#!/bin/sh - # # Copyright (c) 1993 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD: src/etc/rc.network,v 1.74.2.43 2003/02/08 21:10:25 gshapiro Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. # network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set # if [ -z "`hostname -s`" ]; then hostname ${hostname} echo -n ' hostname' fi # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) # check whether ipfilter and/or ipnat is enabled ipfilter_active="NO" case ${ipfilter_enable} in [Yy][Ee][Ss]) ipfilter_active="YES" ;; esac case ${ipnat_enable} in [Yy][Ee][Ss]) ipfilter_active="YES" ;; esac case ${ipfilter_active} in [Yy][Ee][Ss]) # load ipfilter kernel module if needed if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then if kldload ipl; then echo 'IP-filter module loaded.' else echo 'Warning: IP-filter module failed to load.' # avoid further errors ipfilter_active="NO" ipmon_enable="NO" ipfilter_enable="NO" ipnat_enable="NO" ipfs_enable="NO" fi fi # start ipmon before loading any rules case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} ;; esac case "${ipfilter_enable}" in [Yy][Ee][Ss]) if [ -r "${ipfilter_rules}" -o \ -r "${ipv6_ipfilter_rules}" ]; then echo -n ' ipfilter' ${ipfilter_program:-/sbin/ipf} -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} \ -f "${ipfilter_rules}" \ ${ipfilter_flags} fi if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -6 \ -f "${ipv6_ipfilter_rules}" \ ${ipfilter_flags} fi else ipfilter_enable="NO" echo -n ' NO IPF RULES' fi ;; esac case "${ipnat_enable}" in [Yy][Ee][Ss]) if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat' eval ${ipnat_program:-/sbin/ipnat} -CF -f \ "${ipnat_rules}" ${ipnat_flags} else ipnat_enable="NO" echo -n ' NO IPNAT RULES' fi ;; esac # restore filter/NAT state tables after loading the rules case "${ipfs_enable}" in [Yy][Ee][Ss]) if [ -r "/var/db/ipf/ipstate.ipf" ]; then echo -n ' ipfs' ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} # remove files to avoid reloading old state # after an ungraceful shutdown rm -f /var/db/ipf/ipstate.ipf rm -f /var/db/ipf/ipnat.ipf fi ;; esac ;; esac # Set the domainname if we're using NIS # case ${nisdomainname} in [Nn][Oo] | '') ;; *) domainname ${nisdomainname} echo -n ' domain' ;; esac echo '.' # Initial ATM interface configuration # case ${atm_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.atm ]; then . /etc/rc.atm atm_pass1 fi ;; esac # Attempt to create cloned interfaces. for ifn in ${cloned_interfaces}; do ifconfig ${ifn} create done # Special options for sppp(4) interfaces go here. These need # to go _before_ the general ifconfig section, since in the case # of hardwired (no link1 flag) but required authentication, you # cannot pass auth parameters down to the already running interface. # for ifn in ${sppp_interfaces}; do eval spppcontrol_args=\$spppconfig_${ifn} if [ -n "${spppcontrol_args}" ]; then # The auth secrets might contain spaces; in order # to retain the quotation, we need to eval them # here. eval spppcontrol ${ifn} ${spppcontrol_args} fi done # gifconfig network_gif_setup # Set up all the network interfaces, calling startup scripts if needed # case ${network_interfaces} in [Aa][Uu][Tt][Oo]) network_interfaces="`ifconfig -l`" ;; *) network_interfaces="${network_interfaces} ${cloned_interfaces}" ;; esac dhcp_interfaces="" for ifn in ${network_interfaces}; do if [ -r /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} eval showstat_$ifn=1 fi # Do the primary ifconfig if specified # eval ifconfig_args=\$ifconfig_${ifn} case ${ifconfig_args} in '') ;; [Dd][Hh][Cc][Pp]) # DHCP inits are done all in one go below dhcp_interfaces="$dhcp_interfaces $ifn" eval showstat_$ifn=1 ;; *) ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 ;; esac done if [ ! -z "${dhcp_interfaces}" ]; then ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} fi for ifn in ${network_interfaces}; do # Check to see if aliases need to be added # alias=0 while : ; do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias eval showstat_$ifn=1 alias=$((${alias} + 1)) else break; fi done # Do ipx address if specified # eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} eval showstat_$ifn=1 fi done for ifn in ${network_interfaces}; do eval showstat=\$showstat_${ifn} if [ ! -z ${showstat} ]; then ifconfig ${ifn} fi done # ISDN subsystem startup # case ${isdn_enable} in [Yy][Ee][Ss]) if [ -r /etc/rc.isdn ]; then . /etc/rc.isdn fi ;; esac # Start user ppp if required. This must happen before natd. # case ${ppp_enable} in [Yy][Ee][Ss]) # Establish ppp mode. # if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ -a "${ppp_mode}" != "dedicated" \ -a "${ppp_mode}" != "background" ]; then ppp_mode="auto" fi ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" # Switch on NAT mode? # case ${ppp_nat} in [Yy][Ee][Ss]) ppp_command="${ppp_command} -nat" ;; esac ppp_command="${ppp_command} ${ppp_profile}" echo "Starting ppp as \"${ppp_user}\"" su -m ${ppp_user} -c "exec ${ppp_command}" ;; esac # Re-Sync ipfilter so it picks up any new network interfaces # case ${ipfilter_active} in [Yy][Ee][Ss]) ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null ;; esac unset ipfilter_active # Initialize IP filtering using ipfw # if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1 else firewall_in_kernel=0 fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then firewall_in_kernel=1 echo 'Kernel firewall module loaded' elif [ "${firewall_in_kernel}" -eq 0 ]; then echo 'Warning: firewall kernel module failed to load' fi ;; esac # Load the filters if required # case ${firewall_in_kernel} in 1) if [ -z "${firewall_script}" ]; then firewall_script=/etc/rc.firewall fi case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' # Network Address Translation daemon # case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then if echo ${natd_interface} | \ grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then natd_flags="$natd_flags -a ${natd_interface}" else natd_flags="$natd_flags -n ${natd_interface}" fi fi echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ;; esac echo '.' elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality,' \ 'but firewall rules are not enabled.' echo ' All ip services are disabled.' fi case ${firewall_logging} in [Yy][Ee][Ss] | '') echo 'Firewall logging=YES' sysctl net.inet.ip.fw.verbose=1 >/dev/null ;; *) ;; esac ;; esac ;; esac # Additional ATM interface configuration # if [ -n "${atm_pass1_done}" ]; then atm_pass2 fi # Configure routing # case ${defaultrouter} in [Nn][Oo] | '') ;; *) static_routes="default ${static_routes}" route_default="default ${defaultrouter}" ;; esac # Set up any static routes. This should be done before router discovery. # if [ -n "${static_routes}" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' case ${tcp_extensions} in [Yy][Ee][Ss] | '') ;; *) echo -n ' tcp extensions=NO' sysctl net.inet.tcp.rfc1323=0 >/dev/null ;; esac case ${icmp_bmcastecho} in [Yy][Ee][Ss]) echo -n ' broadcast ping responses=YES' sysctl net.inet.icmp.bmcastecho=1 >/dev/null ;; esac case ${icmp_drop_redirect} in [Yy][Ee][Ss]) echo -n ' ignore ICMP redirect=YES' sysctl net.inet.icmp.drop_redirect=1 >/dev/null ;; esac case ${icmp_log_redirect} in [Yy][Ee][Ss]) echo -n ' log ICMP redirect=YES' sysctl net.inet.icmp.log_redirect=1 >/dev/null ;; esac case ${gateway_enable} in [Yy][Ee][Ss]) echo -n ' IP gateway=YES' sysctl net.inet.ip.forwarding=1 >/dev/null ;; esac case ${forward_sourceroute} in [Yy][Ee][Ss]) echo -n ' do source routing=YES' sysctl net.inet.ip.sourceroute=1 >/dev/null ;; esac case ${accept_sourceroute} in [Yy][Ee][Ss]) echo -n ' accept source routing=YES' sysctl net.inet.ip.accept_sourceroute=1 >/dev/null ;; esac case ${tcp_keepalive} in [Yy][Ee][Ss]) echo -n ' TCP keepalive=YES' sysctl net.inet.tcp.always_keepalive=1 >/dev/null ;; esac case ${tcp_drop_synfin} in [Yy][Ee][Ss]) echo -n ' drop SYN+FIN packets=YES' sysctl net.inet.tcp.drop_synfin=1 >/dev/null ;; esac case ${ipxgateway_enable} in [Yy][Ee][Ss]) echo -n ' IPX gateway=YES' sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null ;; esac case ${arpproxy_all} in [Yy][Ee][Ss]) echo -n ' ARP proxyall=YES' sysctl net.link.ether.inet.proxyall=1 >/dev/null ;; esac case ${ip_portrange_first} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_first=$ip_portrange_first" sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null ;; esac case ${ip_portrange_last} in [Nn][Oo] | '') ;; *) echo -n " ip_portrange_last=$ip_portrange_last" sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null ;; esac echo '.' case ${ipsec_enable} in [Yy][Ee][Ss]) if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} else echo ' ipsec: file not found' fi ;; esac echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) echo -n " ${router}"; ${router} ${router_flags} ;; esac case ${ipxrouted_enable} in [Yy][Ee][Ss]) echo -n ' IPXrouted' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 ;; esac case ${mrouted_enable} in [Yy][Ee][Ss]) echo -n ' mrouted'; mrouted ${mrouted_flags} ;; esac case ${rarpd_enable} in [Yy][Ee][Ss]) echo -n ' rarpd'; rarpd ${rarpd_flags} ;; esac echo '.' # Let future generations know we made it. # network_pass1_done=YES } network_pass2() { echo -n 'Doing additional network setup:' case ${named_enable} in [Yy][Ee][Ss]) echo -n ' named'; ${named_program:-named} ${named_flags} ;; esac case ${ntpdate_enable} in [Yy][Ee][Ss]) echo -n ' ntpdate' ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 ;; esac case ${xntpd_enable} in [Yy][Ee][Ss]) echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} ;; esac case ${timed_enable} in [Yy][Ee][Ss]) echo -n ' timed'; timed ${timed_flags} ;; esac case ${portmap_enable} in [Yy][Ee][Ss]) echo -n ' portmap'; ${portmap_program:-/usr/sbin/portmap} ${portmap_flags} ;; esac # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. # case ${nis_server_enable} in [Yy][Ee][Ss]) echo -n ' ypserv'; ypserv ${nis_server_flags} case ${nis_ypxfrd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypxfrd' rpc.ypxfrd ${nis_ypxfrd_flags} ;; esac case ${nis_yppasswdd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.yppasswdd' rpc.yppasswdd ${nis_yppasswdd_flags} ;; esac ;; esac # Start ypbind if we're an NIS client # case ${nis_client_enable} in [Yy][Ee][Ss]) echo -n ' ypbind'; ypbind ${nis_client_flags} case ${nis_ypset_enable} in [Yy][Ee][Ss]) echo -n ' ypset'; ypset ${nis_ypset_flags} ;; esac ;; esac # Start keyserv if we are running Secure RPC # case ${keyserv_enable} in [Yy][Ee][Ss]) echo -n ' keyserv'; keyserv ${keyserv_flags} ;; esac # Start ypupdated if we are running Secure RPC and we are NIS master # case ${rpc_ypupdated_enable} in [Yy][Ee][Ss]) echo -n ' rpc.ypupdated'; rpc.ypupdated ;; esac # Start ATM daemons if [ -n "${atm_pass2_done}" ]; then atm_pass3 fi echo '.' network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' case ${nfs_server_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="${mountd_flags} -n" ;; esac mountd ${mountd_flags} case ${nfs_reserved_port_only} in [Yy][Ee][Ss]) echo -n ' NFS on reserved port only=YES' sysctl vfs.nfs.nfs_privport=1 >/dev/null ;; esac echo -n ' nfsd'; nfsd ${nfs_server_flags} case ${rpc_lockd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.lockd'; rpc.lockd ;; esac case ${rpc_statd_enable} in [Yy][Ee][Ss]) echo -n ' rpc.statd'; rpc.statd ;; esac fi ;; *) case ${single_mountd_enable} in [Yy][Ee][Ss]) if [ -r /etc/exports ]; then echo -n ' mountd' case ${weak_mountd_authentication} in [Yy][Ee][Ss]) mountd_flags="-n" ;; esac mountd ${mountd_flags} fi ;; esac ;; esac case ${nfs_client_enable} in [Yy][Ee][Ss]) nfs_in_kernel=0 # Handle absent nfs client support if sysctl vfs.nfs >/dev/null 2>&1; then nfs_in_kernel=1 else kldload nfs && nfs_in_kernel=1 fi if [ ${nfs_in_kernel} -eq 1 ] then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} if [ -n "${nfs_access_cache}" ]; then echo -n " NFS access cache time=${nfs_access_cache}" sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null fi if [ -n "${nfs_bufpackets}" ]; then sysctl vfs.nfs.bufpackets=${nfs_bufpackets} \ > /dev/null fi case ${amd_enable} in [Yy][Ee][Ss]) echo -n ' amd' case ${amd_map_program} in [Nn][Oo] | '') ;; *) amd_flags="${amd_flags} `eval \ ${amd_map_program}`" ;; esac case "${amd_flags}" in '') if [ -r /etc/amd.conf ]; then amd & else echo '' echo 'Warning: amd will not load without arguments' fi ;; *) amd -p ${amd_flags} >/var/run/amd.pid \ 2>/dev/null & ;; esac ;; esac fi ;; esac # If /var/db/mounttab exists, some nfs-server has not been # sucessfully notified about a previous client shutdown. # If there is no /var/db/mounttab, we do nothing. if [ -f /var/db/mounttab ]; then rpc.umntall -k fi case ${rwhod_enable} in [Yy][Ee][Ss]) echo -n ' rwhod'; rwhod ${rwhod_flags} ;; esac # Kerberos servers run ONLY on the Kerberos server machine case ${kerberos_server_enable} in [Yy][Ee][Ss]) case ${kerberos_stash} in [Yy][Ee][Ss]) stash_flag=-n ;; *) stash_flag= ;; esac echo -n ' kerberosIV' kerberos ${stash_flag} >> /var/log/kerberos.log & case ${kadmind_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmindIV' ( sleep 20; kadmind ${stash_flag} >/dev/null 2>&1 & ) & ;; esac unset stash_flag ;; esac case ${kerberos5_server_enable} in [Yy][Ee][Ss]) echo -n ' kerberos5' ${kerberos5_server} & case ${kadmind5_server_enable} in [Yy][Ee][Ss]) echo -n ' kadmind5' ${kadmind5_server} & ;; esac ;; esac case ${pppoed_enable} in [Yy][Ee][Ss]) if [ -n "${pppoed_provider}" ]; then pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" fi echo -n ' pppoed'; _opts=$-; set -f /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} set +f; set -${_opts} ;; esac case ${sshd_enable} in [Yy][Ee][Ss]) if [ -x /usr/bin/ssh-keygen ]; then if [ ! -f /etc/ssh/ssh_host_key ]; then echo ' creating ssh1 RSA host key'; /usr/bin/ssh-keygen -t rsa1 -N "" \ -f /etc/ssh/ssh_host_key fi if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then echo ' creating ssh2 RSA host key'; /usr/bin/ssh-keygen -t rsa -N "" \ -f /etc/ssh/ssh_host_rsa_key fi if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then echo ' creating ssh2 DSA host key'; /usr/bin/ssh-keygen -t dsa -N "" \ -f /etc/ssh/ssh_host_dsa_key fi fi ;; esac echo '.' network_pass3_done=YES } network_pass4() { echo -n 'Additional TCP options:' case ${log_in_vain} in [Nn][Oo] | '') log_in_vain=0 ;; [Yy][Ee][Ss]) log_in_vain=1 ;; [0-9]*) ;; *) echo " invalid log_in_vain setting: ${log_in_vain}" log_in_vain=0 ;; esac if [ "${log_in_vain}" -ne 0 ]; then echo -n " log_in_vain=${log_in_vain}" sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null fi echo '.' network_pass4_done=YES } network_gif_setup() { case ${gif_interfaces} in [Nn][Oo] | '') ;; *) for i in ${gif_interfaces}; do eval peers=\$gifconfig_$i case ${peers} in '') continue ;; *) ifconfig $i create >/dev/null 2>&1 ifconfig $i tunnel ${peers} ifconfig $i up ;; esac done ;; esac }