#!/bin/sh
#
# $NetBSD: network,v 1.40 2003/01/06 10:11:14 tron Exp $
#

# rcorder(8) dependency keywords: this script is ordered after ipfilter and
# ipsec, so the packet filter and IPsec policy are expected to be loaded
# before any interface is brought up here.
# PROVIDE: network
# REQUIRE: ipfilter ipsec mountcritlocal root tty sysctl
# BEFORE:  NETWORKING
# KEYWORD: shutdown

# rc(8) framework helpers.  checkyesno, warn, load_rc_config and
# run_rc_command used below are not defined in this file and presumably
# come from here.
. /etc/rc.subr

# rc.d registration: the script name (also the rc.conf knob prefix) and the
# functions run_rc_command dispatches to for "start" and "stop".
name="network"
start_cmd="network_start"
stop_cmd="network_stop"
16
network_start()
{
	# Bring up basic IP networking at boot: set the hostname and NIS
	# domain, configure lo0 and install "reject" routes for prefixes
	# that must never leave the host, select the IPv6 host/router mode,
	# configure every interface from rc.conf or /etc/ifconfig.xxN, add
	# the default route and interface aliases, optionally send an IPv6
	# router solicitation, and finally run the legacy /etc/netstart.local
	# hook.
	#
	# Every file read below (/etc/myname, /etc/defaultdomain,
	# /etc/ifconfig.xxN, /etc/mygate, /etc/ifaliases, /etc/netstart.local)
	# is treated as trusted configuration; two of them are executed as
	# shell code (see the "!" lines of ifconfig.xxN and netstart.local),
	# with whatever privilege the rc framework runs this script under.
	#
	# Arguments: none.  Reads rc.conf knobs hostname, domainname,
	# dhclient, flushroutes, ip6sitelocal, ip6mode, net_interfaces,
	# auto_ifconfig, ifconfig_xxN, ifaliases_xxN, ipfilter, defaultroute,
	# rtsol and rtsol_flags.
	# Returns: nothing meaningful.  This file does not "set -e", so a
	# failing ifconfig/route/sysctl prints its error and the next step
	# still runs.
	#
	# set hostname, turn on network
	#
	echo "Starting network."

	# If $hostname is set, use it for my Internet name,
	# otherwise use /etc/myname
	#
	# NOTE(review): the file content and the later "hostname $hostname"
	# are both unquoted, so a multi-word /etc/myname hands hostname(1)
	# extra arguments; keep the file to a single name.
	#
	if [ -z "$hostname" ] && [ -f /etc/myname ]; then
		hostname=`cat /etc/myname`
	fi
	if [ -n "$hostname" ]; then
		echo "Hostname: $hostname"
		hostname $hostname
	else
		# Don't warn about it if we're going to run
		# DHCP later, as we will probably get the
		# hostname at that time.
		#
		if ! checkyesno dhclient && [ -z "`hostname`" ]; then
			warn "\$hostname not set."
		fi
	fi

	# Check $domainname first, then /etc/defaultdomain,
	# for NIS/YP domain name
	#
	if [ -z "$domainname" ] && [ -f /etc/defaultdomain ]; then
		domainname=`cat /etc/defaultdomain`
	fi
	if [ -n "$domainname" ]; then
		echo "NIS domainname: $domainname"
		domainname $domainname
	fi

	# Flush all routes just to make sure it is clean
	# (only when flushroutes=YES; network_stop always flushes).
	if checkyesno flushroutes; then
		route -n flush
	fi

	# Set the address for the first loopback interface, so that the
	# auto-route from a newly configured interface's address to lo0
	# works correctly.
	#
	# NOTE: obscure networking problems will occur if lo0 isn't configured.
	#
	ifconfig lo0 inet 127.0.0.1

	# According to RFC1122, 127.0.0.0/8 must not leave the node.
	# The -reject route makes any 127/8 destination other than
	# 127.0.0.1 itself fail locally instead of being sent on the wire.
	#
	route -q add -inet 127.0.0.0 -netmask 0xff000000 127.0.0.1 -reject

	# IPv6 routing setups, and host/router mode selection.
	#
	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		# We have IPv6 support in kernel.
		#
		# The reject routes below blackhole destinations that are
		# only legitimate with a scope id, or that embed an IPv4
		# loopback/unspecified/multicast/broadcast address inside an
		# IPv4-compatible or 6to4 prefix.  Without them such packets
		# would be emitted on the wire (or decapsulated to those IPv4
		# addresses by a tunnel endpoint).

		# disallow link-local unicast dest without outgoing scope
		# identifiers.
		#
		route -q add -inet6 fe80:: -prefixlen 10 ::1 -reject

		# disallow site-local unicast dest without outgoing scope
		# identifiers.
		# If you configure site-locals without scope id (it is
		# permissible config for routers that are not on scope
		# boundary), you may want to comment the following one out.
		# (Skipped when ip6sitelocal=YES.)
		#
		if ! checkyesno ip6sitelocal; then
			route -q add -inet6 fec0:: -prefixlen 10 ::1 -reject
		fi

		# disallow "internal" addresses to appear on the wire.
		# (::ffff:0.0.0.0/96, the IPv4-mapped prefix)
		#
		route -q add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject

		# disallow packets to malicious IPv4 compatible prefix
		# (embedded 224/4 multicast, 127/8 loopback, 0/8, 255/8).
		#
		route -q add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
		route -q add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
		route -q add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
		route -q add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject

		# disallow packets to malicious 6to4 prefix
		# (2002:V4ADDR::/48 with V4ADDR in 224/4, 127/8, 0/8, 255/8:
		# 0xe0 = 224, 0x7f = 127, 0x00 = 0, 0xff = 255).
		#
		route -q add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
		route -q add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
		route -q add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
		route -q add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject

		# Completely disallow packets to IPv4 compatible prefix.
		# This may conflict with RFC1933 under following circumstances:
		# (1) An IPv6-only KAME node tries to originate packets to IPv4
		#     comatible destination.  The KAME node has no IPv4
		#     compatible support.  Under RFC1933, it should transmit
		#     native IPv6 packets toward IPv4 compatible destination,
		#     hoping it would reach a router that forwards the packet
		#     toward auto-tunnel interface.
		# (2) An IPv6-only node originates a packet to IPv4 compatible
		#     destination.  A KAME node is acting as an IPv6 router, and
		#     asked to forward it.
		# Due to rare use of IPv4 compatible address, and security
		# issues with it, we disable it by default.
		# (This /96 covers the four /100-/104 entries added above.)
		#
		route -q add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject

		# Safe defaults first: no IPv6 forwarding, no acceptance of
		# router advertisements.  The case below only turns on the
		# one that ip6mode asks for, so an unset or mistyped ip6mode
		# leaves both off (and warns).  Accepting RAs lets any on-link
		# host hand this node prefixes and a default router, which is
		# why it is opt-in via ip6mode=autohost.
		#
		sysctl -qw net.inet6.ip6.forwarding=0
		sysctl -qw net.inet6.ip6.accept_rtadv=0

		case $ip6mode in
		router)
			echo 'IPv6 mode: router'
			sysctl -qw net.inet6.ip6.forwarding=1
			;;

		autohost)
			echo 'IPv6 mode: autoconfigured host'
			sysctl -qw net.inet6.ip6.accept_rtadv=1
			;;

		host)
			echo 'IPv6 mode: host'
			;;

		*)	warn "invalid \$ip6mode value "\"$ip6mode\"
			;;

		esac
	fi

	# Configure all of the network interfaces listed in $net_interfaces;
	# if $auto_ifconfig is YES, grab all interfaces from ifconfig.
	# In the following, "xxN" stands in for interface names, like "le0".
	# For any interfaces that has an $ifconfig_xxN variable associated,
	# we do "ifconfig xxN $ifconfig_xxN".
	# If there is no such variable, we take the contents of the file
	# /etc/ifconfig.xxN, and run "ifconfig xxN" repeatedly, using each
	# line of the file as the arguments for a separate "ifconfig"
	# invocation.
	#
	# In order to configure an interface reasonably, you at the very least
	# need to specify "[addr_family] [hostname]" (e.g "inet my.domain.org"),
	# and probably a netmask (as in "netmask 0xffffffe0"). You will
	# frequently need to specify a media type, as in "media UTP", for
	# interface cards with multiple media connections that do not
	# autoconfigure. See the ifconfig manual page for details.
	#
	# Note that /etc/ifconfig.xxN takes multiple lines.  The following
	# configuration is possible:
	#	inet 10.1.1.1 netmask 0xffffff00
	#	inet 10.1.1.2 netmask 0xffffff00 alias
	#	inet6 fec0::1 prefixlen 64 alias
	#
	# You can put shell script fragment into /etc/ifconfig.xxN by
	# starting a line with "!".  Refer to ifconfig.if(5) for details.
	#
	if [ "$net_interfaces" != NO ]; then
		if checkyesno auto_ifconfig; then
			# Existing interfaces, plus every cloneable
			# interface type for which an /etc/ifconfig.<type>N
			# file exists (the name is taken from the filename).
			tmp=`ifconfig -l`
			for cloner in `ifconfig -C 2>/dev/null`; do
				for int in /etc/ifconfig.${cloner}[0-9]*; do
					# An unmatched glob leaves the literal
					# pattern in $int; -f fails and we stop.
					[ ! -f $int ] && break
					tmp="$tmp ${int##*.}"
				done
			done
		else
			tmp="$net_interfaces"
		fi
		echo -n 'Configuring network interfaces:'
		for int in $tmp; do
			# Indirect lookup of $ifconfig_<int>.  The interface
			# name is spliced into shell source here, so it is
			# assumed to be a plain kernel interface name (it comes
			# from ifconfig -l, rc.conf or an /etc/ifconfig.*
			# filename).
			eval args=\$ifconfig_$int
			if [ -n "$args" ] || [ -f /etc/ifconfig.$int ]; then
				# Create it in case it is a cloned interface
				# (errors from non-cloners are hidden); then
				# make ipf pick up the new interface.
				if ifconfig $int create 2>/dev/null && \
				   checkyesno ipfilter; then
					# resync ipf(4)
					ipf -y >/dev/null
				fi
			fi
			if [ -n "$args" ]; then
				echo -n " $int"
				ifconfig $int $args
			elif [ -f /etc/ifconfig.$int ]; then
				echo -n " $int"
				# No -r on read: backslashes are interpreted,
				# so a trailing backslash continues the line.
				while read args; do
					[ -z "$args" ] && continue
					case "$args" in
					"#"*|create)
						;;
					"!"*)
						# The rest of the line is run as
						# shell code in this script's
						# context and privilege, so
						# /etc/ifconfig.xxN is executable
						# configuration: it should be
						# root-owned and not writable
						# by anyone else.
						eval ${args#*!}
						;;
					*)
						ifconfig $int $args
						;;
					esac
				done < /etc/ifconfig.$int
			else
				if ! checkyesno auto_ifconfig; then
					echo
					warn \
			"/etc/ifconfig.$int missing and ifconfig_$int not set;"
					warn "interface $int not configured."
				fi
				continue
			fi
			# Only interfaces that actually got configured are
			# eligible for $ifaliases_xxN below.
			configured_interfaces="$configured_interfaces $int"
		done
		echo "."
	fi

	# Check $defaultroute, then /etc/mygate, for the name of my gateway
	# host. That name must be in /etc/hosts.
	# (Unquoted, as with /etc/myname above: extra words in /etc/mygate
	# become extra route(8) arguments.)
	#
	if [ -z "$defaultroute" ] && [ -f /etc/mygate ]; then
		defaultroute=`cat /etc/mygate`
	fi
	if [ -n "$defaultroute" ]; then
		route add default $defaultroute
	fi

	# Check if each configured interface xxN has an $ifaliases_xxN variable
	# associated, then configure additional IP addresses for that interface.
	# The variable contains a list of "address netmask" pairs, with
	# "netmask" set to "-" if the interface default netmask is to be used.
	#
	# Note that $ifaliases_xxN works only with certain configurations and
	# considered not recommended.  Use /etc/ifconfig.xxN if possible.
	#
	# A trailing odd element (address without netmask) is silently
	# dropped by the "$# -ge 2" loop condition.
	#
	if [ -n "$configured_interfaces" ]; then
		echo "Adding interface aliases:"
		done_aliases_message=yes
	fi
	for int in $configured_interfaces; do
		eval args=\$ifaliases_$int
		if [ -n "$args" ]; then
			set -- $args
			while [ $# -ge 2 ]; do
				addr=$1 ; net=$2 ; shift 2
				if [ "$net" = "-" ]; then
					# for compatibility only, obsolete
					ifconfig $int inet alias $addr
				else
					ifconfig $int inet alias $addr \
					    netmask $net
				fi
			done
		fi
	done

	# /etc/ifaliases, if it exists, contains the names of additional IP
	# addresses for each interface. It is formatted as a series of lines
	# that contain
	#	address interface netmask
	#
	# Note that /etc/ifaliases works only with certain cases only and its
	# use is not recommended.  Use /etc/ifconfig.xxN instead.
	#
	# Unlike the ifconfig.xxN loop, blank lines are not skipped here
	# (they produce an ifconfig error) and read has no -r.
	#
	if [ -f /etc/ifaliases ]; then
		if [ "$done_aliases_message" != yes ]; then
			echo "Adding interface aliases:"
		fi
		while read addr int net; do
			if [ -z "$net" ]; then
				# for compatibility only, obsolete
				ifconfig $int inet alias $addr
			else
				ifconfig $int inet alias $addr netmask $net
			fi
		done < /etc/ifaliases
	fi

	# IPv6 interface autoconfiguration.
	#
	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		# wait till DAD is completed. always invoke it in case
		# if are configured manually by ifconfig
		#
		# sysctl errors are hidden; if it fails, dadcount is empty
		# and "sleep $dadcount" complains (non-fatal, see the note
		# at the top), leaving only the fixed one-second wait.
		#
		dadcount=`sysctl -n net.inet6.ip6.dad_count 2>/dev/null`
		sleep $dadcount
		sleep 1

		if checkyesno rtsol; then
			# rtsol only makes sense when RAs are accepted,
			# i.e. ip6mode=autohost (set above); otherwise warn.
			if [ "$ip6mode" = "autohost" ]; then
				echo 'Sending router solicitation...'
				rtsol $rtsol_flags
			else
				echo
				warn \
			    "ip6mode must be set to 'autohost' to use rtsol."
			fi

			# wait till DAD is completed, for global addresses
			# configured by router advert message.
			#
			sleep $dadcount
			sleep 1
		fi
	fi

	# XXX this must die
	# Legacy hook: an arbitrary script run through sh (its mode bits
	# do not matter) with this script's privilege, if non-empty.
	if [ -s /etc/netstart.local ]; then
		sh /etc/netstart.local start
	fi
}
324
network_stop()
{
	# Tear networking down at shutdown: run the legacy netstart.local
	# "stop" hook, delete the aliases that network_start added from
	# /etc/ifaliases and $ifaliases_xxN, bring down (and destroy, if
	# cloned) every configured interface, then flush the routing table.
	#
	# Arguments: none.  Reads rc.conf knobs ifaliases_xxN, net_interfaces,
	# auto_ifconfig, ifconfig_xxN and ipfilter, plus /etc/ifaliases and
	# /etc/netstart.local.
	# Returns: nothing meaningful; this file does not "set -e", so each
	# step runs regardless of whether the previous one failed.
	#
	echo "Stopping network."

	# XXX this must die
	# Legacy hook, executed as shell code with this script's privilege
	# (see network_start).
	if [ -s /etc/netstart.local ]; then
		sh /etc/netstart.local stop
	fi

	# Same file format as in network_start ("address interface netmask");
	# read has no -r, and blank lines are not skipped.
	echo "Deleting aliases."
	if [ -f /etc/ifaliases ]; then
		while read addr int net; do
			ifconfig $int inet delete $addr
		done < /etc/ifaliases
	fi

	# $ifaliases_xxN aliases: only interfaces that are currently up
	# (ifconfig -lu) are visited, which need not be the same set that
	# network_start's $configured_interfaces covered.
	for int in `ifconfig -lu`; do
		eval args=\$ifaliases_$int
		if [ -n "$args" ]; then
			set -- $args
			while [ $# -ge 2 ]; do
				addr=$1 ; net=$2 ; shift 2
				ifconfig $int inet delete $addr
			done
		fi
	done

	# down interfaces
	#
	# Interface selection mirrors network_start, except that the
	# /etc/ifconfig.<cloner>N scan is not repeated; cloned interfaces
	# only appear here if ifconfig -l lists them now.
	#
	echo -n 'Downing network interfaces:'
	if [ "$net_interfaces" != NO ]; then
		if checkyesno auto_ifconfig; then
			tmp=`ifconfig -l`
		else
			tmp="$net_interfaces"
		fi
		for int in $tmp; do
			eval args=\$ifconfig_$int
			if [ -n "$args" ] || [ -f /etc/ifconfig.$int ]; then
				echo -n " $int"
				ifconfig $int down
				# destroy only succeeds for cloned interfaces
				# (errors hidden); if it did, let ipf drop
				# the vanished interface.
				if ifconfig $int destroy 2>/dev/null && \
				   checkyesno ipfilter; then
					# resync ipf(4)
					ipf -y >/dev/null
				fi
			fi
		done
		echo "."
	fi

	# flush routes
	# (unconditional here, unlike the flushroutes-gated flush on start)
	#
	route -n flush

}
381
# Load rc.conf settings for this script and for ipfilter (the ipfilter
# knob decides whether ipf is resynced after interface create/destroy),
# then dispatch on the start/stop argument given to the script.
load_rc_config "${name}" ipfilter
run_rc_command "$1"
384