eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# CDDL HEADER START
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# The contents of this file are subject to the terms of the
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Common Development and Distribution License (the "License").
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# You may not use this file except in compliance with the License.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# See the License for the specific language governing permissions
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# and limitations under the License.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# When distributing Covered Code, include this CDDL HEADER in each
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# If applicable, add the following below this CDDL HEADER, with the
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# fields enclosed by brackets "[]" replaced with your own identifying
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# information: Portions Copyright [yyyy] [name of copyright owner]
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# CDDL HEADER END
ea7d3b1a278e2af7b09658d7a51d5b61d6ee490fTruong Nguyen# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
6ba597c56d749c61b4f783157f63196d7b2445f0Anurag S. MaskeyIPFILTER_FMRI="svc:/network/ipfilter:default"
6ba597c56d749c61b4f783157f63196d7b2445f0Anurag S. MaskeyIPNATCONF=`/usr/bin/svcprop -p config/ipnat_config_file $IPFILTER_FMRI \
6ba597c56d749c61b4f783157f63196d7b2445f0Anurag S. MaskeyIPPOOLCONF=`/usr/bin/svcprop -p config/ippool_config_file $IPFILTER_FMRI \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# version for configuration upgrades
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# Get value(s) for given property from either firewall_config_default or
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# firewall_config_override property groups.
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# global_get_prop_value pg_name propname
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# pg_name - FW_CONFIG_DEF_PG or FW_CONFIG_OVR_PG
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# propname - property name
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen [ "$1" != $FW_CONFIG_OVR_PG -a "$1" != $FW_CONFIG_DEF_PG ] && return
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen [ "$1" == $FW_CONFIG_DEF_PG ] && extra_pg=$FW_CONFIG_OVR_PG || \
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen for (i=1; i<=NF; i++) {
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen if (found == 1) {
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen if (index($i, target_pg) == 1 || index($i, extra_pg) == 1)
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen if (split($i, values, "/") < 2)
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen if (values[1] == target_pg && values[2] == prop)
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen }' target_pg=$target_pg prop=$prop extra_pg=$extra_pg`
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# Initialize and cache network/ipfilter configuration, global configuration.
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# Since an SMF service configuration may get updated during the execution of the
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# service method, it's best to read all relevant configuration via one svcprop
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# invocation and cache it for later use.
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# This function reads and stores relevant configuration into GLOBAL_CONFIG and
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# initializes the GLOBAL_POLICY and GLOBAL_BLOCK_POLICY variables. GLOBAL_CONFIG
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# is a string containing pg/prop and their corresponding values (i.e. svcprop -p
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# pg fmri output). To get values for a certain pg/prop, use
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# global_get_prop_value().
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen GLOBAL_CONFIG=`svcprop -p ${FW_CONFIG_OVR_PG} -p ${FW_CONFIG_DEF_PG} \
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen $IPF_FMRI 2>/dev/null | awk '{$2=" "; print $0}'`
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen GLOBAL_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG $POLICY_PROP`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld GLOBAL_BLOCK_POLICY=`global_get_prop_value $FW_CONFIG_DEF_PG \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets its config pg name
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets its firewall policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p $config_pg/${POLICY_PROP} $1 2>/dev/null
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# block policy can be set to "return", which will expand into
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# separate block rules for tcp (block return-rst ...) and all other
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# protocols (block return-icmp-as-dest ...)
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld svcprop -p $config_pg/${BLOCKPOL_PROP} $1 2>/dev/null
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Given a service, gets its source address exceptions for IPv4
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld exceptions=`svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Given a service, gets its source address exceptions for IPv6
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld exceptions6=`svcprop -p $config_pg/${EXCEPTIONS_6_PROP} $1 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Given a service, gets its firewalled source addresses for IPv4
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld apply2=`svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Given a service, gets its firewalled source addresses for IPv6
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld apply2_6=`svcprop -p $config_pg/${APPLY2_6_PROP} $1 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Given a service, gets its firewalled target addresses for IPv4
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld target=`svcprop -p $config_pg/${TARGET_PROP} $1 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$target" -o "$target" = '""' ] && target=any
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# Given a service, gets its firewalled target addresses for IPv6
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld target6=`svcprop -p $config_pg/${TARGET_6_PROP} $1 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$target6" -o "$target6" = '""' ] && target6=any
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -d $VAR_IPF_DIR ] && return 0
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen mkdir $VAR_IPF_DIR >/dev/null 2>&1 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# fmri_to_file fmri suffix
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen fprefix="${VAR_IPF_DIR}/`echo $1 | tr -s '/:' '__'`"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Return service's enabled property
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Temporary enabled state overrides the persistent state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen enabled_ovr=`svcprop -c -p general_ovr/enabled $1 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$enabled_ovr" = "true" ] && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen enabled=`svcprop -c -p general/enabled $1 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -n "$enabled" -a "$enabled" = "true" ] && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Return whether service is desired state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Args: fmri state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# 0 - desired state is service's current state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# 1 - desired state is not service's current state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Make sure we're done with ongoing state transition
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen while [ "`svcprop -p restarter/next_state $1`" != "$SMF_NONE" ]; do
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "`svcprop -p restarter/state $1`" = "$2" ] && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Deny/Allow list stores values in the form "host:addr", "network:addr/netmask",
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# "pool:number", and "if:interface". This function returns the
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# IP(addr or addr/netmask) value or a pool number.
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "$1" | sed -n -e "s,^${PREFIX_POOL}\(.*\),pool/\1,p" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld scratch=`echo "$1" | sed -e "s/^${PREFIX_IF}//"`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ifconfig $scratch >/dev/null 2>&1 || return 1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo $1 | grep "^${PREFIX_IF}" >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Remove rules in given file from active list without restarting ipfilter
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -f "$1" ] && ipf $2 -r -f $1 >/dev/null 2>&1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld ipf $2 -n -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ipnat -n -f $1 >/dev/null 2>&1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo $* | xargs -n 1 echo | sort -u
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld ipf $2 -n -v -f $1 2>/dev/null | sed -n -e \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen awk '{if (length($0) > 1) {printf("%s ", $1)}}'
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld ipfstat $1 -io 2>/dev/null | sed -n -e \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen awk '{if (length($0) > 1) {printf("%s ",$1)}}'
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given two list of ports, return failure if there's a duplicate.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # If either list is empty, there isn't any conflict.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen for p in $1; do
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a file containing ipf rules, check the syntax and verify
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# the rules don't conflict, use same port number, with active
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# rules (ipfstat -io output).
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld check_ipf_syntax $1 $2 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen sets_check_duplicate "$lports" "$lactive_ports" || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a file containing ipf rules, check the syntax and verify
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# the rules don't conflict with already processed services.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# The list of processed services' ports are maintained in the global
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld# variables 'server_port_list' and 'server_port_list_6'.
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld check_ipf_syntax $1 $2 || return 1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld sets_check_duplicate "$lports" "$server_port_list_6" || return 1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld server_port_list_6="$server_port_list_6 $lports"
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld sets_check_duplicate "$lports" "$server_port_list" || return 1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld check_ipf_syntax $1 $2 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld ipf $2 -f - >/dev/null 2>&1
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld check_ipf_syntax $1 $2 && ipf $2 -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen check_nat_syntax $1 && ipnat -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# get port information from string of the form "proto:{port | port-port}"
2bd8b3545dceb97f56401b7ad2a327e08d520574Hans Rosenfeld port_str=`echo "$1" | sed -e 's/ //g; s/\\\//g; s/.*://' 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo $port_str | grep '^[0-9]\{1,5\}-[0-9]\{1,5\}$' >/dev/null || \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ $p -gt 65535 ] && return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # port_str is a single port, verify and return it.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "$port_str" | grep '^[0-9]\{1,5\}$' >/dev/null || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ $port_str -gt 65535 ] && return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# get proto info from string of the form "{tcp | udp}:port"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen proto=`echo "$1" | sed -e 's/ //g; s/:.*//' 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$proto" = "tcp" -o "$proto" = "udp" ] && echo $proto || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Clear lock if the owning process is no longer around.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ps -p $curpid >/dev/null 2>&1 || rm -r $IPF_LOCK >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Remove lock if it's ours
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "`cat $IPF_LOCK/pid`" = "$$" ] && rm -r $IPF_LOCK
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Make IPFILCONF, /var/tmp/ipf/ipf.conf, a symlink to the input file argument.
caa64d545b688cd708983338e8c85b054ecfc8beTruong Nguyen # Nothing to do if the input file doesn't exist.
2bd8b3545dceb97f56401b7ad2a327e08d520574Hans Rosenfeld# Make IP6FILCONF, /var/tmp/ipf/ipf6.conf, a symlink to the input file argument.
2bd8b3545dceb97f56401b7ad2a327e08d520574Hans Rosenfeld # Nothing to do if the input file doesn't exist.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# New file replaces original file if they have different content
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # IPFILCONF may be a symlink, remove it if that's the case
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen mv $new $orig && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets the following details for ipf rule:
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - port(IANA port obtained by running servinfo)
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Empties service's rules file so callers won't use existing rule if
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen restarter=`svcprop -p general/restarter $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen iana_name=`svcprop -p inetd/name $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen isrpc=`svcprop -p inetd/isrpc $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen iana_name=`svcprop -p $FW_CONTEXT_PG/name $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Bail if iana_name isn't defined. Services with static rules
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # like nis/client don't need to generate rules using
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld # The ports used for IPv6 are usually also reachable
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld # through IPv4, so generate IPv4 rules for them, too.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Get the IANA port and supported protocols(tcp and udp)
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld generate_rules $service $policy "tcp" $tport $file
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld generate_rules $service $policy "tcp" $tport6 $file6 _6
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld generate_rules $service $policy "udp" $uport $file
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld generate_rules $service $policy "udp" $uport6 $file6 _6
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service's name, policy, protocol and port, generate ipf rules
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - list of host/network/interface to apply policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# A 'use_global' policy inherits the system-wided Global Default policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# from network/ipfilter. For {deny | allow} policies, the rules are
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - make exceptions to policy for those in "exceptions" list
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - apply policy to those specified in "apply_to" list
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - policy rule
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Default mode is to inherit from global's policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags"
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ "$proto" = "tcp" ] && block_policy="return-rst"
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ "$proto" != "tcp" ] && block_policy="return-icmp-as-dest"
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$daddr" -o "$daddr" = '""' ] && continue
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "pass in log quick proto ${proto} from any to ${daddr}" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld # For now, let's concern ourselves only with incoming traffic.
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block ${block_policy}"; }
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ "$mypolicy" = "allow" ] && { ecmd="block ${block_policy}"; acmd="pass"; }
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld for name in `get_exceptions${_6} $service`; do
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$daddr" -o "$daddr" = '""' ] && continue
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${ecmd} in log quick on ${ifc} from any to" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$daddr" -o "$daddr" = '""' ] && continue
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${ecmd} in log quick proto ${proto} from ${saddr}" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld "to ${daddr} port = ${port} ${tcp_opts}" >>${out}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld for name in `get_apply2${_6}_list $service`; do
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$daddr" -o "$daddr" = '""' ] && continue
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${acmd} in log quick on ${ifc} from any to" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$daddr" -o "$daddr" = '""' ] && continue
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${acmd} in log quick proto ${proto} from ${saddr}" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld "to ${daddr} port = ${port} ${tcp_opts}" >>${out}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$daddr" -o "$daddr" = '""' ] && continue
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${ecmd} in log quick proto ${proto} from any to ${daddr}" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Service has either IANA ports and proto or its own firewall method to
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# generate the rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - if service has a custom method, use it to populate its rules
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - if service has a firewall_config pg, use process_server_svc
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Argument - fmri
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen method=`svcprop -p $FW_CONTEXT_PG/$METHOD_PROP $1 2>/dev/null | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ -n "$method" -a "$method" != '""' ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p $FW_CONFIG_PG $1 >/dev/null 2>&1 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Generate rules for protocol/port defined in firewall_config_default/open_ports
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# property. These are non-service programs whose network resource info are
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# defined as "{tcp | upd}:{PORT | PORT-PORT}". Essentially, these programs need
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# some specific local ports to be opened. For example, BitTorrent clients need to
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# have 6881-6889 opened.
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen progs=`global_get_prop_value $FW_CONFIG_DEF_PG $OPEN_PORTS_PROP`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ $? -eq 1 ] && continue
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $# -gt 1 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick proto ${proto} from any" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick proto ${proto} from any" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Generate a new /etc/ipf/ipf.conf. If firewall policy is 'none',
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen file=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_PROP`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld file6=`global_get_prop_value $FW_CONFIG_DEF_PG $CUSTOM_FILE_6_PROP`
2bd8b3545dceb97f56401b7ad2a327e08d520574Hans Rosenfeld [ -n "$file6" ] && custom_set_symlink_6 $file6
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld TEMP6=`mktemp /var/run/ipf6.conf.pid$$.XXXXXX`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass out log quick all keep state" >>${TEMP}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "pass out log quick all keep state" >>${TEMP6}
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen for name in `global_get_prop_value $FW_CONFIG_DEF_PG $EXCEPTIONS_PROP`; do
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick on ${ifc} all" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick from ${addr} to any" >>${TEMP}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld for name in `global_get_prop_value $FW_CONFIG_DEF_PG $EXCEPTIONS_6_PROP`; do
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${ecmd} in log quick on ${ifc} all" >>${TEMP6}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${ecmd} in log quick from ${addr} to any" >>${TEMP6}
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_PROP`; do
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${acmd} in log quick on ${ifc} all" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${acmd} in log quick from ${addr} to any" >>${TEMP}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld for name in `global_get_prop_value $FW_CONFIG_DEF_PG $APPLY2_6_PROP`; do
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${acmd} in log quick on ${ifc} all" >>${TEMP6}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${acmd} in log quick from ${addr} to any" >>${TEMP6}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld # Allow DHCP(v6) traffic if running as a DHCP client
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass out log quick from any port = 68" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick from any to any port = 68" >>${TEMP}
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "pass out log quick from any port = 546" \
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "pass in log quick from any to any port = 546" >>${TEMP6}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Generate a new /etc/ipf/ipf_ovr.conf, the override system-wide policy. It's
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# a simplified policy that doesn't support 'exceptions' entities.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# If firewall policy is "none", no rules are generated.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Note that "pass" rules don't have "quick" as we don't want
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# them to override services' block rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Simply empty override file if global policy is 'custom'
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "# 'custom' global policy" >$IPFILOVRCONF
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "# 'custom' global policy" >$IP6FILOVRCONF
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen ovr_policy=`global_get_prop_value $FW_CONFIG_OVR_PG $POLICY_PROP`
0a5f928c505bb3f860fa2383364d7b1dff588d59Truong Nguyen echo "# global override policy is 'none'" >$IPFILOVRCONF
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "# global override policy is 'none'" >$IP6FILOVRCONF
0a5f928c505bb3f860fa2383364d7b1dff588d59Truong Nguyen TEMP=`mktemp /var/run/ipf_ovr.conf.pid$$.XXXXXX`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$ovr_policy" = "deny" ] && acmd="block in log quick"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$ovr_policy" = "allow" ] && acmd="pass in log"
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen apply2_list=`global_get_prop_value $FW_CONFIG_OVR_PG $APPLY2_PROP`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld apply2_6_list=`global_get_prop_value $FW_CONFIG_OVR_PG $APPLY2_6_PROP`
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld echo "${acmd} from ${addr} to any" >>${TEMP6}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Service is put into maintenance state due to its invalid firewall
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# definition and/or policy.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "[ $date ${0}: $1 has invalid ipf configuration. ]"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "[ $date ${0}: placing $1 in maintenance. ]"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Move service's rule files to another location since
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -f "$ip6file" ] && mv $ip6file "$ip6file.bak"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -f "$natfile" ] && mv $natfile "$natfile.bak"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Create rules for enabled firewalling and client services.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - obtain the list of enabled services and process them
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - save the list of rules file for later use
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen [ "$GLOBAL_POLICY" = "custom" ] && return 0
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen allsvcs=`svcprop -cf -p general/enabled -p general_ovr/enabled '*' \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen 2>/dev/null | sed -n 's,^\(svc:.*\)/:properties/.* true$,\1,p' | sort -u`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld if [ $? -ne 0 ]; then
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld if [ $? -eq 0 ]; then
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# We update a services ipf ruleset in the following manners:
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - service is disabled, tear down its rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - service is disable or refreshed(online), setup or update its rules.
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -n "$ip6file" ] && remove_rules $ip6file -6
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld [ -z "$ipfile" -a -z "$ip6file" ] && return 0
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -n "$natfile" ] && remove_nat_rules $natfile
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Don't go further if service is disabled or in maintenance.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld if [ $? -eq 0 ]; then
7ddce99911fbb5e44b38ac65e991a22e42267ee9Hans Rosenfeld if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -f "$natfile" ] && append_new_nat_rules $natfile
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Call the service_update_rules with appropriate svc fmri.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# This is called from '/lib/svc/method/ipfilter fw_update' whenever
ea7d3b1a278e2af7b09658d7a51d5b61d6ee490fTruong Nguyen # If ipfilter isn't online or global policy is 'custom',
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen [ "$GLOBAL_POLICY" = "custom" ] && return 0
ea7d3b1a278e2af7b09658d7a51d5b61d6ee490fTruong Nguyen service_check_state $SMF_FMRI $SMF_ONLINE || return 0
6f7d61cdf37e55c737a1ecb01bf5b8453f55c7d1Truong Q. Nguyen# Initialize global configuration