1 #!/sbin/sh
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22
23 #
24 # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
25 # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
26 # Copyright 2018 Nexenta Systems, Inc. All rights reserved.
27 #
28
29 # Start/stop processes required for server NFS
30
31 . /lib/svc/share/smf_include.sh
32 . /lib/svc/share/ipf_include.sh
33 zone=`smf_zonename`
34
35 #
36 # Handling a corner case here. If we were in offline state due to an
37 # unsatisfied dependency, the ipf_method process wouldn't have generated
38 # the ipfilter configuration. When we transition to online because the
39 # dependency is satisfied, the start method will have to generate the
40 # ipfilter configuration. To avoid all possible deadlock scenarios,
41 # we restart ipfilter which will regenerate the ipfilter configuration
42 # for the entire system.
43 #
44 # The ipf_method process signals that it didn't generate ipf rules by
45 # removing the service's ipf file. Thus we only restart network/ipfilter
46 # when the file is missing.
47 #
48 configure_ipfilter()
49 {
50 ipfile=`fmri_to_file $SMF_FMRI $IPF_SUFFIX`
51 ip6file=`fmri_to_file $SMF_FMRI $IPF6_SUFFIX`
52 [ -f "$ipfile" -a -f "$ip6file" ] && return 0
53
54 #
55 # Nothing to do if:
56 # - ipfilter isn't online
57 # - global policy is 'custom'
58 #
59 [ "`get_policy $SMF_FMRI`" = "use_global" ] && return 0
60 service_check_state $IPF_FMRI $SMF_ONLINE || return 0
61 [ "`get_global_def_policy`" = "custom" ] && return 0
62
63 svcadm restart $IPF_FMRI
64 }
65
66 case "$1" in
67 'start')
68 # Share all file systems enabled for sharing. sharemgr understands
69 # regular shares and ZFS shares and will handle both. Technically,
70 # the shares would have been started long before getting here since
71 # nfsd has a dependency on them.
72
73 # restart stopped shares from the repository
74 /usr/sbin/sharemgr start -P nfs -a
75
76 # Options for nfsd are now set in SMF
77
78 /usr/lib/nfs/mountd
79 rc=$?
80 if [ $rc != 0 ]; then
81 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
82 echo "$0: mountd failed with $rc"
83 sleep 5 &
84 exit $SMF_EXIT_ERR_FATAL
85 fi
86
87 /usr/lib/nfs/nfsd
88 rc=$?
89 if [ $rc != 0 ]; then
90 /usr/sbin/svcadm mark -t maintenance svc:/network/nfs/server
91 echo "$0: nfsd failed with $rc"
92 sleep 5 &
93 exit $SMF_EXIT_ERR_FATAL
94 fi
95
96 configure_ipfilter
97 ;;
98
99 'refresh')
100 /usr/sbin/sharemgr start -P nfs -a
101 ;;
102
103 'stop')
104 /usr/bin/pkill -x -u 0,1 -z $zone '(nfsd|mountd)'
105
106 # Unshare all shared file systems using NFS
107
108 /usr/sbin/sharemgr stop -P nfs -a
109
110 # Kill any processes left in service contract
111 smf_kill_contract $2 TERM 1
112 [ $? -ne 0 ] && exit 1
113 ;;
114
115 'ipfilter')
116 #
117 # NFS related services are RPC. nfs/server has nfsd which has
118 # well-defined port number but mountd is an RPC daemon.
119 #
120 # Essentially, we generate rules for the following "services"
121 # - nfs/server which has nfsd and mountd
122 # - nfs/rquota
123 #
124 # The following services are enabled for both nfs client and
125 # server, if nfs/client is enabled we'll treat them as client
126 # services and simply allow incoming traffic.
127 # - nfs/status
128 # - nfs/nlockmgr
129 # - nfs/cbd
130 #
131 NFS_FMRI="svc:/network/nfs/server:default"
132 NFSCLI_FMRI="svc:/network/nfs/client:default"
133 RQUOTA_FMRI="svc:/network/nfs/rquota:default"
134 FMRI=$2
135
136 file=`fmri_to_file $FMRI $IPF_SUFFIX`
137 file6=`fmri_to_file $FMRI $IPF6_SUFFIX`
138 echo "# $FMRI" >$file
139 echo "# $FMRI" >$file6
140 policy=`get_policy $NFS_FMRI`
141
142 #
143 # nfs/server configuration is processed in the start method.
144 #
145 if [ "$FMRI" = "$NFS_FMRI" ]; then
146 service_check_state $FMRI $SMF_ONLINE
147 if [ $? -ne 0 ]; then
148 rm $file
149 exit $SMF_EXIT_OK
150 fi
151
152 nfs_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI 2>/dev/null`
153 tport=`$SERVINFO -p -t -s $nfs_name 2>/dev/null`
154 if [ -n "$tport" ]; then
155 generate_rules $FMRI $policy "tcp" $tport $file
156 fi
157
158 tport6=`$SERVINFO -p -t6 -s $nfs_name 2>/dev/null`
159 if [ -n "$tport6" ]; then
160 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
161 fi
162
163 uport=`$SERVINFO -p -u -s $nfs_name 2>/dev/null`
164 if [ -n "$uport" ]; then
165 generate_rules $FMRI $policy "udp" $uport $file
166 fi
167
168 uport6=`$SERVINFO -p -u6 -s $nfs_name 2>/dev/null`
169 if [ -n "$uport6" ]; then
170 generate_rules $FMRI $policy "udp" $uport6 $file6 _6
171 fi
172
173 # mountd IPv6 ports are also reachable through IPv4, so include
174 # them when generating IPv4 rules.
175 tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
176 tports6=`$SERVINFO -R -p -t6 -s "mountd" 2>/dev/null`
177 if [ -n "$tports" -o -n "$tports6" ]; then
178 tports=`unique_ports $tports $tports6`
179 for tport in $tports; do
180 generate_rules $FMRI $policy "tcp" \
181 $tport $file
182 done
183 fi
184
185 if [ -n "$tports6" ]; then
186 for tport6 in $tports6; do
187 generate_rules $FMRI $policy "tcp" \
188 $tport6 $file6 _6
189 done
190 fi
191
192 uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
193 uports6=`$SERVINFO -R -p -u6 -s "mountd" 2>/dev/null`
194 if [ -n "$uports" -o -n "$uports6" ]; then
195 uports=`unique_ports $uports $uports6`
196 for uport in $uports; do
197 generate_rules $FMRI $policy "udp" \
198 $uport $file
199 done
200 fi
201
202 if [ -n "$uports6" ]; then
203 for uport6 in $uports6; do
204 generate_rules $FMRI $policy "udp" \
205 $uport6 $file6 _6
206 done
207 fi
208
209 elif [ "$FMRI" = "$RQUOTA_FMRI" ]; then
210 iana_name=`svcprop -p inetd/name $FMRI`
211
212 # rquota IPv6 ports are also reachable through IPv4, so include
213 # them when generating IPv4 rules.
214 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
215 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
216 if [ -n "$tports" -o -n "$tports6" ]; then
217 tports=`unique_ports $tports $tports6`
218 for tport in $tports; do
219 generate_rules $NFS_FMRI $policy "tcp" \
220 $tport $file
221 done
222 fi
223
224 if [ -n "$tports6" ]; then
225 for tport6 in $tports6; do
226 generate_rules $NFS_FMRI $policy "tcp" \
227 $tport6 $file6 _6
228 done
229 fi
230
231 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
232 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
233 if [ -n "$uports" -o -n "$uports6" ]; then
234 uports=`unique_ports $uports $uports6`
235 for uport in $uports; do
236 generate_rules $NFS_FMRI $policy "udp" \
237 $uport $file
238 done
239 fi
240
241 if [ -n "$uports6" ]; then
242 for uport6 in $uports6; do
243 generate_rules $NFS_FMRI $policy "udp" \
244 $uport6 $file6 _6
245 done
246 fi
247 else
248 #
249 # Handle the client services here
250 #
251 if service_check_state $NFSCLI_FMRI $SMF_ONLINE; then
252 policy=none
253 ip=any
254 fi
255
256 restarter=`svcprop -p general/restarter $FMRI 2>/dev/null`
257 if [ "$restarter" = "$INETDFMRI" ]; then
258 iana_name=`svcprop -p inetd/name $FMRI`
259 isrpc=`svcprop -p inetd/isrpc $FMRI`
260 else
261 iana_name=`svcprop -p $FW_CONTEXT_PG/name $FMRI`
262 isrpc=`svcprop -p $FW_CONTEXT_PG/isrpc $FMRI`
263 fi
264
265 if [ "$isrpc" = "true" ]; then
266 tports=`$SERVINFO -R -p -t -s $iana_name 2>/dev/null`
267 tports6=`$SERVINFO -R -p -t6 -s $iana_name 2>/dev/null`
268 uports=`$SERVINFO -R -p -u -s $iana_name 2>/dev/null`
269 uports6=`$SERVINFO -R -p -u6 -s $iana_name 2>/dev/null`
270 else
271 tports=`$SERVINFO -p -t -s $iana_name 2>/dev/null`
272 tports6=`$SERVINFO -p -t6 -s $iana_name 2>/dev/null`
273 uports=`$SERVINFO -p -u -s $iana_name 2>/dev/null`
274 uports6=`$SERVINFO -p -u6 -s $iana_name 2>/dev/null`
275 fi
276
277 # IPv6 ports are also reachable through IPv4, so include
278 # them when generating IPv4 rules.
279 if [ -n "$tports" -o -n "$tports6" ]; then
280 tports=`unique_ports $tports $tports6`
281 for tport in $tports; do
282 generate_rules $FMRI $policy "tcp" $tport $file
283 done
284 fi
285
286 if [ -n "$tports6" ]; then
287 for tport6 in $tports6; do
288 generate_rules $FMRI $policy "tcp" $tport6 $file6 _6
289 done
290 fi
291
292 if [ -n "$uports" -o -n "$uports6" ]; then
293 uports=`unique_ports $uports $uports6`
294 for uport in $uports; do
295 generate_rules $FMRI $policy "udp" $uport $file
296 done
297 fi
298
299 if [ -n "$uports6" ]; then
300 for uport6 in $uports6; do
301 generate_rules $FMRI $policy "udp" $uport6 $file6 _6
302 done
303 fi
304 fi
305
306 ;;
307
308 *)
309 echo "Usage: $0 { start | stop | refresh }"
310 exit 1
311 ;;
312 esac
313 exit $SMF_EXIT_OK