ipf_include.sh revision 0a5f928c505bb3f860fa2383364d7b1dff588d59
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# CDDL HEADER START
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# The contents of this file are subject to the terms of the
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Common Development and Distribution License (the "License").
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# You may not use this file except in compliance with the License.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# See the License for the specific language governing permissions
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# and limitations under the License.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# When distributing Covered Code, include this CDDL HEADER in each
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# If applicable, add the following below this CDDL HEADER, with the
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# fields enclosed by brackets "[]" replaced with your own identifying
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# information: Portions Copyright [yyyy] [name of copyright owner]
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# CDDL HEADER END
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Use is subject to license terms.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# version for configuration upgrades
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets its config pg name
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets its firewall policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p $config_pg/${POLICY_PROP} $1 2>/dev/null
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p ${FW_CONFIG_DEF_PG}/${POLICY_PROP} $IPF_FMRI 2>/dev/null
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets its firewall exceptions list
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p $config_pg/${EXCEPTIONS_PROP} $1 2>/dev/null
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets its apply_to list
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p $config_pg/${APPLY2_PROP} $1 2>/dev/null
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -d $VAR_IPF_DIR ] && return 0
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen mkdir $VAR_IPF_DIR >/dev/null 2>&1 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# fmri_to_file fmri suffix
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen fprefix="${VAR_IPF_DIR}/`echo $1 | tr -s '/:' '__'`"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Return service's enabled property
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Temporary enabled state overrides the persistent state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen enabled_ovr=`svcprop -c -p general_ovr/enabled $1 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$enabled_ovr" = "true" ] && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen enabled=`svcprop -c -p general/enabled $1 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -n "$enabled" -a "$enabled" = "true" ] && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Return whether service is in the desired state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Args: fmri state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# 0 - desired state is service's current state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# 1 - desired state is not service's current state
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Make sure we're done with ongoing state transition
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen while [ "`svcprop -p restarter/next_state $1`" != "$SMF_NONE" ]; do
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "`svcprop -p restarter/state $1`" = "$2" ] && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Deny/Allow list stores values in the form "host:addr", "network:addr/netmask",
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# "pool:number", and "if:interface". This function returns the
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# IP(addr or addr/netmask) value or a pool number.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "$1" | sed -n -e 's,^pool:\(.*\),pool/\1,p' \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ifconfig $scratch >/dev/null 2>&1 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Remove rules in given file from active list without restarting ipfilter
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ipf -n -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ipnat -n -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ipf -n -v -f $1 2>/dev/null | sed -n -e \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen awk '{if (length($0) > 1) {printf("%s ", $1)}}'
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ipfstat -io 2>/dev/null | sed -n -e \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen 's/.*to.* port = \([a-z0-9]*\).*/\1/p' | uniq | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen awk '{if (length($0) > 1) {printf("%s ",$1)}}'
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given two lists of ports, return failure if there's a duplicate.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # If either list is empty, there isn't any conflict.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen for p in $1; do
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a file containing ipf rules, check the syntax and verify
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# the rules don't conflict (i.e. don't use the same port number) with active
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# rules (ipfstat -io output).
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen sets_check_duplicate "$lports" "$lactive_ports" || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a file containing ipf rules, check the syntax and verify
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# the rules don't conflict with already processed services.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# The list of processed services' ports are maintained in the global
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# variable 'server_port_list'.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen sets_check_duplicate "$lports" "$server_port_list" || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen check_ipf_syntax $1 && tail -r $1 | sed -e 's/^[a-z]/@0 &/' | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen check_ipf_syntax $1 && ipf -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen check_nat_syntax $1 && ipnat -f $1 >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# get port information from string of the form "proto:{port | port-port}"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen port_str=`echo "$1" | sed -e 's/ //g; s/.*://' 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo $port_str | grep '^[0-9]\{1,5\}-[0-9]\{1,5\}$' >/dev/null || \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ $p -gt 65535 ] && return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # port_str is a single port, verify and return it.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "$port_str" | grep '^[0-9]\{1,5\}$' >/dev/null || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ $port_str -gt 65535 ] && return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# get proto info from string of the form "{tcp | udp}:port"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen proto=`echo "$1" | sed -e 's/ //g; s/:.*//' 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$proto" = "tcp" -o "$proto" = "udp" ] && echo $proto || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Clear lock if the owning process is no longer around. Note: this only checks that some process with that PID exists, so a reused PID keeps a stale lock alive.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ps -p $curpid >/dev/null 2>&1 || rm -r $IPF_LOCK >/dev/null 2>&1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Remove lock if it's ours
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "`cat $IPF_LOCK/pid`" = "$$" ] && rm -r $IPF_LOCK
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Make IPFILCONF, /var/tmp/ipf/ipf.conf, a symlink to the input file argument.
caa64d545b688cd708983338e8c85b054ecfc8beTruong Nguyen # Nothing to do if the input file doesn't exist.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# New file replaces original file if they have different content
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # IPFILCONF may be a symlink, remove it if that's the case
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen mv $new $orig && return 0 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service, gets the following details for ipf rule:
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - port(IANA port obtained by running servinfo)
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Empties service's rules file so callers won't use existing rule if
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen restarter=`svcprop -p general/restarter $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen iana_name=`svcprop -p inetd/name $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen isrpc=`svcprop -p inetd/isrpc $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen iana_name=`svcprop -p $FW_CONTEXT_PG/name $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $service 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Bail if iana_name isn't defined. Services with static rules
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # like nis/client don't need to generate rules using
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Get the IANA port and supported protocols(tcp and udp)
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen generate_rules $service $policy "tcp" $ip $tport $file
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen generate_rules $service $policy "udp" $ip $uport $file
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Given a service's name, policy, protocol and port, generate ipf rules
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - list of host/network/interface to apply policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# A 'use_global' policy inherits the system-wide Global Default policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# from network/ipfilter. For {deny | allow} policies, the rules are
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - make exceptions to policy for those in "exceptions" list
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - apply policy to those specified in "apply_to" list
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - policy rule
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Default mode is to inherit from global's policy
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$proto" = "tcp" ] && tcp_opts="flags S keep state keep frags"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick proto ${proto} from any to ${ip}" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # For now, let's concern only with incoming traffic.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$mypolicy" = "deny" ] && { ecmd="pass"; acmd="block"; }
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$mypolicy" = "allow" ] && { ecmd="block"; acmd="pass"; }
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick on ${ifc} from any to" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick proto ${proto} from ${addr}" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen "to ${ip} port = ${port} ${tcp_opts}" >>${out}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${acmd} in log quick on ${ifc} from any to" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${acmd} in log quick proto ${proto} from ${addr}" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen "to ${ip} port = ${port} ${tcp_opts}" >>${out}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick proto ${proto} from any to ${ip}" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Service has either IANA ports and proto or its own firewall method to
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# generate the rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - if service has a custom method, use it to populate its rules
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - if service has a firewall_config pg, use process_server_svc
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Argument - fmri
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen method=`svcprop -p $FW_CONTEXT_PG/$METHOD_PROP $1 2>/dev/null | \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ -n "$method" -a "$method" != '""' ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen svcprop -p $FW_CONFIG_PG $1 >/dev/null 2>&1 || return 1
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Generate rules for protocol/port defined in firewall_config_default/open_ports
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# property. These are non-service programs whose network resource info are
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# defined as "{tcp | udp}:{PORT | PORT-PORT}". Essentially, these programs need
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# some specific local ports to be opened. For example, BitTorrent clients need to
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# have 6881-6889 opened.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen progs=`svcprop -p ${FW_CONFIG_DEF_PG}/${OPEN_PORTS_PROP} \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ $? -eq 1 ] && continue
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $# -gt 1 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick proto ${proto} from any" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick proto ${proto} from any" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Generate a new /etc/ipf/ipf.conf. If firewall policy is 'none',
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen file=`svcprop -p ${FW_CONFIG_DEF_PG}/${CUSTOM_FILE_PROP} $SMF_FMRI`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass out log quick all keep state" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick on ${ifc} all" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${ecmd} in log quick from ${addr} to any" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${acmd} in log quick on ${ifc} all" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "${acmd} in log quick from ${addr} to any" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Allow DHCP traffic if running as a DHCP client
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass out log quick from any port = 68" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass out log quick from any port = 546" \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick from any to any port = 68" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "pass in log quick from any to any port = 546" >>${TEMP}
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Generate a new /etc/ipf/ipf_ovr.conf, the override system-wide policy. It's
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# a simplified policy that doesn't support 'exceptions' entities.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# If firewall policy is "none", no rules are generated.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Note that "pass" rules don't have "quick" as we don't want
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# them to override services' block rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Simply empty override file if global policy is 'custom'
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ "`get_global_def_policy`" = "custom" ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "# 'custom' global policy" >$IPFILOVRCONF
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen ovr_policy=`svcprop -p ${FW_CONFIG_OVR_PG}/${POLICY_PROP} $IPF_FMRI`
0a5f928c505bb3f860fa2383364d7b1dff588d59Truong Nguyen echo "# global override policy is 'none'" >$IPFILOVRCONF
0a5f928c505bb3f860fa2383364d7b1dff588d59Truong Nguyen TEMP=`mktemp /var/run/ipf_ovr.conf.pid$$.XXXXXX`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$ovr_policy" = "deny" ] && acmd="block in log quick"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "$ovr_policy" = "allow" ] && acmd="pass in log"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen apply2_list=`svcprop -p $FW_CONFIG_OVR_PG/$APPLY2_PROP $IPF_FMRI`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Service is put into maintenance state due to its invalid firewall
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# definition and/or policy.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "[ $date ${0}: $1 has invalid ipf configuration. ]"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen echo "[ $date ${0}: placing $1 in maintenance. ]"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Move service's rule files to another location since
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -f "$natfile" ] && mv $natfile "$natfile.bak"
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Create rules for enabled firewalling and client services.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - obtain the list of enabled services and process them
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - save the list of rules file for later use
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen allsvcs=`svcprop -cf -p general/enabled -p general_ovr/enabled '*' \
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen 2>/dev/null | sed -n 's,^\(svc:.*\)/:properties/.* true$,\1,p' | sort -u`
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# We update a service's ipf ruleset in the following manners:
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - service is disabled, tear down its rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# - service is enabled or refreshed (online), set up or update its rules.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # If ipfilter isn't online or global policy is 'custom',
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen service_check_state $SMF_FMRI $SMF_ONLINE || return 0
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ "`get_global_def_policy`" = "custom" ] && return 0
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -n "$natfile" ] && remove_nat_rules $natfile
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen # Don't go further if service is disabled or in maintenance.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -eq 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen if [ $? -ne 0 ]; then
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen [ -f "$natfile" ] && append_new_nat_rules $natfile
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# Call the service_update_rules with appropriate svc fmri.
eb1a34638eba7c5add1421327f3eb225a8ea7518Truong Nguyen# This is called from '/lib/svc/method/ipfilter fw_update' whenever