network.subr revision 65532
1#!/bin/sh - 2# 3# $FreeBSD: head/etc/network.subr 65532 2000-09-06 18:16:48Z nectar $ 4# From: @(#)netstart 5.9 (Berkeley) 3/30/91 5 6# Note that almost all of the user-configurable behavior is no longer in 7# this file, but rather in /etc/defaults/rc.conf. Please check that file 8# first before contemplating any changes here. If you do need to change 9# this file for some reason, we would like to know about it. 10 11# First pass startup stuff. 12# 13network_pass1() { 14 echo -n 'Doing initial network setup:' 15 16 # Convert host.conf to nsswitch.conf if necessary 17 if [ -f "/etc/host.conf" ]; then 18 echo "" 19 echo "Warning: /etc/host.conf is no longer used" 20 if [ -f "/etc/nsswitch.conf" ]; then 21 echo " /etc/nsswitch.conf will be used instead" 22 else 23 echo " /etc/nsswitch.conf will be created for you" 24 convert_host_conf /etc/host.conf /etc/nsswitch.conf 25 fi 26 fi 27 28 # Set the host name if it is not already set 29 # 30 if [ -z "`hostname -s`" ]; then 31 hostname ${hostname} 32 echo -n ' hostname' 33 fi 34 35 # Set the domainname if we're using NIS 36 # 37 case ${nisdomainname} in 38 [Nn][Oo] | '') 39 ;; 40 *) 41 domainname ${nisdomainname} 42 echo -n ' domain' 43 ;; 44 esac 45 46 echo '.' 47 48 # Initial ATM interface configuration 49 # 50 case ${atm_enable} in 51 [Yy][Ee][Ss]) 52 if [ -r /etc/rc.atm ]; then 53 . /etc/rc.atm 54 atm_pass1 55 fi 56 ;; 57 esac 58 59 # Special options for sppp(4) interfaces go here. These need 60 # to go _before_ the general ifconfig section, since in the case 61 # of hardwired (no link1 flag) but required authentication, you 62 # cannot pass auth parameters down to the already running interface. 63 # 64 for ifn in ${sppp_interfaces}; do 65 eval spppcontrol_args=\$spppconfig_${ifn} 66 if [ -n "${spppcontrol_args}" ]; then 67 # The auth secrets might contain spaces; in order 68 # to retain the quotation, we need to eval them 69 # here. 70 eval spppcontrol ${ifn} ${spppcontrol_args} 71 fi 72 done 73 74 # Set up all the network interfaces, calling startup scripts if needed 75 # 76 case ${network_interfaces} in 77 [Aa][Uu][Tt][Oo]) 78 network_interfaces="`ifconfig -l`" 79 ;; 80 esac 81 82 dhcp_interfaces="" 83 for ifn in ${network_interfaces}; do 84 if [ -r /etc/start_if.${ifn} ]; then 85 . /etc/start_if.${ifn} 86 eval showstat_$ifn=1 87 fi 88 89 # Do the primary ifconfig if specified 90 # 91 eval ifconfig_args=\$ifconfig_${ifn} 92 93 case ${ifconfig_args} in 94 '') 95 ;; 96 [Dd][Hh][Cc][Pp]) 97 # DHCP inits are done all in one go below 98 dhcp_interfaces="$dhcp_interfaces $ifn" 99 eval showstat_$ifn=1 100 ;; 101 *) 102 ifconfig ${ifn} ${ifconfig_args} 103 eval showstat_$ifn=1 104 ;; 105 esac 106 done 107 108 if [ ! -z "${dhcp_interfaces}" ]; then 109 ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} 110 fi 111 112 for ifn in ${network_interfaces}; do 113 # Check to see if aliases need to be added 114 # 115 alias=0 116 while : ; do 117 eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} 118 if [ -n "${ifconfig_args}" ]; then 119 ifconfig ${ifn} ${ifconfig_args} alias 120 eval showstat_$ifn=1 121 alias=`expr ${alias} + 1` 122 else 123 break; 124 fi 125 done 126 127 # Do ipx address if specified 128 # 129 eval ifconfig_args=\$ifconfig_${ifn}_ipx 130 if [ -n "${ifconfig_args}" ]; then 131 ifconfig ${ifn} ${ifconfig_args} 132 eval showstat_$ifn=1 133 fi 134 done 135 136 for ifn in ${network_interfaces}; do 137 eval showstat=\$showstat_${ifn} 138 if [ ! -z ${showstat} ]; then 139 ifconfig ${ifn} 140 fi 141 done 142 143 # ISDN subsystem startup 144 # 145 case ${isdn_enable} in 146 [Yy][Ee][Ss]) 147 if [ -r /etc/rc.isdn ]; then 148 . /etc/rc.isdn 149 fi 150 ;; 151 esac 152 153 # Start user ppp if required. This must happen before natd. 154 # 155 case ${ppp_enable} in 156 [Yy][Ee][Ss]) 157 # Establish ppp mode. 158 # 159 if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ 160 -a "${ppp_mode}" != "dedicated" \ 161 -a "${ppp_mode}" != "background" ]; then 162 ppp_mode="auto" 163 fi 164 165 ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" 166 167 # Switch on NAT mode? 168 # 169 case ${ppp_nat} in 170 [Yy][Ee][Ss]) 171 ppp_command="${ppp_command} -nat" 172 ;; 173 esac 174 175 ppp_command="${ppp_command} ${ppp_profile}" 176 177 echo -n "Starting ppp as \"${ppp_user}\"" 178 su ${ppp_user} -c "exec ${ppp_command}" 179 ;; 180 esac 181 182 # Initialize IP filtering using ipfw 183 # 184 if /sbin/ipfw -q flush > /dev/null 2>&1; then 185 firewall_in_kernel=1 186 else 187 firewall_in_kernel=0 188 fi 189 190 case ${firewall_enable} in 191 [Yy][Ee][Ss]) 192 if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then 193 firewall_in_kernel=1 194 echo "Kernel firewall module loaded." 195 elif [ "${firewall_in_kernel}" -eq 0 ]; then 196 echo "Warning: firewall kernel module failed to load." 197 fi 198 ;; 199 esac 200 201 # Load the filters if required 202 # 203 case ${firewall_in_kernel} in 204 1) 205 if [ -z "${firewall_script}" ]; then 206 firewall_script=/etc/rc.firewall 207 fi 208 209 case ${firewall_enable} in 210 [Yy][Ee][Ss]) 211 if [ -r "${firewall_script}" ]; then 212 . "${firewall_script}" 213 echo -n 'Firewall rules loaded, starting divert daemons:' 214 215 # Network Address Translation daemon 216 # 217 case ${natd_enable} in 218 [Yy][Ee][Ss]) 219 if [ -n "${natd_interface}" ]; then 220 if echo ${natd_interface} | \ 221 grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then 222 natd_ifarg="-a ${natd_interface}" 223 else 224 natd_ifarg="-n ${natd_interface}" 225 fi 226 227 echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} 228 fi 229 ;; 230 esac 231 232 echo '.' 233 234 elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then 235 echo -n "Warning: kernel has firewall functionality, " 236 echo "but firewall rules are not enabled." 237 echo " All ip services are disabled." 238 fi 239 240 case ${firewall_logging} in 241 [Yy][Ee][Ss] | '') 242 echo 'Firewall logging=YES' 243 sysctl -w net.inet.ip.fw.verbose=1 >/dev/null 244 ;; 245 *) 246 ;; 247 esac 248 249 ;; 250 esac 251 ;; 252 esac 253 254 # Additional ATM interface configuration 255 # 256 if [ -n "${atm_pass1_done}" ]; then 257 atm_pass2 258 fi 259 260 # Configure routing 261 # 262 case ${defaultrouter} in 263 [Nn][Oo] | '') 264 ;; 265 *) 266 static_routes="default ${static_routes}" 267 route_default="default ${defaultrouter}" 268 ;; 269 esac 270 271 # Set up any static routes. This should be done before router discovery. 272 # 273 if [ -n "${static_routes}" ]; then 274 for i in ${static_routes}; do 275 eval route_args=\$route_${i} 276 route add ${route_args} 277 done 278 fi 279 280 echo -n 'Additional routing options:' 281 case ${tcp_extensions} in 282 [Yy][Ee][Ss] | '') 283 ;; 284 *) 285 echo -n ' tcp extensions=NO' 286 sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 287 ;; 288 esac 289 290 case ${icmp_bmcastecho} in 291 [Yy][Ee][Ss]) 292 echo -n ' broadcast ping responses=YES' 293 sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null 294 ;; 295 esac 296 297 case ${icmp_drop_redirect} in 298 [Yy][Ee][Ss]) 299 echo -n ' ignore ICMP redirect=YES' 300 sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null 301 ;; 302 esac 303 304 case ${icmp_log_redirect} in 305 [Yy][Ee][Ss]) 306 echo -n ' log ICMP redirect=YES' 307 sysctl -w net.inet.icmp.log_redirect=1 >/dev/null 308 ;; 309 esac 310 311 case ${gateway_enable} in 312 [Yy][Ee][Ss]) 313 echo -n ' IP gateway=YES' 314 sysctl -w net.inet.ip.forwarding=1 >/dev/null 315 ;; 316 esac 317 318 case ${forward_sourceroute} in 319 [Yy][Ee][Ss]) 320 echo -n ' do source routing=YES' 321 sysctl -w net.inet.ip.sourceroute=1 >/dev/null 322 ;; 323 esac 324 325 case ${accept_sourceroute} in 326 [Yy][Ee][Ss]) 327 echo -n ' accept source routing=YES' 328 sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null 329 ;; 330 esac 331 332 case ${tcp_keepalive} in 333 [Yy][Ee][Ss]) 334 echo -n ' TCP keepalive=YES' 335 sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null 336 ;; 337 esac 338 339 case ${tcp_restrict_rst} in 340 [Yy][Ee][Ss]) 341 echo -n ' restrict TCP reset=YES' 342 sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null 343 ;; 344 esac 345 346 case ${tcp_drop_synfin} in 347 [Yy][Ee][Ss]) 348 echo -n ' drop SYN+FIN packets=YES' 349 sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null 350 ;; 351 esac 352 353 case ${ipxgateway_enable} in 354 [Yy][Ee][Ss]) 355 echo -n ' IPX gateway=YES' 356 sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 357 ;; 358 esac 359 360 case ${arpproxy_all} in 361 [Yy][Ee][Ss]) 362 echo -n ' ARP proxyall=YES' 363 sysctl -w net.link.ether.inet.proxyall=1 >/dev/null 364 ;; 365 esac 366 367 case ${ip_portrange_first} in 368 [Nn][Oo] | '') 369 ;; 370 *) 371 echo -n ' ip_portrange_first=$ip_portrange_first' 372 sysctl -w net.inet.ip.portrange.first=$ip_portrange_first >/dev/null 373 ;; 374 esac 375 376 case ${ip_portrange_last} in 377 [Nn][Oo] | '') 378 ;; 379 *) 380 echo -n ' ip_portrange_last=$ip_portrange_last' 381 sysctl -w net.inet.ip.portrange.last=$ip_portrange_last >/dev/null 382 ;; 383 esac 384 385 echo '.' 386 387 case ${ipsec_enable} in 388 [Yy][Ee][Ss]) 389 if [ -f ${ipsec_file} ]; then 390 echo ' ipsec: enabled' 391 setkey -f ${ipsec_file} 392 else 393 echo ' ipsec: file not found' 394 fi 395 ;; 396 esac 397 398 echo -n 'routing daemons:' 399 case ${router_enable} in 400 [Yy][Ee][Ss]) 401 echo -n " ${router}"; ${router} ${router_flags} 402 ;; 403 esac 404 405 case ${ipxrouted_enable} in 406 [Yy][Ee][Ss]) 407 echo -n ' IPXrouted' 408 IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 409 ;; 410 esac 411 412 case ${mrouted_enable} in 413 [Yy][Ee][Ss]) 414 echo -n ' mrouted'; mrouted ${mrouted_flags} 415 ;; 416 esac 417 418 case ${rarpd_enable} in 419 [Yy][Ee][Ss]) 420 echo -n ' rarpd'; rarpd ${rarpd_flags} 421 ;; 422 esac 423 echo '.' 424 425 # Let future generations know we made it. 426 # 427 network_pass1_done=YES 428} 429 430network_pass2() { 431 echo -n 'Doing additional network setup:' 432 case ${named_enable} in 433 [Yy][Ee][Ss]) 434 echo -n ' named'; ${named_program:-named} ${named_flags} 435 ;; 436 esac 437 438 case ${ntpdate_enable} in 439 [Yy][Ee][Ss]) 440 echo -n ' ntpdate' 441 ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 442 ;; 443 esac 444 445 case ${xntpd_enable} in 446 [Yy][Ee][Ss]) 447 echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} 448 ;; 449 esac 450 451 case ${timed_enable} in 452 [Yy][Ee][Ss]) 453 echo -n ' timed'; timed ${timed_flags} 454 ;; 455 esac 456 457 case ${portmap_enable} in 458 [Yy][Ee][Ss]) 459 echo -n ' portmap'; ${portmap_program:-/usr/sbin/portmap} ${portmap_flags} 460 ;; 461 esac 462 463 # Start ypserv if we're an NIS server. 464 # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. 465 # 466 case ${nis_server_enable} in 467 [Yy][Ee][Ss]) 468 echo -n ' ypserv'; ypserv ${nis_server_flags} 469 470 case ${nis_ypxfrd_enable} in 471 [Yy][Ee][Ss]) 472 echo -n ' rpc.ypxfrd' 473 rpc.ypxfrd ${nis_ypxfrd_flags} 474 ;; 475 esac 476 477 case ${nis_yppasswdd_enable} in 478 [Yy][Ee][Ss]) 479 echo -n ' rpc.yppasswdd' 480 rpc.yppasswdd ${nis_yppasswdd_flags} 481 ;; 482 esac 483 ;; 484 esac 485 486 # Start ypbind if we're an NIS client 487 # 488 case ${nis_client_enable} in 489 [Yy][Ee][Ss]) 490 echo -n ' ypbind'; ypbind ${nis_client_flags} 491 case ${nis_ypset_enable} in 492 [Yy][Ee][Ss]) 493 echo -n ' ypset'; ypset ${nis_ypset_flags} 494 ;; 495 esac 496 ;; 497 esac 498 499 # Start keyserv if we are running Secure RPC 500 # 501 case ${keyserv_enable} in 502 [Yy][Ee][Ss]) 503 echo -n ' keyserv'; keyserv ${keyserv_flags} 504 ;; 505 esac 506 507 # Start ypupdated if we are running Secure RPC and we are NIS master 508 # 509 case ${rpc_ypupdated_enable} in 510 [Yy][Ee][Ss]) 511 echo -n ' rpc.ypupdated'; rpc.ypupdated 512 ;; 513 esac 514 515 # Start ATM daemons 516 if [ -n "${atm_pass2_done}" ]; then 517 atm_pass3 518 fi 519 520 echo '.' 521 network_pass2_done=YES 522} 523 524network_pass3() { 525 echo -n 'Starting final network daemons:' 526 527 case ${nfs_server_enable} in 528 [Yy][Ee][Ss]) 529 if [ -r /etc/exports ]; then 530 echo -n ' mountd' 531 532 case ${weak_mountd_authentication} in 533 [Yy][Ee][Ss]) 534 mountd_flags="${mountd_flags} -n" 535 ;; 536 esac 537 538 mountd ${mountd_flags} 539 540 case ${nfs_reserved_port_only} in 541 [Yy][Ee][Ss]) 542 echo -n ' NFS on reserved port only=YES' 543 sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 544 ;; 545 esac 546 547 echo -n ' nfsd'; nfsd ${nfs_server_flags} 548 549 if [ -n "${nfs_bufpackets}" ]; then 550 sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} \ 551 > /dev/null 552 fi 553 554 case ${rpc_lockd_enable} in 555 [Yy][Ee][Ss]) 556 echo -n ' rpc.lockd'; rpc.lockd 557 ;; 558 esac 559 560 case ${rpc_statd_enable} in 561 [Yy][Ee][Ss]) 562 echo -n ' rpc.statd'; rpc.statd 563 ;; 564 esac 565 fi 566 ;; 567 *) 568 case ${single_mountd_enable} in 569 [Yy][Ee][Ss]) 570 if [ -r /etc/exports ]; then 571 echo -n ' mountd' 572 573 case ${weak_mountd_authentication} in 574 [Yy][Ee][Ss]) 575 mountd_flags="-n" 576 ;; 577 esac 578 579 mountd ${mountd_flags} 580 fi 581 ;; 582 esac 583 ;; 584 esac 585 586 case ${nfs_client_enable} in 587 [Yy][Ee][Ss]) 588 echo -n ' nfsiod'; nfsiod ${nfs_client_flags} 589 if [ -n "${nfs_access_cache}" ]; then 590 echo -n " NFS access cache time=${nfs_access_cache}" 591 sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} \ 592 >/dev/null 593 fi 594 ;; 595 esac 596 597 # If /var/db/mounttab exists, some nfs-server has not been 598 # sucessfully notified about a previous client shutdown. 599 # If there is no /var/db/mounttab, we do nothing. 600 if [ -f /var/db/mounttab ]; then 601 rpc.umntall -k 602 fi 603 604 case ${amd_enable} in 605 [Yy][Ee][Ss]) 606 echo -n ' amd' 607 case ${amd_map_program} in 608 [Nn][Oo] | '') 609 ;; 610 *) 611 amd_flags="${amd_flags} `eval ${amd_map_program}`" 612 ;; 613 esac 614 615 if [ -n "${amd_flags}" ]; then 616 amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null 617 else 618 amd 2> /dev/null 619 fi 620 ;; 621 esac 622 623 case ${rwhod_enable} in 624 [Yy][Ee][Ss]) 625 echo -n ' rwhod'; rwhod ${rwhod_flags} 626 ;; 627 esac 628 629 # Kerberos runs ONLY on the Kerberos server machine 630 case ${kerberos_server_enable} in 631 [Yy][Ee][Ss]) 632 case ${kerberos_stash} in 633 [Yy][Ee][Ss]) 634 stash_flag=-n 635 ;; 636 *) 637 stash_flag= 638 ;; 639 esac 640 641 echo -n ' kerberos' 642 kerberos ${stash_flag} >> /var/log/kerberos.log & 643 644 case ${kadmind_server_enable} in 645 [Yy][Ee][Ss]) 646 echo -n ' kadmind' 647 (sleep 20; kadmind ${stash_flag} >/dev/null 2>&1 &) & 648 ;; 649 esac 650 unset stash_flag 651 ;; 652 esac 653 654 case ${pppoed_enable} in 655 [Yy][Ee][Ss]) 656 if [ -n "${pppoed_provider}" ]; then 657 pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" 658 fi 659 echo -n ' pppoed'; 660 /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} 661 ;; 662 esac 663 664 case ${sshd_enable} in 665 [Yy][Ee][Ss]) 666 if [ ! -f /etc/ssh/ssh_host_key ]; then 667 echo ' creating ssh RSA host key'; 668 /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key 669 fi 670 if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then 671 echo ' creating ssh DSA host key'; 672 /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key 673 fi 674 ;; 675 esac 676 677 echo '.' 678 network_pass3_done=YES 679} 680 681network_pass4() { 682 echo -n 'Additional TCP options:' 683 case ${log_in_vain} in 684 [Nn][Oo] | '') 685 ;; 686 *) 687 echo -n ' log_in_vain=YES' 688 sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null 689 sysctl -w net.inet.udp.log_in_vain=1 >/dev/null 690 ;; 691 esac 692 693 echo '.' 694 network_pass4_done=YES 695} 696 697convert_host_conf() { 698 host_conf=$1; shift; 699 nsswitch_conf=$1; shift; 700 awk ' \ 701 /^[:blank:]*#/ { next } \ 702 /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ 703 /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ 704 /nis/ { nsswitch[c] = "nis"; c++; next } \ 705 { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ 706 END { \ 707 printf "hosts: "; \ 708 for (i in nsswitch) printf "%s ", nsswitch[i]; \ 709 printf "\n"; \ 710 }' < $host_conf > $nsswitch_conf 711} 712 713