netoptions revision 66745
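#!/bin/sh -
#
# $FreeBSD: head/etc/rc.d/netoptions 66745 2000-10-06 12:24:45Z darrenr $
#	From: @(#)netstart	5.9 (Berkeley) 3/30/91

# Note that almost all of the user-configurable behavior is no longer in
# this file, but rather in /etc/defaults/rc.conf.  Please check that file
# first before contemplating any changes here.  If you do need to change
# this file for some reason, we would like to know about it.
#
# This file only defines functions; nothing runs at source time.  Every
# *_enable / *_flags / *_program variable read below is expected to have
# been set by the caller (normally from rc.conf), and each pass records
# completion in network_passN_done.  Values from rc.conf are treated as
# trusted shell text in several places (the eval calls, the su -c command
# string, amd_map_program); they are configuration, not data.

# First pass startup stuff.
#
# Does hostname, ipfilter/ipnat, NIS domain, ATM pass 1, sppp, interface
# configuration (including DHCP and aliases), ISDN, user ppp, ipfw plus
# natd, static routes, the IP/TCP/ICMP sysctl toggles, IPsec SPD loading
# and the routing daemons.  Sets firewall_in_kernel, firewall_script (if
# unset), static_routes / route_default, and forces ipfilter_enable to NO
# when no readable ruleset exists.  Sets network_pass1_done=YES at the end.
#
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Convert host.conf to nsswitch.conf if necessary
	if [ -f "/etc/host.conf" ]; then
		echo ""
		echo "Warning: /etc/host.conf is no longer used"
		if [ -f "/etc/nsswitch.conf" ]; then
			echo " /etc/nsswitch.conf will be used instead"
		else
			echo " /etc/nsswitch.conf will be created for you"
			convert_host_conf /etc/host.conf /etc/nsswitch.conf
		fi
	fi

	# Set the host name if it is not already set.  ${hostname} is left
	# unquoted on purpose: an empty value must pass no argument.
	#
	if [ -z "$(hostname -s)" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
	#
	case "${ipfilter_enable}" in
	[Yy][Ee][Ss])
		if [ -r "${ipfilter_rules}" ]; then
			echo -n ' ipfilter'
			# The *_program defaults carry flags ("ipf -Fa -f"), so
			# they must stay unquoted to be word-split.
			${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
			case "${ipmon_enable}" in
			[Yy][Ee][Ss])
				echo -n ' ipmon'
				${ipmon_program:-ipmon} ${ipmon_flags}
				;;
			esac
			case "${ipnat_enable}" in
			[Yy][Ee][Ss])
				if [ -r "${ipnat_rules}" ]; then
					echo -n ' ipnat'
					${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
				else
					echo -n ' NO IPNAT RULES'
				fi
				;;
			esac
		else
			# No ruleset was loaded; downgrade the global so
			# anything checking ipfilter_enable later sees that.
			ipfilter_enable="NO"
			echo -n ' NO IPF RULES'
		fi
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		# Indirect lookup of spppconfig_<ifn> (no ${!var} in sh).
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.  The value is therefore executed as shell
			# text, so it must only ever come from rc.conf.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="$(ifconfig -l)"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_${ifn}=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="${dhcp_interfaces} ${ifn}"
			eval showstat_${ifn}=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_${ifn}=1
			;;
		esac
	done

	if [ -n "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added; ifconfig_<ifn>_alias0,
		# _alias1, ... are consumed until the first one that is unset.
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_${ifn}=1
				alias=$((alias + 1))
			else
				break
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_${ifn}=1
		fi
	done

	# Show every interface we touched.
	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		if [ -n "${showstat}" ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode: anything other than the four known
		# modes falls back to auto.
		#
		case ${ppp_mode} in
		ddial|direct|dedicated|background)
			;;
		*)
			ppp_mode="auto"
			;;
		esac

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		echo -n "Starting ppp as \"${ppp_user}\""
		# The whole command string is parsed by the shell su spawns,
		# so ppp_profile is shell text here, not a single argument.
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Initialize IP filtering using ipfw.  A successful flush proves
	# ipfw is in the running kernel.
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo "Kernel firewall module loaded."
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo "Warning: firewall kernel module failed to load."
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						# A dotted-quad means "-a <address>",
						# anything else is an interface name.
						if printf '%s\n' "${natd_interface}" | \
						    grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
							natd_ifarg="-a ${natd_interface}"
						else
							natd_ifarg="-n ${natd_interface}"
						fi

						echo -n ' natd'
						${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
					fi
					;;
				esac

				echo '.'

			# Rules enabled but the script is unreadable: if the
			# kernel default rule is deny-all, warn that nothing
			# will get through.
			elif [ "$(ipfw l 65535)" = "65535 deny ip from any to any" ]; then
				echo -n "Warning: kernel has firewall functionality, "
				echo "but firewall rules are not enabled."
				echo " All ip services are disabled."
			fi

			# Logging defaults to on when firewall_logging is unset.
			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	echo -n 'Additional routing options:'
	# tcp_extensions defaults to YES; only an explicit non-YES disables
	# RFC1323.
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl -w net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl -w net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl -w net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Yy][Ee][Ss])
		echo -n ' TCP keepalive=YES'
		sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
		;;
	esac

	case ${tcp_restrict_rst} in
	[Yy][Ee][Ss])
		echo -n ' restrict TCP reset=YES'
		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	# Double quotes here so the configured value is actually printed.
	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=${ip_portrange_first}"
		sysctl -w net.inet.ip.portrange.first="${ip_portrange_first}" >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=${ip_portrange_last}"
		sysctl -w net.inet.ip.portrange.last="${ip_portrange_last}" >/dev/null
		;;
	esac

	echo '.'

	# Quoted so an unset ipsec_file is reported as "file not found"
	# instead of running setkey -f with no argument.
	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		if [ -f "${ipsec_file}" ]; then
			echo ' ipsec: enabled'
			setkey -f "${ipsec_file}"
		else
			echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}"
		${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted'
		mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd'
		rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}

# Second pass: name service, time, portmap, NIS (server and client),
# Secure RPC daemons and ATM pass 3.  Sets network_pass2_done=YES.
#
network_pass2() {
	echo -n 'Doing additional network setup:'
	case ${named_enable} in
	[Yy][Ee][Ss])
		echo -n ' named'
		${named_program:-named} ${named_flags}
		;;
	esac

	case ${ntpdate_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	case ${xntpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpd'
		${xntpd_program:-ntpd} ${xntpd_flags}
		;;
	esac

	case ${timed_enable} in
	[Yy][Ee][Ss])
		echo -n ' timed'
		timed ${timed_flags}
		;;
	esac

	case ${portmap_enable} in
	[Yy][Ee][Ss])
		echo -n ' portmap'
		${portmap_program:-/usr/sbin/portmap} ${portmap_flags}
		;;
	esac

	# Start ypserv if we're an NIS server.
	# Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server.
	#
	case ${nis_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' ypserv'
		ypserv ${nis_server_flags}

		case ${nis_ypxfrd_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypxfrd'
			rpc.ypxfrd ${nis_ypxfrd_flags}
			;;
		esac

		case ${nis_yppasswdd_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.yppasswdd'
			rpc.yppasswdd ${nis_yppasswdd_flags}
			;;
		esac
		;;
	esac

	# Start ypbind if we're an NIS client
	#
	case ${nis_client_enable} in
	[Yy][Ee][Ss])
		echo -n ' ypbind'
		ypbind ${nis_client_flags}
		case ${nis_ypset_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypset'
			ypset ${nis_ypset_flags}
			;;
		esac
		;;
	esac

	# Start keyserv if we are running Secure RPC
	#
	case ${keyserv_enable} in
	[Yy][Ee][Ss])
		echo -n ' keyserv'
		keyserv ${keyserv_flags}
		;;
	esac

	# Start ypupdated if we are running Secure RPC and we are NIS master
	#
	case ${rpc_ypupdated_enable} in
	[Yy][Ee][Ss])
		echo -n ' rpc.ypupdated'
		rpc.ypupdated
		;;
	esac

	# Start ATM daemons
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}

# Third pass: NFS server/client, stale-mount notification, amd, rwhod,
# Kerberos, pppoed and sshd host-key generation.  May modify
# mountd_flags, amd_flags and pppoed_flags in place.  Sets
# network_pass3_done=YES.
#
network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${nfs_server_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/exports ]; then
			echo -n ' mountd'

			# -n lets mountd accept requests from non-reserved
			# ports; only add it when explicitly asked for.
			case ${weak_mountd_authentication} in
			[Yy][Ee][Ss])
				mountd_flags="${mountd_flags} -n"
				;;
			esac

			mountd ${mountd_flags}

			case ${nfs_reserved_port_only} in
			[Yy][Ee][Ss])
				echo -n ' NFS on reserved port only=YES'
				sysctl -w vfs.nfs.nfs_privport=1 >/dev/null
				;;
			esac

			echo -n ' nfsd'
			nfsd ${nfs_server_flags}

			if [ -n "${nfs_bufpackets}" ]; then
				sysctl -w vfs.nfs.bufpackets="${nfs_bufpackets}" \
				    > /dev/null
			fi

			case ${rpc_lockd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.lockd'
				rpc.lockd
				;;
			esac

			case ${rpc_statd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.statd'
				rpc.statd
				;;
			esac
		fi
		;;
	*)
		# Not an NFS server, but mountd alone may still be wanted.
		case ${single_mountd_enable} in
		[Yy][Ee][Ss])
			if [ -r /etc/exports ]; then
				echo -n ' mountd'

				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="-n"
					;;
				esac

				mountd ${mountd_flags}
			fi
			;;
		esac
		;;
	esac

	case ${nfs_client_enable} in
	[Yy][Ee][Ss])
		echo -n ' nfsiod'
		nfsiod ${nfs_client_flags}
		if [ -n "${nfs_access_cache}" ]; then
			echo -n " NFS access cache time=${nfs_access_cache}"
			sysctl -w vfs.nfs.access_cache_timeout="${nfs_access_cache}" \
			    >/dev/null
		fi
		;;
	esac

	# If /var/db/mounttab exists, some nfs-server has not been
	# successfully notified about a previous client shutdown.
	# If there is no /var/db/mounttab, we do nothing.
	if [ -f /var/db/mounttab ]; then
		rpc.umntall -k
	fi

	case ${amd_enable} in
	[Yy][Ee][Ss])
		echo -n ' amd'
		# amd_map_program is a command whose output is appended to
		# amd_flags; it is executed as shell text via eval.
		case ${amd_map_program} in
		[Nn][Oo] | '')
			;;
		*)
			amd_flags="${amd_flags} $(eval ${amd_map_program})"
			;;
		esac

		if [ -n "${amd_flags}" ]; then
			amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null
		else
			amd 2> /dev/null
		fi
		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod'
		rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos runs ONLY on the Kerberos server machine
	case ${kerberos_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash_flag=-n
			;;
		*)
			stash_flag=
			;;
		esac

		echo -n ' kerberos'
		kerberos ${stash_flag} >> /var/log/kerberos.log &

		case ${kadmind_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind'
			# Give the kerberos server a head start before kadmind.
			(sleep 20; kadmind ${stash_flag} >/dev/null 2>&1 &) &
			;;
		esac
		unset stash_flag
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed'
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		;;
	esac

	# Host keys are generated without a passphrase because sshd must
	# read them unattended at boot.
	case ${sshd_enable} in
	[Yy][Ee][Ss])
		if [ ! -f /etc/ssh/ssh_host_key ]; then
			echo ' creating ssh RSA host key'
			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
		fi
		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
			echo ' creating ssh DSA host key'
			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}

# Fourth pass: log connection attempts to unused ports when log_in_vain
# is set to anything but NO.  Sets network_pass4_done=YES.
#
network_pass4() {
	echo -n 'Additional TCP options:'
	case ${log_in_vain} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n ' log_in_vain=YES'
		sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null
		sysctl -w net.inet.udp.log_in_vain=1 >/dev/null
		;;
	esac

	echo '.'
	network_pass4_done=YES
}

# Translate an old-style host.conf into a one-line nsswitch.conf.
#
# Arguments: $1 - path of the host.conf to read
#            $2 - path of the nsswitch.conf to write (overwritten)
# Outputs:   "hosts: <sources> " to $2, one source per recognised line,
#            in the order the lines appear; a warning per unrecognised
#            line on stderr.
#
convert_host_conf() {
	host_conf=$1; shift
	nsswitch_conf=$1; shift
	# c is initialised explicitly so the array is indexed 0..c-1 and can
	# be replayed in input order (for-in order is unspecified in awk).
	awk '
		BEGIN { c = 0 }
		/^[[:blank:]]*#/ { next }
		/(hosts|local|file)/ { nsswitch[c] = "files"; c++; next }
		/(dns|bind)/ { nsswitch[c] = "dns"; c++; next }
		/nis/ { nsswitch[c] = "nis"; c++; next }
		{ printf "Warning: unrecognized line [%s]\n", $0 > "/dev/stderr" }
		END {
			printf "hosts: "
			for (i = 0; i < c; i++) printf "%s ", nsswitch[i]
			printf "\n"
		}' < "${host_conf}" > "${nsswitch_conf}"
}
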