3 # Copyright (c) 2000 The KAME Project
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
15 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 # $FreeBSD: src/etc/rc.network6,v 1.5.2.23 2002/07/24 18:25:42 ume Exp $
30 # Note that almost all of the user-configurable behavior is not in this
31 # file, but rather in /etc/defaults/rc.conf. Please check that file
32 # first before contemplating any changes here. If you do need to change
33 # this file for some reason, we would like to know about it.
# --- IPv6 packet filter (ip6fw) ---------------------------------------------
# Deliberately placed before any interface further down gets an address,
# so the filter is in place before this host becomes reachable over IPv6.
38 echo -n 'Doing IPv6 network setup:'
40 # Initialize IP filtering using ip6fw
# Probe for in-kernel ip6fw by flushing the rule set.  The probe is not
# side-effect free: any rules already loaded are discarded here (apart from
# the kernel's built-in default rule), so re-running this script leaves the
# host on that default policy until the rule script below reinstalls them.
42 if /sbin/ip6fw -q flush > /dev/null 2>&1; then
43 ipv6_firewall_in_kernel=1
# (the matching else/fi lines are not part of this excerpt)
45 ipv6_firewall_in_kernel=0
48 case ${ipv6_firewall_enable} in
# Firewall requested but not compiled in: try the loadable module.
50 if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then
51 ipv6_firewall_in_kernel=1
52 echo "Kernel IPv6 firewall module loaded."
53 elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then
# Only a warning: startup continues with NO IPv6 filtering at all.
54 echo "Warning: IPv6 firewall kernel module failed to load."
59 # Load the filters if required
61 case ${ipv6_firewall_in_kernel} in
63 if [ -z "${ipv6_firewall_script}" ]; then
64 ipv6_firewall_script=/etc/rc.firewall6
67 case ${ipv6_firewall_enable} in
# The rule script is sourced (".") into this root shell rather than
# executed, so it shares our variables and everything in it runs with full
# privileges.  Only readability is checked, and the path is an rc.conf
# variable: keep that file root-owned and writable by nobody else.
69 if [ -r "${ipv6_firewall_script}" ]; then
70 . "${ipv6_firewall_script}"
71 echo -n 'IPv6 Firewall rules loaded.'
# Rule 65535 is the kernel's built-in default policy.  With ip6fw present
# but no rule script loaded, a "deny" default drops every IPv6 packet, so
# say so loudly instead of leaving the admin to wonder why nothing answers.
72 elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
73 echo -n "Warning: kernel has IPv6 firewall functionality, "
74 echo "but IPv6 firewall rules are not enabled."
75 echo " All ipv6 services are disabled."
78 case ${ipv6_firewall_logging} in
# Presumably gates the "log" keyword on individual rules -- see ip6fw(8).
80 echo 'IPv6 Firewall logging=YES'
81 sysctl net.inet6.ip6.fw.verbose=1 >/dev/null
# --- Interface list -----------------------------------------------------------
# ipv6_network_interfaces (rc.conf) selects which interfaces get IPv6.  Of
# the two arms visible here one falls back to every interface ifconfig(8)
# lists and the other to none (the matching case patterns are not in this
# excerpt).  Further down this list is spliced into variable names via
# eval and passed unquoted to ifconfig/route, so it must remain trusted
# input: rc.conf values or kernel interface names, never anything that
# originated on the network.
92 case ${ipv6_network_interfaces} in
95 # list of interfaces, and prefix for interfaces
97 ipv6_network_interfaces="`ifconfig -l`"
100 ipv6_network_interfaces=''
107 # disallow "internal" addresses to appear on the wire
# ::ffff:0.0.0.0/96 (IPv4-mapped) and ::/96 (IPv4-compatible) wrap an IPv4
# address in IPv6 form and are only meaningful inside the socket API.  A
# -reject route makes the kernel refuse to send to them, so this host
# neither emits nor forwards such packets -- a classic way of slipping
# IPv4 traffic past IPv6-only filter rules.
108 route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
109 route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
# --- Router vs. host role -----------------------------------------------------
111 case ${ipv6_gateway_enable} in
# Router: forward, and do NOT honor Router Advertisements.  A forwarding
# node that accepted RAs would let any host on an attached link hand it a
# default route or prefix list.
114 sysctl net.inet6.ip6.forwarding=1
115 sysctl net.inet6.ip6.accept_rtadv=0
# Per-interface router setup (the loop body is not part of this excerpt).
118 for i in $ipv6_network_interfaces; do
# Give Duplicate Address Detection time to finish: DAD sends dad_count
# probes, by default about a second apart, so sleeping that many seconds
# roughly covers the window.
121 sleep `sysctl -n net.inet6.ip6.dad_count`
125 # act as endhost - start with manual configuration
126 # Setup of net.inet6.ip6.accept_rtadv is done later by
127 # network6_interface_setup.
128 sysctl net.inet6.ip6.forwarding=0
# Only configure addresses when there is something to configure;
# network6_interface_setup is defined further down in this file.
132 if [ -n "${ipv6_network_interfaces}" ]; then
133 # setting up interfaces
134 network6_interface_setup $ipv6_network_interfaces
136 # wait for DAD's completion (for global addrs)
137 sleep `sysctl -n net.inet6.ip6.dad_count`
141 case ${ipv6_gateway_enable} in
143 # Filter out interfaces on which IPv6 addr init failed.
# "exclude_tentative" makes the helper skip a link-local whose DAD has not
# finished, so an interface that never got a usable link-local is dropped
# from the working set rather than configured half-way.  The test on
# ${laddr} sits on lines that are not part of this excerpt.
144 ipv6_working_interfaces=""
145 for i in ${ipv6_network_interfaces}; do
146 laddr=`network6_getladdr $i exclude_tentative`
151 ipv6_working_interfaces="$i \
152 ${ipv6_working_interfaces}"
# From here on only interfaces with a usable link-local are considered.
156 ipv6_network_interfaces=${ipv6_working_interfaces}
163 # install the "default interface" to kernel, which will be used
164 # as the default route when there's no router.
165 network6_default_interface_setup
167 # setup static routes
# Reads ipv6_defaultrouter / ipv6_static_routes from rc.conf; see the
# helper of the same name below.
168 network6_static_routes_setup
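# --- IPv6 routing daemon ------------------------------------------------------
# ipv6_router / ipv6_router_flags come from rc.conf (route6d in the stock
# defaults).  A dynamic routing daemon learns routes from its peers on the
# wire, so enable it only on links where those peers are trusted.
174 case ${ipv6_router_enable} in
# Quoted on purpose: with an empty ipv6_router the unquoted form `[ -x ]` is
# a one-argument test that succeeds (the string "-x" is non-empty), and the
# last line of this branch would then run ${ipv6_router_flags} as the
# command.  Quoting makes the empty case fail the test instead.
176 if [ -x "${ipv6_router}" ]; then
177 echo -n " ${ipv6_router}"
# Flags intentionally unquoted so rc.conf may supply several of them.
178 ${ipv6_router} ${ipv6_router_flags}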
# --- Router Advertisement daemon (routers only) -------------------------------
184 case ${ipv6_gateway_enable} in
187 # This should be enabled with great care.
188 # You may want to fine-tune /etc/rtadvd.conf.
190 # And if you wish your rtadvd to receive and process
191 # router renumbering messages, specify your Router Renumbering
192 # security policy by -R option.
194 # See `man 3 ipsec_set_policy` for IPsec policy specification
196 # (CAUTION: This enables your router's prefix renumbering
197 # from another machine, so if you enable this, do it with
# Router Renumbering messages rewrite the prefixes this router hands out
# to every host on its links.  Never accept them unauthenticated: the -R
# examples at the end of this section require an IPsec AH policy, and that
# is the minimum.
200 case ${rtadvd_enable} in
203 case ${rtadvd_interfaces} in
# rtadvd_interfaces left empty in rc.conf: advertise on every interface in
# ipv6_network_interfaces except loopback and the pseudo/tunnel/serial
# ones.  That includes an upstream interface if this box has one, on
# which it would then be a rogue router for the provider's link.  On a
# multi-homed router set rtadvd_interfaces explicitly to the inside links.
205 for i in ${ipv6_network_interfaces}; do
207 lo0|gif[0-9]*|stf[0-9]*|faith[0-9]*|lp[0-9]*|sl[0-9]*|tun[0-9]*)
211 rtadvd_interfaces="${rtadvd_interfaces} ${i}"
# What gets advertised is governed by /etc/rtadvd.conf (see rtadvd(8) for
# the behaviour when an interface has no entry there).
217 rtadvd ${rtadvd_interfaces}
219 # Enable Router Renumbering, unicast case
220 # (use correct src/dst addr)
# The fec0::/10 addresses in these examples are placeholders (site-local
# scope was deprecated by RFC 3879); substitute your own addresses.
221 # rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
222 # ${ipv6_network_interfaces}
223 # Enable Router Renumbering, multicast case
224 # (use correct src addr)
225 # rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
226 # ${ipv6_network_interfaces}
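# --- IPv6 multicast routing daemon --------------------------------------------
231 case ${mroute6d_enable} in
# Quoted on purpose: with an empty mroute6d_program the unquoted `[ -x ]`
# is a one-argument test that succeeds, and ${mroute6d_flags} would then
# be executed as the command two lines down.
233 if [ -x "${mroute6d_program}" ]; then
234 echo -n " ${mroute6d_program}"
# Flags intentionally unquoted so rc.conf may supply several of them.
235 ${mroute6d_program} ${mroute6d_flags}
# --- IPv4-mapped addresses on AF_INET6 sockets --------------------------------
# v6only=0 lets an AF_INET6 listener also accept IPv4 peers, which it then
# sees as ::ffff:a.b.c.d.  Such traffic is plain IPv4 on the wire (the
# reject route for ::ffff:0.0.0.0/96 above only concerns packets), but an
# application or ACL that assumes "this socket is IPv6" will misjudge those
# peers -- leave this at NO unless a service actually needs it.
242 case ${ipv6_ipv4mapping} in
244 echo -n ' IPv4 mapped IPv6 address support=YES'
245 sysctl net.inet6.ip6.v6only=0 >/dev/null
248 echo -n ' IPv4 mapped IPv6 address support=NO'
249 sysctl net.inet6.ip6.v6only=1 >/dev/null
255 # Let future generations know we made it.
# Presumably checked by later rc scripts so this pass is not repeated.
257 network6_pass1_done=YES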
# network6_interface_setup IFACE...
#   Assign the configured IPv6 addresses to each interface named on the
#   command line: a prefix-derived address (ipv6_prefix_<if>), an explicit
#   one (ipv6_ifconfig_<if>), then numbered aliases
#   (ipv6_ifconfig_<if>_alias<N>); on hosts it also decides whether Router
#   Advertisements are accepted.  The copy of "$@" into ${interfaces}, the
#   rtsol_* defaults and several closing esac/fi/done lines are not part of
#   this excerpt, so the structure below is indicative only.
260 network6_interface_setup() {
263 case ${ipv6_gateway_enable} in
271 for i in $interfaces; do
# Indirect lookup via eval: the interface name becomes part of a variable
# name, so ${interfaces} must only ever hold kernel interface names or
# rc.conf values, never anything taken from the network.
273 eval prefix=\$ipv6_prefix_$i
274 if [ -n "${prefix}" ]; then
# Build a global address as <prefix>:<interface id>, reusing the interface
# id of the link-local (typically the EUI-64 derived from the MAC).  The
# global address therefore exposes the same hardware identifier; no
# privacy (temporary) addresses are generated here.
277 laddr=`network6_getladdr $i`
278 hostid=`expr "${laddr}" : 'fe80::\(.*\)%\(.*\)'`
279 for j in ${prefix}; do
# (the backslash before the colon is a harmless no-op)
280 address=$j\:${hostid}
281 ifconfig $i inet6 ${address} prefixlen 64 alias
283 case ${ipv6_gateway_enable} in
285 # subnet-router anycast address
# Routers additionally answer on <prefix>:: (subnet-router anycast).
287 ifconfig $i inet6 $j:: prefixlen 64 \
# Explicit per-interface address; deliberately unquoted so the rc.conf
# value may carry extra ifconfig options after the address.
293 eval ipv6_ifconfig=\$ipv6_ifconfig_$i
294 if [ -n "${ipv6_ifconfig}" ]; then
297 ifconfig $i inet6 ${ipv6_ifconfig} alias
# NOTE(review): both tests below leave ${rtsol_available}/${rtsol_interface}
# unquoted, so an empty value turns into a malformed test expression (and
# -a is obsolescent in POSIX).  `[ "$a" = yes ] && [ "$b" = yes ]` is the
# robust form.  The variables appear to be set by lines not shown here.
300 if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ]
# Loopback, tunnel and serial pseudo-interfaces never get solicited.
303 lo0|gif[0-9]*|stf[0-9]*|faith[0-9]*|lp[0-9]*|sl[0-9]*|tun[0-9]*)
306 rtsol_interfaces="${rtsol_interfaces} ${i}"
314 if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then
315 # Act as endhost - automatically configured.
316 # You can configure only single interface, as
317 # specification assumes that autoconfigured host has
318 # single interface only.
# Accepting RAs means this host takes its default route and prefixes from
# whatever advertises on those links, and any node on a link can send an
# RA: enable only where the routers are trusted.
319 sysctl net.inet6.ip6.accept_rtadv=1
# Load the list into the positional parameters; the following lines (not
# shown) presumably use just $1, per the single-interface comment above.
320 set ${rtsol_interfaces}
325 for i in $interfaces; do
# Walk ipv6_ifconfig_<if>_alias<N> for increasing N; the -z test presumably
# stops at the first one that is unset (its body is not shown).
328 eval ipv6_ifconfig=\$ipv6_ifconfig_${i}_alias${alias}
329 if [ -z "${ipv6_ifconfig}" ]; then
332 ifconfig $i inet6 ${ipv6_ifconfig} alias
333 alias=$((${alias} + 1))
# network6_stf_setup
#   Configure the 6to4 (stf0) interface from stf_interface_ipv4addr: the
#   address is 2002:<IPv4 as hex>:<slaid>:<ifid> with prefix length
#   16 + stf_interface_ipv4plen.  Nothing happens unless
#   stf_interface_ipv4addr is set (the case patterns are not in this
#   excerpt, nor are the closing esac/done lines).
338 network6_stf_setup() {
339 case ${stf_interface_ipv4addr} in
343 # assign IPv6 addr and interface route for 6to4 interface
344 stf_prefixlen=$((16+${stf_interface_ipv4plen:-0}))
# Split the dotted quad into $1..$4 (the IFS change that makes `set` split
# on "." is not shown here).  No validation: anything other than four
# numeric octets makes the arithmetic below fail or yield a wrong prefix.
347 set ${stf_interface_ipv4addr}
349 ipv4_in_hexformat=`printf "%x:%x\n" \
350 $(($1*256 + $2)) $(($3*256 + $4))`
351 case ${stf_interface_ipv6_ifid} in
# Interface id "AUTO" or unset: reuse the interface id of a link-local
# found on the real interfaces (the selection lines are not shown), so the
# 6to4 address carries the same, typically MAC-derived, id as the native
# addresses.
352 [Aa][Uu][Tt][Oo] | '')
353 for i in ${ipv6_network_interfaces}; do
354 laddr=`network6_getladdr ${i}`
363 stf_interface_ipv6_ifid=`expr "${laddr}" : \
364 'fe80::\(.*\)%\(.*\)'`
365 case ${stf_interface_ipv6_ifid} in
# Fallback when no link-local could be used.
367 stf_interface_ipv6_ifid=0:0:0:1
372 ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \
373 prefixlen ${stf_prefixlen}
374 # disallow packets to malicious 6to4 prefix
# A 6to4 destination embeds the IPv4 address stf0 will encapsulate to.
# Reject the prefixes whose embedded IPv4 address must never be a tunnel
# endpoint, so a crafted destination cannot make this host emit IPv4 to:
#   2002:e000::/20 -> 224.0.0.0/4   (multicast)
#   2002:7f00::/24 -> 127.0.0.0/8   (loopback)
#   2002:0000::/24 -> 0.0.0.0/8
#   2002:ff00::/24 -> 255.0.0.0/8   (broadcast)
# RFC 1918 space (2002:0a00::/24, 2002:ac10::/28, 2002:c0a8::/32) is not
# in this list; consider adding it unless the IPv4 side is itself private.
375 route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
376 route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
377 route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
378 route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
# network6_static_routes_setup
#   Install ipv6_defaultrouter (as the route named "default") and every
#   route named in ipv6_static_routes, each described by an rc.conf
#   variable ipv6_route_<name> holding the route(8) arguments.  The case
#   patterns and closing esac/done lines are not part of this excerpt.
383 network6_static_routes_setup() {
384 # Set up any static routes.
385 case ${ipv6_defaultrouter} in
# Prepend "default" so the loop below installs it first.
389 ipv6_static_routes="default ${ipv6_static_routes}"
390 ipv6_route_default="default ${ipv6_defaultrouter}"
393 case ${ipv6_static_routes} in
397 for i in ${ipv6_static_routes}; do
# Indirect lookup via eval: the route name becomes part of a variable name
# and the looked-up value is word-split straight into route(8), so both
# must come from rc.conf only.  There is no error check; a failed add is
# only visible through route(8)'s own message.
398 eval ipv6_route_args=\$ipv6_route_${i}
399 route add -inet6 ${ipv6_route_args}
# network6_faith_setup
#   Enable the faith(4) IPv6-to-IPv4 TCP relay: turn on keepfaith, create
#   faith0, and for every PREFIX/LEN in ipv6_faith_prefix route the prefix
#   to it (the `route change` arguments continue on a line not shown).
#   Nothing happens unless ipv6_faith_prefix is set (case patterns and
#   closing esac/done lines are not part of this excerpt).
405 network6_faith_setup() {
406 case ${ipv6_faith_prefix} in
# With keepfaith=1 the kernel hands packets for these prefixes to faith0,
# where a relay daemon (such as faithd(8)) turns them into IPv4
# connections.  That daemon is what decides who may relay through this
# host; make sure it restricts its clients, or this becomes an open
# IPv6-to-IPv4 relay.
410 sysctl net.inet6.ip6.keepfaith=1
411 ifconfig faith0 create >/dev/null 2>&1
413 for prefix in ${ipv6_faith_prefix}; do
# Split "PREFIX/LEN".  The length is interpolated back into the second
# expr pattern, so the rc.conf value must be a plain number.  The lines
# between the two expr calls are not part of this excerpt.
414 prefixlen=`expr "${prefix}" : ".*/\(.*\)"`
420 prefix=`expr "${prefix}" : \
421 "\(.*\)/${prefixlen}"`
# Install the route, then change it -- presumably to point at the faith
# interface (continuation not shown).
424 route add -inet6 ${prefix} -prefixlen ${prefixlen} ::1
425 route change -inet6 ${prefix} -prefixlen ${prefixlen} \
# network6_default_interface_setup
#   Pick ipv6_default_interface when rc.conf leaves it unset (an interface
#   with a usable link-local), then decide what happens to packets sent to
#   link-local unicast/multicast destinations that carry no scope id.
#   Case patterns and closing esac/fi/done lines are not part of this
#   excerpt.
432 network6_default_interface_setup() {
433 # Choose IPv6 default interface if it is not clearly specified.
434 case ${ipv6_default_interface} in
436 for i in ${ipv6_network_interfaces}; do
# An interface whose link-local has passed DAD is chosen (the test on
# ${laddr} sits on lines not shown).
442 laddr=`network6_getladdr $i exclude_tentative`
447 ipv6_default_interface=$i
455 # Disallow unicast packets without outgoing scope identifiers,
456 # or route such packets to a "default" interface, if it is specified.
# fe80::/10 without a %scope is ambiguous (every link has one), so refuse
# it outright rather than let the kernel guess an interface.
457 route add -inet6 fe80:: -prefixlen 10 ::1 -reject
458 case ${ipv6_default_interface} in
# No default interface: unscoped link-local multicast is refused as well.
460 route add -inet6 ff02:: -prefixlen 16 ::1 -reject
# Otherwise steer unscoped ff02::/16 out of the default interface (the
# continuation of this route command is not shown).
463 laddr=`network6_getladdr ${ipv6_default_interface}`
464 route add -inet6 ff02:: ${laddr} -prefixlen 16 -interface \
467 # Disable installing the default interface with the
468 # case net.inet6.ip6.forwarding=0 and
469 # net.inet6.ip6.accept_rtadv=0, to avoid a conflict
470 # between the default router list and the manual
471 # configured default route.
472 case ${ipv6_gateway_enable} in
# NOTE(review): the command substitution is unquoted; if sysctl printed
# nothing the test would read `[ -eq 1 ]` and error out.
476 if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ]
# ndp -I makes the kernel use this interface for link-local traffic that
# carries no scope id; on a host this is only done when RAs are accepted,
# per the comment above.
478 ndp -I ${ipv6_default_interface}
486 network6_getladdr() {
487 ifconfig $1 2>/dev/null | while read proto addr rest; do