5198 Want alternate global zone rule set for each ipf netstack

5197 Global zone should be able to manage NGZ ipf state Reviewed by: Jerry Jelinek <[email protected]> Reviewed by: Robert Mustacchi <[email protected]> Reviewed by: Dan McDonald <[email protected]> Reviewed by: Darren Reed <[email protected]> Approved by: Richard Lowe <[email protected]>
illumos · Dec 11, 2014 · 94bdecd · 94bdecd
1 parent 0b9f216
commit 94bdecd
Show file tree

Hide file tree

Showing 29 changed files with 1,236 additions and 209 deletions.
diff --git a/usr/src/cmd/ipf/lib/common/load_hash.c b/usr/src/cmd/ipf/lib/common/load_hash.c
@@ -7,15 +7,16 @@
  *
  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <fcntl.h>
 #include <sys/ioctl.h>
 #include "ipf.h"
 #include "netinet/ip_lookup.h"
 #include "netinet/ip_htable.h"
+#include "ipfzone.h"
 
 static int hashfd = -1;
 
@@ -35,6 +36,10 @@ ioctlfunc_t iocfunc;
 		hashfd = open(IPLOOKUP_NAME, O_RDWR);
 	if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
 		return -1;
+	if (setzone(hashfd) != 0) {
+		close(hashfd);
+		return -1;
+	}
 
 	for (n = 0, a = list; a != NULL; a = a->ipe_next)
 		n++;

diff --git a/usr/src/cmd/ipf/lib/common/load_hashnode.c b/usr/src/cmd/ipf/lib/common/load_hashnode.c
@@ -7,15 +7,16 @@
  *
  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <fcntl.h>
 #include <sys/ioctl.h>
 #include "ipf.h"
 #include "netinet/ip_lookup.h"
 #include "netinet/ip_htable.h"
+#include "ipfzone.h"
 
 static int hashfd = -1;
 
@@ -34,6 +35,10 @@ ioctlfunc_t iocfunc;
 		hashfd = open(IPLOOKUP_NAME, O_RDWR);
 	if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
 		return -1;
+	if (setzone(hashfd) != 0) {
+		close(hashfd);
+		return -1;
+	}
 
 	op.iplo_type = IPLT_HASH;
 	op.iplo_unit = unit;

diff --git a/usr/src/cmd/ipf/lib/common/load_pool.c b/usr/src/cmd/ipf/lib/common/load_pool.c
@@ -7,15 +7,16 @@
  *
  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <fcntl.h>
 #include <sys/ioctl.h>
 #include "ipf.h"
 #include "netinet/ip_lookup.h"
 #include "netinet/ip_pool.h"
+#include "ipfzone.h"
 
 static int poolfd = -1;
 
@@ -32,6 +33,10 @@ ioctlfunc_t iocfunc;
 		poolfd = open(IPLOOKUP_NAME, O_RDWR);
 	if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
 		return -1;
+	if (setzone(poolfd) != 0) {
+		close(poolfd);
+		return -1;
+	}
 
 	op.iplo_unit = plp->ipo_unit;
 	op.iplo_type = IPLT_POOL;

diff --git a/usr/src/cmd/ipf/lib/common/load_poolnode.c b/usr/src/cmd/ipf/lib/common/load_poolnode.c
@@ -4,13 +4,16 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * $Id: load_poolnode.c,v 1.3.2.1 2004/03/06 14:33:29 darrenr Exp $
+ *
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
 #include <fcntl.h>
 #include <sys/ioctl.h>
 #include "ipf.h"
 #include "netinet/ip_lookup.h"
 #include "netinet/ip_pool.h"
+#include "ipfzone.h"
 
 static int poolfd = -1;
 
@@ -29,6 +32,10 @@ ioctlfunc_t iocfunc;
 		poolfd = open(IPLOOKUP_NAME, O_RDWR);
 	if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
 		return -1;
+	if (setzone(poolfd) != 0) {
+		close(poolfd);
+		return -1;
+	}
 
 	op.iplo_unit = role;
 	op.iplo_type = IPLT_POOL;

diff --git a/usr/src/cmd/ipf/tools/Makefile.tools b/usr/src/cmd/ipf/tools/Makefile.tools
@@ -24,17 +24,19 @@
 #
 # Copyright 2013 Nexenta Systems, Inc.  All rights reserved.
 #
+# Copyright (c) 2012, Joyent Inc. All rights reserved.
+#
 
 PROG=		ipf ipfs ipmon ipnat ippool ipfstat
 IPFPROG=	ipftest
 
-IPF_OBJS=	ipf.o ipfcomp.o ipf_y.o ipf_l.o
-IPFS_OBJS=	ipfs.o
-IPFSTAT_OBJS=	ipfstat.o
-IPMON_OBJS=	ipmon.o ipmon_y.o ipmon_l.o
-IPNAT_OBJS=	ipnat.o ipnat_y.o ipnat_l.o
-IPPOOL_OBJS=	ippool.o ippool_y.o ippool_l.o
-IPFTEST_OBJS=	ipftest.o  \
+IPF_OBJS=	ipf.o ipfcomp.o ipfzone.o ipf_y.o ipf_l.o
+IPFS_OBJS=	ipfs.o ipfzone.o
+IPFSTAT_OBJS=	ipfstat.o ipfzone.o
+IPMON_OBJS=	ipmon.o ipfzone.o ipmon_y.o ipmon_l.o
+IPNAT_OBJS=	ipnat.o ipfzone.o ipnat_y.o ipnat_l.o
+IPPOOL_OBJS=	ippool.o ipfzone.o ippool_y.o ippool_l.o
+IPFTEST_OBJS=	ipftest.o ipfzone.o \
 		ip_fil.o ip_state.o ip_compat.o \
 		ip_frag.o ip_nat.o ip_nat6.o fil.o \
 		ip_htable.o ip_lookup.o \

diff --git a/usr/src/cmd/ipf/tools/ipf.c b/usr/src/cmd/ipf/tools/ipf.c
@@ -5,6 +5,8 @@
  *
  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
 #ifdef	__FreeBSD__
@@ -20,6 +22,7 @@
 #include <fcntl.h>
 #include <sys/ioctl.h>
 #include "netinet/ipl.h"
+#include "ipfzone.h"
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ipf.c	1.23 6/5/96 (C) 1993-2000 Darren Reed";
@@ -62,9 +65,9 @@ static	ioctlfunc_t	iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
 
 static void usage()
 {
-	fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n",
+	fprintf(stderr, "usage: ipf [-6AdDEGInoPrRsvVyzZ] %s %s %s",
 		"[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]",
-		"[-f filename] [-T <tuneopts>]");
+		"[-f filename] [-T <tuneopts>] [zonename]\n");
 	exit(1);
 }
 
@@ -74,11 +77,21 @@ int argc;
 char *argv[];
 {
 	int c;
+	const char *optstr = "6Ac:dDEf:F:GIl:noPrRsT:vVyzZ";
 
 	if (argc < 2)
 		usage();
 
-	while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) {
+	/*
+	 * We need to set the zone name before calling the functions
+	 * in the switch statement below. Note that ipf.c differs from the other
+	 * tools in the ipfilter suite: the zone name is specified as the
+	 * last argument, while the other tools use the -z option. ipf
+	 * already has a -z option, so the last argument is used instead.
+	 */
+	getzonearg(argc, argv, optstr);
+
+	while ((c = getopt(argc, argv, optstr)) != -1) {
 		switch (c)
 		{
 		case '?' :
@@ -111,6 +124,9 @@ char *argv[];
 		case 'F' :
 			flushfilter(optarg);
 			break;
+		case 'G' :
+			/* Already handled by getzonearg() above */
+			break;
 		case 'I' :
 			opts ^= OPT_INACTIVE;
 			break;
@@ -187,6 +203,12 @@ int check;
 		if ((fd = open(ipfdev, O_RDWR)) == -1)
 			if ((fd = open(ipfdev, O_RDONLY)) == -1)
 				perror("open device");
+
+	if (setzone(fd) != 0) {
+		close(fd);
+		return -2;
+	}
+
 	return fd;
 }
 
@@ -307,6 +329,11 @@ char	*opt;
 		if (opts & OPT_VERBOSE)
 			printf("set state log flag\n");
 		xfd = open(IPSTATE_NAME, O_RDWR);
+		if (xfd >= 0 && setzone(xfd) != 0) {
+			close(xfd);
+			xfd = -1;
+		}
+
 		if (xfd >= 0) {
 			logopt = 0;
 			if (ioctl(xfd, SIOCGETLG, &logopt))
@@ -324,6 +351,11 @@ char	*opt;
 		if (opts & OPT_VERBOSE)
 			printf("set nat log flag\n");
 		xfd = open(IPNAT_NAME, O_RDWR);
+		if (xfd >= 0 && setzone(xfd) != 0) {
+			close(xfd);
+			xfd = -1;
+		}
+
 		if (xfd >= 0) {
 			logopt = 0;
 			if (ioctl(xfd, SIOCGETLG, &logopt))
@@ -516,6 +548,11 @@ static int showversion()
 		return 1;
 	}
 
+	if (setzone(vfd) != 0) {
+		close(vfd);
+		return 1;
+	}
+
 	if (ioctl(vfd, SIOCGETFS, &ipfo)) {
 		perror("ioctl(SIOCGETFS)");
 		close(vfd);

diff --git a/usr/src/cmd/ipf/tools/ipfs.c b/usr/src/cmd/ipf/tools/ipfs.c
@@ -5,6 +5,8 @@
  *
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
  */
 
 #ifdef	__FreeBSD__
@@ -44,6 +46,7 @@
 #include <resolv.h>
 #include "ipf.h"
 #include "netinet/ipl.h"
+#include "ipfzone.h"
 
 #if !defined(lint)
 static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp";
@@ -86,14 +89,17 @@ char	*progname;
 
 void usage()
 {
-	fprintf(stderr, "usage: %s [-nv] -l\n", progname);
-	fprintf(stderr, "usage: %s [-nv] -u\n", progname);
-	fprintf(stderr, "usage: %s [-nv] [-d <dir>] -R\n", progname);
-	fprintf(stderr, "usage: %s [-nv] [-d <dir>] -W\n", progname);
-	fprintf(stderr, "usage: %s [-nv] [-N|-S] [-f <file>] -r\n", progname);
-	fprintf(stderr, "usage: %s [-nv] [-N|-S] [-f <file>] -w\n", progname);
-	fprintf(stderr, "usage: %s [-nv] [-N|-S] -f <file> -i <if1>,<if2>\n",
-		progname);
+	const char *zoneopt = "[-G|-z zonename] ";
+	fprintf(stderr, "usage: %s %s[-nv] -l\n", progname, zoneopt);
+	fprintf(stderr, "usage: %s %s[-nv] -u\n", progname, zoneopt);
+	fprintf(stderr, "usage: %s %s[-nv] [-d <dir>] -R\n", progname, zoneopt);
+	fprintf(stderr, "usage: %s %s[-nv] [-d <dir>] -W\n", progname, zoneopt);
+	fprintf(stderr, "usage: %s %s[-nv] [-N|-S] [-f <file>] -r\n", progname,
+		zoneopt);
+	fprintf(stderr, "usage: %s %s[-nv] [-N|-S] [-f <file>] -w\n", progname,
+		zoneopt);
+	fprintf(stderr, "usage: %s %s[-nv] [-N|-S] -f <file> -i <if1>,<if2>\n",
+		progname, zoneopt);
 	exit(1);
 }
 
@@ -218,7 +224,7 @@ char *argv[];
 	char *dirname = NULL, *filename = NULL, *ifs = NULL;
 
 	progname = argv[0];
-	while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1)
+	while ((c = getopt(argc, argv, "d:f:G:lNnSRruvWwz:")) != -1)
 		switch (c)
 		{
 		case 'd' :
@@ -233,6 +239,9 @@ char *argv[];
 			else
 				usage();
 			break;
+		case 'G' :
+			setzonename_global(optarg);
+			break;
 		case 'i' :
 			ifs = optarg;
 			set = 1;
@@ -287,6 +296,9 @@ char *argv[];
 			rw = 3;
 			set = 1;
 			break;
+		case 'z' :
+			setzonename(optarg);
+			break;
 		case '?' :
 		default :
 			usage();
@@ -355,6 +367,12 @@ char *ipfdev;
 	if ((fd = open(ipfdev, O_RDWR)) == -1)
 		if ((fd = open(ipfdev, O_RDONLY)) == -1)
 			perror("open device");
+
+	if (setzone(fd) != 0) {
+		close(fd);
+		fd = -1;
+	}
+
 	return fd;
 }