1#!/bin/sh -
2#
3# $FreeBSD: head/etc/network.subr 65532 2000-09-06 18:16:48Z nectar $
4#	From: @(#)netstart	5.9 (Berkeley) 3/30/91
5
6# Note that almost all of the user-configurable behavior is no longer in
7# this file, but rather in /etc/defaults/rc.conf.  Please check that file
8# first before contemplating any changes here.  If you do need to change
9# this file for some reason, we would like to know about it.
10
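# First pass startup stuff.
#
# Sets the host and NIS domain names, configures the network interfaces
# (plain ifconfig, DHCP, aliases, IPX), loads ipfw and its rule set,
# starts ppp/natd, installs the static routes, applies the IP stack
# sysctl knobs, loads the IPsec policy and finally starts the routing
# daemons.
#
# Everything is driven by variables from /etc/defaults/rc.conf and
# /etc/rc.conf.  Those files are root-owned and several of their values
# are eval'ed, sourced or handed to su below, i.e. they are executed as
# trusted root input -- never point *_program, *_script, start_if.* or
# spppconfig_* at anything a non-root user can write.
#
# Section order is significant (see the sppp, ppp/natd and static route
# comments); do not reorder sections casually.
#
# Globals written: network_interfaces, dhcp_interfaces, showstat_<ifn>,
#	firewall_in_kernel, firewall_script, natd_ifarg, ppp_mode,
#	ppp_command, static_routes, route_default, network_pass1_done.
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Convert host.conf to nsswitch.conf if necessary.  Warn loudly so
	# the administrator notices that lookup order now comes from
	# /etc/nsswitch.conf, not from the old file.
	if [ -f "/etc/host.conf" ]; then
		echo ""
		echo "Warning: /etc/host.conf is no longer used"
		if [ -f "/etc/nsswitch.conf" ]; then
		    echo "  /etc/nsswitch.conf will be used instead"
		else
		    echo "  /etc/nsswitch.conf will be created for you"
		    convert_host_conf /etc/host.conf /etc/nsswitch.conf
		fi
	fi

	# Set the host name if it is not already set.  Only do so when
	# ${hostname} is non-empty: a bare "hostname" call would merely
	# print the current name rather than set one.
	#
	if [ -z "$(hostname -s)" ] && [ -n "${hostname}" ]; then
		hostname "${hostname}"
		echo -n ' hostname'
	fi

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname "${nisdomainname}"
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.  That makes spppconfig_<ifn> shell code
			# executed as root (acceptable only because rc.conf
			# is root-owned), and the secrets end up on the
			# spppcontrol command line where ps(1) may show them.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="$(ifconfig -l)"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		# /etc/start_if.<ifn> is sourced, not executed: it runs with
		# this script's privileges and may change its variables.
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified.  ${ifconfig_args} is
		# deliberately left unquoted: it is a list of ifconfig words.
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	# A single dhclient instance handles every DHCP interface.
	if [ -n "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added.  ifconfig_<ifn>_alias0,
		# _alias1, ... are applied in order until the first unset one.
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -z "${ifconfig_args}" ]; then
				break
			fi
			ifconfig ${ifn} ${ifconfig_args} alias
			eval showstat_$ifn=1
			alias=$((alias + 1))
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	# Show the resulting state of every interface we touched.
	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		if [ -n "${showstat}" ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode; anything other than the four known
		# modes (including an empty value) falls back to "auto".
		#
		case ${ppp_mode} in
		ddial | direct | dedicated | background)
			;;
		*)
			ppp_mode="auto"
			;;
		esac

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		# ppp runs via "su -c", so ${ppp_command} is re-parsed by the
		# target user's shell.  su(1) with no user name means root;
		# make that fallback explicit instead of relying on an empty
		# ${ppp_user} expanding to nothing.
		echo -n "Starting ppp as \"${ppp_user:-root}\""
		su "${ppp_user:-root}" -c "exec ${ppp_command}"
		;;
	esac

	# Initialize IP filtering using ipfw.  The probe is not side-effect
	# free: when ipfw is in the kernel this flushes whatever rule set is
	# currently loaded, which is the desired clean slate at boot.
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	# Load the module on demand.  A freshly loaded module starts with
	# only its default rule (typically deny), so until the rule script
	# below runs the host may not be reachable.
	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo "Kernel firewall module loaded."
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo "Warning: firewall kernel module failed to load."
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				# The rule script is sourced: it runs with full
				# privileges and may set variables used below.
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon.  Started only
				# after the rules are in, since the divert rule it
				# relies on is expected to come from the script.
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						# A dotted quad selects an address (-a);
						# anything else is taken as an interface
						# name (-n).
						if echo "${natd_interface}" | \
							grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
							natd_ifarg="-a ${natd_interface}"
						else
							natd_ifarg="-n ${natd_interface}"
						fi

						echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
					fi
					;;
				esac

				echo '.'

			elif [ "$(ipfw l 65535)" = "65535 deny ip from any to any" ]; then
				# firewall_enable=YES but no readable rule script
				# and a default-deny rule 65535: the box is cut off
				# from the network.  Say so rather than fail quietly.
				echo -n "Warning: kernel has firewall functionality, "
				echo "but firewall rules are not enabled."
				echo "		 All ip services are disabled."
			fi

			# Logging defaults to on; net.inet.ip.fw.verbose makes
			# rules that ask for logging actually log.
			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	# Every name in ${static_routes} needs a matching route_<name>
	# variable; an empty one would give route(8) nothing to add, so
	# warn and skip it instead.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			if [ -n "${route_args}" ]; then
				route add ${route_args}
			else
				echo "Warning: static route '${i}' has no route_${i} setting"
			fi
		done
	fi

	# IP stack knobs.  Note that each option below is only ever turned
	# ON when its variable says YES; a NO (or unset) value leaves the
	# kernel's compiled-in default alone rather than explicitly
	# disabling the feature.  tcp_extensions is the one exception and
	# is switched off on NO.
	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl -w net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl -w net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	# Source routing (both forwarding and accepting) is off unless
	# explicitly requested; enabling it lets remote hosts steer
	# packets through this machine.
	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl -w net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Yy][Ee][Ss])
		echo -n ' TCP keepalive=YES'
		sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
		;;
	esac

	case ${tcp_restrict_rst} in
	[Yy][Ee][Ss])
		echo -n ' restrict TCP reset=YES'
		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	# Ephemeral port range.  Double quotes here so the configured
	# value is actually shown (the old single-quoted message printed
	# the literal variable name).
	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=${ip_portrange_first}"
		sysctl -w net.inet.ip.portrange.first="${ip_portrange_first}" >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=${ip_portrange_last}"
		sysctl -w net.inet.ip.portrange.last="${ip_portrange_last}" >/dev/null
		;;
	esac

	echo '.'

	# Load the IPsec policy/SA configuration with setkey(8).  Check the
	# variable is set before testing the file: an unquoted, empty
	# ${ipsec_file} turns "[ -f ]" into a true one-argument test and
	# setkey would then be run with no file at all.  The file may hold
	# manual SA keys, so it should be readable by root only.
	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		if [ -n "${ipsec_file}" ] && [ -f "${ipsec_file}" ]; then
		    echo ' ipsec: enabled'
		    setkey -f "${ipsec_file}"
		else
		    echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}";	${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted';	mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd';	rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}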
429
# Second pass: start the name service, time, RPC and NIS daemons.
#
# Each daemon is guarded by its <name>_enable knob from rc.conf and is
# started with its <name>_flags; where a <name>_program variable exists
# it selects the binary.  Sets network_pass2_done=YES on completion.
network_pass2() {
	echo -n 'Doing additional network setup:'

	# Name server.
	case ${named_enable} in [Yy][Ee][Ss])
		echo -n ' named'
		${named_program:-named} ${named_flags}
	esac

	# One-shot clock step; its output is deliberately discarded.
	case ${ntpdate_enable} in [Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
	esac

	# Continuous time keeping (the variables keep the old xntpd name).
	case ${xntpd_enable} in [Yy][Ee][Ss])
		echo -n ' ntpd'
		${xntpd_program:-ntpd} ${xntpd_flags}
	esac

	case ${timed_enable} in [Yy][Ee][Ss])
		echo -n ' timed'
		timed ${timed_flags}
	esac

	# RPC port mapper, started ahead of the RPC based services below.
	case ${portmap_enable} in [Yy][Ee][Ss])
		echo -n ' portmap'
		${portmap_program:-/usr/sbin/portmap} ${portmap_flags}
	esac

	# NIS server side.  rpc.ypxfrd and rpc.yppasswdd belong on the NIS
	# master only and each has its own knob.
	case ${nis_server_enable} in [Yy][Ee][Ss])
		echo -n ' ypserv'
		ypserv ${nis_server_flags}

		case ${nis_ypxfrd_enable} in [Yy][Ee][Ss])
			echo -n ' rpc.ypxfrd'
			rpc.ypxfrd ${nis_ypxfrd_flags}
		esac

		case ${nis_yppasswdd_enable} in [Yy][Ee][Ss])
			echo -n ' rpc.yppasswdd'
			rpc.yppasswdd ${nis_yppasswdd_flags}
		esac
	esac

	# NIS client side; ypset optionally pins the server to bind to.
	case ${nis_client_enable} in [Yy][Ee][Ss])
		echo -n ' ypbind'
		ypbind ${nis_client_flags}

		case ${nis_ypset_enable} in [Yy][Ee][Ss])
			echo -n ' ypset'
			ypset ${nis_ypset_flags}
		esac
	esac

	# Secure RPC key server.
	case ${keyserv_enable} in [Yy][Ee][Ss])
		echo -n ' keyserv'
		keyserv ${keyserv_flags}
	esac

	# Secure RPC on the NIS master; rpc.ypupdated takes no flags here.
	case ${rpc_ypupdated_enable} in [Yy][Ee][Ss])
		echo -n ' rpc.ypupdated'
		rpc.ypupdated
	esac

	# ATM daemons, only if the earlier ATM passes ran.
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}
523
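# Third pass: NFS server/client, amd, rwhod, Kerberos, pppoed and the
# sshd host keys.
#
# Security notes on the knobs used here:
#   weak_mountd_authentication=YES passes -n to mountd, i.e. mount
#     requests are accepted even when they do not come from a reserved
#     (privileged) source port.
#   nfs_reserved_port_only=YES sets vfs.nfs.nfs_privport so the NFS
#     server insists on reserved source ports.
#   amd_map_program is eval'ed as shell code with this script's (root)
#     privileges -- rc.conf is trusted input.
# Sets network_pass3_done=YES on completion.
network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${nfs_server_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/exports ]; then
			echo -n ' mountd'

			case ${weak_mountd_authentication} in
			[Yy][Ee][Ss])
				mountd_flags="${mountd_flags} -n"
				;;
			esac

			mountd ${mountd_flags}

			case ${nfs_reserved_port_only} in
			[Yy][Ee][Ss])
				echo -n ' NFS on reserved port only=YES'
				sysctl -w vfs.nfs.nfs_privport=1 >/dev/null
				;;
			esac

			echo -n ' nfsd';	nfsd ${nfs_server_flags}

			if [ -n "${nfs_bufpackets}" ]; then
				sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} \
					> /dev/null
			fi

			case ${rpc_lockd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.lockd';	rpc.lockd
				;;
			esac

			case ${rpc_statd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.statd';	rpc.statd
				;;
			esac
		fi
		;;
	*)
		# Not an NFS server, but mountd alone may still be wanted.
		# Keep this in step with the server branch above: -n is
		# appended to ${mountd_flags}, not substituted for it, so
		# flags configured in rc.conf are not silently discarded.
		case ${single_mountd_enable} in
		[Yy][Ee][Ss])
			if [ -r /etc/exports ]; then
				echo -n ' mountd'

				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="${mountd_flags} -n"
					;;
				esac

				mountd ${mountd_flags}
			fi
			;;
		esac
		;;
	esac

	case ${nfs_client_enable} in
	[Yy][Ee][Ss])
		echo -n ' nfsiod';	nfsiod ${nfs_client_flags}
		if [ -n "${nfs_access_cache}" ]; then
			echo -n " NFS access cache time=${nfs_access_cache}"
			sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} \
				>/dev/null
		fi
		;;
	esac

	# If /var/db/mounttab exists, some nfs-server has not been
	# successfully notified about a previous client shutdown.
	# If there is no /var/db/mounttab, we do nothing.
	if [ -f /var/db/mounttab ]; then
		rpc.umntall -k
	fi

	case ${amd_enable} in
	[Yy][Ee][Ss])
		echo -n ' amd'
		# ${amd_map_program} is run through eval and whatever it
		# prints is appended to amd's argument list.
		case ${amd_map_program} in
		[Nn][Oo] | '')
			;;
		*)
			amd_flags="${amd_flags} $(eval ${amd_map_program})"
			;;
		esac

		if [ -n "${amd_flags}" ]; then
			amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null
		else
			amd 2> /dev/null
		fi
		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod';	rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos runs ONLY on the Kerberos server machine.
	# kerberos_stash=YES passes -n to both kerberos and kadmind.
	case ${kerberos_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash_flag=-n
			;;
		*)
			stash_flag=
			;;
		esac

		echo -n ' kerberos'
		kerberos ${stash_flag} >> /var/log/kerberos.log &

		case ${kadmind_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind'
			# kadmind is launched from a detached subshell after a
			# fixed 20 second delay, presumably to let the kerberos
			# server above come up first; there is no readiness
			# check, so a slow start leaves kadmind unable to bind.
			(sleep 20; kadmind ${stash_flag} >/dev/null 2>&1 &) &
			;;
		esac
		unset stash_flag
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed'
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		;;
	esac

	# Create any missing sshd host keys.  Host keys get an empty
	# passphrase (-N "") because sshd has nobody to prompt; they are
	# written by root with ssh-keygen's default permissions.  Nothing
	# here starts sshd itself.
	case ${sshd_enable} in
	[Yy][Ee][Ss])
		if [ ! -f /etc/ssh/ssh_host_key ]; then
			echo ' creating ssh RSA host key'
			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
		fi
		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
			echo ' creating ssh DSA host key'
			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}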
680
# Fourth pass: the remaining TCP/UDP knobs.
#
# log_in_vain: any value other than NO (or unset/empty) enables the
# kernel's tcp and udp log_in_vain sysctls.
# Sets network_pass4_done=YES on completion.
network_pass4() {
	echo -n 'Additional TCP options:'

	# An empty value counts as NO; only an explicit NO (any case) is
	# treated as "off" once the variable is set.
	if [ -n "${log_in_vain}" ]; then
		case ${log_in_vain} in
		[Nn][Oo])
			;;
		*)
			echo -n ' log_in_vain=YES'
			sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null
			sysctl -w net.inet.udp.log_in_vain=1 >/dev/null
			;;
		esac
	fi

	echo '.'
	network_pass4_done=YES
}
696
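# Convert a BSD /etc/host.conf into a one-line "hosts:" entry for
# nsswitch.conf.  Each non-comment, non-blank line of host.conf names
# one lookup source, and the order of lines is the lookup order.  That
# order is security relevant and MUST be preserved: "hosts" before
# "bind" means /etc/hosts overrides DNS; emitting the sources in
# arbitrary order could let DNS answers override local entries.
#
# Arguments:	$1 - path of the host.conf to read
#		$2 - path of the nsswitch.conf to write (overwritten)
# Outputs:	"hosts: <src> ..." to $2; unrecognized lines are reported
#		on stderr and dropped.
convert_host_conf() {
    host_conf=$1; shift;
    nsswitch_conf=$1; shift;
    # Notes on the awk program:
    #  - [[:blank:]] is the POSIX class; the bare [:blank:] form is a
    #    bracket expression matching the letters ":blank", so comment
    #    lines with leading whitespace were not being skipped.
    #  - c is initialised so the first subscript is "0" (an uninitialised
    #    awk variable yields the subscript "" instead).
    #  - the END loop walks 0..c-1 explicitly; "for (i in array)" has
    #    unspecified order and would scramble the lookup order.
    awk '                                                                   \
        BEGIN { c = 0 }                                                     \
        /^[[:blank:]]*(#|$)/ { next }                                       \
        /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next }           \
        /(dns|bind)/         { nsswitch[c] = "dns";   c++; next }           \
        /nis/                { nsswitch[c] = "nis";   c++; next }           \
        { printf "Warning: unrecognized line [%s]\n", $0 > "/dev/stderr" }  \
        END {                                                               \
                printf "hosts: ";                                           \
                for (i = 0; i < c; i++) printf "%s ", nsswitch[i];          \
                printf "\n";                                                \
        }' < "$host_conf" > "$nsswitch_conf"
}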
712
713