FMRI="svc:/network/nfs/rquota:default"
FMRI=$2
file=`fmri_to_file $FMRI $IPF_SUFFIX`
file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
echo "# $FMRI" >$file
echo "# $FMRI" >$file6
policy=`get_policy $NFS_FMRI`
#
# nfs/server configuration is processed in the start method.
#
if [ "$FMRI" = "$NFS_FMRI" ]; then
service_check_state $FMRI $SMF_ONLINE
if [ $? -ne 0 ]; then
rm $file
exit $SMF_EXIT_OK
fi
nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null`
tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
if [ -n "$tport" ]; then
generate_rules $FMRI $policy "tcp" $tport $file
fi
tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null`
if [ -n "$tport6" ]; then
generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
fi
uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
if [ -n "$uport" ]; then
generate_rules $FMRI $policy "udp" $uport $file
fi
uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null`
if [ -n "$uport6" ]; then
generate_rules $FMRI $policy "udp" $uport6 $file6 _6
fi
# mountd IPv6 ports are also reachable through IPv4, so include
# them when generating IPv4 rules.
tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null`
if [ -n "$tports" -o -n "$tports6" ]; then
tports=`unique_ports $tports $tports6`
for tport in $tports; do
generate_rules $FMRI $policy "tcp" \
$tport $file
done
fi
if [ -n "$tports6" ]; then
for tport6 in $tports6; do
generate_rules $FMRI $policy "tcp" \
$tport6 $file6 _6
done
fi
uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null`
if [ -n "$uports" -o -n "$uports6" ]; then
uports=`unique_ports $uports $uports6`
for uport in $uports; do
generate_rules $FMRI $policy "udp" \
$uport $file
done
fi
if [ -n "$uports6" ]; then
for uport6 in $uports6; do
generate_rules $FMRI $policy "udp" \
$uport6 $file6 _6
done
fi
elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
iana_name=`svcprop -p inetd/name $FMRI`
# rquota IPv6 ports are also reachable through IPv4, so include
# them when generating IPv4 rules.
tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
if [ -n "$tports" -o -n "$tports6" ]; then
tports=`unique_ports $tports $tports6`
for tport in $tports; do
generate_rules $NFS_FMRI $policy "tcp" \
$tport $file
done
fi
if [ -n "$tports6" ]; then
for tport6 in $tports6; do
generate_rules $NFS_FMRI $policy "tcp" \
$tport6 $file6 _6
done
fi
uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
if [ -n "$uports" -o -n "$uports6" ]; then
uports=`unique_ports $uports $uports6`
for uport in $uports; do
generate_rules $NFS_FMRI $policy "udp" \
$uport $file
done
fi
if [ -n "$uports6" ]; then
for uport6 in $uports6; do
generate_rules $NFS_FMRI $policy "udp" \
$uport6 $file6 _6
done
fi
else
#
# Handle the client services here
#
if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then
policy=none
ip=any
fi
restarter=`svcprop -p general/restarter $FMRI 2>/dev/null`
if [ "$restarter" = "$INETDFMRI" ]; then
iana_name=`svcprop -p inetd/name $FMRI`
isrpc=`svcprop -p inetd/isrpc $FMRI`
else
iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI`
fi
if [ "$isrpc" = "true" ]; then
tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
else
tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null`
uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null`
fi
# IPv6 ports are also reachable through IPv4, so include
# them when generating IPv4 rules.
if [ -n "$tports" -o -n "$tports6" ]; then
tports=`unique_ports $tports $tports6`
for tport in $tports; do
generate_rules $FMRI $policy "tcp" $tport $file
done
fi
if [ -n "$tports6" ]; then
for tport6 in $tports6; do
generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
done
fi
if [ -n "$uports" -o -n "$uports6" ]; then
uports=`unique_ports $uports $uports6`
for uport in $uports; do
generate_rules $FMRI $policy "udp" $uport $file
done
fi
if [ -n "$uports6" ]; then
for uport6 in $uports6; do
generate_rules $FMRI $policy "udp" $uport6 $file6 _6
done
fi
fi
;;
*)
echo "Usage: $0 { start | stop | refresh }"
exit 1
;;
esac
exit $SMF_EXIT_OK