Annotation of src/etc/netstart, Revision 1.133
1.1 deraadt 1: #!/bin/sh -
2: #
1.133 ! guenther 3: # $OpenBSD: netstart,v 1.132 2011/05/26 15:22:53 mpf Exp $
1.101 millert 4:
5: # Strip comments (and leading/trailing whitespace if IFS is set)
6: # from a file and spew to stdout
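stripcom() {
	local _l
	# Silently produce nothing when the file is absent; callers such as
	# the /etc/mygate loops rely on that.
	[[ -f $1 ]] || return
	# -r keeps backslashes literal.  The || clause also processes a final
	# line that lacks a trailing newline, which read alone would drop
	# (an /etc/myname written without a newline would otherwise yield
	# an empty hostname).
	while read -r _l || [[ -n $_l ]]; do
		# Only the text before the first '#' decides whether the line is
		# kept; the whole line (trailing comment included) is echoed,
		# unquoted, so callers receive it word-split exactly as before.
		[[ -n ${_l%%#*} ]] && echo $_l
	done <"$1"
}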
1.45 millert 14:
15: # Returns true if $1 contains only alphanumerics
isalphanumeric() {
	# Reject the name as soon as any character outside [A-Za-z0-9] is
	# found; the empty string has no such character and is accepted.
	case $1 in
	*[!A-Za-z0-9]*)
		return 1
		;;
	esac
	return 0
}
1.81 angelos 28:
1.83 miod 29: # Start the $1 interface
ifstart() {
	# NOTE(review): if, file, stat, cmd, cmd2, rtcmd, af, name, mask,
	# bcaddr, ext1, ext2, dt, dtaddr, alias and i are all globals here;
	# dhcpif and rtsolif are appended to and read later by the
	# top-level code.
	if=$1
	# Interface names must be alphanumeric only. We check to avoid
	# configuring backup or temp files, and to catch the "*" case.
	# This is also what keeps $if safe to splice into the command
	# strings that are eval'd at the bottom of the parse loop.
	if ! isalphanumeric "$if"; then
		return
	fi

	file=/etc/hostname.$if
	if ! [ -f $file ]; then
		echo "netstart: $file: No such file or directory"
		return
	fi
	# Not using stat(1), we can't rely on having /usr yet
	# The hostname.if file is executed below via eval, so it must not be
	# readable or writable by anyone but root.  ${stat[0]} is the mode
	# column of ls -n ("-rwxrwxrwx"); dropping its first 7 characters
	# leaves the "other" bits.  ${stat[2]} and ${stat[3]} are the
	# numeric owner and group.
	# NOTE(review): only the "other" bits and the uid/gid are examined;
	# a group-writable file owned by root:wheel passes this check and
	# is not repaired.
	set -A stat -- `ls -nL $file`
	if [ "${stat[0]#???????} ${stat[2]} ${stat[3]}" != "--- 0 0" ]; then
		echo "WARNING: $file is insecure, fixing permissions"
		chmod -LR o-rwx $file
		chown -LR root.wheel $file
	fi
	if ! ifconfig $if > /dev/null 2>&1; then
		# Try to create interface if it does not exist
		if ! ifconfig $if create > /dev/null 2>&1; then
			return
		fi
	fi

	# Now parse the hostname.* file
	# Each line is split into af name mask bcaddr ext1 ext2.  For an
	# address line the following line is also read (dt dtaddr) to look
	# for a "dest" continuation; when it is not one it is saved in
	# cmd2 and replayed on the next pass instead of reading a new line.
	while :; do
		if [ "$cmd2" ]; then
			# We are carrying over from the 'read dt dtaddr'
			# last time.
			set -- $cmd2
			af="$1" name="$2" mask="$3" bcaddr="$4" ext1="$5" cmd2=
			# Make sure and get any remaining args in ext2,
			# like the read below
			i=1
			while [ $i -lt 6 -a -n "$1" ]; do shift; let i=i+1; done
			ext2="$@"
		else
			# Read the next line or exit the while loop.
			read af name mask bcaddr ext1 ext2 || break
		fi
		# $af can be "dhcp", "up", "rtsol", an address family,
		# commands, or a comment.
		case "$af" in
		"#"*|"")	# skip comments and empty lines
			continue
			;;
		"!"*)	# parse commands
			# The rest of the line is run verbatim by the eval below.
			cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
			;;
		"dhcp")
			[ "$name" = "NONE" ] && name=
			[ "$mask" = "NONE" ] && mask=
			[ "$bcaddr" = "NONE" ] && bcaddr=
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 down"
			cmd="$cmd;dhclient $if"
			# Remembered so the top-level code can skip the static
			# IPv4 default route from /etc/mygate.
			dhcpif="$dhcpif $if"
			;;
		"rtsol")
			# Remembered for the rtsol(8) run after all interfaces
			# are configured.
			rtsolif="$rtsolif $if"
			cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
			;;
		*)
			# Address line: peek at the next line for a "dest"
			# continuation.
			read dt dtaddr
			if [ "$name" = "alias" ]; then
				# perform a 'shift' of sorts
				alias=$name
				name=$mask
				mask=$bcaddr
				bcaddr=$ext1
				ext1=$ext2
				ext2=
			else
				alias=
			fi
			cmd="ifconfig $if $af $alias $name"
			case "$dt" in
			dest)
				cmd="$cmd $dtaddr"
				;;
			*)
				# Not a continuation: replay this line next pass.
				cmd2="$dt $dtaddr"
				;;
			esac
			case $af in
			inet)
				if [ ! -n "$name" ]; then
					echo "/etc/hostname.$if: inet alone is invalid"
					# NOTE(review): cmd2 may still hold the peeked
					# line here and is not cleared before returning,
					# so a later ifstart call would consume it as its
					# first line -- confirm whether that matters.
					return
				fi
				[ "$mask" ] && cmd="$cmd netmask $mask"
				if [ "$bcaddr" -a "X$bcaddr" != "XNONE" ]; then
					cmd="$cmd broadcast $bcaddr"
				fi
				# An alias also gets a host route via loopback,
				# appended to the command string below.
				[ "$alias" ] && rtcmd=";route -qn add -host $name 127.0.0.1"
				;;
			inet6)
				if [ ! -n "$name" ]; then
					echo "/etc/hostname.$if: inet6 alone is invalid"
					# NOTE(review): same cmd2 carry-over caveat as
					# the inet case above.
					return
				fi
				[ "$mask" ] && cmd="$cmd prefixlen $mask"
				cmd="$cmd $bcaddr"
				;;
			*)
				cmd="$cmd $mask $bcaddr"
				;;
			esac
			cmd="$cmd $ext1 $ext2$rtcmd" rtcmd=
			;;
		esac
		# Everything assembled above, including any "!" command line
		# taken from the file, is executed here; this is why the
		# file's ownership and permissions were checked first.
		eval "$cmd"
	done < /etc/hostname.$if
}
146:
1.105 todd 147: # Start multiple:
148: # start "$1" interfaces in order or all interfaces if empty
149: # don't start "$2" interfaces
ifmstart() {
	for sif in ${1:-ALL}; do
		for hostfile in /etc/hostname.*; do
			# Strip off /etc/hostname. prefix
			if=${hostfile#/etc/hostname.}
			# An unmatched glob leaves the pattern itself behind.
			if [ "$if" = "*" ]; then
				continue
			fi

			# ${if%%[0-9]*} is the driver name (em0 -> em).  Skip
			# any driver listed in $2.
			skip=""
			for drv in $2; do
				if [ "$drv" = "${if%%[0-9]*}" ]; then
					skip="1"
					break
				fi
			done
			if [ "$skip" = "1" ]; then
				continue
			fi

			# Start it when every driver was asked for, or when
			# this driver was named in $1.
			{ [ "$sif" = "ALL" ] || [ "$sif" = "${if%%[0-9]*}" ]; } \
			    && ifstart $if
		done
	done
}
171:
1.81 angelos 172: # Re-read /etc/rc.conf
# rc.conf is sourced, i.e. executed as shell; multicast_host and
# multicast_router used below are expected to come from it.
. /etc/rc.conf

# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges) and return.
# A leading "autoboot" (presumably passed by the caller on a normal boot)
# is dropped so that whatever remains in $@ is interface names.
if [ $1x = autobootx ]; then
	shift
fi
if [ $# -gt 0 ]; then
	while [ $# -gt 0 ]; do
		ifstart $1
		shift
	done
	# NOTE(review): return at file scope -- this only ends the script
	# cleanly when it is run as a sourced (dot) script; confirm how the
	# caller invokes it.
	return
fi

# Otherwise, process with the complete network initialization.

# /etc/myname contains my symbolic name
# stripcom output is used unquoted, so it is word-split before being
# handed to hostname(1).
if [ -f /etc/myname ]; then
	hostname=`stripcom /etc/myname`
	hostname $hostname
else
	hostname=`hostname`
fi

if [ -f /etc/defaultdomain ]; then
	domainname `stripcom /etc/defaultdomain`
fi

# Set the address for the loopback interface. Bringing the interface up,
# automatically invokes the IPv6 address ::1.
ifconfig lo0 inet 127.0.0.1/8

if ifconfig lo0 inet6 >/dev/null 2>&1; then
	# IPv6 configurations.
	ip6kernel=YES

	# Each route below points a prefix at ::1 with -reject so that
	# traffic for it is refused instead of being forwarded or sent on
	# the wire.  Failures are silent (-q, output to /dev/null).

	# Disallow link-local unicast dest without outgoing scope identifiers.
	route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null

	# Disallow site-local unicast dest without outgoing scope identifiers.
	# If you configure site-locals without scope id (it is permissible
	# config for routers that are not on scope boundary), you may want
	# to comment the line out.
	route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null

	# Disallow "internal" addresses to appear on the wire.
	route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null

	# Disallow packets to malicious IPv4 compatible prefix.
	route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null
	route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
	route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null
	route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null

	# Disallow packets to malicious 6to4 prefix.
	route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null
	route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null
	route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null
	route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null

	# Disallow packets without scope identifier.
	route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject > /dev/null
	route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject > /dev/null

	# Completely disallow packets to IPv4 compatible prefix.
	# This may conflict with RFC1933 under following circumstances:
	# (1) An IPv6-only KAME node tries to originate packets to IPv4
	# compatible destination. The KAME node has no IPv4 compatible
	# support. Under RFC1933, it should transmit native IPv6
	# packets toward IPv4 compatible destination, hoping it would
	# reach a router that forwards the packet toward auto-tunnel
	# interface.
	# (2) An IPv6-only node originates a packet to an IPv4 compatible
	# destination. A KAME node is acting as an IPv6 router, and
	# asked to forward it.
	# Due to rare use of IPv4 compatible addresses, and security issues
	# with it, we disable it by default.
	route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null

	# ifstart appends to rtsolif for every "rtsol" line it sees.
	rtsolif=""
else
	ip6kernel=NO
fi


# Configure all the non-loopback interfaces which we know about, but
# do not start interfaces which must be delayed. Refer to hostname.if(5)
# The second argument is the list of drivers to skip on this pass; all
# but pfsync are started by the later ifmstart calls below.
# NOTE(review): pfsync is excluded here and not started by any later
# ifmstart call in this file -- presumably it is brought up by the
# caller once pf is configured; confirm.
ifmstart "" "trunk svlan vlan carp gif gre pfsync pppoe tun bridge"

# The trunk interfaces need to come up first in this list.
# The (s)vlan interfaces need to come up after trunk.
# Configure all the carp interfaces which we know about before default route.
ifmstart "trunk svlan vlan carp"

# rtsol(8) is only run when the kernel is not forwarding and accepts
# router advertisements; any other combination is reported as
# inconsistent and autoconfiguration is skipped.
if [ "$ip6kernel" = "YES" -a "x$rtsolif" != "x" ]; then
	fw=`sysctl -n net.inet6.ip6.forwarding`
	ra=`sysctl -n net.inet6.ip6.accept_rtadv`
	if [ "x$fw" = "x0" -a "x$ra" = "x1" ]; then
		echo "IPv6 autoconf:$rtsolif"
		rtsol $rtsolif
	else
		echo "WARNING: inconsistent config - check /etc/sysctl.conf for IPv6 autoconf"
	fi
fi

# /etc/mygate, if it exists, contains the name of my gateway host
# that name must be in /etc/hosts.
# Entries containing ':' are treated as IPv6 gateways (@(*:*) is a ksh
# pattern), the rest as IPv4.  Each loop stops at the first gateway that
# route(8) accepts.  The IPv4 pass is skipped when any interface uses
# dhcp, the IPv6 pass when any interface uses rtsol -- presumably
# because those mechanisms install their own default route; confirm.
[[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do
	[[ $gw == @(*:*) ]] && continue
	route -qn delete default > /dev/null 2>&1
	route -qn add -host default $gw && break
done
[[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do
	[[ $gw == !(*:*) ]] && continue
	route -qn delete -inet6 default > /dev/null 2>&1
	route -qn add -host -inet6 default $gw && break
done

# Multicast routing.
#
# The routing to the 224.0.0.0/4 net is setup according to these rules:
# multicast_host multicast_router route comment
# NO NO -reject no multicast
# NO YES none installed daemon will run
# YES/interface NO -interface YES=def. iface
# Any other combination -reject config error
route -qn delete 224.0.0.0/4 > /dev/null 2>&1
case "$multicast_host:$multicast_router" in
NO:NO)
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
NO:YES)
	;;
*:NO)
	# maddr is the default-route line of "route show" when
	# multicast_host is YES, otherwise the inet line of
	# "ifconfig $multicast_host"; ed(1) is used to pick the line.
	maddr=`if [ "$multicast_host" = "YES" ]; then
		ed -s '!route -qn show -inet' <<EOF
/^default/p
EOF
	else
		ed -s "!ifconfig $multicast_host" <<EOF
/^ inet /p
EOF
	fi 2> /dev/null`
	if [ "X${maddr}" != "X" ]; then
		# Overwrites the positional parameters; safe here because
		# any arguments were consumed by the ifstart loop above.
		# $2 is the second field of the selected line.
		set $maddr
		route -qn add -net 224.0.0.0/4 -interface $2 > /dev/null
	else
		route -qn add -net 224.0.0.0/4 -interface \
		    127.0.0.1 -reject > /dev/null
	fi
	;;
*:*)
	echo 'config error, multicasting disabled until rc.conf is fixed'
	route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
	;;
esac


# Configure PPPoE, GIF, GRE and TUN interfaces, delayed because they require
# routes to be set. TUN might depend on PPPoE, and GIF or GRE may depend on
# either of them.
ifmstart "pppoe tun gif gre bridge"

# reject 127/8 other than 127.0.0.1
route -qn add -net 127 127.0.0.1 -reject > /dev/null

if [ "$ip6kernel" = "YES" ]; then
	# this is to make sure DAD is completed before going further.
	# Polls net.inet6.ip6.dad_pending once a second, giving up after
	# 10 iterations.
	count=0
	while [ $((count++)) -lt 10 -a "x"`sysctl -n net.inet6.ip6.dad_pending` != "x0" ]; do
		sleep 1
	done
fi