NAME
na_fpolicy - configure file policies
SYNOPSIS
fpolicy
fpolicy help [ <command> ]
fpolicy create <PolicyName> <PolicyType>
fpolicy destroy <PolicyName>
fpolicy disable <PolicyName>
fpolicy enable <PolicyName> [-f]
fpolicy ext[ension] { exc[lude] | inc[lude] } { reset | show } <PolicyName>
fpolicy ext[ension] { exc[lude] | inc[lude] } { add | remove | set } <PolicyName> <ext>[,<ext>]*
fpolicy mon[itor] { add | remove | set } <PolicyName> [-p { cifs | nfs | cifs,nfs }] [-f] <op_spec>[,<op_spec>]*
fpolicy options <PolicyName>
fpolicy options <PolicyName> required [ on | off ]
fpolicy options <PolicyName> secondary_servers [ <IP-address>[,<IP-address>]* ]
fpolicy options <PolicyName> cifs_setattr [ on | off ]
fpolicy options <PolicyName> monitor_ads [ on | off ]
fpolicy options <PolicyName> reqcancel_timeout [ <timeout-in-secs> ]
fpolicy options <PolicyName> serverprogress_timeout [ <timeout-in-secs> ]
fpolicy options <PolicyName> cifs_disconnect_check [ on | off ]
fpolicy servers show <PolicyName>
fpolicy servers show -I <IP-address>
fpolicy servers stop <PolicyName> <IP-address>
fpolicy show <PolicyName>
fpolicy vol[ume] { inc[lude] | exc[lude] } { reset | show | eval } <PolicyName>
fpolicy vol[ume] { inc[lude] | exc[lude] } { add | remove | set } <PolicyName> <vol_spec>[,<vol_spec>]*
DESCRIPTION
The fpolicy command enables control and configuration of file policies.
fpolicy
Displays FPolicy settings and provides summary
information about policies.
fpolicy help [ <command> ]
Displays information about specific commands available
in the FPolicy subsystem of the storage system.
A list of commands, or syntax for a specific
command, can be obtained.
fpolicy create <PolicyName> <PolicyType>
Creates a new policy. Policy names must be unique.
The only file policy type supported is "screen"
(file screening).
fpolicy destroy <PolicyName>
Destroys an existing policy.
fpolicy disable <PolicyName>
Disables a policy.
fpolicy enable <PolicyName> [-f]
Enables a policy. The -f force flag enables the policy even if no FPolicy server is available to enforce it; whether user requests are allowed or denied until a server registers is governed by the policy's required option (see fpolicy options below).
fpolicy ext[ension] { exc[lude] | inc[lude] } { reset | show } <PolicyName>
fpolicy ext[ension] { exc[lude] | inc[lude] } { add | remove | set } <PolicyName> <ext>[,<ext>]*
<ext>[,<ext>]* is a comma separated list of extensions. The maximum length allowed for a single extension is 260 characters. Up to 255 extensions can be specified in a list. The include list determines which files are screened; the exclude list determines which files are not screened. If an extension is listed on both the exclude and the include list, files with that extension are not screened. If an extension is listed on neither list, files with that extension are not screened either: the include list is an allow-list for screening, so a file whose extension is missing from it (for example a renamed file) is never sent to the FPolicy server.
The character ? is a wild card. When it is not the last character, it matches exactly one character. A single ? at the end of an extension matches zero or one character, and a trailing run of two or more ? matches any number of characters (zero or more); the examples below show the difference between C? and C??.
fpolicy extensions { include | exclude } show <PolicyName>
Displays the current file extension list.
fpolicy extensions { include | exclude } reset <PolicyName>
Resets the file extension list to the default list.
fpolicy extensions { include | exclude } set <PolicyName> <ext>[,<ext>]*
Specifies a new extension list which replaces the current list.
fpolicy extensions { include | exclude } add <PolicyName> <ext>[,<ext>]*
Adds new entries to the current file extension list.
fpolicy extensions { include | exclude } remove <PolicyName> <ext>[,<ext>]*
Removes entries from the current file extension list.
fpolicy mon[itor] { add | remove | set } <PolicyName> [-p { cifs | nfs | cifs,nfs }] [-f] <op_spec>[,<op_spec>]*
Typically the list of operations monitored by a file policy is set by an FPolicy server when it registers for the policy. The list can also be configured with the fpolicy monitor command, but if an FPolicy server sets the list after this command is entered, the server's list overrides the effect of this command.
Operations may be added to or removed from the existing list, or the existing list may be discarded and replaced with a new one. Note that some FPolicy servers may not function correctly if their set of designated operations is changed: for example, an FPolicy server that matches file opens with file closes may malfunction if it stops receiving notifications of files being closed.
By default all protocols are selected. A subset of protocols can be chosen by providing a comma separated list following the -p flag. The -f force flag causes the command to be executed even if there are no servers available to enforce the policy. <op_spec>[,<op_spec>]* is a comma separated list of operations for which the policy will receive notifications. Supported values are all, none, close, create, create_dir, delete, delete_dir, getattr, link, lookup, open, read, rename, rename_dir, setattr, symlink, write. Note: selecting read or write is rarely desirable; notifications for operations that occur frequently have a detrimental effect on performance.
fpolicy options <PolicyName>
Displays the current values of the file policy
options.
fpolicy options <PolicyName> required [ on | off ]
Displays or sets the required option. If set to "on", user requests are denied when no FPolicy server is available to apply the policy (the policy fails closed). If set to "off", user requests are allowed when the policy cannot be applied to the file because no FPolicy server is available (the policy fails open), so the screening provides no protection for as long as the servers are unreachable.
fpolicy options <PolicyName> secondary_servers [ <IP-address>[,<IP-address>]* ]
Displays the current setting for the secondary_servers option. If a comma separated list of IP addresses is provided, the current list is replaced by the new list. The storage system avoids the use of secondary servers to enforce file policies unless there are no primary servers available.
fpolicy options <PolicyName> cifs_setattr [ on | off ]
Displays the current setting for the cifs_setattr option. If set to "on", CIFS requests that change a file's security descriptor are screened by the policy. The security descriptor changes that are screened are changes to the file owner, to the file's primary owner group, and to the SACL and DACL. If set to "off", CIFS security descriptor change requests are not screened by the policy. By default the option is set to "off".
fpolicy options <PolicyName> reqcancel_timeout [ <timeout-in-secs> ]
Set or display the value of reqcancel_timeout for
the policy. This is the maximum time allowed to an
FPolicy server to screen a request. Upon timeout,
the screen request is cancelled from the FPolicy
server. A value of 0 implies that the feature is
disabled. The default value is 0.
fpolicy options <PolicyName> serverprogress_timeout [ <timeout-in-secs> ]
Set or display the value of serverprogress_timeout
for the policy. This is the maximum time an FPolicy
server can remain unresponsive while processing the
maximum allowed number of screen requests. Upon
timeout, the unresponsive FPolicy server will be
disconnected from the storage system. A value of 0
implies that the feature is disabled. The default
value is 0.
fpolicy options <PolicyName> cifs_disconnect_check [ on | off ]
Set or display the value of cifs_disconnect_check
for the policy. If this option is enabled, CIFS
requests associated with disconnected sessions will
not be sent to FPolicy servers for screening. The
default setting for this option is "off".
fpolicy options <PolicyName> monitor_ads [ on | off ]
Displays the current setting for the monitor_ads option. If set to "on", CIFS requests for alternate data streams (ADS) are monitored by the policy. If set to "off", the policy does not monitor any CIFS requests for alternate data streams, so content written to a stream of an otherwise screened file bypasses the policy while the option is off. FPolicy does not support NFS requests for alternate data streams.
fpolicy servers show <PolicyName>
Displays a list of FPolicy servers which have
offered to apply file policies for the storage system.
Each FPolicy server that registers for a policy
can enable optional parameters.
fpolicy servers show -I <IP-address>
Displays a list of FPolicy servers connected to the
storage system from the given IP address.
fpolicy servers show <PolicyName> and fpolicy servers show
-I <IP-address> will print all the options enabled by the
FPolicy server in the "Options enabled:" field. Following
are the options that can be enabled by the FPolicy server:
version2
FPolicy server is using version 2 of the FPolicy
interface. Version 2 enables read redirect and support
for NFS version 4 protocol (See the SDK for
more details).
size_and_owner
File size and owner information is included with the FPolicy event notification. The size reported to the FPolicy server is the logical file size. Owner information is reported in Windows SID format. If the file has a Windows security descriptor, the owner information is based on it. If the file has no Windows security descriptor, the storage system tries to derive an equivalent Windows SID from the Unix UID and reports that to the FPolicy server. If this translation from Unix UID to Windows SID fails, the storage system reports the well known CREATOR_OWNER SID to the FPolicy server.
async
The FPolicy server needs asynchronous screen request notifications. When an FPolicy server registers for asynchronous notifications, the storage system notifies it about file events as they occur but does not wait for its response: the CIFS/NFS request is completed immediately after the screen notification is sent. An asynchronous registration can therefore observe and log operations but cannot block them.
snapid
The FPolicy server needs the snapshot ID of the file being accessed. A snapshot ID is a persistent identifier that can be used to identify a snapshot of a file system. The active file system has a distinct snapshot ID.
fpolicy show <PolicyName>
Displays the status of <PolicyName>, including the operations configured for the policy, the extensions monitored by the policy, the FPolicy servers registered for the policy and the options enabled by each FPolicy server. It shows the total number of requests screened by the FPolicy servers, the number of requests blocked by the FPolicy servers and the number of requests blocked locally for the given policy. The output also indicates whether the FPolicy servers registered for this policy need inode to pathname translation for NFS screen requests and whether they need notifications for offline files only.
fpolicy servers stop <PolicyName> <IP-address>
Terminates the connection between the storage
system and the FPolicy server registered for the
file policy <PolicyName> from <IP-address>.
fpolicy vol[ume] { inc[lude] | exc[lude] } { reset | show | eval } <PolicyName>
fpolicy vol[ume] { inc[lude] | exc[lude] } { add | remove | set } <PolicyName> <vol_spec>[,<vol_spec>]*
<vol_spec>[,<vol_spec>]* is a comma separated list of storage system volumes. Regular expressions including the wildcard characters ? and * are also supported. The include volume list specifies which volumes the policy applies to. The exclude volume list specifies which volumes are not monitored by the policy; when an exclude list is specified, every volume not excluded is controlled by the policy. If both lists are set for a policy, the exclude list takes precedence and the include list is ignored. If neither volume list is set, the policy applies to all volumes. Use fpolicy volume { include | exclude } eval to confirm the resulting set of volumes before enabling the policy.
fpolicy vol[ume] { inc[lude] | exc[lude] } add <PolicyName> <vol_spec>[,<vol_spec>]*
Adds new entries to the current volume list.
fpolicy vol[ume] { inc[lude] | exc[lude] } remove <PolicyName> <vol_spec>[,<vol_spec>]*
Removes entries from the current volume list.
fpolicy vol[ume] { inc[lude] | exc[lude] } set <PolicyName> <vol_spec>[,<vol_spec>]*
Specifies a new volume list which replaces the current list.
fpolicy vol[ume] { inc[lude] | exc[lude] } reset <PolicyName>
Resets the volume list to an empty list.
fpolicy vol[ume] { inc[lude] | exc[lude] } show <PolicyName>
Displays the current volume list.
fpolicy vol[ume] { inc[lude] | exc[lude] } eval <PolicyName>
Prints the list of volumes that this policy applies to.
EXAMPLES
fpolicy extensions include set p1 C??
This command causes the storage system to screen the files ABC.C, ABC.CPP, ABC.C++, ABC.CPLUS and so on for policy p1.
fpolicy extensions include set p1 C?
This command causes the storage system to screen the files ABC.C, ABC.CP and so on, but not ABC.CPP, for policy p1.
fpolicy extensions include set p1 A?C
This command causes the storage system to screen the files XYZ.ABC, XYZ.ACC and so on, but not XYZ.APP, for policy p1.
fpolicy extensions include set p1 ?
This command causes the storage system to screen the files ABC.A, ABC.C, ABC and so on, but not ABC.AC, for policy p1.
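The extension rules (include/exclude precedence and the three behaviours of the ? wild card), the volume include/exclude rules, and the four extension examples above, re-implemented as an added example so the documented cases can be replayed offline. This is not code from the na_fpolicy man page or from Data ONTAP; it assumes case-insensitive extension comparison and fnmatch-style globbing for volume patterns, neither of which the page states.

```python
"""Extension and volume scoping for an FPolicy "screen" policy.

Added example, not code from the na_fpolicy man page or from Data ONTAP:
it re-implements the include/exclude and '?' wildcard rules the page
describes so the four documented examples can be checked. Assumptions
(not stated by the page): extension comparison is case-insensitive, and
volume lists use fnmatch-style globbing for the '?' and '*' wildcards.
"""
from fnmatch import fnmatchcase


def ext_pattern_matches(pattern: str, ext: str) -> bool:
    """Match a file extension against one fpolicy extension pattern.

    Rules, as the page's examples define them:
      - '?' that is not at the end matches exactly one character;
      - a single trailing '?' matches zero or one character (C? -> C, CP);
      - a trailing run of two or more '?' matches any number of
        characters (C?? -> C, CPP, CPLUS).
    """
    p, e = pattern.upper(), ext.upper()       # assumed case-insensitive
    core = p.rstrip("?")
    trailing = len(p) - len(core)
    if len(e) < len(core):
        return False
    head, tail = e[:len(core)], e[len(core):]
    if any(pc != "?" and pc != ec for pc, ec in zip(core, head)):
        return False
    if trailing == 0:
        return tail == ""
    if trailing == 1:
        return len(tail) <= 1
    return True


def extension_of(filename: str) -> str:
    """'ABC.CPP' -> 'CPP'; a name without a dot has the empty extension."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def should_screen(filename: str, include: list, exclude: list) -> bool:
    """Extension-list decision: exclude wins, and anything that matches
    no include entry is passed through unscreened (the include list is
    an allow-list for screening, not a block-list for access)."""
    ext = extension_of(filename)
    if any(ext_pattern_matches(p, ext) for p in exclude):
        return False
    return any(ext_pattern_matches(p, ext) for p in include)


def volume_in_scope(volume: str, include: list, exclude: list) -> bool:
    """Volume-list decision: an exclude list overrides the include list
    entirely; with neither list set the policy covers every volume."""
    if exclude:
        return not any(fnmatchcase(volume, p) for p in exclude)
    if include:
        return any(fnmatchcase(volume, p) for p in include)
    return True


def check_documented_examples() -> bool:
    """Replay the four examples from the EXAMPLES section of the page."""
    cases = [
        ("C??", ["ABC.C", "ABC.CPP", "ABC.C++", "ABC.CPLUS"], []),
        ("C?", ["ABC.C", "ABC.CP"], ["ABC.CPP"]),
        ("A?C", ["XYZ.ABC", "XYZ.ACC"], ["XYZ.APP"]),
        ("?", ["ABC.A", "ABC.C", "ABC"], ["ABC.AC"]),
    ]
    for pattern, screened, passed in cases:
        if not all(should_screen(f, [pattern], []) for f in screened):
            return False
        if any(should_screen(f, [pattern], []) for f in passed):
            return False
    return True


if __name__ == "__main__":
    print("documented examples hold:", check_documented_examples())
    # Constructed file names: a renamed payload escapes an include-only
    # policy because nothing on the include list matches, so it is never
    # sent to the FPolicy server at all.
    print("evil.exe screened:", should_screen("evil.exe", ["doc?", "xls?"], []))
    print("evil.docx.tmp screened:", should_screen("evil.docx.tmp", ["doc?"], []))
```

The last two calls show the caveat a practitioner should take from the extension rules: an include-only list screens nothing that arrives under a different or double extension, so it narrows the server's view rather than the client's access.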
VFILER CONSIDERATIONS
When run from a vFiler context (e.g. via the vfiler run command), fpolicy operates on the affected vFiler.
SEE ALSO
na_vfiler(1)