xref: /openbsd-current/etc/netstart

#!/bin/sh -
#
#	$OpenBSD: netstart,v 1.177 2017/04/24 20:31:48 rpe Exp $

# Turn off Strict Bourne shell mode.
set +o sh

# Echo file $1 to stdout. Skip comment lines and delete everything
# after the first '#' from other lines. Strip leading and trailing
# whitespace if IFS is set.
# Usage: stripcom /path/to/file
stripcom() {
	local _file=$1 _line

	[[ -f $_file ]] || return

	while read _line; do
		[[ -n ${_line%%#*} ]] && print -r -- "$_line"
	done <$_file
}

# Parse and "unpack" a hostname.if(5) line given as positional parameters.
# Fill the _cmds array with the resulting interface configuration commands.
parse_hn_line() {
	local _af=0 _name=1 _mask=2 _bc=3 _prefix=2 _c _cmd _prev _daddr
	set -A _c -- "$@"
	set -o noglob

	case ${_c[_af]} in
	''|*([[:blank:]])'#'*)
		return
		;;
	inet)	((${#_c[*]} > 1)) || return
		[[ ${_c[_name]} == alias ]] && _mask=3 _bc=4
		[[ -n ${_c[_mask]} ]] && _c[_mask]="netmask ${_c[_mask]}"
		if [[ -n ${_c[_bc]} ]]; then
			_c[_bc]="broadcast ${_c[_bc]}"
			[[ ${_c[_bc]} == *NONE ]] && _c[_bc]=
		fi
		_cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
		;;
	inet6)	((${#_c[*]} > 1)) || return
		if [[ ${_c[_name]} == autoconf ]]; then
			_cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
			rtsolif="$rtsolif $_if"
			return
		fi
		[[ ${_c[_name]} == alias ]] && _prefix=3
		[[ -n ${_c[_prefix]} ]] && _c[_prefix]="prefixlen ${_c[_prefix]}"
		_cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
		;;
	dest)	((${#_c[*]} == 2)) && _daddr=${_c[1]} || return
		_prev=$((${#_cmds[*]} - 1))
		((_prev >= 0)) || return
		set -A _c -- ${_cmds[_prev]}
		_name=3
		[[ ${_c[_name]} == alias ]] && _name=4
		_c[_name]="${_c[_name]} $_daddr"
		_cmds[$_prev]="${_c[@]}"
		;;
	dhcp)	_c[0]=
		_cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} down;dhclient $_if"
		dhcpif="$dhcpif $_if"
		;;
	rtsol)	# XXX Support the rtsol keyword for some time to enable a smooth
		# XXX transition to autoconf.
		_c[0]=
		_cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} up"
		_cmds[${#_cmds[*]}]="ifconfig $_if inet6 autoconf"
		rtsolif="$rtsolif $_if"
		;;
	'!'*)	_cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g')
		_cmds[${#_cmds[*]}]="${_cmd#!}"
		;;
	*)	_cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
		;;
	esac
	unset _c
}

# Start a single interface.
# Usage: ifstart if1
ifstart() {
	local _if=$1 _file=$HN_DIR/hostname.$1 _cmds _i=0 _line _stat
	set -A _cmds

	# Interface names must be alphanumeric only.  We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	[[ $_if != +([[:alpha:]])+([[:digit:]]) ]] && return

	if [[ ! -f $_file ]]; then
		echo "netstart: $_file: No such file or directory"
		return
	fi

	# Not using stat(1), we can't rely on having /usr yet.
	set -A _stat -- $(ls -nL $_file)
	if [ "${_stat[0]#???????} ${_stat[2]} ${_stat[3]}" != "--- 0 0" ]; then
		echo "WARNING: $_file is insecure, fixing permissions"
		chmod -LR o-rwx $_file
		chown -LR root.wheel $_file
	fi

	# Check for ifconfig'able interface, except if -n option is specified.
	if ! $PRINT_ONLY; then
		(ifconfig $_if || ifconfig $_if create) >/dev/null 2>&1 ||
		return
	fi

	# Parse the hostname.if(5) file and fill _cmds array with interface
	# configuration commands.
	set -o noglob
	while IFS= read -- _line; do
		parse_hn_line $_line
	done <$_file

	# Apply the interface configuration commands stored in _cmds array.
	while ((_i < ${#_cmds[*]})); do
		if $PRINT_ONLY; then
			print -r -- "${_cmds[_i]}"
		else
			eval "${_cmds[_i]}"
		fi
		((_i++))
	done
	unset _cmds
}

# Start multiple interfaces by driver name.
# Usage: ifmstart "em iwm" "trunk vlan"
#   Start "$1" interfaces in order or all interfaces if empty.
#   Don't start "$2" interfaces. "$2" is optional.
ifmstart() {
	local _sifs=$1 _xifs=$2 _hn _if _sif _xif

	for _sif in ${_sifs:-ALL}; do
		for _hn in /etc/hostname.*; do
			_if=${_hn#/etc/hostname.}
			[[ $_if == '*' ]] && continue

			# Skip unwanted ifs.
			for _xif in $_xifs; do
				[[ $_xif == ${_if%%[0-9]*} ]] && continue 2
			done

			# Start wanted ifs.
			[[ $_sif == @(ALL|${_if%%[0-9]*}) ]] && ifstart $_if
		done
	done
}

# IPv6 autoconf the interfaces in the $rtsolif list.
# Usage: ifv6autoconf
ifv6autoconf() {
	local _if

	# $ip6kernel will not have been set if we were invoked with a
	# list of interface names
	ifconfig lo0 inet6 >/dev/null 2>&1 || return 0

	for _if in $rtsolif; do
		ifconfig $_if inet6 autoconf
	done
}

# Parse /etc/mygate and add default routes for IPv4 and IPv6
# Usage: defaultroute
defaultroute() {
	[[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do
			[[ $gw == @(*:*) ]] && continue
			route -qn delete default >/dev/null 2>&1
			route -qn add -host default $gw && break
	done
	[[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do
			[[ $gw == !(*:*) ]] && continue
			route -qn delete -inet6 default >/dev/null 2>&1
			route -qn add -host -inet6 default $gw && break
	done
}

# Make sure the invoking user has the right privileges.
if (($(id -u) != 0)); then
	echo "${0##*/}: need root privileges"
	exit 1
fi

# Get network related vars from rc.conf using the parsing routine from rc.subr.
FUNCS_ONLY=1 . /etc/rc.d/rc.subr
_rc_parse_conf

HN_DIR=${HN_DIR:-/etc}
PRINT_ONLY=false
USAGE="USAGE: ${0##*/} [-n] [interface ...]"
while getopts ":n" opt; do
	case $opt in
	n)	PRINT_ONLY=true;;
	*)	print -u2 "$USAGE"; exit 1;;
	esac
done
shift $((OPTIND-1))

# Option -n is only supported if interface names are specified as parameters.
if $PRINT_ONLY && (($# == 0)); then
	print -u2 "Missing parameters.\n$USAGE"
	exit 1
fi

# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges), add default routes and return.
if (($# > 0)); then
	for _if; do ifstart $_if; done
	ifv6autoconf
	defaultroute
	return
fi

# Otherwise, process with the complete network initialization.

# /etc/myname contains my symbolic name.
[[ -f /etc/myname ]] && hostname "$(stripcom /etc/myname)"

# Set the address for the loopback interface.  Bringing the interface up,
# automatically invokes the IPv6 address ::1.
ifconfig lo0 inet 127.0.0.1/8

if ifconfig lo0 inet6 >/dev/null 2>&1; then
	# IPv6 configurations.
	ip6kernel=YES

	# Disallow link-local unicast dest without outgoing scope identifiers.
	route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject >/dev/null

	# Disallow site-local unicast dest without outgoing scope identifiers.
	# If you configure site-locals without scope id (it is permissible
	# config for routers that are not on scope boundary), you may want
	# to comment the line out.
	route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject >/dev/null

	# Disallow "internal" addresses to appear on the wire.
	route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null

	# Disallow packets to malicious IPv4 compatible prefix.
	route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject >/dev/null
	route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject >/dev/null
	route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject >/dev/null
	route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject >/dev/null

	# Disallow packets to malicious 6to4 prefix.
	route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject >/dev/null
	route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject >/dev/null
	route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject >/dev/null
	route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject >/dev/null

	# Disallow packets without scope identifier.
	route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject >/dev/null
	route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject >/dev/null

	# Completely disallow packets to IPv4 compatible prefix.
	#
	# This may conflict with RFC1933 under following circumstances:
	# (1) An IPv6-only KAME node tries to originate packets to IPv4
	#     compatible destination.  The KAME node has no IPv4 compatible
	#     support.  Under RFC1933, it should transmit native IPv6
	#     packets toward IPv4 compatible destination, hoping it would
	#     reach a router that forwards the packet toward auto-tunnel
	#     interface.
	# (2) An IPv6-only node originates a packet to an IPv4 compatible
	#     destination.  A KAME node is acting as an IPv6 router, and
	#     asked to forward it.
	#
	# Due to rare use of IPv4 compatible addresses, and security issues
	# with it, we disable it by default.
	route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null

	rtsolif=""
else
	ip6kernel=NO
fi


# Configure all the non-loopback interfaces which we know about, but
# do not start interfaces which must be delayed. Refer to hostname.if(5)
ifmstart "" "trunk svlan vlan carp gif gre pfsync pppoe tun bridge switch pflow"

# The trunk interfaces need to come up first in this list.
# The (s)vlan interfaces need to come up after trunk.
# Configure all the carp interfaces which we know about before default route.
ifmstart "trunk svlan vlan carp"

# Now that $rtsolif has been populated, IPv6 autoconf those interfaces
ifv6autoconf

# Look for default routes in /etc/mygate.
defaultroute

# Multicast routing.
if [[ $multicast != YES ]]; then
	route -qn delete 224.0.0.0/4 >/dev/null 2>&1
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject >/dev/null
fi

# Configure PPPoE, GIF, GRE, TUN and PFLOW interfaces, delayed because they
# require routes to be set. TUN might depend on PPPoE, and GIF or GRE may
# depend on either of them. PFLOW might bind to ip addresses configured
# on either of them.
ifmstart "pppoe tun gif gre bridge switch pflow"

# Reject 127/8 other than 127.0.0.1.
route -qn add -net 127 127.0.0.1 -reject >/dev/null

if [[ $ip6kernel == YES ]]; then
	# This is to make sure DAD is completed before going further.
	count=0
	while ((count++ < 10 && $(sysctl -n net.inet6.ip6.dad_pending) != 0)); do
		sleep 1
	done
fi