defaultroute revision 94391
11558Srgrimes#!/bin/sh - 21558Srgrimes# 31558Srgrimes# Copyright (c) 1993 The FreeBSD Project 41558Srgrimes# All rights reserved. 51558Srgrimes# 61558Srgrimes# Redistribution and use in source and binary forms, with or without 71558Srgrimes# modification, are permitted provided that the following conditions 81558Srgrimes# are met: 91558Srgrimes# 1. Redistributions of source code must retain the above copyright 101558Srgrimes# notice, this list of conditions and the following disclaimer. 111558Srgrimes# 2. Redistributions in binary form must reproduce the above copyright 121558Srgrimes# notice, this list of conditions and the following disclaimer in the 131558Srgrimes# documentation and/or other materials provided with the distribution. 141558Srgrimes# 151558Srgrimes# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 161558Srgrimes# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 171558Srgrimes# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 181558Srgrimes# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 191558Srgrimes# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 201558Srgrimes# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 211558Srgrimes# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 221558Srgrimes# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 231558Srgrimes# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 241558Srgrimes# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 251558Srgrimes# SUCH DAMAGE. 261558Srgrimes# 271558Srgrimes# $FreeBSD: head/etc/rc.d/routing 94391 2002-04-10 22:30:54Z peter $ 281558Srgrimes# From: @(#)netstart 5.9 (Berkeley) 3/30/91 291558Srgrimes# 301558Srgrimes 311558Srgrimes# Note that almost all of the user-configurable behavior is no longer in 321558Srgrimes# this file, but rather in /etc/defaults/rc.conf. Please check that file 331558Srgrimes# first before contemplating any changes here. If you do need to change 341558Srgrimes# this file for some reason, we would like to know about it. 351558Srgrimes 361558Srgrimes# First pass startup stuff. 371558Srgrimes# 381558Srgrimesnetwork_pass1() { 391558Srgrimes echo -n 'Doing initial network setup:' 401558Srgrimes 411558Srgrimes # Generate host.conf for compatibility 421558Srgrimes # 431558Srgrimes if [ -f "/etc/nsswitch.conf" ]; then 441558Srgrimes echo -n ' host.conf' 451558Srgrimes generate_host_conf /etc/nsswitch.conf /etc/host.conf 461558Srgrimes fi 471558Srgrimes 481558Srgrimes # Convert host.conf to nsswitch.conf if necessary 491558Srgrimes # 501558Srgrimes if [ -f "/etc/host.conf" -a ! -f "/etc/nsswitch.conf" ]; then 511558Srgrimes echo '' 521558Srgrimes echo 'Warning: /etc/host.conf is no longer used' 531558Srgrimes echo ' /etc/nsswitch.conf will be created for you' 541558Srgrimes convert_host_conf /etc/host.conf /etc/nsswitch.conf 551558Srgrimes fi 561558Srgrimes 571558Srgrimes # Set the host name if it is not already set 581558Srgrimes # 591558Srgrimes if [ -z "`hostname -s`" ]; then 601558Srgrimes hostname ${hostname} 611558Srgrimes echo -n ' hostname' 621558Srgrimes fi 631558Srgrimes 641558Srgrimes # Establish ipfilter ruleset as early as possible (best in 651558Srgrimes # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) 661558Srgrimes 671558Srgrimes # check whether ipfilter and/or ipnat is enabled 681558Srgrimes ipfilter_active="NO" 691558Srgrimes case ${ipfilter_enable} in 701558Srgrimes [Yy][Ee][Ss]) 711558Srgrimes ipfilter_active="YES" 721558Srgrimes ;; 731558Srgrimes esac 741558Srgrimes case ${ipnat_enable} in 751558Srgrimes [Yy][Ee][Ss]) 761558Srgrimes ipfilter_active="YES" 771558Srgrimes ;; 781558Srgrimes esac 791558Srgrimes case ${ipfilter_active} in 801558Srgrimes [Yy][Ee][Ss]) 811558Srgrimes # load ipfilter kernel module if needed 821558Srgrimes if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then 831558Srgrimes if kldload ipl; then 841558Srgrimes echo 'IP-filter module loaded.' 851558Srgrimes else 861558Srgrimes echo 'Warning: IP-filter module failed to load.' 871558Srgrimes # avoid further errors 881558Srgrimes ipfilter_active="NO" 891558Srgrimes ipmon_enable="NO" 901558Srgrimes ipfilter_enable="NO" 911558Srgrimes ipnat_enable="NO" 921558Srgrimes ipfs_enable="NO" 931558Srgrimes fi 941558Srgrimes fi 951558Srgrimes # start ipmon before loading any rules 961558Srgrimes case "${ipmon_enable}" in 971558Srgrimes [Yy][Ee][Ss]) 981558Srgrimes echo -n ' ipmon' 991558Srgrimes ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} 1001558Srgrimes ;; 1011558Srgrimes esac 1021558Srgrimes case "${ipfilter_enable}" in 1031558Srgrimes [Yy][Ee][Ss]) 1041558Srgrimes if [ -r "${ipfilter_rules}" ]; then 1051558Srgrimes echo -n ' ipfilter' 1061558Srgrimes ${ipfilter_program:-/sbin/ipf} -Fa -f \ 1071558Srgrimes "${ipfilter_rules}" ${ipfilter_flags} 1081558Srgrimes else 1091558Srgrimes ipfilter_enable="NO" 1101558Srgrimes echo -n ' NO IPF RULES' 1111558Srgrimes fi 1121558Srgrimes ;; 1131558Srgrimes esac 1141558Srgrimes case "${ipnat_enable}" in 1151558Srgrimes [Yy][Ee][Ss]) 1161558Srgrimes if [ -r "${ipnat_rules}" ]; then 1171558Srgrimes echo -n ' ipnat' 1181558Srgrimes eval ${ipnat_program:-/sbin/ipnat} -CF -f \ 1191558Srgrimes "${ipnat_rules}" ${ipnat_flags} 1201558Srgrimes else 1211558Srgrimes ipnat_enable="NO" 1221558Srgrimes echo -n ' NO IPNAT RULES' 1231558Srgrimes fi 1241558Srgrimes ;; 1251558Srgrimes esac 1261558Srgrimes # restore filter/NAT state tables after loading the rules 1271558Srgrimes case "${ipfs_enable}" in 1281558Srgrimes [Yy][Ee][Ss]) 1291558Srgrimes if [ -r "/var/db/ipf/ipstate.ipf" ]; then 1301558Srgrimes echo -n ' ipfs' 1311558Srgrimes ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} 1321558Srgrimes # remove files to avoid reloading old state 1331558Srgrimes # after an ungraceful shutdown 1341558Srgrimes rm -f /var/db/ipf/ipstate.ipf 1351558Srgrimes rm -f /var/db/ipf/ipnat.ipf 1361558Srgrimes fi 1371558Srgrimes ;; 1381558Srgrimes esac 1391558Srgrimes ;; 1401558Srgrimes esac 1411558Srgrimes 1421558Srgrimes # Set the domainname if we're using NIS 1431558Srgrimes # 1441558Srgrimes case ${nisdomainname} in 1451558Srgrimes [Nn][Oo] | '') 1461558Srgrimes ;; 1471558Srgrimes *) 1481558Srgrimes domainname ${nisdomainname} 1491558Srgrimes echo -n ' domain' 1501558Srgrimes ;; 1511558Srgrimes esac 1521558Srgrimes 1531558Srgrimes echo '.' 1541558Srgrimes 1551558Srgrimes # Initial ATM interface configuration 1561558Srgrimes # 1571558Srgrimes case ${atm_enable} in 1581558Srgrimes [Yy][Ee][Ss]) 1591558Srgrimes if [ -r /etc/rc.atm ]; then 1601558Srgrimes . /etc/rc.atm 1611558Srgrimes atm_pass1 1621558Srgrimes fi 1631558Srgrimes ;; 1641558Srgrimes esac 1651558Srgrimes 1661558Srgrimes # Attempt to create cloned interfaces. 1671558Srgrimes for ifn in ${cloned_interfaces}; do 1681558Srgrimes ifconfig ${ifn} create 1691558Srgrimes done 1701558Srgrimes 1711558Srgrimes # Special options for sppp(4) interfaces go here. These need 1721558Srgrimes # to go _before_ the general ifconfig section, since in the case 1731558Srgrimes # of hardwired (no link1 flag) but required authentication, you 1741558Srgrimes # cannot pass auth parameters down to the already running interface. 1751558Srgrimes # 1761558Srgrimes for ifn in ${sppp_interfaces}; do 1771558Srgrimes eval spppcontrol_args=\$spppconfig_${ifn} 1781558Srgrimes if [ -n "${spppcontrol_args}" ]; then 1791558Srgrimes # The auth secrets might contain spaces; in order 1801558Srgrimes # to retain the quotation, we need to eval them 1811558Srgrimes # here. 1821558Srgrimes eval spppcontrol ${ifn} ${spppcontrol_args} 1831558Srgrimes fi 1841558Srgrimes done 1851558Srgrimes 1861558Srgrimes # gifconfig 1871558Srgrimes network_gif_setup 1881558Srgrimes 1891558Srgrimes # Set up all the network interfaces, calling startup scripts if needed 1901558Srgrimes # 1911558Srgrimes case ${network_interfaces} in 1921558Srgrimes [Aa][Uu][Tt][Oo]) 1931558Srgrimes network_interfaces="`ifconfig -l`" 1941558Srgrimes ;; 1951558Srgrimes *) 1961558Srgrimes network_interfaces="${network_interfaces} ${cloned_interfaces}" 1971558Srgrimes ;; 1981558Srgrimes esac 1991558Srgrimes 2001558Srgrimes dhcp_interfaces="" 2011558Srgrimes for ifn in ${network_interfaces}; do 2021558Srgrimes if [ -r /etc/start_if.${ifn} ]; then 2031558Srgrimes . /etc/start_if.${ifn} 2041558Srgrimes eval showstat_$ifn=1 2051558Srgrimes fi 2061558Srgrimes 2071558Srgrimes # Do the primary ifconfig if specified 2081558Srgrimes # 2091558Srgrimes eval ifconfig_args=\$ifconfig_${ifn} 2101558Srgrimes 2111558Srgrimes case ${ifconfig_args} in 2121558Srgrimes '') 2131558Srgrimes ;; 2141558Srgrimes [Dd][Hh][Cc][Pp]) 2151558Srgrimes # DHCP inits are done all in one go below 2161558Srgrimes dhcp_interfaces="$dhcp_interfaces $ifn" 2171558Srgrimes eval showstat_$ifn=1 2181558Srgrimes ;; 2191558Srgrimes *) 2201558Srgrimes ifconfig ${ifn} ${ifconfig_args} 2211558Srgrimes eval showstat_$ifn=1 2221558Srgrimes ;; 2231558Srgrimes esac 2241558Srgrimes done 2251558Srgrimes 2261558Srgrimes if [ ! -z "${dhcp_interfaces}" ]; then 2271558Srgrimes ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces} 2281558Srgrimes fi 2291558Srgrimes 2301558Srgrimes for ifn in ${network_interfaces}; do 2311558Srgrimes # Check to see if aliases need to be added 2321558Srgrimes # 2331558Srgrimes alias=0 2341558Srgrimes while : ; do 2351558Srgrimes eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} 2361558Srgrimes if [ -n "${ifconfig_args}" ]; then 2371558Srgrimes ifconfig ${ifn} ${ifconfig_args} alias 2381558Srgrimes eval showstat_$ifn=1 2391558Srgrimes alias=$((${alias} + 1)) 2401558Srgrimes else 2411558Srgrimes break; 2421558Srgrimes fi 2431558Srgrimes done 2441558Srgrimes 2451558Srgrimes # Do ipx address if specified 2461558Srgrimes # 2471558Srgrimes eval ifconfig_args=\$ifconfig_${ifn}_ipx 2481558Srgrimes if [ -n "${ifconfig_args}" ]; then 2491558Srgrimes ifconfig ${ifn} ${ifconfig_args} 2501558Srgrimes eval showstat_$ifn=1 2511558Srgrimes fi 2521558Srgrimes done 2531558Srgrimes 2541558Srgrimes for ifn in ${network_interfaces}; do 2551558Srgrimes eval showstat=\$showstat_${ifn} 2561558Srgrimes if [ ! -z ${showstat} ]; then 2571558Srgrimes ifconfig ${ifn} 2581558Srgrimes fi 2591558Srgrimes done 2601558Srgrimes 2611558Srgrimes # ISDN subsystem startup 2621558Srgrimes # 2631558Srgrimes case ${isdn_enable} in 2641558Srgrimes [Yy][Ee][Ss]) 2651558Srgrimes if [ -r /etc/rc.isdn ]; then 2661558Srgrimes . /etc/rc.isdn 2671558Srgrimes fi 2681558Srgrimes ;; 2691558Srgrimes esac 2701558Srgrimes 2711558Srgrimes # Start user ppp if required. This must happen before natd. 2721558Srgrimes # 2731558Srgrimes case ${ppp_enable} in 2741558Srgrimes [Yy][Ee][Ss]) 2751558Srgrimes # Establish ppp mode. 2761558Srgrimes # 2771558Srgrimes if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \ 2781558Srgrimes -a "${ppp_mode}" != "dedicated" \ 2791558Srgrimes -a "${ppp_mode}" != "background" ]; then 2801558Srgrimes ppp_mode="auto" 2811558Srgrimes fi 2821558Srgrimes 2831558Srgrimes ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}" 2841558Srgrimes 2851558Srgrimes # Switch on NAT mode? 2861558Srgrimes # 2871558Srgrimes case ${ppp_nat} in 2881558Srgrimes [Yy][Ee][Ss]) 2891558Srgrimes ppp_command="${ppp_command} -nat" 2901558Srgrimes ;; 2911558Srgrimes esac 2921558Srgrimes 2931558Srgrimes ppp_command="${ppp_command} ${ppp_profile}" 2941558Srgrimes 2951558Srgrimes echo "Starting ppp as \"${ppp_user}\"" 2961558Srgrimes su -m ${ppp_user} -c "exec ${ppp_command}" 2971558Srgrimes ;; 2981558Srgrimes esac 2991558Srgrimes 3001558Srgrimes # Re-Sync ipfilter so it picks up any new network interfaces 3011558Srgrimes # 3021558Srgrimes case ${ipfilter_active} in 3031558Srgrimes [Yy][Ee][Ss]) 3041558Srgrimes ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null 3051558Srgrimes ;; 3061558Srgrimes esac 3071558Srgrimes unset ipfilter_active 3081558Srgrimes 3091558Srgrimes # Initialize IP filtering using ipfw 3101558Srgrimes # 3111558Srgrimes if /sbin/ipfw -q flush > /dev/null 2>&1; then 3121558Srgrimes firewall_in_kernel=1 3131558Srgrimes else 3141558Srgrimes firewall_in_kernel=0 3151558Srgrimes fi 3161558Srgrimes 3171558Srgrimes case ${firewall_enable} in 3181558Srgrimes [Yy][Ee][Ss]) 3191558Srgrimes if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then 3201558Srgrimes firewall_in_kernel=1 3211558Srgrimes echo 'Kernel firewall module loaded' 3221558Srgrimes elif [ "${firewall_in_kernel}" -eq 0 ]; then 3231558Srgrimes echo 'Warning: firewall kernel module failed to load' 3241558Srgrimes fi 3251558Srgrimes ;; 3261558Srgrimes esac 3271558Srgrimes 3281558Srgrimes # Load the filters if required 3291558Srgrimes # 3301558Srgrimes case ${firewall_in_kernel} in 3311558Srgrimes 1) 3321558Srgrimes if [ -z "${firewall_script}" ]; then 3331558Srgrimes firewall_script=/etc/rc.firewall 3341558Srgrimes fi 3351558Srgrimes 3361558Srgrimes case ${firewall_enable} in 3371558Srgrimes [Yy][Ee][Ss]) 3381558Srgrimes if [ -r "${firewall_script}" ]; then 3391558Srgrimes . "${firewall_script}" 3401558Srgrimes echo -n 'Firewall rules loaded, starting divert daemons:' 3411558Srgrimes 3421558Srgrimes # Network Address Translation daemon 3431558Srgrimes # 3441558Srgrimes case ${natd_enable} in 3451558Srgrimes [Yy][Ee][Ss]) 3461558Srgrimes if [ -n "${natd_interface}" ]; then 3471558Srgrimes if echo ${natd_interface} | \ 3481558Srgrimes grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then 3491558Srgrimes natd_flags="$natd_flags -a ${natd_interface}" 3501558Srgrimes else 3511558Srgrimes natd_flags="$natd_flags -n ${natd_interface}" 3521558Srgrimes fi 3531558Srgrimes fi 3541558Srgrimes echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags} 3551558Srgrimes ;; 3561558Srgrimes esac 3571558Srgrimes 3581558Srgrimes echo '.' 3591558Srgrimes 3601558Srgrimes elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then 3611558Srgrimes echo 'Warning: kernel has firewall functionality,' \ 3621558Srgrimes 'but firewall rules are not enabled.' 3631558Srgrimes echo ' All ip services are disabled.' 3641558Srgrimes fi 3651558Srgrimes 3661558Srgrimes case ${firewall_logging} in 3671558Srgrimes [Yy][Ee][Ss] | '') 3681558Srgrimes echo 'Firewall logging=YES' 3691558Srgrimes sysctl net.inet.ip.fw.verbose=1 >/dev/null 3701558Srgrimes ;; 3711558Srgrimes *) 3721558Srgrimes ;; 3731558Srgrimes esac 3741558Srgrimes 3751558Srgrimes ;; 3761558Srgrimes esac 3771558Srgrimes ;; 3781558Srgrimes esac 3791558Srgrimes 3801558Srgrimes # Additional ATM interface configuration 3811558Srgrimes # 3821558Srgrimes if [ -n "${atm_pass1_done}" ]; then 3831558Srgrimes atm_pass2 3841558Srgrimes fi 3851558Srgrimes 3861558Srgrimes # Configure routing 3871558Srgrimes # 3881558Srgrimes case ${defaultrouter} in 3891558Srgrimes [Nn][Oo] | '') 3901558Srgrimes ;; 3911558Srgrimes *) 3921558Srgrimes static_routes="default ${static_routes}" 3931558Srgrimes route_default="default ${defaultrouter}" 3941558Srgrimes ;; 3951558Srgrimes esac 3961558Srgrimes 3971558Srgrimes # Set up any static routes. This should be done before router discovery. 3981558Srgrimes # 3991558Srgrimes if [ -n "${static_routes}" ]; then 4001558Srgrimes for i in ${static_routes}; do 4011558Srgrimes eval route_args=\$route_${i} 4021558Srgrimes route add ${route_args} 4031558Srgrimes done 4041558Srgrimes fi 4051558Srgrimes 4061558Srgrimes echo -n 'Additional routing options:' 4071558Srgrimes case ${tcp_extensions} in 4081558Srgrimes [Yy][Ee][Ss] | '') 4091558Srgrimes ;; 4101558Srgrimes *) 4111558Srgrimes echo -n ' tcp extensions=NO' 4121558Srgrimes sysctl net.inet.tcp.rfc1323=0 >/dev/null 4131558Srgrimes ;; 4141558Srgrimes esac 4151558Srgrimes 4161558Srgrimes case ${icmp_bmcastecho} in 4171558Srgrimes [Yy][Ee][Ss]) 4181558Srgrimes echo -n ' broadcast ping responses=YES' 4191558Srgrimes sysctl net.inet.icmp.bmcastecho=1 >/dev/null 4201558Srgrimes ;; 4211558Srgrimes esac 4221558Srgrimes 4231558Srgrimes case ${icmp_drop_redirect} in 4241558Srgrimes [Yy][Ee][Ss]) 4251558Srgrimes echo -n ' ignore ICMP redirect=YES' 4261558Srgrimes sysctl net.inet.icmp.drop_redirect=1 >/dev/null 4271558Srgrimes ;; 4281558Srgrimes esac 4291558Srgrimes 4301558Srgrimes case ${icmp_log_redirect} in 4311558Srgrimes [Yy][Ee][Ss]) 4321558Srgrimes echo -n ' log ICMP redirect=YES' 4331558Srgrimes sysctl net.inet.icmp.log_redirect=1 >/dev/null 4341558Srgrimes ;; 4351558Srgrimes esac 4361558Srgrimes 4371558Srgrimes case ${gateway_enable} in 4381558Srgrimes [Yy][Ee][Ss]) 4391558Srgrimes echo -n ' IP gateway=YES' 4401558Srgrimes sysctl net.inet.ip.forwarding=1 >/dev/null 4411558Srgrimes ;; 4421558Srgrimes esac 4431558Srgrimes 4441558Srgrimes case ${forward_sourceroute} in 4451558Srgrimes [Yy][Ee][Ss]) 4461558Srgrimes echo -n ' do source routing=YES' 4471558Srgrimes sysctl net.inet.ip.sourceroute=1 >/dev/null 4481558Srgrimes ;; 4491558Srgrimes esac 4501558Srgrimes 4511558Srgrimes case ${accept_sourceroute} in 4521558Srgrimes [Yy][Ee][Ss]) 4531558Srgrimes echo -n ' accept source routing=YES' 4541558Srgrimes sysctl net.inet.ip.accept_sourceroute=1 >/dev/null 4551558Srgrimes ;; 4561558Srgrimes esac 4571558Srgrimes 4581558Srgrimes case ${tcp_keepalive} in 4591558Srgrimes [Nn][Oo]) 4601558Srgrimes echo -n ' TCP keepalive=NO' 4611558Srgrimes sysctl net.inet.tcp.always_keepalive=0 >/dev/null 4621558Srgrimes ;; 4631558Srgrimes esac 4641558Srgrimes 4651558Srgrimes case ${tcp_drop_synfin} in 4661558Srgrimes [Yy][Ee][Ss]) 4671558Srgrimes echo -n ' drop SYN+FIN packets=YES' 4681558Srgrimes sysctl net.inet.tcp.drop_synfin=1 >/dev/null 4691558Srgrimes ;; 4701558Srgrimes esac 4711558Srgrimes 4721558Srgrimes case ${ipxgateway_enable} in 4731558Srgrimes [Yy][Ee][Ss]) 4741558Srgrimes echo -n ' IPX gateway=YES' 4751558Srgrimes sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null 4761558Srgrimes ;; 4771558Srgrimes esac 4781558Srgrimes 4791558Srgrimes case ${arpproxy_all} in 4801558Srgrimes [Yy][Ee][Ss]) 4811558Srgrimes echo -n ' ARP proxyall=YES' 4821558Srgrimes sysctl net.link.ether.inet.proxyall=1 >/dev/null 4831558Srgrimes ;; 4841558Srgrimes esac 4851558Srgrimes 4861558Srgrimes case ${ip_portrange_first} in 4871558Srgrimes [Nn][Oo] | '') 4881558Srgrimes ;; 4891558Srgrimes *) 4901558Srgrimes echo -n " ip_portrange_first=$ip_portrange_first" 4911558Srgrimes sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null 4921558Srgrimes ;; 4931558Srgrimes esac 4941558Srgrimes 4951558Srgrimes case ${ip_portrange_last} in 4961558Srgrimes [Nn][Oo] | '') 4971558Srgrimes ;; 4981558Srgrimes *) 4991558Srgrimes echo -n " ip_portrange_last=$ip_portrange_last" 5001558Srgrimes sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null 5011558Srgrimes ;; 5021558Srgrimes esac 5031558Srgrimes 5041558Srgrimes echo '.' 5051558Srgrimes 5061558Srgrimes case ${ipsec_enable} in 5071558Srgrimes [Yy][Ee][Ss]) 5081558Srgrimes if [ -f ${ipsec_file} ]; then 5091558Srgrimes echo ' ipsec: enabled' 5101558Srgrimes setkey -f ${ipsec_file} 5111558Srgrimes else 5121558Srgrimes echo ' ipsec: file not found' 5131558Srgrimes fi 5141558Srgrimes ;; 5151558Srgrimes esac 5161558Srgrimes 5171558Srgrimes echo -n 'Routing daemons:' 5181558Srgrimes case ${router_enable} in 5191558Srgrimes [Yy][Ee][Ss]) 5201558Srgrimes echo -n " ${router}"; ${router} ${router_flags} 5211558Srgrimes ;; 5221558Srgrimes esac 5231558Srgrimes 5241558Srgrimes case ${ipxrouted_enable} in 5251558Srgrimes [Yy][Ee][Ss]) 5261558Srgrimes echo -n ' IPXrouted' 5271558Srgrimes IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 5281558Srgrimes ;; 5291558Srgrimes esac 5301558Srgrimes 5311558Srgrimes case ${mrouted_enable} in 5321558Srgrimes [Yy][Ee][Ss]) 5331558Srgrimes echo -n ' mrouted'; mrouted ${mrouted_flags} 5341558Srgrimes ;; 5351558Srgrimes esac 5361558Srgrimes 5371558Srgrimes case ${rarpd_enable} in 5381558Srgrimes [Yy][Ee][Ss]) 5391558Srgrimes echo -n ' rarpd'; rarpd ${rarpd_flags} 5401558Srgrimes ;; 5411558Srgrimes esac 5421558Srgrimes echo '.' 5431558Srgrimes 5441558Srgrimes # Let future generations know we made it. 5451558Srgrimes # 5461558Srgrimes network_pass1_done=YES 5471558Srgrimes} 5481558Srgrimes 5491558Srgrimesnetwork_pass2() { 5501558Srgrimes echo -n 'Doing additional network setup:' 5511558Srgrimes case ${named_enable} in 5521558Srgrimes [Yy][Ee][Ss]) 5531558Srgrimes echo -n ' named'; ${named_program:-named} ${named_flags} 5541558Srgrimes ;; 5551558Srgrimes esac 5561558Srgrimes 5571558Srgrimes case ${ntpdate_enable} in 5581558Srgrimes [Yy][Ee][Ss]) 5591558Srgrimes echo -n ' ntpdate' 5601558Srgrimes ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1 5611558Srgrimes ;; 5621558Srgrimes esac 5631558Srgrimes 5641558Srgrimes case ${xntpd_enable} in 5651558Srgrimes [Yy][Ee][Ss]) 5661558Srgrimes echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags} 5671558Srgrimes ;; 5681558Srgrimes esac 5691558Srgrimes 5701558Srgrimes case ${timed_enable} in 5711558Srgrimes [Yy][Ee][Ss]) 5721558Srgrimes echo -n ' timed'; timed ${timed_flags} 5731558Srgrimes ;; 5741558Srgrimes esac 5751558Srgrimes 5761558Srgrimes case ${portmap_enable} in 5771558Srgrimes [Yy][Ee][Ss]) 5781558Srgrimes echo -n ' rpcbind'; ${portmap_program:-/usr/sbin/rpcbind} \ 5791558Srgrimes ${portmap_flags} 5801558Srgrimes 5811558Srgrimes # Start ypserv if we're an NIS server. 5821558Srgrimes # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. 5831558Srgrimes # 5841558Srgrimes case ${nis_server_enable} in 5851558Srgrimes [Yy][Ee][Ss]) 5861558Srgrimes echo -n ' ypserv'; ypserv ${nis_server_flags} 5871558Srgrimes 5881558Srgrimes case ${nis_ypxfrd_enable} in 5891558Srgrimes [Yy][Ee][Ss]) 5901558Srgrimes echo -n ' rpc.ypxfrd' 5911558Srgrimes rpc.ypxfrd ${nis_ypxfrd_flags} 5921558Srgrimes ;; 5931558Srgrimes esac 5941558Srgrimes 5951558Srgrimes case ${nis_yppasswdd_enable} in 5961558Srgrimes [Yy][Ee][Ss]) 5971558Srgrimes echo -n ' rpc.yppasswdd' 5981558Srgrimes rpc.yppasswdd ${nis_yppasswdd_flags} 5991558Srgrimes ;; 6001558Srgrimes esac 6011558Srgrimes ;; 6021558Srgrimes esac 6031558Srgrimes 6041558Srgrimes # Start ypbind if we're an NIS client 6051558Srgrimes # 6061558Srgrimes case ${nis_client_enable} in 6071558Srgrimes [Yy][Ee][Ss]) 6081558Srgrimes echo -n ' ypbind'; ypbind ${nis_client_flags} 6091558Srgrimes case ${nis_ypset_enable} in 6101558Srgrimes [Yy][Ee][Ss]) 6111558Srgrimes echo -n ' ypset'; ypset ${nis_ypset_flags} 6121558Srgrimes ;; 6131558Srgrimes esac 6141558Srgrimes ;; 6151558Srgrimes esac 6161558Srgrimes 6171558Srgrimes # Start keyserv if we are running Secure RPC 6181558Srgrimes # 6191558Srgrimes case ${keyserv_enable} in 6201558Srgrimes [Yy][Ee][Ss]) 6211558Srgrimes echo -n ' keyserv'; keyserv ${keyserv_flags} 6221558Srgrimes ;; 6231558Srgrimes esac 6241558Srgrimes 6251558Srgrimes # Start ypupdated if we are running Secure RPC 6261558Srgrimes # and we are NIS master 6271558Srgrimes # 6281558Srgrimes case ${rpc_ypupdated_enable} in 6291558Srgrimes [Yy][Ee][Ss]) 6301558Srgrimes echo -n ' rpc.ypupdated'; rpc.ypupdated 6311558Srgrimes ;; 6321558Srgrimes esac 6331558Srgrimes ;; 6341558Srgrimes esac 6351558Srgrimes 6361558Srgrimes # Start ATM daemons 6371558Srgrimes if [ -n "${atm_pass2_done}" ]; then 6381558Srgrimes atm_pass3 6391558Srgrimes fi 6401558Srgrimes 6411558Srgrimes echo '.' 6421558Srgrimes network_pass2_done=YES 6431558Srgrimes} 6441558Srgrimes 6451558Srgrimesnetwork_pass3() { 6461558Srgrimes echo -n 'Starting final network daemons:' 6471558Srgrimes 6481558Srgrimes case ${portmap_enable} in 6491558Srgrimes [Yy][Ee][Ss]) 6501558Srgrimes case ${nfs_server_enable} in 6511558Srgrimes [Yy][Ee][Ss]) 6521558Srgrimes # Handle absent nfs server support 6531558Srgrimes nfsserver_in_kernel=0 6541558Srgrimes if sysctl vfs.nfsrv >/dev/null 2>&1; then 6551558Srgrimes nfsserver_in_kernel=1 6561558Srgrimes else 6571558Srgrimes kldload nfsserver && nfsserver_in_kernel=1 6581558Srgrimes fi 6591558Srgrimes 6601558Srgrimes if [ -r /etc/exports -a \ 6611558Srgrimes ${nfsserver_in_kernel} -eq 1 ]; then 6621558Srgrimes echo -n ' mountd' 6631558Srgrimes 6641558Srgrimes case ${weak_mountd_authentication} in 6651558Srgrimes [Yy][Ee][Ss]) 6661558Srgrimes mountd_flags="${mountd_flags} -n" 6671558Srgrimes ;; 6681558Srgrimes esac 6691558Srgrimes 6701558Srgrimes mountd ${mountd_flags} 6711558Srgrimes 6721558Srgrimes case ${nfs_reserved_port_only} in 6731558Srgrimes [Yy][Ee][Ss]) 6741558Srgrimes echo -n ' NFS on reserved port only=YES' 6751558Srgrimes sysctl vfs.nfsrv.nfs_privport=1 > /dev/null 6761558Srgrimes ;; 6771558Srgrimes esac 6781558Srgrimes 6791558Srgrimes echo -n ' nfsd'; nfsd ${nfs_server_flags} 6801558Srgrimes 6811558Srgrimes case ${rpc_statd_enable} in 6821558Srgrimes [Yy][Ee][Ss]) 6831558Srgrimes echo -n ' rpc.statd'; rpc.statd 6841558Srgrimes ;; 6851558Srgrimes esac 6861558Srgrimes 6871558Srgrimes case ${rpc_lockd_enable} in 6881558Srgrimes [Yy][Ee][Ss]) 6891558Srgrimes echo -n ' rpc.lockd'; rpc.lockd 6901558Srgrimes ;; 6911558Srgrimes esac 6921558Srgrimes else 6931558Srgrimes echo -n ' Warning: nfs server failed' 6941558Srgrimes fi 6951558Srgrimes ;; 6961558Srgrimes *) 6971558Srgrimes case ${single_mountd_enable} in 6981558Srgrimes [Yy][Ee][Ss]) 6991558Srgrimes if [ -r /etc/exports ]; then 7001558Srgrimes echo -n ' mountd' 7011558Srgrimes 7021558Srgrimes case ${weak_mountd_authentication} in 7031558Srgrimes [Yy][Ee][Ss]) 7041558Srgrimes mountd_flags="-n" 7051558Srgrimes ;; 7061558Srgrimes esac 7071558Srgrimes 7081558Srgrimes mountd ${mountd_flags} 7091558Srgrimes fi 7101558Srgrimes ;; 7111558Srgrimes esac 7121558Srgrimes ;; 7131558Srgrimes esac 7141558Srgrimes 7151558Srgrimes case ${nfs_client_enable} in 7161558Srgrimes [Yy][Ee][Ss]) 7171558Srgrimes nfsclient_in_kernel=0 7181558Srgrimes # Handle absent nfs client support 7191558Srgrimes if sysctl vfs.nfs >/dev/null 2>&1; then 7201558Srgrimes nfsclient_in_kernel=1 7211558Srgrimes else 7221558Srgrimes kldload nfsclient && nfsclient_in_kernel=1 7231558Srgrimes fi 7241558Srgrimes 7251558Srgrimes if [ ${nfsclient_in_kernel} -eq 1 ] 7261558Srgrimes then 7271558Srgrimes if [ -n "${nfs_access_cache}" ]; then 7281558Srgrimes echo -n " NFS access cache time=${nfs_access_cache}" 7291558Srgrimes sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null 7301558Srgrimes fi 7311558Srgrimes if [ -n "${nfs_bufpackets}" ]; then 7321558Srgrimes sysctl vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null 7331558Srgrimes fi 7341558Srgrimes case ${rpc_statd_enable} in 7351558Srgrimes [Yy][Ee][Ss]) 7361558Srgrimes echo -n ' rpc.statd'; rpc.statd 7371558Srgrimes ;; 7381558Srgrimes esac 7391558Srgrimes 7401558Srgrimes case ${rpc_lockd_enable} in 7411558Srgrimes [Yy][Ee][Ss]) 7421558Srgrimes echo -n ' rpc.lockd'; rpc.lockd 7431558Srgrimes ;; 7441558Srgrimes esac 7451558Srgrimes 7461558Srgrimes case ${amd_enable} in 7471558Srgrimes [Yy][Ee][Ss]) 7481558Srgrimes echo -n ' amd' 7491558Srgrimes case ${amd_map_program} in 7501558Srgrimes [Nn][Oo] | '') 7511558Srgrimes ;; 7521558Srgrimes *) 7531558Srgrimes amd_flags="${amd_flags} `eval\ 7541558Srgrimes ${amd_map_program}`" 7551558Srgrimes ;; 7561558Srgrimes esac 7571558Srgrimes 7581558Srgrimes case "${amd_flags}" in 7591558Srgrimes '') 7601558Srgrimes if [ -r /etc/amd.conf ]; then 7611558Srgrimes amd & 7621558Srgrimes else 7631558Srgrimes echo '' 7641558Srgrimes echo 'Warning: amd will not load without arguments' 7651558Srgrimes fi 7661558Srgrimes ;; 7671558Srgrimes *) 7681558Srgrimes amd -p ${amd_flags} \ 7691558Srgrimes >/var/run/amd.pid \ 7701558Srgrimes 2>/dev/null & 7711558Srgrimes ;; 7721558Srgrimes esac 7731558Srgrimes ;; 7741558Srgrimes esac 7751558Srgrimes else 7761558Srgrimes echo 'Warning: NFS client kernel module failed to load' 7771558Srgrimes nfs_client_enable=NO 7781558Srgrimes fi 7791558Srgrimes ;; 7801558Srgrimes esac 7811558Srgrimes 7821558Srgrimes # If /var/db/mounttab exists, some nfs-server has not been 7831558Srgrimes # successfully notified about a previous client shutdown. 7841558Srgrimes # If there is no /var/db/mounttab, we do nothing. 7851558Srgrimes if [ -f /var/db/mounttab ]; then 7861558Srgrimes rpc.umntall -k 7871558Srgrimes fi 7881558Srgrimes 7891558Srgrimes ;; 7901558Srgrimes esac 7911558Srgrimes 7921558Srgrimes case ${rwhod_enable} in 7931558Srgrimes [Yy][Ee][Ss]) 7941558Srgrimes echo -n ' rwhod'; rwhod ${rwhod_flags} 7951558Srgrimes ;; 7961558Srgrimes esac 7971558Srgrimes 7981558Srgrimes # Kerberos servers run ONLY on the Kerberos server machine 7991558Srgrimes case ${kerberos4_server_enable} in 8001558Srgrimes [Yy][Ee][Ss]) 8011558Srgrimes case ${kerberos_stash} in 8021558Srgrimes [Yy][Ee][Ss]) 8031558Srgrimes stash=-n 8041558Srgrimes ;; 8051558Srgrimes *) 8061558Srgrimes stash= 8071558Srgrimes ;; 8081558Srgrimes esac 8091558Srgrimes 8101558Srgrimes echo -n ' kerberosIV' 8111558Srgrimes ${kerberos4_server} ${stash} >> /var/log/kerberos.log & 8121558Srgrimes 8131558Srgrimes case ${kadmind4_server_enable} in 8141558Srgrimes [Yy][Ee][Ss]) 8151558Srgrimes echo -n ' kadmindIV' 8161558Srgrimes ( 8171558Srgrimes sleep 20; 8181558Srgrimes ${kadmind4_server} ${stash} >/dev/null 2>&1 & 8191558Srgrimes ) & 820 ;; 821 esac 822 unset stash_flag 823 ;; 824 esac 825 826 case ${kerberos5_server_enable} in 827 [Yy][Ee][Ss]) 828 echo -n ' kerberos5' 829 ${kerberos5_server} & 830 831 case ${kadmind5_server_enable} in 832 [Yy][Ee][Ss]) 833 echo -n ' kadmind5' 834 ${kadmind5_server} & 835 ;; 836 esac 837 ;; 838 esac 839 840 case ${pppoed_enable} in 841 [Yy][Ee][Ss]) 842 if [ -n "${pppoed_provider}" ]; then 843 pppoed_flags="${pppoed_flags} -p ${pppoed_provider}" 844 fi 845 echo -n ' pppoed'; 846 _opts=$-; set -f 847 /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface} 848 set +f; set -${_opts} 849 ;; 850 esac 851 852 case ${sshd_enable} in 853 [Yy][Ee][Ss]) 854 if [ -x /usr/bin/ssh-keygen ]; then 855 if [ ! -f /etc/ssh/ssh_host_key ]; then 856 echo ' creating ssh protocol v1 RSA host key'; 857 /usr/bin/ssh-keygen -t rsa1 -N "" \ 858 -f /etc/ssh/ssh_host_key 859 fi 860 if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then 861 echo ' creating ssh protocol v2 DSA host key'; 862 /usr/bin/ssh-keygen -t dsa -N "" \ 863 -f /etc/ssh/ssh_host_dsa_key 864 fi 865 if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then 866 echo ' creating ssh protocol v2 RSA host key'; 867 /usr/bin/ssh-keygen -t rsa -N "" \ 868 -f /etc/ssh/ssh_host_rsa_key 869 fi 870 fi 871 ;; 872 esac 873 874 echo '.' 875 network_pass3_done=YES 876} 877 878network_pass4() { 879 echo -n 'Additional TCP options:' 880 case ${log_in_vain} in 881 [Nn][Oo] | '') 882 log_in_vain=0 883 ;; 884 [Yy][Ee][Ss]) 885 log_in_vain=1 886 ;; 887 [0-9]*) 888 ;; 889 *) 890 echo " invalid log_in_vain setting: ${log_in_vain}" 891 log_in_vain=0 892 ;; 893 esac 894 895 [ "${log_in_vain}" -ne 0 ] && ( 896 echo -n " log_in_vain=${log_in_vain}" 897 sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null 898 sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null 899 ) 900 echo '.' 901 network_pass4_done=YES 902} 903 904network_gif_setup() { 905 case ${gif_interfaces} in 906 [Nn][Oo] | '') 907 ;; 908 *) 909 for i in ${gif_interfaces}; do 910 eval peers=\$gifconfig_$i 911 case ${peers} in 912 '') 913 continue 914 ;; 915 *) 916 ifconfig $i create >/dev/null 2>&1 917 ifconfig $i tunnel ${peers} 918 ;; 919 esac 920 done 921 ;; 922 esac 923} 924 925convert_host_conf() { 926 host_conf=$1; shift; 927 nsswitch_conf=$1; shift; 928 awk ' \ 929 /^[:blank:]*#/ { next } \ 930 /(hosts|local|file)/ { nsswitch[c] = "files"; c++; next } \ 931 /(dns|bind)/ { nsswitch[c] = "dns"; c++; next } \ 932 /nis/ { nsswitch[c] = "nis"; c++; next } \ 933 { printf "Warning: unrecognized line [%s]", $0 > "/dev/stderr" } \ 934 END { \ 935 printf "hosts: "; \ 936 for (i in nsswitch) printf "%s ", nsswitch[i]; \ 937 printf "\n"; \ 938 }' < $host_conf > $nsswitch_conf 939} 940 941generate_host_conf() { 942 nsswitch_conf=$1; shift; 943 host_conf=$1; shift; 944 945 awk ' 946BEGIN { 947 xlat["files"] = "hosts"; 948 xlat["dns"] = "bind"; 949 xlat["nis"] = "nis"; 950 cont = 0; 951} 952sub(/^[\t ]*hosts:/, "") || cont { 953 if (!cont) 954 srcs = "" 955 sub(/#.*/, "") 956 gsub(/[][]/, " & ") 957 cont = sub(/\\$/, "") 958 srcs = srcs " " $0 959} 960END { 961 print "# Auto-generated from nsswitch.conf, do not edit" 962 ns = split(srcs, s) 963 for (n = 1; n <= ns; ++n) { 964 if (s[n] in xlat) 965 print xlat[s[n]] 966 } 967} 968' <$nsswitch_conf >$host_conf 969} 970