Annotation of src/etc/netstart, Revision 1.131
1.1 deraadt 1: #!/bin/sh -
2: #
1.131 ! sobrado 3: # $OpenBSD: netstart,v 1.130 2010/06/16 23:45:57 todd Exp $
1.101 millert 4:
# Print the non-comment lines of file $1 on stdout.
#
# A line is dropped when nothing (but whitespace) precedes its first '#',
# which also covers blank lines; every other line is printed whole, so a
# trailing "# ..." after real data is NOT removed.  Because $_line is
# expanded unquoted, leading/trailing IFS whitespace is trimmed, internal
# runs are collapsed, and glob characters in the line are subject to
# pathname expansion.  A missing $1 produces no output and no error.
stripcom() {
	local _line _data
	[[ -f $1 ]] || return
	while read _line; do
		_data=${_line%%#*}
		[[ -n $_data ]] && echo $_line
	done <$1
}
1.45 millert 14:
# Succeed (return 0) only if $1 consists solely of ASCII letters and
# digits; the empty string passes.  Used to vet interface names taken
# from the command line or from /etc/hostname.* filenames before they are
# spliced into pathnames and commands, so that "em0.bak", "em0~", "*",
# "../x" and the like are rejected.
isalphanumeric() {
	case $1 in
	*[!A-Za-z0-9]*)	return 1;;
	esac
	return 0
}
1.81 angelos 28:
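# Configure the interface named $1 from /etc/hostname.$1.
#
# Every line of that file is turned into a shell command string and run
# through eval as root, so the file is effectively a root-privileged
# script: "!" lines run arbitrary commands, the other forms become
# ifconfig/dhclient/route invocations (see hostname.if(5)).  That is why
# the name is restricted to alphanumerics and why the file's ownership and
# "other" permission bits are checked before it is read.
#
# Globals written: if, file, stat, cmd, cmd2, af, name, mask, bcaddr,
# ext1, ext2, dt, dtaddr, alias, rtcmd, i, plus the accumulated lists
# dhcpif (interfaces handed to dhclient) and rtsolif (interfaces that
# asked for rtsol), which the top-level code consumes afterwards.
# Returns silently when the name is invalid or the interface neither
# exists nor can be created; prints a message for a missing file or a
# bare "inet"/"inet6" line.
ifstart() {
	if=$1
	# Interface names must be alphanumeric only. We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	if ! isalphanumeric "$if"; then
		return
	fi

	file=/etc/hostname.$if
	if ! [ -f $file ]; then
		echo "netstart: $file: No such file or directory"
		return
	fi
	# Not using stat(1), we can't rely on having /usr yet.
	# ls -n prints "mode links uid gid ..."; dropping the first seven
	# characters of the mode leaves the "other" rwx bits.  Require
	# o=--- and owner uid 0 / gid 0 (root:wheel), because the contents
	# are executed with root privileges below.
	set -A stat -- `ls -nL $file`
	if [ "${stat[0]#???????} ${stat[2]} ${stat[3]}" != "--- 0 0" ]; then
		echo "WARNING: $file is insecure, fixing permissions"
		chmod -LR o-rwx $file
		chown -LR root.wheel $file
		# NOTE(review): the file is still parsed after this repair,
		# so whatever a non-root owner wrote into it beforehand is
		# executed anyway.  Refusing to continue could leave the
		# machine without network at boot, which is presumably why
		# this only warns.
	fi
	ifconfig $if > /dev/null 2>&1
	if [ "$?" != "0" ]; then
		# Try to create interface if it does not exist
		ifconfig $if create > /dev/null 2>&1
		if [ "$?" != "0" ]; then
			return
		fi
	fi

	# Now parse the hostname.* file.
	# cmd2 carries a look-ahead line over to the next iteration and is a
	# global, so clear it here: a value left behind by an earlier ifstart
	# that returned mid-file (the "inet alone" errors below) would
	# otherwise be applied to this interface.
	cmd2=
	while :; do
		if [ "$cmd2" ]; then
			# We are carrying over from the 'read dt dtaddr'
			# last time.
			set -- $cmd2
			af="$1" name="$2" mask="$3" bcaddr="$4" ext1="$5" cmd2=
			# Make sure and get any remaining args in ext2,
			# like the read below
			i=1
			while [ $i -lt 6 -a -n "$1" ]; do shift; let i=i+1; done
			ext2="$@"
		else
			# Read the next line or exit the while loop.
			read af name mask bcaddr ext1 ext2 || break
		fi
		# $af can be "dhcp", "up", "rtsol", an address family,
		# commands, or a comment.
		case "$af" in
		"#"*|"") # skip comments and empty lines
			continue
			;;
		"!"*) # parse commands: the rest of the line is run verbatim
			cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
			;;
		"dhcp")
			# "NONE" placeholders are dropped; the interface is
			# configured down, then handed to dhclient.
			[ "$name" = "NONE" ] && name=
			[ "$mask" = "NONE" ] && mask=
			[ "$bcaddr" = "NONE" ] && bcaddr=
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 down"
			cmd="$cmd;dhclient $if"
			dhcpif="$dhcpif $if"
			;;
		"rtsol")
			# Bring the interface up now; rtsol itself runs later.
			rtsolif="$rtsolif $if"
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
			;;
		*)
			# An address line may be followed by "dest <addr>";
			# read one line ahead to find out.  Anything else that
			# was read is parked in cmd2 for the next iteration.
			read dt dtaddr
			if [ "$name" = "alias" ]; then
				# perform a 'shift' of sorts
				alias=$name
				name=$mask
				mask=$bcaddr
				bcaddr=$ext1
				ext1=$ext2
				ext2=
			else
				alias=
			fi
			cmd="ifconfig $if $af $alias $name"
			case "$dt" in
			dest)
				cmd="$cmd $dtaddr"
				;;
			*)
				cmd2="$dt $dtaddr"
				;;
			esac
			case $af in
			inet)
				if [ ! -n "$name" ]; then
					echo "/etc/hostname.$if: inet alone is invalid"
					return
				fi
				[ "$mask" ] && cmd="$cmd netmask $mask"
				if [ "$bcaddr" -a "X$bcaddr" != "XNONE" ]; then
					cmd="$cmd broadcast $bcaddr"
				fi
				# An alias also gets a host route via loopback,
				# appended to cmd below.
				[ "$alias" ] && rtcmd=";route -qn add -host $name 127.0.0.1"
				;;
			inet6)
				if [ ! -n "$name" ]; then
					echo "/etc/hostname.$if: inet6 alone is invalid"
					return
				fi
				[ "$mask" ] && cmd="$cmd prefixlen $mask"
				cmd="$cmd $bcaddr"
				;;
			*)
				cmd="$cmd $mask $bcaddr"
				;;
			esac
			cmd="$cmd $ext1 $ext2$rtcmd" rtcmd=
			;;
		esac
		# NOTE(review): the eval'd command inherits the loop's stdin
		# (the hostname file); a command that reads stdin would
		# consume the remaining lines.
		eval "$cmd"
	done < /etc/hostname.$if
}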
148:
# Start several interfaces from their /etc/hostname.* files.
#   $1  whitespace-separated driver names (e.g. "trunk vlan"); interfaces
#       are started one driver at a time in that order, and within a driver
#       in the glob order of /etc/hostname.*.  Empty means every interface,
#       in glob order.
#   $2  driver names that must NOT be started by this call (they are
#       delayed for a later one).
# The driver name of an interface is its filename suffix with the trailing
# unit number removed ("em0" -> "em"); comparisons are on the whole driver
# name, so "gre" does not match "gif".  Each selected interface is handed
# to ifstart, which re-validates the name.
ifmstart() {
	local _want _path _ifn _drv _excl _skip
	for _want in ${1:-ALL}; do
		for _path in /etc/hostname.*; do
			_ifn=${_path#/etc/hostname.}
			# With no hostname.* file at all the glob stays literal.
			[ "$_ifn" = "*" ] && continue
			_drv=${_ifn%%[0-9]*}

			# Skip drivers listed in $2.
			_skip=0
			for _excl in $2; do
				if [ "$_excl" = "$_drv" ]; then
					_skip=1
					break
				fi
			done
			[ $_skip -eq 1 ] && continue

			# Start it if it is wanted.
			if [ "$_want" = "ALL" ] || [ "$_want" = "$_drv" ]; then
				ifstart $_ifn
			fi
		done
	done
}
173:
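# Re-read /etc/rc.conf.  It supplies $multicast_host/$multicast_router
# used further down; reading it here covers the stand-alone
# "sh /etc/netstart [if ...]" invocation as well as the sourced one.
. /etc/rc.conf

# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges) and return.  A leading "autoboot" argument is
# discarded first.  It is "return" rather than "exit" because the script
# is evidently meant to be sourced (presumably by /etc/rc).
# Arguments are quoted so that a name containing whitespace reaches
# ifstart intact and is rejected there, instead of being split into a
# valid first word.
if [ "$1x" = autobootx ]; then
	shift
fi
if [ $# -gt 0 ]; then
	while [ $# -gt 0 ]; do
		ifstart "$1"
		shift
	done
	return
fi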
189:
190: # Otherwise, process with the complete network initialization.
191:
# /etc/myname holds this host's symbolic name.  Set it from there when the
# file exists; otherwise keep whatever name the kernel already reports.
# (The expansion is deliberately unquoted, as elsewhere in this file; the
# file is expected to hold a single token.)
if [ -f /etc/myname ]; then
	hostname=$(stripcom /etc/myname)
	hostname $hostname
else
	hostname=$(hostname)
fi

# /etc/defaultdomain, when present, is handed to domainname(1).
if [ -f /etc/defaultdomain ]; then
	domainname $(stripcom /etc/defaultdomain)
fi
203:
# Set the address for the loopback interface.  Bringing the interface up
# also configures the IPv6 loopback address ::1 automatically.
ifconfig lo0 inet 127.0.0.1/8

# Probe for IPv6 support by asking for lo0's inet6 state; if that works
# the kernel has IPv6 and the reject routes below are installed.  Each of
# them points a prefix that must never be used as a destination from this
# host at ::1 with -reject, so such packets are refused locally instead of
# leaving on the wire.
if ifconfig lo0 inet6 >/dev/null 2>&1; then
	# IPv6 configurations.
	ip6kernel=YES

	# Disallow link-local unicast dest without outgoing scope identifiers.
	route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null

	# Disallow site-local unicast dest without outgoing scope identifiers.
	# If you configure site-locals without scope id (it is permissible
	# config for routers that are not on scope boundary), you may want
	# to comment the line out.
	route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null

	# Disallow "internal" addresses to appear on the wire.
	route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null

	# Disallow packets to malicious IPv4 compatible prefix.
	route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null
	route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
	route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
	route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null

	# Disallow packets to malicious 6to4 prefix.
	route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null
	route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null
	route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null
	route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null

	# Disallow packets without scope identifier.
	route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject > /dev/null
	route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject > /dev/null

	# Completely disallow packets to IPv4 compatible prefix.
	# This may conflict with RFC1933 under following circumstances:
	# (1) An IPv6-only KAME node tries to originate packets to IPv4
	# compatible destination.  The KAME node has no IPv4 compatible
	# support.  Under RFC1933, it should transmit native IPv6
	# packets toward IPv4 compatible destination, hoping it would
	# reach a router that forwards the packet toward auto-tunnel
	# interface.
	# (2) An IPv6-only node originates a packet to an IPv4 compatible
	# destination.  A KAME node is acting as an IPv6 router, and
	# asked to forward it.
	# Due to rare use of IPv4 compatible addresses, and security issues
	# with it, we disable it by default.
	route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null

	# List of interfaces asking for rtsol; ifstart appends to it.  It is
	# only initialised on IPv6 kernels, the non-IPv6 branch leaves it
	# unset and the rtsol code below checks $ip6kernel first.
	rtsolif=""
else
	ip6kernel=NO
fi
259:
1.105 todd 260:
# Configure all the non-loopback interfaces which we know about, but
# do not start interfaces which must be delayed. Refer to hostname.if(5)
# (pfsync is excluded here and is not started by any later ifmstart call
# in this file; presumably /etc/rc brings it up once pf is enabled.)
ifmstart "" "trunk vlan carp gif gre pfsync pppoe tun bridge"

# The trunk interfaces need to come up first in this list.
# The vlan interfaces need to come up after trunk.
# Configure all the carp interfaces which we know about before default route.
ifmstart "trunk vlan carp"

# Run rtsol on the interfaces whose hostname.if asked for it (collected in
# $rtsolif by ifstart), but only when the sysctls describe a host:
# forwarding off and accept_rtadv on.  Any other combination is reported
# as inconsistent and rtsol is not run.
if [ "$ip6kernel" = "YES" -a "x$rtsolif" != "x" ]; then
	fw=`sysctl -n net.inet6.ip6.forwarding`
	ra=`sysctl -n net.inet6.ip6.accept_rtadv`
	if [ "x$fw" = "x0" -a "x$ra" = "x1" ]; then
		echo "IPv6 autoconf:$rtsolif"
		rtsol $rtsolif
	else
		echo "WARNING: inconsistent config - check /etc/sysctl.conf for IPv6 autoconf"
	fi
fi
1.102 mcbride 280:
# /etc/mygate, if it exists, contains the name of my gateway host
# that name must be in /etc/hosts.
# One gateway per line.  Entries containing a colon are taken as IPv6
# gateways, the rest as IPv4; each loop skips the other family and stops
# at the first entry route(8) accepts.  The IPv4 default is not touched
# when some interface was handed to dhclient ($dhcpif set by ifstart),
# presumably so that dhclient's route stands; likewise the IPv6 default
# is skipped when an interface asked for rtsol ($rtsolif).
[[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do
	[[ $gw == @(*:*) ]] && continue
	route -qn delete default > /dev/null 2>&1
	route -qn add -host default $gw && break
done
[[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do
	[[ $gw == !(*:*) ]] && continue
	route -qn delete -inet6 default > /dev/null 2>&1
	route -qn add -host -inet6 default $gw && break
done
1.44 deraadt 293:
# Multicast routing.
#
# The routing to the 224.0.0.0/4 net is setup according to these rules:
# multicast_host multicast_router route comment
# NO NO -reject no multicast
# NO YES none installed daemon will run
# YES/interface NO -interface YES=def. iface
# Any other combination -reject config error
#
# $multicast_host and $multicast_router come from /etc/rc.conf (sourced
# above).  Any stale 224/4 route is removed first so the case below starts
# from a clean slate.
route -qn delete 224.0.0.0/4 > /dev/null 2>&1
case "$multicast_host:$multicast_router" in
NO:NO)
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
NO:YES)
	;;
*:NO)
	# Pick the line to derive the multicast interface address from:
	# with multicast_host=YES the "default" line of the IPv4 routing
	# table, otherwise the " inet " line of ifconfig for the interface
	# named in $multicast_host.  ed(1) does the line picking because it
	# is available without /usr: "!cmd" makes it read the command's
	# output, and /pattern/p prints the first matching line.  Errors
	# from either command are discarded.
	# NOTE(review): $multicast_host is spliced into a shell command
	# line here; that is acceptable only because rc.conf is root-owned
	# configuration, not user input.
	maddr=`if [ "$multicast_host" = "YES" ]; then
		ed -s '!route -qn show -inet' <<EOF
/^default/p
EOF
	else
		ed -s "!ifconfig $multicast_host" <<EOF
/^ inet /p
EOF
	fi 2> /dev/null`
	if [ "X${maddr}" != "X" ]; then
		# Second field of the matched line is the address handed to
		# route -interface.
		set $maddr
		route -qn add -net 224.0.0.0/4 -interface $2 > /dev/null
	else
		# Nothing usable found: fall back to rejecting multicast.
		route -qn add -net 224.0.0.0/4 -interface \
		    127.0.0.1 -reject > /dev/null
	fi
	;;
*:*)
	echo 'config error, multicasting disabled until rc.conf is fixed'
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
esac
1.83 miod 332:
1.105 todd 333:
1.125 jdixon 334: # Configure PPPoE, GIF, GRE and TUN interfaces, delayed because they require
335: # routes to be set. TUN might depend on PPPoE, and GIF or GRE may depend on
336: # either of them.
1.127 deraadt 337: ifmstart "pppoe tun gif gre bridge"
1.92 deraadt 338:
1.99 itojun 339: # reject 127/8 other than 127.0.0.1
1.92 deraadt 340: route -qn add -net 127 127.0.0.1 -reject > /dev/null
1.116 david 341:
342: if [ "$ip6kernel" = "YES" ]; then
343: # this is to make sure DAD is completed before going further.
1.124 markus 344: count=0
345: while [ $((count++)) -lt 10 -a "x"`sysctl -n net.inet6.ip6.dad_pending` != "x0" ]; do
346: sleep 1
347: done
1.116 david 348: fi