1#!/bin/sh -
2#
3# $FreeBSD: head/etc/rc.d/netoptions 66745 2000-10-06 12:24:45Z darrenr $
4#	From: @(#)netstart	5.9 (Berkeley) 3/30/91
5
6# Note that almost all of the user-configurable behavior is no longer in
7# this file, but rather in /etc/defaults/rc.conf.  Please check that file
8# first before contemplating any changes here.  If you do need to change
9# this file for some reason, we would like to know about it.
10
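# First pass startup stuff: hostname, packet filters, interface
# configuration, routing and the kernel networking sysctls.
#
# Driven entirely by rc.conf variables (see /etc/defaults/rc.conf) read
# from the caller's environment: hostname, ipfilter_*/ipmon_*/ipnat_*,
# nisdomainname, atm_enable, sppp_interfaces/spppconfig_*,
# network_interfaces/ifconfig_*/dhcp_*, isdn_enable, ppp_*, firewall_*,
# natd_*, defaultrouter/static_routes/route_*, the tcp_*/icmp_*/ip_*
# sysctl switches, ipsec_*, router_*, ipxrouted_*, mrouted_* and rarpd_*.
# Progress is written to stdout.  Side effects on the caller's shell:
# network_pass1_done=YES on completion, ipfilter_enable rewritten to NO
# when the ruleset file is unreadable, network_interfaces replaced by the
# kernel's interface list when it was AUTO, and static_routes/route_default
# extended when defaultrouter is set.
#
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Convert host.conf to nsswitch.conf if necessary.  An existing
	# nsswitch.conf always wins; the old file is only used as a template.
	if [ -f "/etc/host.conf" ]; then
		echo ""
		echo "Warning: /etc/host.conf is no longer used"
		if [ -f "/etc/nsswitch.conf" ]; then
			echo "  /etc/nsswitch.conf will be used instead"
		else
			echo "  /etc/nsswitch.conf will be created for you"
			convert_host_conf /etc/host.conf /etc/nsswitch.conf
		fi
	fi

	# Set the host name if it is not already set (e.g. by an earlier
	# boot stage).
	#
	if [ -z "$(hostname -s)" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file).
	# ${ipfilter_program} and friends are deliberately left unquoted so
	# that the defaults can carry their own flags.  When the ruleset is
	# unreadable, ipfilter_enable is forced to NO so that later passes
	# do not assume a filter is in place.
	#
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		if [ -r "${ipfilter_rules}" ]; then
			echo -n ' ipfilter'
			${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
			case ${ipmon_enable} in
			[Yy][Ee][Ss])
				echo -n ' ipmon'
				${ipmon_program:-ipmon} ${ipmon_flags}
				;;
			esac
			# NAT rules are only loaded once the filter itself is up.
			case ${ipnat_enable} in
			[Yy][Ee][Ss])
				if [ -r "${ipnat_rules}" ]; then
					echo -n ' ipnat'
					${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
				else
					echo -n ' NO IPNAT RULES'
				fi
				;;
			esac
		else
			ipfilter_enable="NO"
			echo -n ' NO IPF RULES'
		fi
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration.  /etc/rc.atm defines the
	# atm_pass* functions used here and in the later passes.
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.  eval re-parses the value as shell code, so
			# spppconfig_* must only ever come from the root-owned
			# rc.conf files.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# Set up all the network interfaces, calling startup scripts if needed.
	# AUTO expands to every interface the kernel knows about.
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="$(ifconfig -l)"
		;;
	esac

	# showstat_<ifn>=1 marks an interface whose final state is printed
	# below; it is set by anything that touched the interface.
	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	# One dhclient invocation handles every DHCP interface.
	if [ -n "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added.  Aliases are
		# numbered from 0 and the scan stops at the first gap.
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_$ifn=1
				alias=$(expr ${alias} + 1)
			else
				break
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	# Print the configured interfaces.  showstat is quoted so that an
	# unset marker yields a proper empty-string test.
	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		if [ -n "${showstat}" ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode; anything not in the known list falls
		# back to auto.
		#
		case ${ppp_mode} in
		ddial | direct | dedicated | background)
			;;
		*)
			ppp_mode="auto"
			;;
		esac

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		# ppp runs under ${ppp_user} rather than root; -m keeps that
		# user's environment while exec replaces the su shell.
		echo -n "Starting ppp as \"${ppp_user}\""
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Initialize IP filtering using ipfw.  The flush doubles as the
	# probe for ipfw support in the kernel (it also empties any rules
	# that were already present, which is intended since the script
	# reloads them below).
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo "Kernel firewall module loaded."
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo "Warning: firewall kernel module failed to load."
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon.
				# natd_interface may be an address (-a) or an
				# interface name (-n); a dotted quad selects -a.
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						if printf '%s\n' "${natd_interface}" | \
							grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
							natd_ifarg="-a ${natd_interface}"
						else
							natd_ifarg="-n ${natd_interface}"
						fi

						echo -n ' natd'
						${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
					fi
					;;
				esac

				echo '.'

			# Rule 65535 is the kernel's default rule; a deny there
			# with no rules loaded means nothing gets through.
			elif [ "$(ipfw l 65535)" = "65535 deny ip from any to any" ]; then
				echo -n "Warning: kernel has firewall functionality, "
				echo "but firewall rules are not enabled."
				echo "		 All ip services are disabled."
			fi

			# Logging defaults to on when firewall_logging is unset.
			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing.  A default router is just another static
	# route named "default", prepended so it is added first.
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	# Each switch below is opt-in: only an explicit YES (any case)
	# changes the kernel setting, so an unset variable leaves the
	# kernel default in place.  tcp_extensions is the exception:
	# it is on unless explicitly disabled.
	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl -w net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl -w net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl -w net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl -w net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl -w net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Yy][Ee][Ss])
		echo -n ' TCP keepalive=YES'
		sysctl -w net.inet.tcp.always_keepalive=1 >/dev/null
		;;
	esac

	case ${tcp_restrict_rst} in
	[Yy][Ee][Ss])
		echo -n ' restrict TCP reset=YES'
		sysctl -w net.inet.tcp.restrict_rst=1 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl -w net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	# The port range messages are double-quoted so the configured
	# value is actually shown (the old single quotes printed the
	# literal variable name).
	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=${ip_portrange_first}"
		sysctl -w net.inet.ip.portrange.first=${ip_portrange_first} >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=${ip_portrange_last}"
		sysctl -w net.inet.ip.portrange.last=${ip_portrange_last} >/dev/null
		;;
	esac

	echo '.'

	# Load the IPsec SA/SP database from ${ipsec_file}; the path is
	# quoted so a misconfigured value cannot be split into extra
	# setkey arguments.
	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		if [ -f "${ipsec_file}" ]; then
			echo ' ipsec: enabled'
			setkey -f "${ipsec_file}"
		else
			echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}"
		${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted'
		mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd'
		rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}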
460
# Second pass: name service, time synchronisation, portmap and the
# NIS / Secure RPC daemons.
#
# Reads the rc.conf variables named_*, ntpdate_*, xntpd_*, timed_*,
# portmap_*, nis_*, keyserv_* and rpc_ypupdated_enable; each daemon is
# started only when its *_enable is YES (any case).  Writes progress to
# stdout and sets network_pass2_done=YES at the end.
#
network_pass2() {
	echo -n 'Doing additional network setup:'
	case ${named_enable} in
	[Yy][Ee][Ss])
		echo -n ' named';	${named_program:-named} ${named_flags}
		;;
	esac

	# One-shot clock step; its output is discarded entirely.
	case ${ntpdate_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	# The rc.conf knobs keep the historical xntpd_ prefix although the
	# daemon started is ntpd.
	case ${xntpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpd';	${xntpd_program:-ntpd} ${xntpd_flags}
		;;
	esac

	case ${timed_enable} in
	[Yy][Ee][Ss])
		echo -n ' timed';	timed ${timed_flags}
		;;
	esac

	# portmap is started ahead of the RPC-based NIS daemons below.
	case ${portmap_enable} in
	[Yy][Ee][Ss])
		echo -n ' portmap';	${portmap_program:-/usr/sbin/portmap} ${portmap_flags}
		;;
	esac

	# Start ypserv if we're an NIS server.
	# Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server.
	# (Both are gated by their own nis_*_enable knobs rather than by
	# any master/slave detection here.)
	#
	case ${nis_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' ypserv'; ypserv ${nis_server_flags}

		case ${nis_ypxfrd_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypxfrd'
			rpc.ypxfrd ${nis_ypxfrd_flags}
			;;
		esac

		case ${nis_yppasswdd_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.yppasswdd'
			rpc.yppasswdd ${nis_yppasswdd_flags}
			;;
		esac
		;;
	esac

	# Start ypbind if we're an NIS client
	#
	case ${nis_client_enable} in
	[Yy][Ee][Ss])
		echo -n ' ypbind'; ypbind ${nis_client_flags}
		case ${nis_ypset_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypset';	ypset ${nis_ypset_flags}
			;;
		esac
		;;
	esac

	# Start keyserv if we are running Secure RPC
	#
	case ${keyserv_enable} in
	[Yy][Ee][Ss])
		echo -n ' keyserv';	keyserv ${keyserv_flags}
		;;
	esac

	# Start ypupdated if we are running Secure RPC and we are NIS master
	#
	case ${rpc_ypupdated_enable} in
	[Yy][Ee][Ss])
		echo -n ' rpc.ypupdated';	rpc.ypupdated
		;;
	esac

	# Start ATM daemons.  atm_pass3 comes from /etc/rc.atm, sourced in
	# network_pass1; atm_pass2_done is set by that file's atm_pass2.
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}
554
# Third pass: NFS server/client, amd, rwhod, Kerberos, pppoed and the
# sshd host keys.
#
# Reads the rc.conf variables nfs_*, weak_mountd_authentication,
# single_mountd_enable, mountd_flags, rpc_lockd_enable, rpc_statd_enable,
# amd_*, rwhod_*, kerberos_*, kadmind_server_enable, pppoed_* and
# sshd_enable.  Writes progress to stdout, may append to mountd_flags,
# amd_flags and pppoed_flags, and sets network_pass3_done=YES at the end.
#
network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${nfs_server_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/exports ]; then
			echo -n ' mountd'

			# -n makes mountd accept mount requests from
			# non-privileged ports, which is why rc.conf calls
			# this "weak" authentication.
			case ${weak_mountd_authentication} in
			[Yy][Ee][Ss])
				mountd_flags="${mountd_flags} -n"
				;;
			esac

			mountd ${mountd_flags}

			case ${nfs_reserved_port_only} in
			[Yy][Ee][Ss])
				echo -n ' NFS on reserved port only=YES'
				sysctl -w vfs.nfs.nfs_privport=1 >/dev/null
				;;
			esac

			echo -n ' nfsd';	nfsd ${nfs_server_flags}

			if [ -n "${nfs_bufpackets}" ]; then
				sysctl -w vfs.nfs.bufpackets=${nfs_bufpackets} \
					> /dev/null
			fi

			case ${rpc_lockd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.lockd';	rpc.lockd
				;;
			esac

			case ${rpc_statd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.statd';	rpc.statd
				;;
			esac
		fi
		;;
	*)
		# mountd without nfsd (e.g. for CFS-style uses).
		case ${single_mountd_enable} in
		[Yy][Ee][Ss])
			if [ -r /etc/exports ]; then
				echo -n ' mountd'

				# NOTE(review): unlike the nfs_server branch above
				# this replaces mountd_flags instead of appending
				# -n to it; confirm that dropping any configured
				# flags is intended.
				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="-n"
					;;
				esac

				mountd ${mountd_flags}
			fi
			;;
		esac
		;;
	esac

	case ${nfs_client_enable} in
	[Yy][Ee][Ss])
		echo -n ' nfsiod';	nfsiod ${nfs_client_flags}
		if [ -n "${nfs_access_cache}" ]; then
		echo -n " NFS access cache time=${nfs_access_cache}"
		sysctl -w vfs.nfs.access_cache_timeout=${nfs_access_cache} \
			>/dev/null
		fi
		;;
	esac

	# If /var/db/mounttab exists, some nfs-server has not been
	# sucessfully notified about a previous client shutdown.
	# If there is no /var/db/mounttab, we do nothing.
	if [ -f /var/db/mounttab ]; then
		rpc.umntall -k
	fi

	case ${amd_enable} in
	[Yy][Ee][Ss])
		echo -n ' amd'
		# amd_map_program is run through eval and its output is
		# appended to amd_flags, so this value is executed as shell
		# code; only trusted rc.conf values belong here.
		case ${amd_map_program} in
		[Nn][Oo] | '')
			;;
		*)
			amd_flags="${amd_flags} `eval ${amd_map_program}`"
			;;
		esac

		# With flags, amd's pid is recorded via -p; without, amd is
		# simply started with its built-in defaults.
		if [ -n "${amd_flags}" ]; then
			amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null
		else
			amd 2> /dev/null
		fi
		;;
	esac

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod';	rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos runs ONLY on the Kerberos server machine
	case ${kerberos_server_enable} in
	[Yy][Ee][Ss])
		# kerberos_stash selects the -n flag passed to both kerberos
		# and kadmind below.
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash_flag=-n
			;;
		*)
			stash_flag=
			;;
		esac

		echo -n ' kerberos'
		kerberos ${stash_flag} >> /var/log/kerberos.log &

		# kadmind is started from a detached subshell after a 20s
		# delay, presumably so the kerberos daemon is up first.
		case ${kadmind_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind'
			(sleep 20; kadmind ${stash_flag} >/dev/null 2>&1 &) &
			;;
		esac
		unset stash_flag
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed';
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		;;
	esac

	# Generate missing sshd host keys (RSA1 and DSA) with an empty
	# passphrase so sshd can read them unattended at boot.  Existing
	# keys are never touched.
	case ${sshd_enable} in
	[Yy][Ee][Ss])
		if [ ! -f /etc/ssh/ssh_host_key ]; then
			echo ' creating ssh RSA host key';
			/usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
		fi
		if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
			echo ' creating ssh DSA host key';
			/usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}
711
# Fourth pass: remaining TCP/UDP options.
#
# Reads log_in_vain from rc.conf.  Any value other than empty or NO (any
# case) enables kernel logging of connection attempts to ports with no
# listener, for both TCP and UDP.  Writes progress to stdout and sets
# network_pass4_done=YES at the end.
#
network_pass4() {
	echo -n 'Additional TCP options:'

	if [ -n "${log_in_vain}" ]; then
		case ${log_in_vain} in
		[Nn][Oo])
			;;
		*)
			echo -n ' log_in_vain=YES'
			sysctl -w net.inet.tcp.log_in_vain=1 >/dev/null
			sysctl -w net.inet.udp.log_in_vain=1 >/dev/null
			;;
		esac
	fi

	echo '.'
	network_pass4_done=YES
}
727
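# Build a minimal nsswitch.conf "hosts:" line from an old host.conf.
#
# Arguments: $1 - path of the host.conf to read
#            $2 - path of the nsswitch.conf to write (overwritten)
# Each non-comment, non-blank line selects one source: hosts/local/file
# -> files, dns/bind -> dns, nis -> nis.  Unrecognised lines produce a
# warning on stderr and are skipped.  Sources are emitted in the order
# they appear in host.conf, which matters because that order is the
# resolver's lookup order (the previous "for (i in array)" loop left it
# unspecified).  The comment pattern was also "[:blank:]" rather than
# "[ \t]", which only skipped comments with no leading whitespace.
#
convert_host_conf() {
	host_conf=$1; shift
	nsswitch_conf=$1; shift
	awk '
		BEGIN { c = 0 }
		/^[ \t]*#/           { next }
		/^[ \t]*$/           { next }
		/(hosts|local|file)/ { nsswitch[c++] = "files"; next }
		/(dns|bind)/         { nsswitch[c++] = "dns";   next }
		/nis/                { nsswitch[c++] = "nis";   next }
		{ printf "Warning: unrecognized line [%s]\n", $0 > "/dev/stderr" }
		END {
			printf "hosts:"
			for (i = 0; i < c; i++) printf " %s", nsswitch[i]
			printf "\n"
		}' < "$host_conf" > "$nsswitch_conf"
}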
743
744