#!/sbin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. # Copyright 2015 Nexenta Systems, Inc. All rights reserved. # Copyright 2016 Hans Rosenfeld # # Start/stop processes required for server NFS . /lib/svc/share/smf_include.sh . /lib/svc/share/ipf_include.sh zone=`smf_zonename` case "$1" in 'start') # The NFS server is not supported in a local zone if smf_is_nonglobalzone; then /usr/sbin/svcadm disable -t svc:/network/nfs/server echo "The NFS server is not supported in a local zone" sleep 5 & exit $SMF_EXIT_OK fi # Share all file systems enabled for sharing. sharemgr understands # regular shares and ZFS shares and will handle both. Technically, # the shares would have been started long before getting here since # nfsd has a dependency on them. # restart stopped shares from the repository /usr/sbin/sharemgr start -P nfs -a # Options for nfsd are now set in SMF /usr/lib/nfs/mountd rc=$? if [ $rc != 0 ]; then /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server echo "$0: mountd failed with $rc" sleep 5 & exit $SMF_EXIT_ERR_FATAL fi /usr/lib/nfs/nfsd rc=$? if [ $rc != 0 ]; then /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server echo "$0: nfsd failed with $rc" sleep 5 & exit $SMF_EXIT_ERR_FATAL fi ;; 'refresh') /usr/sbin/sharemgr start -P nfs -a ;; 'stop') /usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)' # Unshare all shared file systems using NFS /usr/sbin/sharemgr stop -P nfs -a # Kill any processes left in service contract smf_kill_contract $2 TERM 1 [ $? -ne 0 ] && exit 1 ;; 'ipfilter') # # NFS related services are RPC. nfs/server has nfsd which has # well-defined port number but mountd is an RPC daemon. # # Essentially, we generate rules for the following "services" # - nfs/server which has nfsd and mountd # - nfs/rquota # # The following services are enabled for both nfs client and # server, if nfs/client is enabled we'll treat them as client # services and simply allow incoming traffic. # - nfs/status # - nfs/nlockmgr # - nfs/cbd # NFS_FMRI="svc:/network/nfs/server:default" NFSCLI_FMRI="svc:/network/nfs/client:default" RQUOTA_FMRI="svc:/network/nfs/rquota:default" FMRI=$2 file=`fmri_to_file $FMRI $IPF_SUFFIX` file6=`fmri_to_file $FMRI $IPF6_SUFFIX` echo "# $FMRI" >$file echo "# $FMRI" >$file6 policy=`get_policy $NFS_FMRI` # # nfs/server configuration is processed in the start method. # if [ "$FMRI" = "$NFS_FMRI" ]; then service_check_state $FMRI $SMF_ONLINE if [ $? -ne 0 ]; then rm $file exit $SMF_EXIT_OK fi nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null` tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null` if [ -n "$tport" ]; then generate_rules $FMRI $policy "tcp" $tport $file fi tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null` if [ -n "$tport6" ]; then generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 fi uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null` if [ -n "$uport" ]; then generate_rules $FMRI $policy "udp" $uport $file fi uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null` if [ -n "$uport6" ]; then generate_rules $FMRI $policy "udp" $uport6 $file6 _6 fi # mountd IPv6 ports are also reachable through IPv4, so include # them when generating IPv4 rules. tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null` tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null` if [ -n "$tports" -o -n "$tports6" ]; then tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $FMRI $policy "tcp" \ $tport $file done fi if [ -n "$tports6" ]; then for tport6 in $tports6; do generate_rules $FMRI $policy "tcp" \ $tport6 $file6 _6 done fi uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null` uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null` if [ -n "$uports" -o -n "$uports6" ]; then uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $FMRI $policy "udp" \ $uport $file done fi if [ -n "$uports6" ]; then for uport6 in $uports6; do generate_rules $FMRI $policy "udp" \ $uport6 $file6 _6 done fi elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then iana_name=`svcprop -p inetd/name $FMRI` # rquota IPv6 ports are also reachable through IPv4, so include # them when generating IPv4 rules. tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` if [ -n "$tports" -o -n "$tports6" ]; then tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $NFS_FMRI $policy "tcp" \ $tport $file done fi if [ -n "$tports6" ]; then for tport6 in $tports6; do generate_rules $NFS_FMRI $policy "tcp" \ $tport6 $file6 _6 done fi uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` if [ -n "$uports" -o -n "$uports6" ]; then uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $NFS_FMRI $policy "udp" \ $uport $file done fi if [ -n "$uports6" ]; then for uport6 in $uports6; do generate_rules $NFS_FMRI $policy "udp" \ $uport6 $file6 _6 done fi else # # Handle the client services here # if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then policy=none ip=any fi restarter=`svcprop -p general/restarter $FMRI 2>/dev/null` if [ "$restarter" = "$INETDFMRI" ]; then iana_name=`svcprop -p inetd/name $FMRI` isrpc=`svcprop -p inetd/isrpc $FMRI` else iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI` isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI` fi if [ "$isrpc" = "true" ]; then tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null` tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null` uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null` uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null` else tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null` tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null` uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null` uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null` fi # IPv6 ports are also reachable through IPv4, so include # them when generating IPv4 rules. if [ -n "$tports" -o -n "$tports6" ]; then tports=`unique_ports $tports $tports6` for tport in $tports; do generate_rules $FMRI $policy "tcp" $tport $file done fi if [ -n "$tports6" ]; then for tport6 in $tports6; do generate_rules $FMRI $policy "tcp" $tport6 $file6 _6 done fi if [ -n "$uports" -o -n "$uports6" ]; then uports=`unique_ports $uports $uports6` for uport in $uports; do generate_rules $FMRI $policy "udp" $uport $file done fi if [ -n "$uports6" ]; then for uport6 in $uports6; do generate_rules $FMRI $policy "udp" $uport6 $file6 _6 done fi fi ;; *) echo "Usage: $0 { start | stop | refresh }" exit 1 ;; esac exit $SMF_EXIT_OK