#!/bin/sh -
#
# Copyright (c) 1993  The FreeBSD Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: head/etc/rc.d/routing 91626 2002-03-04 10:30:24Z dd $
#	From: @(#)netstart	5.9 (Berkeley) 3/30/91
#

# Note that almost all of the user-configurable behavior is no longer in
# this file, but rather in /etc/defaults/rc.conf.  Please check that file
# first before contemplating any changes here.  If you do need to change
# this file for some reason, we would like to know about it.

# First pass startup stuff.
#
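# network_pass1: first-pass network bring-up, driven by rc.conf variables.
#
# In order: name-service config files, hostname, ipfilter/ipnat/ipfs, NIS
# domain, ATM, cloned and sppp interfaces, gif tunnels, interface addresses
# (static, DHCP, aliases, IPX), ISDN, user ppp, ipfw and natd, static routes,
# network sysctls, IPsec policy and routing daemons.
#
# Globals:  reads the *_enable, *_flags, *_program and per-interface
#           variables referenced below; sets network_pass1_done=YES.
# Outputs:  progress messages on stdout.
#
# Every value used here comes from rc.conf and runs with root privilege.
# Several are deliberately expanded unquoted (flags) or passed through eval,
# so those files must be writable by root only.
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Generate host.conf for compatibility
	#
	if [ -f "/etc/nsswitch.conf" ]; then
		echo -n ' host.conf'
		generate_host_conf /etc/nsswitch.conf /etc/host.conf
	fi

	# Convert host.conf to nsswitch.conf if necessary
	#
	if [ -f "/etc/host.conf" ] && [ ! -f "/etc/nsswitch.conf" ]; then
		echo ''
		echo 'Warning: /etc/host.conf is no longer used'
		echo '  /etc/nsswitch.conf will be created for you'
		convert_host_conf /etc/host.conf /etc/nsswitch.conf
	fi

	# Set the host name if it is not already set
	#
	if [ -z "$(hostname -s)" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)

	# check whether ipfilter and/or ipnat is enabled
	ipfilter_active="NO"
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipnat_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		# load ipfilter kernel module if needed
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				echo 'Warning: IP-filter module failed to load.'
				# avoid further errors
				# NOTE(review): this disables filtering and boot
				# continues, so the only signal is the warning above.
				ipmon_enable="NO"
				ipfilter_enable="NO"
				ipnat_enable="NO"
				ipfs_enable="NO"
			fi
		fi
		# start ipmon before loading any rules
		case "${ipmon_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ipmon'
			${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
			;;
		esac
		case "${ipfilter_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipfilter_rules}" ]; then
				echo -n ' ipfilter'
				${ipfilter_program:-/sbin/ipf} -Fa -f \
				    "${ipfilter_rules}" ${ipfilter_flags}
			else
				# An unreadable rules file leaves the filter
				# without rules; interfaces are still configured
				# below.
				ipfilter_enable="NO"
				echo -n ' NO IPF RULES'
			fi
			;;
		esac
		case "${ipnat_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipnat_rules}" ]; then
				echo -n ' ipnat'
				# Invoked directly, like ipf above.  The earlier
				# eval re-parsed the already expanded rules path
				# and flags, which undid the quoting and let shell
				# metacharacters in those values be interpreted.
				${ipnat_program:-/sbin/ipnat} -CF -f \
				    "${ipnat_rules}" ${ipnat_flags}
			else
				ipnat_enable="NO"
				echo -n ' NO IPNAT RULES'
			fi
			;;
		esac
		# restore filter/NAT state tables after loading the rules
		case "${ipfs_enable}" in
		[Yy][Ee][Ss])
			if [ -r "/var/db/ipf/ipstate.ipf" ]; then
				echo -n ' ipfs'
				${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
				# remove files to avoid reloading old state
				# after an ungraceful shutdown
				rm -f /var/db/ipf/ipstate.ipf
				rm -f /var/db/ipf/ipnat.ipf
			fi
			;;
		esac
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Attempt to create cloned interfaces.
	for ifn in ${cloned_interfaces}; do
		ifconfig ${ifn} create
	done

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.
			# The secrets live in rc.conf and are passed on the
			# spppcontrol command line, so keep that file
			# root-readable only.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# gifconfig
	network_gif_setup

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="$(ifconfig -l)"
		;;
	*)
		network_interfaces="${network_interfaces} ${cloned_interfaces}"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		# /etc/start_if.<ifn> is sourced into this root shell.
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	if [ -n "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added; the numbering
		# must be contiguous, the first unset aliasN ends the scan.
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_$ifn=1
				alias=$((${alias} + 1))
			else
				break
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	# Show the state of every interface touched above.
	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		# Quoted so that an unset flag is tested as an empty string
		# rather than dropping out of the test expression.
		if [ -n "${showstat}" ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode; anything unrecognised falls back to auto.
		#
		case ${ppp_mode} in
		ddial | direct | dedicated | background)
			;;
		*)
			ppp_mode="auto"
			;;
		esac

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		echo "Starting ppp as \"${ppp_user}\""
		# NOTE(review): ppp_profile is spliced into a command string
		# that the shell started by su parses again.
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Re-Sync ipfilter so it picks up any new network interfaces
	#
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
		;;
	esac
	unset ipfilter_active

	# Initialize IP filtering using ipfw
	#
	# NOTE(review): the probe for kernel support is a real flush, so
	# running this function on a host that already has ipfw rules loaded
	# discards them before the firewall script is read again.
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						# Dotted-numeric value: pass as an
						# address (-a), else as a name (-n).
						if echo "${natd_interface}" | \
							grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
							natd_flags="$natd_flags -a ${natd_interface}"
						else
							natd_flags="$natd_flags -n ${natd_interface}"
						fi
					fi
					echo -n ' natd'
					${natd_program:-/sbin/natd} ${natd_flags}
					;;
				esac

				echo '.'

			# NOTE(review): an unreadable script is reported only
			# when the last rule is the default deny; with any
			# other default this path is silent and no rules are
			# loaded.
			elif [ "$(ipfw l 65535)" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				     'but firewall rules are not enabled.'
				echo '		 All ip services are disabled.'
			fi

			# Logging is on unless firewall_logging is set to
			# something other than YES.
			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	# Each knob below only changes a sysctl away from the kernel default
	# when rc.conf asks for it.
	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	# Forwarding and accepting source-routed packets are opt-in.
	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Nn][Oo])
		echo -n ' TCP keepalive=NO'
		sysctl net.inet.tcp.always_keepalive=0 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=$ip_portrange_first"
		sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=$ip_portrange_last"
		sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
		;;
	esac

	echo '.'

	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		# Quoted: with an empty ipsec_file the unquoted test collapsed
		# to `[ -f ]`, which is true, and setkey then ran without a
		# policy file.
		if [ -f "${ipsec_file}" ]; then
			echo ' ipsec: enabled'
			setkey -f "${ipsec_file}"
		else
			echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'Routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}"
		${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted'
		mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd'
		rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}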
# network_pass2: second-pass network setup.
#
# Starts, when enabled in rc.conf: named, ntpdate, ntpd, timed, and - under
# portmap_enable - rpcbind plus the NIS and Secure RPC daemons.  Runs
# atm_pass3 if atm_pass2_done is set.
#
# Globals:  reads the *_enable, *_flags and *_program variables used below;
#           sets network_pass2_done=YES.
# Outputs:  progress messages on stdout.
network_pass2() {
	echo -n 'Doing additional network setup:'

	case ${named_enable} in
	[Yy][Ee][Ss])
		echo -n ' named'
		${named_program:-named} ${named_flags}
		;;
	esac

	# ntpdate output, including errors, is discarded.
	case ${ntpdate_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	case ${xntpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpd'
		${xntpd_program:-ntpd} ${xntpd_flags}
		;;
	esac

	case ${timed_enable} in
	[Yy][Ee][Ss])
		echo -n ' timed'
		timed ${timed_flags}
		;;
	esac

	# Everything RPC-based is nested under portmap_enable, so none of
	# it starts unless rpcbind does.
	case ${portmap_enable} in
	[Yy][Ee][Ss])
		echo -n ' rpcbind'
		${portmap_program:-/usr/sbin/rpcbind} ${portmap_flags}

		# NIS server side: ypserv, plus rpc.ypxfrd and rpc.yppasswdd,
		# which belong on the NIS master only.
		#
		case ${nis_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypserv'
			ypserv ${nis_server_flags}

			case ${nis_ypxfrd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.ypxfrd'
				rpc.ypxfrd ${nis_ypxfrd_flags}
				;;
			esac

			case ${nis_yppasswdd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.yppasswdd'
				rpc.yppasswdd ${nis_yppasswdd_flags}
				;;
			esac
			;;
		esac

		# NIS client side: ypbind, optionally followed by ypset.
		#
		case ${nis_client_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypbind'
			ypbind ${nis_client_flags}
			case ${nis_ypset_enable} in
			[Yy][Ee][Ss])
				echo -n ' ypset'
				ypset ${nis_ypset_flags}
				;;
			esac
			;;
		esac

		# Secure RPC: key server.
		#
		case ${keyserv_enable} in
		[Yy][Ee][Ss])
			echo -n ' keyserv'
			keyserv ${keyserv_flags}
			;;
		esac

		# Secure RPC on the NIS master: ypupdated.
		#
		case ${rpc_ypupdated_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypupdated'
			rpc.ypupdated
			;;
		esac
		;;
	esac

	# Start ATM daemons
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}
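# network_pass3: start the final set of network daemons.
#
# Under portmap_enable: NFS server (mountd, nfsd, rpc.statd, rpc.lockd) or a
# stand-alone mountd, NFS client tuning and amd, and rpc.umntall cleanup.
# Then rwhod, the Kerberos IV/5 servers, pppoed, and creation of any missing
# ssh host keys.
#
# Globals:  reads the *_enable, *_flags and server-path variables used
#           below; may set nfs_client_enable=NO; sets
#           network_pass3_done=YES.
# Outputs:  progress messages on stdout.
network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${portmap_enable} in
	[Yy][Ee][Ss])
		case ${nfs_server_enable} in
		[Yy][Ee][Ss])
			# Handle absent nfs server support
			nfsserver_in_kernel=0
			if sysctl vfs.nfsrv >/dev/null 2>&1; then
				nfsserver_in_kernel=1
			else
				kldload nfsserver && nfsserver_in_kernel=1
			fi

			if [ -r /etc/exports ] && \
			    [ "${nfsserver_in_kernel}" -eq 1 ]; then
				echo -n ' mountd'

				# weak_mountd_authentication adds -n to the
				# mountd flags.
				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="${mountd_flags} -n"
					;;
				esac

				mountd ${mountd_flags}

				case ${nfs_reserved_port_only} in
				[Yy][Ee][Ss])
					echo -n ' NFS on reserved port only=YES'
					sysctl vfs.nfsrv.nfs_privport=1 > /dev/null
					;;
				esac

				echo -n ' nfsd'
				nfsd ${nfs_server_flags}

				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd'
					rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd'
					rpc.lockd
					;;
				esac
			else
				echo -n ' Warning: nfs server failed'
			fi
			;;
		*)
			case ${single_mountd_enable} in
			[Yy][Ee][Ss])
				if [ -r /etc/exports ]; then
					echo -n ' mountd'

					# Append -n as the NFS-server branch
					# does; assigning "-n" outright threw
					# away any mountd_flags from rc.conf.
					case ${weak_mountd_authentication} in
					[Yy][Ee][Ss])
						mountd_flags="${mountd_flags} -n"
						;;
					esac

					mountd ${mountd_flags}
				fi
				;;
			esac
			;;
		esac

		case ${nfs_client_enable} in
		[Yy][Ee][Ss])
			nfsclient_in_kernel=0
			# Handle absent nfs client support
			if sysctl vfs.nfs >/dev/null 2>&1; then
				nfsclient_in_kernel=1
			else
				kldload nfsclient && nfsclient_in_kernel=1
			fi

			if [ "${nfsclient_in_kernel}" -eq 1 ]; then
				if [ -n "${nfs_access_cache}" ]; then
					echo -n " NFS access cache time=${nfs_access_cache}"
					sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
				fi
				if [ -n "${nfs_bufpackets}" ]; then
					sysctl vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null
				fi
				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd'
					rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd'
					rpc.lockd
					;;
				esac

				case ${amd_enable} in
				[Yy][Ee][Ss])
					echo -n ' amd'
					case ${amd_map_program} in
					[Nn][Oo] | '')
						;;
					*)
						# amd_map_program is a command line
						# from rc.conf; it is run as root
						# and its output becomes amd flags.
						amd_flags="${amd_flags} $(eval ${amd_map_program})"
						;;
					esac

					if [ -n "${amd_flags}" ]; then
						amd -p ${amd_flags} \
							> /var/run/amd.pid 2> /dev/null
					else
						amd 2> /dev/null
					fi
					;;
				esac
			else
				echo 'Warning: NFS client kernel module failed to load'
				nfs_client_enable=NO
			fi
			;;
		esac

		# If /var/db/mounttab exists, some nfs-server has not been
		# successfully notified about a previous client shutdown.
		# If there is no /var/db/mounttab, we do nothing.
		if [ -f /var/db/mounttab ]; then
			rpc.umntall -k
		fi

		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod'
		rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos servers run ONLY on the Kerberos server machine
	case ${kerberos4_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash=-n
			;;
		*)
			stash=
			;;
		esac

		echo -n ' kerberosIV'
		${kerberos4_server} ${stash} >> /var/log/kerberos.log &

		case ${kadmind4_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmindIV'
			# kadmind is started 20 seconds after the Kerberos
			# server, from a background subshell that expanded
			# ${stash} when it was forked.
			(
				sleep 20
				${kadmind4_server} ${stash} >/dev/null 2>&1 &
			) &
			;;
		esac
		# The variable assigned above is "stash"; unsetting
		# "stash_flag" left it behind in the rc environment.
		unset stash
		;;
	esac

	case ${kerberos5_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' kerberos5'
		${kerberos5_server} &

		case ${kadmind5_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind5'
			${kadmind5_server} &
			;;
		esac
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed'
		# Globbing is switched off while the flags are expanded, so
		# they are word-split but not matched against file names;
		# the saved option set is restored afterwards.
		_opts=$-; set -f
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		set +f; set -${_opts}
		;;
	esac

	case ${sshd_enable} in
	[Yy][Ee][Ss])
		# Host keys are generated only when missing, and with an
		# empty passphrase (-N ""), so file permissions under /etc/ssh
		# are the only protection for the private keys.
		if [ ! -f /etc/ssh/ssh_host_key ]; then
			echo ' creating ssh RSA host key'
			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
		fi
		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
			echo ' creating ssh DSA host key'
			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}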
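# network_pass4: apply the log_in_vain setting to TCP and UDP.
#
# Globals:  log_in_vain (read, normalised to an integer);
#           sets network_pass4_done=YES.
# Outputs:  progress message on stdout.
#
# log_in_vain may be NO/empty (0), YES (1) or a non-negative integer.
# Anything else is reported and treated as 0.
network_pass4() {
	echo -n 'Additional TCP options:'
	case ${log_in_vain} in
	[Nn][Oo] | '')
		log_in_vain=0
		;;
	[Yy][Ee][Ss])
		log_in_vain=1
		;;
	*[!0-9]*)
		# Any non-digit makes the value invalid.  The former
		# `[0-9]*` pattern only checked the first character, so a
		# value such as "1x" reached the numeric test and sysctl.
		echo " invalid log_in_vain setting: ${log_in_vain}"
		log_in_vain=0
		;;
	esac

	if [ "${log_in_vain}" -ne 0 ]; then
		echo -n " log_in_vain=${log_in_vain}"
		sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
		sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
	fi
	echo '.'
	network_pass4_done=YES
}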
# network_gif_setup: create and configure the gif tunnels listed in
# gif_interfaces.
#
# Globals:  gif_interfaces (read), gifconfig_<ifn> (read through eval);
#           i and peers are left set, as there is no local scope here.
#
# For each interface with a non-empty gifconfig_<ifn>, the interface is
# created (errors ignored) and its tunnel endpoints set.  The interface
# name becomes part of an eval'd variable name, so gif_interfaces must
# contain only valid identifier characters.
network_gif_setup() {
	# Nothing to do when the list is unset, empty or NO.
	case ${gif_interfaces} in
	[Nn][Oo] | '')
		return 0
		;;
	esac

	for i in ${gif_interfaces}; do
		eval peers=\$gifconfig_$i
		if [ -z "${peers}" ]; then
			continue
		fi
		ifconfig $i create >/dev/null 2>&1
		ifconfig $i tunnel ${peers}
	done
}
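# convert_host_conf: build an nsswitch.conf "hosts:" line from a legacy
# host.conf.
#
# Arguments: $1 - host.conf to read
#            $2 - nsswitch.conf to write (truncated)
# Outputs:   a warning on stderr for each unrecognised line.
#
# Fixes relative to the earlier version:
#  - comment lines are matched with a real blank class; `[:blank:]` outside
#    a bracket expression matched the letters ":blank" instead, so indented
#    comments were parsed as sources;
#  - sources are emitted in file order (`for (i in array)` has no defined
#    order), which matters because the order is the lookup order;
#  - the warning ends with a newline, and both paths are quoted.
convert_host_conf() {
	host_conf=$1; shift
	nsswitch_conf=$1; shift
	awk '
	BEGIN                { c = 0 }
	/^[ \t]*#/           { next }
	/(hosts|local|file)/ { nsswitch[c++] = "files"; next }
	/(dns|bind)/         { nsswitch[c++] = "dns";   next }
	/nis/                { nsswitch[c++] = "nis";   next }
	{ printf "Warning: unrecognized line [%s]\n", $0 > "/dev/stderr" }
	END {
		printf "hosts: "
		for (i = 0; i < c; i++)
			printf "%s ", nsswitch[i]
		printf "\n"
	}' < "$host_conf" > "$nsswitch_conf"
}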
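# generate_host_conf: derive a legacy host.conf from the "hosts:" entry of
# nsswitch.conf.
#
# Arguments: $1 - nsswitch.conf to read
#            $2 - host.conf to write (truncated)
#
# The awk program collects the sources on the hosts: line, following
# backslash continuations and dropping # comments, then prints one
# host.conf keyword per recognised source (files -> hosts, dns -> bind,
# nis -> nis).  Unrecognised tokens, including bracketed criteria, are
# skipped.  Both paths are quoted so a path containing whitespace is
# treated as a single file name.
generate_host_conf() {
	nsswitch_conf=$1; shift
	host_conf=$1; shift

	awk '
	BEGIN {
		xlat["files"] = "hosts"
		xlat["dns"] = "bind"
		xlat["nis"] = "nis"
		cont = 0
	}
	# Runs for the hosts: line (prefix stripped by sub) and for any
	# continuation lines that follow it.
	sub(/^[\t ]*hosts:/, "") || cont {
		if (!cont)
			srcs = ""
		sub(/#.*/, "")
		# Pad brackets with spaces so they split into their own tokens.
		gsub(/[][]/, " & ")
		# A trailing backslash means the entry continues on the next line.
		cont = sub(/\\$/, "")
		srcs = srcs " " $0
	}
	END {
		print "# Auto-generated from nsswitch.conf, do not edit"
		ns = split(srcs, s)
		for (n = 1; n <= ns; ++n) {
			if (s[n] in xlat)
				print xlat[s[n]]
		}
	}
	' < "$nsswitch_conf" > "$host_conf"
}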
951