version 1.214, 2021/08/06 07:06:35 |
version 1.215, 2021/08/30 16:58:52 |
|
|
ifcreate() { |
ifcreate() { |
local _if=$1 |
local _if=$1 |
|
|
{ ifconfig $_if || ifconfig $_if create; } >/dev/null 2>&1 |
if $PRINT_ONLY; then |
|
print -r -- "{ ifconfig $_if || ifconfig $_if create; }" |
|
else |
|
{ ifconfig $_if || ifconfig $_if create; } >/dev/null 2>&1 |
|
fi |
} |
} |
|
|
# Create interfaces for network pseudo-devices referred to by hostname.if files. |
# Create interfaces for network pseudo-devices referred to by hostname.if files. |
|
|
fi |
fi |
|
|
# Check for ifconfig'able interface, except if -n option is specified. |
# Check for ifconfig'able interface, except if -n option is specified. |
if ! $PRINT_ONLY; then |
ifcreate $_if || return |
ifcreate $_if || return |
|
fi |
|
|
|
# Parse the hostname.if(5) file and fill _cmds array with interface |
# Parse the hostname.if(5) file and fill _cmds array with interface |
# configuration commands. |
# configuration commands. |
|
|
set +o noglob |
set +o noglob |
} |
} |
|
|
|
# add all the routes needed for IPv6 |
|
ip6routes() { |
|
local _i=0 |
|
set -A _cmds |
|
|
|
# Disallow link-local unicast dest without outgoing scope identifiers. |
|
_cmds[_i++]="route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject" |
|
|
|
# Disallow site-local unicast dest without outgoing scope identifiers. |
|
# If you configure site-locals without scope id (it is permissible |
|
# config for routers that are not on scope boundary), you may want |
|
# to comment the line out. |
|
_cmds[_i++]="route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject" |
|
|
|
# Disallow "internal" addresses to appear on the wire. |
|
_cmds[_i++]="route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject" |
|
|
|
# Disallow packets to malicious 6to4 prefix. |
|
_cmds[_i++]="route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject" |
|
_cmds[_i++]="route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject" |
|
_cmds[_i++]="route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject" |
|
_cmds[_i++]="route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject" |
|
|
|
# Disallow packets without scope identifier. |
|
_cmds[_i++]="route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject" |
|
_cmds[_i++]="route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject" |
|
|
|
# Completely disallow packets to IPv4 compatible prefix. |
|
# |
|
# This may conflict with RFC1933 under following circumstances: |
|
# (1) An IPv6-only KAME node tries to originate packets to IPv4 |
|
# compatible destination. The KAME node has no IPv4 compatible |
|
# support. Under RFC1933, it should transmit native IPv6 |
|
# packets toward IPv4 compatible destination, hoping it would |
|
# reach a router that forwards the packet toward auto-tunnel |
|
# interface. |
|
# (2) An IPv6-only node originates a packet to an IPv4 compatible |
|
# destination. A KAME node is acting as an IPv6 router, and |
|
# asked to forward it. |
|
# |
|
# Due to rare use of IPv4 compatible addresses, and security issues |
|
# with it, we disable it by default. |
|
_cmds[_i++]="route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject" |
|
|
|
# Apply the interface configuration commands stored in _cmds array. |
|
_i=0 |
|
while ((_i < ${#_cmds[*]})); do |
|
if $PRINT_ONLY; then |
|
print -r -- "${_cmds[_i]}" |
|
else |
|
eval "${_cmds[_i]}" |
|
fi |
|
((_i++)) |
|
done |
|
unset _cmds |
|
} |
|
|
# Make sure the invoking user has the right privileges. Check for presence of |
# Make sure the invoking user has the right privileges. Check for presence of |
# id(1) to avoid problems with diskless setups. |
# id(1) to avoid problems with diskless setups. |
if [[ -x /usr/bin/id ]] && (($(id -u) != 0)); then |
if [[ -x /usr/bin/id ]] && (($(id -u) != 0)); then |
|
|
done |
done |
shift $((OPTIND-1)) |
shift $((OPTIND-1)) |
|
|
# Option -n is only supported if interface names are specified as parameters. |
|
$PRINT_ONLY && (($# == 0)) && usage |
|
|
|
# Load key material for the generation of IPv6 Semantically Opaque Interface |
# Load key material for the generation of IPv6 Semantically Opaque Interface |
# Identifiers (SOII) used for link local and SLAAC addresses. |
# Identifiers (SOII) used for link local and SLAAC addresses. |
$PRINT_ONLY || [[ ! -f /etc/soii.key ]] || |
$PRINT_ONLY || [[ ! -f /etc/soii.key ]] || |
|
|
|
|
# Set the address for the loopback interface. Bringing the interface up, |
# Set the address for the loopback interface. Bringing the interface up, |
# automatically invokes the IPv6 address ::1. |
# automatically invokes the IPv6 address ::1. |
ifconfig lo0 inet 127.0.0.1/8 |
if $PRINT_ONLY; then |
|
print -r -- "ifconfig lo0 inet 127.0.0.1/8" |
|
else |
|
ifconfig lo0 inet 127.0.0.1/8 |
|
fi |
|
|
# IPv6 configuration. |
# IPv6 configuration. |
if ifconfig lo0 inet6 >/dev/null 2>&1; then |
if ifconfig lo0 inet6 >/dev/null 2>&1; then |
ip6kernel=YES |
ip6kernel=YES |
|
ip6routes |
# Disallow link-local unicast dest without outgoing scope identifiers. |
|
route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject |
|
|
|
# Disallow site-local unicast dest without outgoing scope identifiers. |
|
# If you configure site-locals without scope id (it is permissible |
|
# config for routers that are not on scope boundary), you may want |
|
# to comment the line out. |
|
route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject |
|
|
|
# Disallow "internal" addresses to appear on the wire. |
|
route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject |
|
|
|
# Disallow packets to malicious 6to4 prefix. |
|
route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject |
|
route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject |
|
route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject |
|
route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject |
|
|
|
# Disallow packets without scope identifier. |
|
route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject |
|
route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject |
|
|
|
# Completely disallow packets to IPv4 compatible prefix. |
|
# |
|
# This may conflict with RFC1933 under following circumstances: |
|
# (1) An IPv6-only KAME node tries to originate packets to IPv4 |
|
# compatible destination. The KAME node has no IPv4 compatible |
|
# support. Under RFC1933, it should transmit native IPv6 |
|
# packets toward IPv4 compatible destination, hoping it would |
|
# reach a router that forwards the packet toward auto-tunnel |
|
# interface. |
|
# (2) An IPv6-only node originates a packet to an IPv4 compatible |
|
# destination. A KAME node is acting as an IPv6 router, and |
|
# asked to forward it. |
|
# |
|
# Due to rare use of IPv4 compatible addresses, and security issues |
|
# with it, we disable it by default. |
|
route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject |
|
else |
else |
ip6kernel=NO |
ip6kernel=NO |
fi |
fi |
|
|
|
|
# Multicast routing. |
# Multicast routing. |
if [[ $multicast != YES ]]; then |
if [[ $multicast != YES ]]; then |
route -qn delete 224.0.0.0/4 >/dev/null 2>&1 |
if $PRINT_ONLY; then |
route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject >/dev/null |
print -r -- "route -qn delete 224.0.0.0/4" |
|
print -r -- "route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject" |
|
else |
|
route -qn delete 224.0.0.0/4 |
|
route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject |
|
fi |
fi |
fi |
|
|
# Reject 127/8 other than 127.0.0.1. |
# Reject 127/8 other than 127.0.0.1. |
route -qn add -net 127 127.0.0.1 -reject >/dev/null |
if $PRINT_ONLY; then |
|
print -r -- "route -qn add -net 127 127.0.0.1 -reject" |
|
else |
|
route -qn add -net 127 127.0.0.1 -reject |
|
fi |
|
|
# Configure interfaces that rely on routing |
# Configure interfaces that rely on routing |
ifmstart "tun tap gif etherip gre egre pflow wg" |
ifmstart "tun tap gif etherip gre egre pflow wg" |