3 # Copyright (c) 1993 The FreeBSD Project
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
15 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 # $FreeBSD: src/etc/rc.network,v 1.74.2.43 2003/02/08 21:10:25 gshapiro Exp $
28 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
31 # Note that almost all of the user-configurable behavior is no longer in
32 # this file, but rather in /etc/defaults/rc.conf. Please check that file
33 # first before contemplating any changes here. If you do need to change
34 # this file for some reason, we would like to know about it.
36 # First pass startup stuff.
39 echo -n 'Doing initial network setup:'
41 # Set the host name if it is not already set
43 if [ -z "`hostname -s`" ]; then
48 # Establish ipfilter ruleset as early as possible (best in
49 # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
51 # check whether ipfilter and/or ipnat is enabled
53 case ${ipfilter_enable} in
58 case ${ipnat_enable} in
63 case ${ipfilter_active} in
65 # load ipfilter kernel module if needed
66 if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
68 echo 'IP-filter module loaded.'
70 echo 'Warning: IP-filter module failed to load.'
71 # avoid further errors
79 # start ipmon before loading any rules
80 case "${ipmon_enable}" in
83 ${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
86 case "${ipfilter_enable}" in
88 if [ -r "${ipfilter_rules}" -o \
89 -r "${ipv6_ipfilter_rules}" ]; then
91 ${ipfilter_program:-/sbin/ipf} -Fa
92 if [ -r "${ipfilter_rules}" ]; then
93 ${ipfilter_program:-/sbin/ipf} \
94 -f "${ipfilter_rules}" \
97 if [ -r "${ipv6_ipfilter_rules}" ]; then
98 ${ipfilter_program:-/sbin/ipf} -6 \
99 -f "${ipv6_ipfilter_rules}" \
104 echo -n ' NO IPF RULES'
108 case "${ipnat_enable}" in
110 if [ -r "${ipnat_rules}" ]; then
112 eval ${ipnat_program:-/sbin/ipnat} -CF -f \
113 "${ipnat_rules}" ${ipnat_flags}
116 echo -n ' NO IPNAT RULES'
120 # restore filter/NAT state tables after loading the rules
121 case "${ipfs_enable}" in
123 if [ -r "/var/db/ipf/ipstate.ipf" ]; then
125 ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
126 # remove files to avoid reloading old state
127 # after an ungraceful shutdown
128 rm -f /var/db/ipf/ipstate.ipf
129 rm -f /var/db/ipf/ipnat.ipf
136 # Set the domainname if we're using NIS
138 case ${nisdomainname} in
142 domainname ${nisdomainname}
149 # Initial ATM interface configuration
151 case ${atm_enable} in
153 if [ -r /etc/rc.atm ]; then
160 # Attempt to create cloned interfaces.
161 for ifn in ${cloned_interfaces}; do
162 ifconfig ${ifn} create
165 # Special options for sppp(4) interfaces go here. These need
166 # to go _before_ the general ifconfig section, since in the case
167 # of hardwired (no link1 flag) but required authentication, you
168 # cannot pass auth parameters down to the already running interface.
170 for ifn in ${sppp_interfaces}; do
171 eval spppcontrol_args=\$spppconfig_${ifn}
172 if [ -n "${spppcontrol_args}" ]; then
173 # The auth secrets might contain spaces; in order
174 # to retain the quotation, we need to eval them
176 eval spppcontrol ${ifn} ${spppcontrol_args}
183 # Set up all the network interfaces, calling startup scripts if needed
185 case ${network_interfaces} in
187 network_interfaces="`ifconfig -l`"
190 network_interfaces="${network_interfaces} ${cloned_interfaces}"
195 for ifn in ${network_interfaces}; do
196 if [ -r /etc/start_if.${ifn} ]; then
197 . /etc/start_if.${ifn}
201 # Do the primary ifconfig if specified
203 eval ifconfig_args=\$ifconfig_${ifn}
205 case ${ifconfig_args} in
209 # DHCP inits are done all in one go below
210 dhcp_interfaces="$dhcp_interfaces $ifn"
214 ifconfig ${ifn} ${ifconfig_args}
220 if [ ! -z "${dhcp_interfaces}" ]; then
221 ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
224 for ifn in ${network_interfaces}; do
225 # Check to see if aliases need to be added
229 eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
230 if [ -n "${ifconfig_args}" ]; then
231 ifconfig ${ifn} ${ifconfig_args} alias
233 alias=$((${alias} + 1))
239 # Do ipx address if specified
241 eval ifconfig_args=\$ifconfig_${ifn}_ipx
242 if [ -n "${ifconfig_args}" ]; then
243 ifconfig ${ifn} ${ifconfig_args}
248 for ifn in ${network_interfaces}; do
249 eval showstat=\$showstat_${ifn}
250 if [ ! -z ${showstat} ]; then
255 # ISDN subsystem startup
257 case ${isdn_enable} in
259 if [ -r /etc/rc.isdn ]; then
265 # Start user ppp if required. This must happen before natd.
267 case ${ppp_enable} in
269 # Establish ppp mode.
271 if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \
272 -a "${ppp_mode}" != "dedicated" \
273 -a "${ppp_mode}" != "background" ]; then
277 ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"
279 # Switch on NAT mode?
283 ppp_command="${ppp_command} -nat"
287 ppp_command="${ppp_command} ${ppp_profile}"
289 echo "Starting ppp as \"${ppp_user}\""
290 su -m ${ppp_user} -c "exec ${ppp_command}"
294 # Re-Sync ipfilter so it picks up any new network interfaces
296 case ${ipfilter_active} in
298 ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
301 unset ipfilter_active
303 # Initialize IP filtering using ipfw
305 if /sbin/ipfw -q flush > /dev/null 2>&1; then
311 case ${firewall_enable} in
313 if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
315 echo 'Kernel firewall module loaded'
316 elif [ "${firewall_in_kernel}" -eq 0 ]; then
317 echo 'Warning: firewall kernel module failed to load'
322 # Load the filters if required
324 case ${firewall_in_kernel} in
326 if [ -z "${firewall_script}" ]; then
327 firewall_script=/etc/rc.firewall
330 case ${firewall_enable} in
332 if [ -r "${firewall_script}" ]; then
333 . "${firewall_script}"
334 echo -n 'Firewall rules loaded, starting divert daemons:'
336 # Network Address Translation daemon
338 case ${natd_enable} in
340 if [ -n "${natd_interface}" ]; then
341 if echo ${natd_interface} | \
342 grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
343 natd_flags="$natd_flags -a ${natd_interface}"
345 natd_flags="$natd_flags -n ${natd_interface}"
348 echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags}
354 elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
355 echo 'Warning: kernel has firewall functionality,' \
356 'but firewall rules are not enabled.'
357 echo ' All ip services are disabled.'
360 case ${firewall_logging} in
362 echo 'Firewall logging=YES'
363 sysctl net.inet.ip.fw.verbose=1 >/dev/null
374 # Additional ATM interface configuration
376 if [ -n "${atm_pass1_done}" ]; then
382 case ${defaultrouter} in
386 static_routes="default ${static_routes}"
387 route_default="default ${defaultrouter}"
391 # Set up any static routes. This should be done before router discovery.
393 if [ -n "${static_routes}" ]; then
394 for i in ${static_routes}; do
395 eval route_args=\$route_${i}
396 route add ${route_args}
400 echo -n 'Additional routing options:'
401 case ${tcp_extensions} in
405 echo -n ' tcp extensions=NO'
406 sysctl net.inet.tcp.rfc1323=0 >/dev/null
410 case ${icmp_bmcastecho} in
412 echo -n ' broadcast ping responses=YES'
413 sysctl net.inet.icmp.bmcastecho=1 >/dev/null
417 case ${icmp_drop_redirect} in
419 echo -n ' ignore ICMP redirect=YES'
420 sysctl net.inet.icmp.drop_redirect=1 >/dev/null
424 case ${icmp_log_redirect} in
426 echo -n ' log ICMP redirect=YES'
427 sysctl net.inet.icmp.log_redirect=1 >/dev/null
431 case ${gateway_enable} in
433 echo -n ' IP gateway=YES'
434 sysctl net.inet.ip.forwarding=1 >/dev/null
438 case ${forward_sourceroute} in
440 echo -n ' do source routing=YES'
441 sysctl net.inet.ip.sourceroute=1 >/dev/null
445 case ${accept_sourceroute} in
447 echo -n ' accept source routing=YES'
448 sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
452 case ${tcp_keepalive} in
454 echo -n ' TCP keepalive=YES'
455 sysctl net.inet.tcp.always_keepalive=1 >/dev/null
459 case ${tcp_drop_synfin} in
461 echo -n ' drop SYN+FIN packets=YES'
462 sysctl net.inet.tcp.drop_synfin=1 >/dev/null
466 case ${ipxgateway_enable} in
468 echo -n ' IPX gateway=YES'
469 sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
473 case ${arpproxy_all} in
475 echo -n ' ARP proxyall=YES'
476 sysctl net.link.ether.inet.proxyall=1 >/dev/null
480 case ${ip_portrange_first} in
484 echo -n " ip_portrange_first=$ip_portrange_first"
485 sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
489 case ${ip_portrange_last} in
493 echo -n " ip_portrange_last=$ip_portrange_last"
494 sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
500 case ${ipsec_enable} in
502 if [ -f ${ipsec_file} ]; then
503 echo ' ipsec: enabled'
504 setkey -f ${ipsec_file}
506 echo ' ipsec: file not found'
511 echo -n 'Routing daemons:'
512 case ${router_enable} in
514 echo -n " ${router}"; ${router} ${router_flags}
518 case ${ipxrouted_enable} in
521 IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
525 case ${mrouted_enable} in
527 echo -n ' mrouted'; mrouted ${mrouted_flags}
531 case ${rarpd_enable} in
533 echo -n ' rarpd'; rarpd ${rarpd_flags}
538 # Let future generations know we made it.
540 network_pass1_done=YES
544 echo -n 'Doing additional network setup:'
545 case ${named_enable} in
547 echo -n ' named'; ${named_program:-named} ${named_flags}
551 case ${ntpdate_enable} in
554 ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
558 case ${xntpd_enable} in
560 echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags}
564 case ${timed_enable} in
566 echo -n ' timed'; timed ${timed_flags}
570 case ${portmap_enable} in
572 echo -n ' portmap'; ${portmap_program:-/usr/sbin/portmap} ${portmap_flags}
576 # Start ypserv if we're an NIS server.
577 # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server.
579 case ${nis_server_enable} in
581 echo -n ' ypserv'; ypserv ${nis_server_flags}
583 case ${nis_ypxfrd_enable} in
585 echo -n ' rpc.ypxfrd'
586 rpc.ypxfrd ${nis_ypxfrd_flags}
590 case ${nis_yppasswdd_enable} in
592 echo -n ' rpc.yppasswdd'
593 rpc.yppasswdd ${nis_yppasswdd_flags}
599 # Start ypbind if we're an NIS client
601 case ${nis_client_enable} in
603 echo -n ' ypbind'; ypbind ${nis_client_flags}
604 case ${nis_ypset_enable} in
606 echo -n ' ypset'; ypset ${nis_ypset_flags}
612 # Start keyserv if we are running Secure RPC
614 case ${keyserv_enable} in
616 echo -n ' keyserv'; keyserv ${keyserv_flags}
620 # Start ypupdated if we are running Secure RPC and we are NIS master
622 case ${rpc_ypupdated_enable} in
624 echo -n ' rpc.ypupdated'; rpc.ypupdated
629 if [ -n "${atm_pass2_done}" ]; then
634 network_pass2_done=YES
638 echo -n 'Starting final network daemons:'
640 case ${nfs_server_enable} in
642 if [ -r /etc/exports ]; then
645 case ${weak_mountd_authentication} in
647 mountd_flags="${mountd_flags} -n"
651 mountd ${mountd_flags}
653 case ${nfs_reserved_port_only} in
655 echo -n ' NFS on reserved port only=YES'
656 sysctl vfs.nfs.nfs_privport=1 >/dev/null
660 echo -n ' nfsd'; nfsd ${nfs_server_flags}
662 case ${rpc_lockd_enable} in
664 echo -n ' rpc.lockd'; rpc.lockd
668 case ${rpc_statd_enable} in
670 echo -n ' rpc.statd'; rpc.statd
676 case ${single_mountd_enable} in
678 if [ -r /etc/exports ]; then
681 case ${weak_mountd_authentication} in
687 mountd ${mountd_flags}
694 case ${nfs_client_enable} in
697 # Handle absent nfs client support
698 if sysctl vfs.nfs >/dev/null 2>&1; then
701 kldload nfs && nfs_in_kernel=1
703 if [ ${nfs_in_kernel} -eq 1 ]
705 echo -n ' nfsiod'; nfsiod ${nfs_client_flags}
706 if [ -n "${nfs_access_cache}" ]; then
707 echo -n " NFS access cache time=${nfs_access_cache}"
708 sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
711 if [ -n "${nfs_bufpackets}" ]; then
712 sysctl vfs.nfs.bufpackets=${nfs_bufpackets} \
716 case ${amd_enable} in
719 case ${amd_map_program} in
723 amd_flags="${amd_flags} `eval \
728 case "${amd_flags}" in
730 if [ -r /etc/amd.conf ]; then
734 echo 'Warning: amd will not load without arguments'
738 amd -p ${amd_flags} >/var/run/amd.pid \
748 # If /var/db/mounttab exists, some nfs-server has not been
749 # sucessfully notified about a previous client shutdown.
750 # If there is no /var/db/mounttab, we do nothing.
751 if [ -f /var/db/mounttab ]; then
755 case ${rwhod_enable} in
757 echo -n ' rwhod'; rwhod ${rwhod_flags}
761 # Kerberos servers run ONLY on the Kerberos server machine
762 case ${kerberos_server_enable} in
764 case ${kerberos_stash} in
773 echo -n ' kerberosIV'
774 kerberos ${stash_flag} >> /var/log/kerberos.log &
776 case ${kadmind_server_enable} in
781 kadmind ${stash_flag} >/dev/null 2>&1 &
789 case ${kerberos5_server_enable} in
792 ${kerberos5_server} &
794 case ${kadmind5_server_enable} in
803 case ${pppoed_enable} in
805 if [ -n "${pppoed_provider}" ]; then
806 pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
810 /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
811 set +f; set -${_opts}
815 case ${sshd_enable} in
817 if [ -x /usr/bin/ssh-keygen ]; then
818 if [ ! -f /etc/ssh/ssh_host_key ]; then
819 echo ' creating ssh1 RSA host key';
820 /usr/bin/ssh-keygen -t rsa1 -N "" \
821 -f /etc/ssh/ssh_host_key
823 if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
824 echo ' creating ssh2 RSA host key';
825 /usr/bin/ssh-keygen -t rsa -N "" \
826 -f /etc/ssh/ssh_host_rsa_key
828 if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
829 echo ' creating ssh2 DSA host key';
830 /usr/bin/ssh-keygen -t dsa -N "" \
831 -f /etc/ssh/ssh_host_dsa_key
838 network_pass3_done=YES
842 echo -n 'Additional TCP options:'
843 case ${log_in_vain} in
853 echo " invalid log_in_vain setting: ${log_in_vain}"
858 if [ "${log_in_vain}" -ne 0 ]; then
859 echo -n " log_in_vain=${log_in_vain}"
860 sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
861 sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
865 network_pass4_done=YES
868 network_gif_setup() {
869 case ${gif_interfaces} in
873 for i in ${gif_interfaces}; do
874 eval peers=\$gifconfig_$i
880 ifconfig $i create >/dev/null 2>&1
881 ifconfig $i tunnel ${peers}