defaultroute revision 94391
#!/bin/sh -
#
# Copyright (c) 1993  The FreeBSD Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: head/etc/rc.d/routing 94391 2002-04-10 22:30:54Z peter $
#	From: @(#)netstart	5.9 (Berkeley) 3/30/91
#

# Note that almost all of the user-configurable behavior is no longer in
# this file, but rather in /etc/defaults/rc.conf.  Please check that file
# first before contemplating any changes here.  If you do need to change
# this file for some reason, we would like to know about it.

# First pass startup stuff.
#
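# network_pass1: first-pass network bring-up.
#
# In order: name-service config conversion, hostname, ipfilter/ipnat/ipfs,
# NIS domain, ATM, cloned/sppp/gif interfaces, per-interface ifconfig and
# DHCP, ISDN, user ppp, ipfw and natd, static routes, routing-related
# sysctls, IPsec policy and the routing daemons.
#
# Globals:   reads the *_enable, *_flags, *_program and per-interface
#            ifconfig_<ifn>* variables used below (presumably set from
#            rc.conf - confirm against the caller); writes
#            network_pass1_done=YES on completion.
# Calls:     generate_host_conf, convert_host_conf, network_gif_setup,
#            atm_pass1/atm_pass2 (from /etc/rc.atm when enabled).
#
# NOTE(review): several steps expand configuration values through eval or
# source files such as /etc/start_if.<ifn> and ${firewall_script}.  Whoever
# can write those values or files controls what this function executes, so
# their ownership and permissions are part of the trust boundary.
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Generate host.conf for compatibility
	#
	if [ -f "/etc/nsswitch.conf" ]; then
		echo -n ' host.conf'
		generate_host_conf /etc/nsswitch.conf /etc/host.conf
	fi

	# Convert host.conf to nsswitch.conf if necessary
	#
	if [ -f "/etc/host.conf" -a ! -f "/etc/nsswitch.conf" ]; then
		echo ''
		echo 'Warning: /etc/host.conf is no longer used'
		echo '  /etc/nsswitch.conf will be created for you'
		convert_host_conf /etc/host.conf /etc/nsswitch.conf
	fi

	# Set the host name if it is not already set
	#
	if [ -z "`hostname -s`" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)

	# check whether ipfilter and/or ipnat is enabled
	ipfilter_active="NO"
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipnat_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		# load ipfilter kernel module if needed
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				echo 'Warning: IP-filter module failed to load.'
				# avoid further errors
				# (this leaves the host without ipfilter/ipnat
				# rules for the rest of the boot; only the
				# warning above records it)
				ipfilter_active="NO"
				ipmon_enable="NO"
				ipfilter_enable="NO"
				ipnat_enable="NO"
				ipfs_enable="NO"
			fi
		fi
		# start ipmon before loading any rules
		case "${ipmon_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ipmon'
			${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
			;;
		esac
		case "${ipfilter_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipfilter_rules}" ]; then
				echo -n ' ipfilter'
				${ipfilter_program:-/sbin/ipf} -Fa -f \
				    "${ipfilter_rules}" ${ipfilter_flags}
			else
				# An unreadable rules file disables filtering
				# rather than failing the boot.
				ipfilter_enable="NO"
				echo -n ' NO IPF RULES'
			fi
			;;
		esac
		case "${ipnat_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipnat_rules}" ]; then
				echo -n ' ipnat'
				# NOTE(review): unlike the ipf call above, this
				# command line is re-parsed by eval, so shell
				# metacharacters in ipnat_program, ipnat_rules
				# or ipnat_flags are interpreted.
				eval ${ipnat_program:-/sbin/ipnat} -CF -f \
				    "${ipnat_rules}" ${ipnat_flags}
			else
				ipnat_enable="NO"
				echo -n ' NO IPNAT RULES'
			fi
			;;
		esac
		# restore filter/NAT state tables after loading the rules
		case "${ipfs_enable}" in
		[Yy][Ee][Ss])
			if [ -r "/var/db/ipf/ipstate.ipf" ]; then
				echo -n ' ipfs'
				${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
				# remove files to avoid reloading old state
				# after an ungraceful shutdown
				rm -f /var/db/ipf/ipstate.ipf
				rm -f /var/db/ipf/ipnat.ipf
			fi
			;;
		esac
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Attempt to create cloned interfaces.
	for ifn in ${cloned_interfaces}; do
		ifconfig ${ifn} create
	done

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.
			# NOTE(review): the secrets are passed as command
			# arguments; whether they are visible to other users
			# through the process list is not established here.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# gifconfig
	network_gif_setup

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="`ifconfig -l`"
		;;
	*)
		network_interfaces="${network_interfaces} ${cloned_interfaces}"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		# A readable /etc/start_if.<ifn> is sourced into this shell
		# and therefore runs with this script's privileges.
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	if [ ! -z "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added
		#
		# Aliases are numbered from 0; the first missing
		# ifconfig_<ifn>_alias<N> ends the scan.
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_$ifn=1
				alias=$((${alias} + 1))
			else
				break;
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	# Show the state of every interface that was touched above.
	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		# Quoted so the test does not depend on how [ parses a
		# missing operand.
		if [ -n "${showstat}" ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode.
		#
		# Anything outside the four known modes falls back to "auto".
		if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \
			-a "${ppp_mode}" != "dedicated" \
			-a "${ppp_mode}" != "background" ]; then
			ppp_mode="auto"
		fi

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		echo "Starting ppp as \"${ppp_user}\""
		# NOTE(review): ppp_profile becomes part of a command string
		# parsed by the shell that su starts, and ppp_user is
		# expanded unquoted; both are assumed to be trusted
		# configuration values.
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Re-Sync ipfilter so it picks up any new network interfaces
	#
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
		;;
	esac
	unset ipfilter_active

	# Initialize IP filtering using ipfw
	#
	# The flush doubles as the probe for in-kernel ipfw support; when it
	# succeeds the current rule set has also been flushed, whether or
	# not firewall_enable is set.
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			# Boot continues without ipfw; only this warning
			# records that no rules will be loaded.
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				# Sourced, not executed: the script runs inside
				# this shell and can change its variables.
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						# Numeric values are passed
						# with -a, anything else
						# with -n.
						if echo ${natd_interface} | \
							grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
							natd_flags="$natd_flags -a ${natd_interface}"
						else
							natd_flags="$natd_flags -n ${natd_interface}"
						fi
					fi
					echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags}
					;;
				esac

				echo '.'

			elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				     'but firewall rules are not enabled.'
				echo '		 All ip services are disabled.'
			fi

			# Logging is on unless firewall_logging is set to
			# something other than YES.
			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	# The sysctl switches below change packet-handling policy.  Broadcast
	# ping replies, IP forwarding, source routing and ARP proxyall widen
	# what the host answers or forwards and are applied only on an
	# explicit YES.
	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Nn][Oo])
		echo -n ' TCP keepalive=NO'
		sysctl net.inet.tcp.always_keepalive=0 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=$ip_portrange_first"
		sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=$ip_portrange_last"
		sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
		;;
	esac

	echo '.'

	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		# ipsec_file is quoted: with an empty value an unquoted
		# `[ -f ]` is true, which would report "enabled" and run
		# setkey without any policy file.
		if [ -f "${ipsec_file}" ]; then
		    echo ' ipsec: enabled'
		    setkey -f "${ipsec_file}"
		else
		    echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'Routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}";	${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted';	mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd';	rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}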
# network_pass2: second-pass network setup.
#
# Starts the name and time daemons, then - only when portmap_enable is
# YES - rpcbind and the NIS / Secure RPC daemons that depend on it, and
# finally the ATM daemons if atm_pass2_done is set.
#
# Globals:   reads the *_enable / *_flags / *_program variables used
#            below; writes network_pass2_done=YES.
# Outputs:   one progress line on stdout naming each daemon started.
network_pass2() {
	echo -n 'Doing additional network setup:'

	# Name service
	case "${named_enable}" in
	[Yy][Ee][Ss])
		echo -n ' named'
		${named_program:-named} ${named_flags}
		;;
	esac

	# One-shot clock set; its output is discarded, so a failure here
	# is not reported.
	case "${ntpdate_enable}" in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	case "${xntpd_enable}" in
	[Yy][Ee][Ss])
		echo -n ' ntpd'
		${xntpd_program:-ntpd} ${xntpd_flags}
		;;
	esac

	case "${timed_enable}" in
	[Yy][Ee][Ss])
		echo -n ' timed'
		timed ${timed_flags}
		;;
	esac

	# Everything in this arm needs rpcbind, so it is skipped as a whole
	# when portmap_enable is not YES.
	case "${portmap_enable}" in
	[Yy][Ee][Ss])
		echo -n ' rpcbind'
		${portmap_program:-/usr/sbin/rpcbind} ${portmap_flags}

		# NIS server: ypserv always; rpc.ypxfrd and rpc.yppasswdd
		# belong on the NIS master only.
		case "${nis_server_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ypserv'
			ypserv ${nis_server_flags}

			case "${nis_ypxfrd_enable}" in
			[Yy][Ee][Ss])
				echo -n ' rpc.ypxfrd'
				rpc.ypxfrd ${nis_ypxfrd_flags}
				;;
			esac

			case "${nis_yppasswdd_enable}" in
			[Yy][Ee][Ss])
				echo -n ' rpc.yppasswdd'
				rpc.yppasswdd ${nis_yppasswdd_flags}
				;;
			esac
			;;
		esac

		# NIS client: ypbind, optionally followed by ypset.
		case "${nis_client_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ypbind'
			ypbind ${nis_client_flags}

			case "${nis_ypset_enable}" in
			[Yy][Ee][Ss])
				echo -n ' ypset'
				ypset ${nis_ypset_flags}
				;;
			esac
			;;
		esac

		# Secure RPC key server
		case "${keyserv_enable}" in
		[Yy][Ee][Ss])
			echo -n ' keyserv'
			keyserv ${keyserv_flags}
			;;
		esac

		# Secure RPC on the NIS master: ypupdated
		case "${rpc_ypupdated_enable}" in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypupdated'
			rpc.ypupdated
			;;
		esac
		;;
	esac

	# ATM daemons run only after the second ATM pass has completed.
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}
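# network_pass3: start the final network daemons.
#
# Covers NFS server and client support (only when portmap_enable is YES),
# amd, rwhod, the Kerberos IV/5 servers, pppoed, and first-boot creation
# of the ssh host keys.
#
# Globals:   reads the *_enable / *_flags variables used below; may append
#            to mountd_flags, amd_flags and pppoed_flags; writes
#            network_pass3_done=YES.
# Outputs:   one progress line on stdout naming each daemon started.
network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${portmap_enable} in
	[Yy][Ee][Ss])
		case ${nfs_server_enable} in
		[Yy][Ee][Ss])
			# Handle absent nfs server support
			nfsserver_in_kernel=0
			if sysctl vfs.nfsrv >/dev/null 2>&1; then
				nfsserver_in_kernel=1
			else
				kldload nfsserver && nfsserver_in_kernel=1
			fi

			if [ -r /etc/exports -a \
			    ${nfsserver_in_kernel} -eq 1 ]; then
				echo -n ' mountd'

				# -n is added only on an explicit YES for
				# weak_mountd_authentication.
				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="${mountd_flags} -n"
					;;
				esac

				mountd ${mountd_flags}

				case ${nfs_reserved_port_only} in
				[Yy][Ee][Ss])
					echo -n ' NFS on reserved port only=YES'
					sysctl vfs.nfsrv.nfs_privport=1 > /dev/null
					;;
				esac

				echo -n ' nfsd';	nfsd ${nfs_server_flags}

				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd';	rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd';	rpc.lockd
					;;
				esac
			else
				echo -n ' Warning: nfs server failed'
			fi
			;;
		*)
			case ${single_mountd_enable} in
			[Yy][Ee][Ss])
				if [ -r /etc/exports ]; then
					echo -n ' mountd'

					# Append -n as the NFS server branch
					# does, so configured mountd_flags are
					# kept instead of being replaced.
					case ${weak_mountd_authentication} in
					[Yy][Ee][Ss])
						mountd_flags="${mountd_flags} -n"
						;;
					esac

					mountd ${mountd_flags}
				fi
				;;
			esac
			;;
		esac

		case ${nfs_client_enable} in
		[Yy][Ee][Ss])
			nfsclient_in_kernel=0
			# Handle absent nfs client support
			if sysctl vfs.nfs >/dev/null 2>&1; then
				nfsclient_in_kernel=1
			else
				kldload nfsclient && nfsclient_in_kernel=1
			fi

			if [ ${nfsclient_in_kernel} -eq 1 ]
			then
				if [ -n "${nfs_access_cache}" ]; then
					echo -n " NFS access cache time=${nfs_access_cache}"
					sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
				fi
				if [ -n "${nfs_bufpackets}" ]; then
					sysctl vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null
				fi
				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd';	rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd';	rpc.lockd
					;;
				esac

				case ${amd_enable} in
				[Yy][Ee][Ss])
					echo -n ' amd'
					case ${amd_map_program} in
					[Nn][Oo] | '')
						;;
					*)
						# NOTE(review): amd_map_program
						# is run through eval and its
						# output becomes amd arguments;
						# it is assumed to be a trusted
						# configuration value.
						amd_flags="${amd_flags} `eval ${amd_map_program}`"
						;;
					esac

					case "${amd_flags}" in
					'')
						if [ -r /etc/amd.conf ]; then
							amd &
						else
							echo ''
							echo 'Warning: amd will not load without arguments'
						fi
						;;
					*)
						amd -p ${amd_flags} \
							 >/var/run/amd.pid \
							2>/dev/null &
						;;
					esac
					;;
				esac
			else
				echo 'Warning: NFS client kernel module failed to load'
				nfs_client_enable=NO
			fi
			;;
		esac

		# If /var/db/mounttab exists, some nfs-server has not been
		# successfully notified about a previous client shutdown.
		# If there is no /var/db/mounttab, we do nothing.
		if [ -f /var/db/mounttab ]; then
			rpc.umntall -k
		fi

		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod';	rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos servers run ONLY on the Kerberos server machine
	case ${kerberos4_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash=-n
			;;
		*)
			stash=
			;;
		esac

		echo -n ' kerberosIV'
		${kerberos4_server} ${stash} >> /var/log/kerberos.log &

		case ${kadmind4_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmindIV'
			# Start kadmind 20 seconds later from a background
			# subshell; the subshell keeps its own copy of
			# ${stash}, so the unset below does not affect it.
			(
				sleep 20;
				${kadmind4_server} ${stash} >/dev/null 2>&1 &
			) &
			;;
		esac
		# The temporary is named "stash"; unset that name so it does
		# not leak into the rest of the boot scripts.
		unset stash
		;;
	esac

	case ${kerberos5_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' kerberos5'
		${kerberos5_server} &

		case ${kadmind5_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind5'
			${kadmind5_server} &
			;;
		esac
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed';
		# Globbing is switched off around the call so wildcard
		# characters in the flags reach pppoed unexpanded; the saved
		# option set is restored afterwards.
		_opts=$-; set -f
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		set +f; set -${_opts}
		;;
	esac

	case ${sshd_enable} in
	[Yy][Ee][Ss])
		# Missing host keys are generated with an empty passphrase
		# (-N "") so sshd can read them unattended; existing keys
		# are never overwritten.
		# NOTE(review): rsa1 (protocol v1) and DSA host keys are
		# legacy key types that later OpenSSH releases dropped or
		# disabled; a present-day port of this block would generate
		# only currently supported types.
		if [ -x /usr/bin/ssh-keygen ]; then
			if [ ! -f /etc/ssh/ssh_host_key ]; then
				echo ' creating ssh protocol v1 RSA host key';
				/usr/bin/ssh-keygen -t rsa1 -N "" \
					-f /etc/ssh/ssh_host_key
			fi
			if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
				echo ' creating ssh protocol v2 DSA host key';
				/usr/bin/ssh-keygen -t dsa -N "" \
					-f /etc/ssh/ssh_host_dsa_key
			fi
			if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
				echo ' creating ssh protocol v2 RSA host key';
				/usr/bin/ssh-keygen -t rsa -N "" \
					-f /etc/ssh/ssh_host_rsa_key
			fi
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}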
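# network_pass4: apply the log_in_vain TCP/UDP sysctls.
#
# log_in_vain is normalised to a number first: NO or empty becomes 0,
# YES becomes 1, an all-digit value is used as given, and anything else
# is reported and treated as 0.
#
# Globals:   reads and rewrites log_in_vain; writes network_pass4_done=YES.
# Outputs:   progress line on stdout.
network_pass4() {
	echo -n 'Additional TCP options:'
	case ${log_in_vain} in
	[Nn][Oo] | '')
		log_in_vain=0
		;;
	[Yy][Ee][Ss])
		log_in_vain=1
		;;
	*[!0-9]*)
		# Any non-digit makes the value invalid.  Matching only on a
		# leading digit would let a value such as "1abc" through to
		# the numeric test below, which then fails with an error.
		echo " invalid log_in_vain setting: ${log_in_vain}"
		log_in_vain=0
		;;
	*)
		# digits only: keep the configured level
		;;
	esac

	if [ "${log_in_vain}" -ne 0 ]; then
		echo -n " log_in_vain=${log_in_vain}"
		sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
		sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
	fi
	echo '.'
	network_pass4_done=YES
}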
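# network_gif_setup: create and configure gif tunnel interfaces.
#
# For every name in gif_interfaces that has a non-empty gifconfig_<name>
# value, create the interface and set its tunnel end points.
#
# Globals:   reads gif_interfaces and gifconfig_<name>; leaves the loop
#            variables i and peers set, as before.
# Outputs:   a warning on stdout for each rejected interface name.
network_gif_setup() {
	case ${gif_interfaces} in
	[Nn][Oo] | '')
		;;
	*)
		for i in ${gif_interfaces}; do
			# The name is spliced into a variable name and passed
			# through eval.  Anything outside [A-Za-z0-9_] would
			# either resolve to the wrong variable or be parsed
			# as shell syntax, so such names are skipped.
			case ${i} in
			*[!A-Za-z0-9_]*)
				echo "Warning: ignoring invalid gif interface name '${i}'"
				continue
				;;
			esac

			eval peers=\$gifconfig_${i}
			case ${peers} in
			'')
				continue
				;;
			*)
				# create may fail if the interface already
				# exists; that is deliberately ignored.
				ifconfig "${i}" create >/dev/null 2>&1
				# ${peers} is left unquoted on purpose: it
				# holds several arguments.
				ifconfig "${i}" tunnel ${peers}
				;;
			esac
		done
		;;
	esac
}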
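# convert_host_conf: build an nsswitch.conf "hosts:" line from host.conf.
#
# Arguments: $1 - host.conf to read
#            $2 - nsswitch.conf to write (overwritten)
# Outputs:   a warning on stderr for each unrecognised line.
#
# Each recognised line adds one source, and the sources are written in
# the order they appear in host.conf, because that order is the lookup
# order.
convert_host_conf() {
    host_conf=$1; shift;
    nsswitch_conf=$1; shift;
    # Paths are quoted so names containing whitespace work.
    awk '
        # Comment lines, with optional leading blanks, are skipped.
        /^[\t ]*#/           { next }
        /(hosts|local|file)/ { nsswitch[c++] = "files"; next }
        /(dns|bind)/         { nsswitch[c++] = "dns";   next }
        /nis/                { nsswitch[c++] = "nis";   next }
        { printf "Warning: unrecognized line [%s]\n", $0 > "/dev/stderr" }
        END {
                printf "hosts: ";
                # Walk by index: a for-in loop does not guarantee
                # any particular order.
                for (i = 0; i < c; i++) printf "%s ", nsswitch[i];
                printf "\n";
        }' < "$host_conf" > "$nsswitch_conf"
}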
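# generate_host_conf: write a legacy host.conf from nsswitch.conf.
#
# Arguments: $1 - nsswitch.conf to read
#            $2 - host.conf to write (overwritten)
#
# Only the "hosts:" entry is used.  Its sources are translated
# (files -> hosts, dns -> bind, nis -> nis) and printed one per line;
# sources with no translation are dropped.
generate_host_conf() {
    nsswitch_conf=$1; shift;
    host_conf=$1; shift;

    # Paths are quoted so names containing whitespace work.
    awk '
BEGIN {
    xlat["files"] = "hosts";
    xlat["dns"] = "bind";
    xlat["nis"] = "nis";
    cont = 0;
}
# Runs on the hosts: line and on every continuation line after it.
sub(/^[\t ]*hosts:/, "") || cont {
    if (!cont)
	srcs = ""
    # Drop trailing comments.
    sub(/#.*/, "")
    # Put spaces around brackets so they split off as separate words.
    gsub(/[][]/, " & ")
    # A trailing backslash means the entry continues on the next line.
    cont = sub(/\\$/, "")
    srcs = srcs " " $0
}
END {
    print "# Auto-generated from nsswitch.conf, do not edit"
    ns = split(srcs, s)
    for (n = 1; n <= ns; ++n) {
        if (s[n] in xlat)
            print xlat[s[n]]
    }
}
' <"$nsswitch_conf" >"$host_conf"
}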
970