#!/bin/sh -
#
# Copyright (c) 1993  The FreeBSD Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: head/etc/rc.d/routing 92184 2002-03-12 20:25:25Z cjc $
#	From: @(#)netstart	5.9 (Berkeley) 3/30/91
#

# Note that almost all of the user-configurable behavior is no longer in
# this file, but rather in /etc/defaults/rc.conf.  Please check that file
# first before contemplating any changes here.  If you do need to change
# this file for some reason, we would like to know about it.

# First pass startup stuff.
#
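# network_pass1 - first network start-up pass.
#
# Runs, in this order: host.conf/nsswitch.conf compatibility handling,
# hostname, IP Filter (ipmon, ipf, ipnat, ipfs), NIS domain name, ATM
# pass 1, cloned interfaces, sppp(4) options, gif tunnels, interface
# configuration (static, DHCP, aliases, IPX), ISDN, user ppp, ipf re-sync,
# ipfw and natd, ATM pass 2, static routes, routing-related sysctls, the
# IPsec policy file and the routing daemons.
#
# Globals:   reads the *_enable, *_flags, *_program, ifconfig_* and route_*
#            variables referenced below; sets network_pass1_done=YES last.
# Outputs:   progress and warning messages on stdout.
#
# The configuration variables are expanded unquoted, and in several places
# passed through eval or used as the path of a sourced file, so whatever
# sets them is executed with the privileges of this script.
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Generate host.conf for compatibility
	#
	if [ -f "/etc/nsswitch.conf" ]; then
		echo -n ' host.conf'
		generate_host_conf /etc/nsswitch.conf /etc/host.conf
	fi

	# Convert host.conf to nsswitch.conf if necessary
	#
	if [ -f "/etc/host.conf" ] && [ ! -f "/etc/nsswitch.conf" ]; then
		echo ''
		echo 'Warning: /etc/host.conf is no longer used'
		echo '  /etc/nsswitch.conf will be created for you'
		convert_host_conf /etc/host.conf /etc/nsswitch.conf
	fi

	# Set the host name if it is not already set
	#
	if [ -z "$(hostname -s)" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)

	# check whether ipfilter and/or ipnat is enabled
	ipfilter_active="NO"
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipnat_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		# load ipfilter kernel module if needed
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				# Boot continues after this warning with all
				# four knobs forced to NO, i.e. without any
				# IP Filter rules being loaded below.
				echo 'Warning: IP-filter module failed to load.'
				# avoid further errors
				ipmon_enable="NO"
				ipfilter_enable="NO"
				ipnat_enable="NO"
				ipfs_enable="NO"
			fi
		fi
		# start ipmon before loading any rules
		case "${ipmon_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ipmon'
			${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
			;;
		esac
		case "${ipfilter_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipfilter_rules}" ]; then
				echo -n ' ipfilter'
				${ipfilter_program:-/sbin/ipf} -Fa -f \
				    "${ipfilter_rules}" ${ipfilter_flags}
			else
				# An unreadable rules file only yields this
				# console note; filtering is switched off
				# for the rest of the pass.
				ipfilter_enable="NO"
				echo -n ' NO IPF RULES'
			fi
			;;
		esac
		case "${ipnat_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipnat_rules}" ]; then
				echo -n ' ipnat'
				# NOTE(review): this is the only filter tool
				# started through eval, so ipnat_program,
				# ipnat_rules and ipnat_flags are parsed by
				# the shell a second time.
				eval ${ipnat_program:-/sbin/ipnat} -CF -f \
				    "${ipnat_rules}" ${ipnat_flags}
			else
				ipnat_enable="NO"
				echo -n ' NO IPNAT RULES'
			fi
			;;
		esac
		# restore filter/NAT state tables after loading the rules
		case "${ipfs_enable}" in
		[Yy][Ee][Ss])
			if [ -r "/var/db/ipf/ipstate.ipf" ]; then
				echo -n ' ipfs'
				${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
				# remove files to avoid reloading old state
				# after an ungraceful shutdown
				rm -f /var/db/ipf/ipstate.ipf
				rm -f /var/db/ipf/ipnat.ipf
			fi
			;;
		esac
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Attempt to create cloned interfaces.
	for ifn in ${cloned_interfaces}; do
		ifconfig ${ifn} create
	done

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.  The secrets therefore end up on the
			# spppcontrol command line.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# gifconfig
	network_gif_setup

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="$(ifconfig -l)"
		;;
	*)
		network_interfaces="${network_interfaces} ${cloned_interfaces}"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		# A readable /etc/start_if.<ifn> is sourced into this shell.
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	if [ -n "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_$ifn=1
				alias=$((${alias} + 1))
			else
				break;
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		# Quoted: the unquoted "! -z" form only gave the right
		# answer for an empty value by accident of test(1) parsing.
		if [ -n "${showstat}" ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode: anything other than the four
		# explicit modes falls back to "auto".
		#
		case ${ppp_mode} in
		ddial | direct | dedicated | background)
			;;
		*)
			ppp_mode="auto"
			;;
		esac

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		echo "Starting ppp as \"${ppp_user}\""
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Re-Sync ipfilter so it picks up any new network interfaces
	#
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
		;;
	esac

	# Initialize IP filtering using ipfw
	#
	# NOTE(review): the "is ipfw in the kernel" probe is a flush, so it
	# also empties the current ruleset whatever firewall_enable says.
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				# The rules script is sourced into this shell.
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						# A dotted-numeric value is
						# passed with -a, anything
						# else with -n.
						if echo ${natd_interface} | \
							grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
							natd_flags="$natd_flags -a ${natd_interface}"
						else
							natd_flags="$natd_flags -n ${natd_interface}"
						fi
					fi
					echo -n ' natd'
					${natd_program:-/sbin/natd} ${natd_flags}
					;;
				esac

				echo '.'

			# Only the default-deny case is reported: with an
			# unreadable script and any other rule 65535 nothing
			# is printed and no rules are loaded.
			elif [ "$(ipfw l 65535)" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				     'but firewall rules are not enabled.'
				echo '		 All ip services are disabled.'
			fi

			# An unset firewall_logging counts as YES.
			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	# Each knob below only writes its sysctl when it has the listed
	# value; any other value leaves the sysctl untouched.
	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Nn][Oo])
		echo -n ' TCP keepalive=NO'
		sysctl net.inet.tcp.always_keepalive=0 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=$ip_portrange_first"
		sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=$ip_portrange_last"
		sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
		;;
	esac

	echo '.'

	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		# Quoted so that an empty ipsec_file fails the test.  Unquoted,
		# "[ -f ]" is true, which printed 'ipsec: enabled' and ran
		# setkey -f without a policy file.
		if [ -f "${ipsec_file}" ]; then
		    echo ' ipsec: enabled'
		    setkey -f "${ipsec_file}"
		else
		    echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'Routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}"
		${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted'
		mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd'
		rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}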
# network_pass2 - second network start-up pass.
#
# Starts the name server, the time daemons and, when portmap_enable is
# set, rpcbind followed by the NIS and Secure RPC daemons.  Each daemon
# runs only when its *_enable variable matches YES (any case).  Calls
# atm_pass3 when atm_pass2_done is non-empty.
#
# Globals:   reads the *_enable, *_program and *_flags variables below;
#            sets network_pass2_done=YES.
# Outputs:   one word per started daemon on stdout.
network_pass2() {
	echo -n 'Doing additional network setup:'

	case "${named_enable}" in
	[Yy][Ee][Ss])
		echo -n ' named'
		${named_program:-named} ${named_flags}
		;;
	esac

	# One-shot clock set; its output is discarded.
	case "${ntpdate_enable}" in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	case "${xntpd_enable}" in
	[Yy][Ee][Ss])
		echo -n ' ntpd'
		${xntpd_program:-ntpd} ${xntpd_flags}
		;;
	esac

	case "${timed_enable}" in
	[Yy][Ee][Ss])
		echo -n ' timed'
		timed ${timed_flags}
		;;
	esac

	# Everything in this arm is started only when portmap_enable is YES.
	case "${portmap_enable}" in
	[Yy][Ee][Ss])
		echo -n ' rpcbind'
		${portmap_program:-/usr/sbin/rpcbind} ${portmap_flags}

		# NIS server: ypserv, plus rpc.ypxfrd and rpc.yppasswdd,
		# which are meant for the NIS master only.
		case "${nis_server_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ypserv'
			ypserv ${nis_server_flags}

			case "${nis_ypxfrd_enable}" in
			[Yy][Ee][Ss])
				echo -n ' rpc.ypxfrd'
				rpc.ypxfrd ${nis_ypxfrd_flags}
				;;
			esac

			case "${nis_yppasswdd_enable}" in
			[Yy][Ee][Ss])
				echo -n ' rpc.yppasswdd'
				rpc.yppasswdd ${nis_yppasswdd_flags}
				;;
			esac
			;;
		esac

		# NIS client: ypbind, optionally followed by ypset.
		case "${nis_client_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ypbind'
			ypbind ${nis_client_flags}

			case "${nis_ypset_enable}" in
			[Yy][Ee][Ss])
				echo -n ' ypset'
				ypset ${nis_ypset_flags}
				;;
			esac
			;;
		esac

		# Secure RPC key server.
		case "${keyserv_enable}" in
		[Yy][Ee][Ss])
			echo -n ' keyserv'
			keyserv ${keyserv_flags}
			;;
		esac

		# ypupdated: Secure RPC on the NIS master.
		case "${rpc_ypupdated_enable}" in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypupdated'
			rpc.ypupdated
			;;
		esac
		;;
	esac

	# ATM daemons, only after ATM pass 2 has completed.
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}
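# network_pass3 - third network start-up pass.
#
# When portmap_enable is YES: starts the NFS server side (mountd, nfsd,
# rpc.statd, rpc.lockd) or a stand-alone mountd, then the NFS client side
# (sysctls, rpc.statd, rpc.lockd, amd), then rpc.umntall if
# /var/db/mounttab exists.  Afterwards starts rwhod, the Kerberos IV and 5
# servers and pppoed, and creates missing ssh host keys.
#
# Globals:   reads the *_enable, *_flags and *_server variables below;
#            may modify mountd_flags, amd_flags, pppoed_flags and
#            nfs_client_enable; sets network_pass3_done=YES.
# Outputs:   one word per started daemon, plus warnings, on stdout.
network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${portmap_enable} in
	[Yy][Ee][Ss])
		case ${nfs_server_enable} in
		[Yy][Ee][Ss])
			# Handle absent nfs server support
			nfsserver_in_kernel=0
			if sysctl vfs.nfsrv >/dev/null 2>&1; then
				nfsserver_in_kernel=1
			else
				kldload nfsserver && nfsserver_in_kernel=1
			fi

			if [ -r /etc/exports ] &&
			    [ "${nfsserver_in_kernel}" -eq 1 ]; then
				echo -n ' mountd'

				# weak_mountd_authentication appends -n to
				# the mountd flags.
				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="${mountd_flags} -n"
					;;
				esac

				mountd ${mountd_flags}

				case ${nfs_reserved_port_only} in
				[Yy][Ee][Ss])
					echo -n ' NFS on reserved port only=YES'
					sysctl vfs.nfsrv.nfs_privport=1 > /dev/null
					;;
				esac

				echo -n ' nfsd'
				nfsd ${nfs_server_flags}

				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd'
					rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd'
					rpc.lockd
					;;
				esac
			else
				echo -n ' Warning: nfs server failed'
			fi
			;;
		*)
			case ${single_mountd_enable} in
			[Yy][Ee][Ss])
				if [ -r /etc/exports ]; then
					echo -n ' mountd'

					# Append -n as the NFS server branch
					# does; assigning "-n" outright
					# discarded the configured
					# mountd_flags.
					case ${weak_mountd_authentication} in
					[Yy][Ee][Ss])
						mountd_flags="${mountd_flags} -n"
						;;
					esac

					mountd ${mountd_flags}
				fi
				;;
			esac
			;;
		esac

		case ${nfs_client_enable} in
		[Yy][Ee][Ss])
			nfsclient_in_kernel=0
			# Handle absent nfs client support
			if sysctl vfs.nfs >/dev/null 2>&1; then
				nfsclient_in_kernel=1
			else
				kldload nfsclient && nfsclient_in_kernel=1
			fi

			if [ "${nfsclient_in_kernel}" -eq 1 ]; then
				if [ -n "${nfs_access_cache}" ]; then
					echo -n " NFS access cache time=${nfs_access_cache}"
					sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
				fi
				if [ -n "${nfs_bufpackets}" ]; then
					sysctl vfs.nfs.bufpackets=${nfs_bufpackets} > /dev/null
				fi
				# NOTE(review): rpc.statd and rpc.lockd are
				# also started in the NFS server branch
				# above, so with both nfs_server_enable and
				# nfs_client_enable set they are invoked
				# twice.
				case ${rpc_statd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.statd'
					rpc.statd
					;;
				esac

				case ${rpc_lockd_enable} in
				[Yy][Ee][Ss])
					echo -n ' rpc.lockd'
					rpc.lockd
					;;
				esac

				case ${amd_enable} in
				[Yy][Ee][Ss])
					echo -n ' amd'
					case ${amd_map_program} in
					[Nn][Oo] | '')
						;;
					*)
						# amd_map_program is run
						# through eval and its output
						# is appended to the amd
						# flags.
						amd_flags="${amd_flags} $(eval ${amd_map_program})"
						;;
					esac

					amd -p ${amd_flags} > /var/run/amd.pid \
						2> /dev/null &
					;;
				esac
			else
				echo 'Warning: NFS client kernel module failed to load'
				nfs_client_enable=NO
			fi
			;;
		esac

		# If /var/db/mounttab exists, some nfs-server has not been
		# successfully notified about a previous client shutdown.
		# If there is no /var/db/mounttab, we do nothing.
		if [ -f /var/db/mounttab ]; then
			rpc.umntall -k
		fi

		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod'
		rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos servers run ONLY on the Kerberos server machine
	case ${kerberos4_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash=-n
			;;
		*)
			stash=
			;;
		esac

		echo -n ' kerberosIV'
		${kerberos4_server} ${stash} >> /var/log/kerberos.log &

		case ${kadmind4_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmindIV'
			# kadmind is launched from a background subshell
			# after a 20 second delay.
			(
				sleep 20;
				${kadmind4_server} ${stash} >/dev/null 2>&1 &
			) &
			;;
		esac
		# The helper variable is "stash"; the old "unset stash_flag"
		# named a variable that is never set, so stash leaked out
		# of this function.
		unset stash
		;;
	esac

	case ${kerberos5_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' kerberos5'
		${kerberos5_server} &

		case ${kadmind5_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind5'
			${kadmind5_server} &
			;;
		esac
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed';
		# Pathname expansion is switched off around the call so that
		# the flags are passed through without globbing; the saved
		# option letters are restored afterwards.
		_opts=$-; set -f
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		set +f; set -${_opts}
		;;
	esac

	# Only the host keys are created here; sshd itself is not started
	# in this function.  The keys are written with an empty passphrase
	# (-N "").  NOTE(review): SSH protocol 1 RSA keys and DSA keys are
	# legacy key types that current OpenSSH no longer accepts - confirm
	# what the installed sshd expects.
	case ${sshd_enable} in
	[Yy][Ee][Ss])
		if [ ! -f /etc/ssh/ssh_host_key ]; then
			echo ' creating ssh RSA host key';
			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
		fi
		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
			echo ' creating ssh DSA host key';
			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}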
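# network_pass4 - apply the log_in_vain setting to TCP and UDP.
#
# log_in_vain may be NO or empty (treated as 0), YES (treated as 1) or a
# non-negative decimal number.  Anything else is reported and treated as 0.
# A non-zero value is written to net.inet.tcp.log_in_vain and
# net.inet.udp.log_in_vain.
#
# Globals:   log_in_vain (read, normalised in place);
#            sets network_pass4_done=YES.
# Outputs:   progress message on stdout.
network_pass4() {
	echo -n 'Additional TCP options:'
	case ${log_in_vain} in
	[Nn][Oo] | '')
		log_in_vain=0
		;;
	[Yy][Ee][Ss])
		log_in_vain=1
		;;
	*[!0-9]*)
		# Any non-digit makes the value invalid.  The former
		# "[0-9]*" pattern only checked the first character, so a
		# value such as "5x" reached the numeric test below and made
		# it fail with an error.
		echo " invalid log_in_vain setting: ${log_in_vain}"
		log_in_vain=0
		;;
	esac

	if [ "${log_in_vain}" -ne 0 ]; then
		echo -n " log_in_vain=${log_in_vain}"
		sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
		sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
	fi
	echo '.'
	network_pass4_done=YES
}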
# network_gif_setup - create and configure gif tunnel interfaces.
#
# For every name in gif_interfaces that has a non-empty gifconfig_<name>
# value, creates the interface and sets its tunnel endpoints from that
# value.  Does nothing when gif_interfaces is empty or NO.
#
# Globals:   gif_interfaces, gifconfig_<name> (read); i, peers (written).
network_gif_setup() {
	case "${gif_interfaces}" in
	[Nn][Oo] | '')
		return 0
		;;
	esac

	for i in ${gif_interfaces}; do
		eval peers=\$gifconfig_$i
		if [ -z "${peers}" ]; then
			# no endpoints configured for this interface
			continue
		fi
		# The result and output of "create" are discarded.
		ifconfig $i create >/dev/null 2>&1
		ifconfig $i tunnel ${peers}
	done
}
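# convert_host_conf - build an nsswitch.conf "hosts:" line from host.conf.
#
# Arguments: $1 - path of the host.conf file to read
#            $2 - path of the nsswitch.conf file to write (overwritten)
# Outputs:   a warning on stderr for every line that is not recognised.
#
# Lookup sources are written in the order they appear in host.conf.  The
# order decides which source answers a host lookup first, so it must not
# depend on awk's unspecified "for (i in array)" traversal order.
convert_host_conf() {
    host_conf=$1; shift;
    nsswitch_conf=$1; shift;
    awk '
        BEGIN                { c = 0 }
        # "[:blank:]" outside a bracket expression is a plain character
        # set, so indented comment lines were not skipped; use the same
        # explicit blank set as generate_host_conf.
        /^[ \t]*#/           { next }
        /(hosts|local|file)/ { nsswitch[c++] = "files"; next }
        /(dns|bind)/         { nsswitch[c++] = "dns";   next }
        /nis/                { nsswitch[c++] = "nis";   next }
        { printf "Warning: unrecognized line [%s]\n", $0 > "/dev/stderr" }
        END {
                printf "hosts: ";
                for (i = 0; i < c; i++)
                        printf "%s ", nsswitch[i];
                printf "\n";
        }' < "$host_conf" > "$nsswitch_conf"
}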
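# generate_host_conf - derive a legacy host.conf from nsswitch.conf.
#
# Arguments: $1 - path of the nsswitch.conf file to read
#            $2 - path of the host.conf file to write (overwritten)
#
# Takes the "hosts:" entry (including backslash-continued lines), drops
# comments, and prints one host.conf keyword per recognised source:
# files -> hosts, dns -> bind, nis -> nis.  Bracketed criteria and unknown
# sources are left out.  Both paths are quoted in the redirections so
# that a path containing blanks is used as a single file name.
generate_host_conf() {
    nsswitch_conf=$1; shift;
    host_conf=$1; shift;

    awk '
BEGIN {
    xlat["files"] = "hosts";
    xlat["dns"] = "bind";
    xlat["nis"] = "nis";
    cont = 0;
}
# Matches the "hosts:" line itself, or the continuation of one.
sub(/^[\t ]*hosts:/, "") || cont {
    if (!cont)
	srcs = ""
    sub(/#.*/, "")
    # Pad brackets with blanks so they split off as separate words.
    gsub(/[][]/, " & ")
    # A trailing backslash means the entry continues on the next line.
    cont = sub(/\\$/, "")
    srcs = srcs " " $0
}
END {
    print "# Auto-generated from nsswitch.conf, do not edit"
    ns = split(srcs, s)
    for (n = 1; n <= ns; ++n) {
        if (s[n] in xlat)
            print xlat[s[n]]
    }
}
' <"$nsswitch_conf" >"$host_conf"
}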
946